added option to define extra groups for AccessToken

scm-webapp/src/main/java/sonia/scm/security/BearerRealm.java

@@ -101,11 +101,11 @@ public class BearerRealm extends AuthenticatingRealm
     BearerToken bt = (BearerToken) token;
     AccessToken accessToken = tokenResolver.resolve(bt);
 
-    return helper.getAuthenticationInfo(
-      accessToken.getSubject(),
-      bt.getCredentials(),
-      Scopes.fromClaims(accessToken.getClaims())
-    );
+    return helper.authenticationInfoBuilder(accessToken.getSubject())
+      .withCredentials(bt.getCredentials())
+      .withScope(Scopes.fromClaims(accessToken.getClaims()))
+      .withGroups(accessToken.getGroups())
+      .build();
   }
 
 }

scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java

@@ -30,12 +30,15 @@
  */
 package sonia.scm.security;
 
+import com.google.common.collect.ImmutableSet;
 import io.jsonwebtoken.Claims;
 
 import java.util.Collections;
 import java.util.Date;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 
 import static java.util.Optional.ofNullable;
 
@@ -49,6 +52,8 @@ public final class JwtAccessToken implements AccessToken {
 
   public static final String REFRESHABLE_UNTIL_CLAIM_KEY = "scm-manager.refreshExpiration";
   public static final String PARENT_TOKEN_ID_CLAIM_KEY = "scm-manager.parentTokenId";
+  public static final String GROUPS_CLAIM_KEY = "scm-manager.groups";
+
   private final Claims claims;
   private final String compact;
 
@@ -103,6 +108,16 @@ public final class JwtAccessToken implements AccessToken {
     return Optional.ofNullable(claims.get(key));
   }
 
+  @Override
+  @SuppressWarnings("unchecked")
+  public Set<String> getGroups() {
+    Iterable<String> groups = claims.get(GROUPS_CLAIM_KEY, Iterable.class);
+    if (groups != null) {
+      return ImmutableSet.copyOf(groups);
+    }
+    return ImmutableSet.of();
+  }
+
   @Override
   public String compact() {
     return compact;

scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java

@@ -39,9 +39,12 @@ import io.jsonwebtoken.SignatureAlgorithm;
 
 import java.time.Clock;
 import java.time.Instant;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.Subject;
@@ -74,6 +77,7 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
   private Instant refreshExpiration;
   private String parentKeyId;
   private Scope scope = Scope.empty();
+  private Set<String> groups = new HashSet<>();
 
   private final Map<String,Object> custom = Maps.newHashMap();
 
@@ -134,6 +138,12 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
     return this;
   }
 
+  @Override
+  public JwtAccessTokenBuilder groups(String... groups) {
+    Collections.addAll(this.groups, groups);
+    return this;
+  }
+
   JwtAccessTokenBuilder refreshExpiration(Instant refreshExpiration) {
     this.refreshExpiration = refreshExpiration;
     this.refreshableFor = 0;
@@ -195,6 +205,10 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
       claims.setIssuer(issuer);
     }
 
+    if (!groups.isEmpty()) {
+      claims.put(JwtAccessToken.GROUPS_CLAIM_KEY, groups);
+    }
+
     // sign token and create compact version
     String compact = Jwts.builder()
         .setClaims(claims)