Merge pull request #418 from olamy/fips-escapehatch

[JEP-237] disable escapeHatch when Jenkins is in FIPS mode
jenkinsci · Oct 11, 2024 · 2679db6 · 2679db6
2 parents 5b97484 + ab4ab83
commit 2679db6
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 17 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
@@ -352,6 +352,14 @@ protected Object readResolve() throws ObjectStreamException {
         this.setTokenFieldToCheckKey(this.tokenFieldToCheckKey);
         // ensure escapeHatchSecret is encrypted
         this.setEscapeHatchSecret(this.escapeHatchSecret);
+
+        // validate this option in FIPS env or not
+        try {
+            this.setEscapeHatchEnabled(this.escapeHatchEnabled);
+        } catch (FormException e) {
+            throw new IllegalArgumentException(e.getFormField() + ": " + e.getMessage());
+        }
+
         try {
             if (automanualconfigure != null) {
                 if ("auto".equals(automanualconfigure)) {
@@ -607,7 +615,10 @@ public void setPostLogoutRedirectUrl(String postLogoutRedirectUrl) {
     }
 
     @DataBoundSetter
-    public void setEscapeHatchEnabled(boolean escapeHatchEnabled) {
+    public void setEscapeHatchEnabled(boolean escapeHatchEnabled) throws FormException {
+        if (FIPS140.useCompliantAlgorithms() && escapeHatchEnabled) {
+            throw new FormException("Escape Hatch cannot be enabled in FIPS environment", "escapeHatchEnabled");
+        }
         this.escapeHatchEnabled = escapeHatchEnabled;
     }
 
@@ -1422,5 +1433,10 @@ private FormValidation doCheckFieldName(String fieldName, FormValidation validIf
         public Descriptor<OicServerConfiguration> getDefaultServerConfigurationType() {
             return Jenkins.get().getDescriptor(OicServerWellKnownConfiguration.class);
         }
+
+        @Restricted(NoExternalUse.class) // used by jelly only
+        public boolean isFipsEnabled() {
+            return FIPS140.useCompliantAlgorithms();
+        }
     }
 }
diff --git a/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly b/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly
@@ -68,22 +68,23 @@
         <f:checkbox/>
       </f:entry>
     </f:advanced>
-
-    <f:block>
-      <table>
-        <f:optionalBlock inline="true" title="${%ConfigureEscapeHatch}" field="escapeHatchEnabled">
-          <f:entry title="${%Username}" field="escapeHatchUsername">
-            <f:textbox/>
-          </f:entry>
-          <f:entry title="${%Secret}" field="escapeHatchSecret">
-            <f:password/>
-          </f:entry>
-          <f:entry title="${%Group}" field="escapeHatchGroup">
-            <f:textbox/>
-          </f:entry>
-        </f:optionalBlock>
-      </table>
-    </f:block>
+    <j:if test="${!descriptor.isFipsEnabled()}">
+      <f:block>
+        <table>
+          <f:optionalBlock inline="true" title="${%ConfigureEscapeHatch}" field="escapeHatchEnabled">
+            <f:entry title="${%Username}" field="escapeHatchUsername">
+              <f:textbox/>
+            </f:entry>
+            <f:entry title="${%Secret}" field="escapeHatchSecret">
+              <f:password/>
+            </f:entry>
+            <f:entry title="${%Group}" field="escapeHatchGroup">
+              <f:textbox/>
+            </f:entry>
+          </f:optionalBlock>
+        </table>
+      </f:block>
+    </j:if>
 
   </f:section>
 

diff --git a/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java b/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java
@@ -0,0 +1,35 @@
+package org.jenkinsci.plugins.oic;
+
+import hudson.model.Descriptor;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.jvnet.hudson.test.FlagRule;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+public class SecurityRealmConfigurationFIPSTest {
+
+    @ClassRule
+    public static FlagRule<String> FIPS_RULE = FlagRule.systemProperty("jenkins.security.FIPS140.COMPLIANCE", "true");
+
+    @Test(expected = Descriptor.FormException.class)
+    public void escapeHatchThrowsException() throws Exception {
+        new OicSecurityRealm("clientId", null, null, null).setEscapeHatchEnabled(true);
+    }
+
+    @Test
+    public void escapeHatchToFalse() throws Exception {
+        OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null);
+        oicSecurityRealm.setEscapeHatchEnabled(false);
+        assertThat(oicSecurityRealm.isEscapeHatchEnabled(), is(false));
+    }
+
+    @Test
+    public void readresolve() throws Exception {
+        OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null);
+        oicSecurityRealm.setEscapeHatchEnabled(false);
+        assertThat(oicSecurityRealm.isEscapeHatchEnabled(), is(false));
+        oicSecurityRealm.readResolve();
+    }
+}