Integrate user's profile photo to Jenkins avatar (#658)

Author: timja

pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
         <artifactId>plugin</artifactId>
-        <version>4.88</version>
+        <version>5.6</version>
     </parent>
 
     <artifactId>azure-ad</artifactId>
@@ -37,8 +37,8 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
         <!-- https://www.jenkins.io/doc/developer/plugin-development/choosing-jenkins-baseline/ -->
-        <jenkins.baseline>2.440</jenkins.baseline>
-        <jenkins.version>${jenkins.baseline}.3</jenkins.version>
+        <jenkins.baseline>2.479</jenkins.baseline>
+        <jenkins.version>${jenkins.baseline}.1</jenkins.version>
         <node.version>20.17.0</node.version>
         <npm.version>10.8.2</npm.version>
         <hpi.compatibleSinceVersion>391.v252da_e1dd39c</hpi.compatibleSinceVersion>
@@ -250,7 +250,7 @@
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
                 <artifactId>bom-${jenkins.baseline}.x</artifactId>
-                <version>3435.v238d66a_043fb_</version>
+                <version>4051.v78dce3ce8b_d6</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>

src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java

@@ -19,10 +19,13 @@
 import com.google.common.base.Suppliers;
 import com.microsoft.graph.http.GraphServiceException;
 import com.microsoft.graph.models.Group;
+import com.microsoft.graph.models.ProfilePhoto;
 import com.microsoft.graph.options.Option;
 import com.microsoft.graph.options.QueryOption;
 import com.microsoft.graph.requests.GraphServiceClient;
 import com.microsoft.graph.requests.GroupCollectionPage;
+import com.microsoft.graph.requests.ProfilePhotoRequestBuilder;
+import com.microsoft.jenkins.azuread.avatar.EntraAvatarProperty;
 import com.microsoft.jenkins.azuread.scribe.AzureAdApi;
 import com.microsoft.jenkins.azuread.utils.UUIDValidator;
 import com.thoughtworks.xstream.converters.Converter;
@@ -47,10 +50,14 @@
 import hudson.util.Secret;
 import io.jenkins.plugins.azuresdk.HttpClientRetriever;
 
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.StandardCopyOption;
 import javax.servlet.http.HttpSession;
 
 import jenkins.model.Jenkins;
 import jenkins.security.SecurityListener;
+import jenkins.util.SystemProperties;
 import okhttp3.Request;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -146,8 +153,8 @@ public AccessToken getAccessToken() {
         tokenRequestContext.setScopes(singletonList(graphResource + ".default"));
 
         AccessToken accessToken = ("Certificate".equals(credentialType) ? getClientCertificateCredential() : getClientSecretCredential())
-            .getToken(tokenRequestContext)
-            .block();
+                .getToken(tokenRequestContext)
+                .block();
 
         if (accessToken == null) {
             throw new IllegalStateException("Access token null when it is required");
@@ -185,6 +192,7 @@ ClientCertificateCredential getClientCertificateCredential() {
                 .httpClient(HttpClientRetriever.get())
                 .build();
     }
+
     public boolean isPromptAccount() {
         return promptAccount;
     }
@@ -230,6 +238,7 @@ public String getClientCertificateSecret() {
     public String getCredentialType() {
         return credentialType;
     }
+
     public String getTenantSecret() {
         return tenant.getEncryptedValue();
     }
@@ -465,9 +474,14 @@ public HttpResponse doFinishLogin(StaplerRequest request)
 
             // Enforce updating current identity
             SecurityContextHolder.getContext().setAuthentication(auth);
-            updateIdentity(auth.getAzureAdUser(), User.current());
+            User currentUser = User.current();
+            updateIdentity(auth.getAzureAdUser(), currentUser);
 
             SecurityListener.fireAuthenticated2(userDetails);
+
+            if (!isDisableGraphIntegration()) {
+                updateAvatar(userDetails, currentUser);
+            }
         } catch (Exception ex) {
             LOGGER.log(Level.SEVERE, "error", ex);
             throw ex;
@@ -480,6 +494,50 @@ public HttpResponse doFinishLogin(StaplerRequest request)
         }
     }
 
+    private void updateAvatar(AzureAdUser userDetails, User currentUser) {
+        if (currentUser == null) {
+            return;
+        }
+        try {
+            if (SystemProperties.getBoolean(AzureSecurityRealm.class.getName() + ".disableAvatar",  false)) {
+                return;
+            }
+            ProfilePhotoRequestBuilder photosRequestBuilder = getAzureClient()
+                    .users(userDetails.getObjectID()).photos("48x48");
+            LOGGER.finest("Fetching avatar metadata");
+            ProfilePhoto profilePhoto = photosRequestBuilder.buildRequest().get();
+            LOGGER.finest("Completed fetching avatar metadata");
+            if (profilePhoto != null) {
+                LOGGER.finest("Fetching avatar");
+                try (InputStream inputStream = photosRequestBuilder.content().buildRequest().get()) {
+                    if (inputStream != null) {
+                        String mediaContentType = profilePhoto.additionalDataManager().get("@odata.mediaContentType")
+                                .getAsString();
+                        EntraAvatarProperty.AvatarImage avatarImage = new EntraAvatarProperty.AvatarImage(
+                                mediaContentType
+                        );
+                        EntraAvatarProperty entraAvatarProperty = new EntraAvatarProperty(avatarImage);
+                        File targetFile = new File(currentUser.getUserFolder(), "entra-avatar." + avatarImage.getFilenameSuffix());
+
+                        Files.copy(
+                                inputStream,
+                                targetFile.toPath(),
+                                StandardCopyOption.REPLACE_EXISTING);
+                        currentUser.addProperty(entraAvatarProperty);
+                        LOGGER.finest("Saved avatar");
+                    }
+
+                } catch (IOException e) {
+                    LOGGER.log(Level.WARNING, "Failed to save profile photo for %s".formatted(currentUser.getId()), e);
+                }
+            } else {
+                LOGGER.finest("No avatar found");
+            }
+        } catch (GraphServiceException e) {
+            LOGGER.log(e.getResponseCode() == 404 ? Level.FINER : Level.WARNING, "Failed to get profile photo for %s".formatted(currentUser.getId()), e);
+        }
+    }
+
     JwtClaims validateIdToken(String expectedNonce, String idToken) throws InvalidJwtException {
         JwtClaims claims = getJwtConsumer().processToClaims(idToken);
         final String responseNonce = (String) claims.getClaimValue("nonce");
@@ -878,7 +936,7 @@ private void updateIdentity(final AzureAdUser azureAdUser, final User u) {
                 if (StringUtils.isNotBlank(azureAdUser.getEmail())) {
                     UserProperty existing = u.getProperty(UserProperty.class);
                     if (existing == null || !existing.hasExplicitlyConfiguredAddress()) {
-                            u.addProperty(new Mailer.UserProperty(azureAdUser.getEmail()));
+                        u.addProperty(new Mailer.UserProperty(azureAdUser.getEmail()));
                     }
                 }
             } catch (IOException e) {

src/main/java/com/microsoft/jenkins/azuread/avatar/EntraAvatarProperty.java

@@ -0,0 +1,115 @@
+package com.microsoft.jenkins.azuread.avatar;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.model.Action;
+import hudson.model.User;
+import hudson.model.UserProperty;
+import hudson.model.UserPropertyDescriptor;
+import java.io.File;
+import java.io.FileInputStream;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import jenkins.model.Jenkins;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
+
+public class EntraAvatarProperty extends UserProperty implements Action {
+    private static final Logger LOGGER = Logger.getLogger(EntraAvatarProperty.class.getName());
+
+    private final AvatarImage avatarImage;
+
+    public EntraAvatarProperty(AvatarImage avatarImage) {
+        this.avatarImage = avatarImage;
+    }
+
+    public String getAvatarUrl() {
+        if (isHasAvatar()) {
+            return getAvatarImageUrl();
+        }
+
+        return null;
+    }
+
+    private String getAvatarImageUrl() {
+        return "%s%s/%s/image".formatted(Jenkins.get().getRootUrl(), user.getUrl(), getUrlName());
+    }
+
+    public boolean isHasAvatar() {
+        return avatarImage != null && avatarImage.isValid();
+    }
+
+    /**
+     * Used to serve images as part of {@link EntraAvatarResolver}.
+     */
+    public void doImage(StaplerRequest2 req, StaplerResponse2 rsp) {
+        if (avatarImage == null) {
+            LOGGER.log(Level.WARNING, "No image set for user '" + user.getId() + "'");
+            return;
+        }
+
+        String imageFileName = "entra-avatar." + avatarImage.getFilenameSuffix();
+        File file = new File(user.getUserFolder(), imageFileName);
+        if (!file.exists()) {
+            LOGGER.log(Level.WARNING, "Avatar image for user '" + user.getId() + "' does not exist");
+            return;
+        }
+
+        try (FileInputStream fileInputStream = new FileInputStream(file); ) {
+            rsp.setContentType(avatarImage.mimeType);
+            rsp.serveFile(
+                    req, fileInputStream, file.lastModified(), file.length(), imageFileName);
+        } catch (Exception e) {
+            LOGGER.log(Level.SEVERE, "Unable to write image for user '" + user.getId() + "'", e);
+        }
+    }
+
+    public String getDisplayName() {
+        return "Entra Avatar";
+    }
+
+    public String getIconFileName() {
+        return null;
+    }
+
+    public String getUrlName() {
+        return "entra-avatar";
+    }
+
+    @Extension
+    public static class DescriptorImpl extends UserPropertyDescriptor {
+
+        @Override
+        @NonNull
+        public String getDisplayName() {
+            return "Entra Avatar";
+        }
+
+        @Override
+        public boolean isEnabled() {
+            return false;
+        }
+
+        @Override
+        public UserProperty newInstance(User user) {
+            return new EntraAvatarProperty(null);
+        }
+    }
+
+    public static class AvatarImage {
+        private final String mimeType;
+
+        public AvatarImage(String mimeType) {
+            this.mimeType = mimeType;
+        }
+
+        public String getFilenameSuffix() {
+            return mimeType.split("/")[1]
+                    .split("\\+")[0];
+        }
+
+        public boolean isValid() {
+            return mimeType != null;
+        }
+    }
+}

src/main/java/com/microsoft/jenkins/azuread/avatar/EntraAvatarResolver.java

@@ -0,0 +1,21 @@
+package com.microsoft.jenkins.azuread.avatar;
+
+import hudson.Extension;
+import hudson.model.User;
+import hudson.tasks.UserAvatarResolver;
+
+@Extension(ordinal = -1)
+public class EntraAvatarResolver extends UserAvatarResolver {
+    @Override
+    public String findAvatarFor(User user, int width, int height) {
+        if (user != null) {
+            EntraAvatarProperty avatarProperty = user.getProperty(EntraAvatarProperty.class);
+
+            if (avatarProperty != null) {
+                return avatarProperty.getAvatarUrl();
+            }
+        }
+
+        return null;
+    }
+}