Add support for avatars

[jonesbusy]

Fix for #512 (more details here)

• Avatar is an URL given when profile scope is requested (standard OpenID)
• Added tests

Other known plugin that support avatar extension point

https://github.com/jenkinsci/avatar-plugin
https://github.com/jenkinsci/azure-ad-plugin
https://github.com/jenkinsci/gravatar-plugin

Testing done

There was some fixes on Jenkins 2.495 for avatar rendering. That's why it would look different

On 2.479.1 (this current plugin jenkins.version). This is was fixed by jenkinsci/jenkins#10180 which should be included on ~3 month LTS

On 2.495 this looks much better

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[jonesbusy]

FYI @timja thanks for the help, jenkinsci/azure-ad-plugin#658 was a good inspiration for it

[codecov]

Codecov Report

Attention: Patch coverage is 83.67347% with 8 lines in your changes missing coverage. Please review.

Project coverage is 72.45%. Comparing base (7b42906) to head (91ca44a).
Report is 39 commits behind head on master.

Files with missing lines	Patch %	Lines
...a/org/jenkinsci/plugins/oic/OicAvatarProperty.java	85.00%	1 Missing and 2 partials ⚠️
...a/org/jenkinsci/plugins/oic/OicAvatarResolver.java	50.00%	1 Missing and 2 partials ⚠️
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java	91.30%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #523      +/-   ##
============================================
+ Coverage     72.04%   72.45%   +0.40%     
- Complexity      235      249      +14     
============================================
  Files            18       20       +2     
  Lines          1073     1118      +45     
  Branches        149      154       +5     
============================================
+ Hits            773      810      +37     
- Misses          207      212       +5     
- Partials         93       96       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jtnord]

Thankyou for the contribution, however I have a concern about this.

The OIDC spec has the users picture as a URL (string) in the picture claim (part of the profile claim).
AFAICT this is adding support for a non standard field. If this is the case the. I don't think this should be here as we will end up with request to support all and every way some provider does it in a unique way.

If this is non standard then there should be an extension point that can be implemented and chosen, with (I would say) the only implementation in this plugin should be the standard picture claim, which can just store and return the URL.

[jtnord]

keycloak/keycloak#30428 (comment)

[jonesbusy]

Thanks for the review. If the URL is the standard, let's use the URL to display the avatar.

I will check then on my side how to get a URL based on the base64 data (maybe some keycloak extension to extract the thumbnail and upload it somewhere, then return the URL in the profile).

I will update the PR harcodingly

[jonesbusy]

I updated the PR to use URL instead. Ii work now the same but with URL instead of Base64 (I've temporarly tested with an hardcoded claim "picture"). The mapping is still configurable

[jonesbusy]

I've pushed 2 commits. One that remove the configuration for the picture field since it's standard on OpenId.

The other one that change to direct link for the avatar.

The URL is now stored as property

<avatarImage>
    <url>http://localhost:8083/realms/ci-local-dev/avatar/ab2a1093-db55-4b61-8711-08ac4c38252e</url>
</avatarImage>

I confirm it work when the image is hosted on different domain (jenkins 8080, keycloak 8083)

[jonesbusy]

I rebased the 4 commits

[jonesbusy]

Fixed conflicts due to Junit5 migration and squashed commits

[jonesbusy]

@jtnord Hi again, would you be able to take a look? It's now using standard picture claim

[jtnord]

Suggested change

	return "Openid Connect Avatar";
	return "OpenID Connect Avatar";

[jtnord]

it is OpenID not OpenId or Openid (the ID is for Identity Document not Id as in Identity).
(yes this plugin should have been called oidc-auth but that ship sailed, but the user facing stuff should be correct)

Suggested change

	return "Openid Connect Avatar";
	return "OpenID Connect Avatar";

[jonesbusy]

I will fix for the new code. However there are multiple occurence on the plugin

For example

OicSecurityRealm.DisplayName = Se connecter avec Openid Connect
OicSecurityRealm.ClientIdRequired = Le client id est requis.
OicSecurityRealm.ClientSecretRequired = Le client secret est obligatoire.
OicSecurityRealm.URLNotAOpenIdEnpoint = L'URL ne semble pas d\u00e9crire des terminaux OpenID Connect

[jtnord]

Thanks, I thought I had fixed them, but obviously I hadn't. filed #542 so I do not forget.

[jtnord]

unused logger

Suggested change

private static final Logger LOGGER = Logger.getLogger(OicAvatarProperty.class.getName());

[jtnord]

Would It be useful to know which user this was for?
Also should this not remove the property (e.g. if someone deletes there picture from the profile, we would continue to show it?)

[jonesbusy]

Good point

[jtnord]

WiremockRule.baseUrl()?

[jtnord]

This does string concatenation and then in most cases throws the result away.
Better to use parameterized logging or a supplier.

Additionally, would it be useful to know which user this was for?

(untested)

Suggested change

	LOGGER.finest("Avatar url is: " + avatarUrl);
	LOGGER.finest(() -> {"Avatar for user `" + user.getId() + "` url is: " + avatarUrl });

[jtnord]

is it still valid to have this in a try/catch now we are not downloading, / decrypting the picture?

[jtnord]

should this not check the AvatarResolver also?

e.g. (untested)

Suggested change

	assertEquals(expectedAvatarUrl, avatarProperty.getAvatarUrl(), "Avatar url should be " + expectedAvatarUrl);
	assertEquals("Openid Connect Avatar", avatarProperty.getDisplayName());
	assertNull(avatarProperty.getIconFileName(), "Icon filename must be null");
	assertEquals(expectedAvatarUrl, avatarProperty.getAvatarUrl(), "Avatar url should be " + expectedAvatarUrl);
	assertEquals("OpenID Connect Avatar", avatarProperty.getDisplayName());
	assertNull(avatarProperty.getIconFileName(), "Icon filename must be null");
	String urlViaAvatarResolver = UserAvatarResolver.resolve(user, "48x48");
	assertEquals(expectedAvatarUrl, urlViaAvatarResolver, "Avatar url should be " + expectedAvatarUrl);

[jtnord]

@jtnord Hi again, would you be able to take a look? It's now using standard picture claim

thanks for the reminder, I had reviewed it but forgot to submit it :(