[JENKINS-73904] Increase test codecoverage and fix issues

jenkinsci · Oct 11, 2024 · 396cf59 · 396cf59
1 parent a20ca48
commit 396cf59
Show file tree

Hide file tree

Showing 4 changed files with 236 additions and 139 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidator.java b/src/main/java/org/jenkinsci/plugins/oic/OicAlgorithmValidator.java
@@ -47,6 +47,8 @@ public class OicAlgorithmValidator {
 
         // Init complaint EncryptionMethods
         supportedEncryptionMethod.addAll(ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
+        // XC20P is not complaint method
+        supportedEncryptionMethod.remove(EncryptionMethod.XC20P);
     }
 
     /**
@@ -107,9 +109,7 @@ public static void filterFipsNonCompliantJwsAlgorithm(List<JWSAlgorithm> algorit
     public static boolean isEncryptionMethodFipsNonCompliant(Algorithm encryptionMethod) {
         boolean matchNotFound = false;
         if (isFIPSMode && encryptionMethod != null) {
-            if (!supportedEncryptionMethod.isEmpty()) {
-                matchNotFound = supportedEncryptionMethod.stream().noneMatch(method -> method.equals(encryptionMethod));
-            }
+            matchNotFound = supportedEncryptionMethod.stream().noneMatch(method -> method.equals(encryptionMethod));
         }
         return matchNotFound;
     }

diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
@@ -521,6 +521,12 @@ private static void filterJwsAlgorithms(OIDCProviderMetadata oidcProviderMetadat
             oidcProviderMetadata.setIDTokenJWSAlgs(idTokenJWSAlgs);
         }
 
+        if (oidcProviderMetadata.getUserInfoJWSAlgs() != null) {
+            List<JWSAlgorithm> userInfoJwsAlgo = new ArrayList<>(oidcProviderMetadata.getUserInfoJWSAlgs());
+            OicAlgorithmValidator.filterFipsNonCompliantJwsAlgorithm(userInfoJwsAlgo);
+            oidcProviderMetadata.setUserInfoJWSAlgs(userInfoJwsAlgo);
+        }
+
         if (oidcProviderMetadata.getTokenEndpointJWSAlgs() != null) {
             List<JWSAlgorithm> tokenEndpointJWSAlgs = new ArrayList<>(oidcProviderMetadata.getTokenEndpointJWSAlgs());
             OicAlgorithmValidator.filterFipsNonCompliantJwsAlgorithm(tokenEndpointJWSAlgs);
@@ -565,6 +571,13 @@ private static void filterJwsAlgorithms(OIDCProviderMetadata oidcProviderMetadat
             OicAlgorithmValidator.filterFipsNonCompliantJwsAlgorithm(backChannelAuthenticationRequestJWSAlgs);
             oidcProviderMetadata.setBackChannelAuthenticationRequestJWSAlgs(backChannelAuthenticationRequestJWSAlgs);
         }
+
+        if (oidcProviderMetadata.getClientRegistrationAuthnJWSAlgs() != null) {
+            List<JWSAlgorithm> clientRegisterationAuth =
+                    new ArrayList<>(oidcProviderMetadata.getClientRegistrationAuthnJWSAlgs());
+            OicAlgorithmValidator.filterFipsNonCompliantJwsAlgorithm(clientRegisterationAuth);
+            oidcProviderMetadata.setClientRegistrationAuthnJWSAlgs(clientRegisterationAuth);
+        }
     }
 
     private static void filterJweAlgorithms(OIDCProviderMetadata oidcProviderMetadata) {
@@ -575,6 +588,12 @@ private static void filterJweAlgorithms(OIDCProviderMetadata oidcProviderMetadat
             oidcProviderMetadata.setIDTokenJWEAlgs(idTokenJWEAlgs);
         }
 
+        if (oidcProviderMetadata.getUserInfoJWEAlgs() != null) {
+            List<JWEAlgorithm> userTokenJWEAlgs = new ArrayList<>(oidcProviderMetadata.getUserInfoJWEAlgs());
+            OicAlgorithmValidator.filterFipsNonCompliantJweAlgorithm(userTokenJWEAlgs);
+            oidcProviderMetadata.setUserInfoJWEAlgs(userTokenJWEAlgs);
+        }
+
         if (oidcProviderMetadata.getRequestObjectJWEAlgs() != null) {
             List<JWEAlgorithm> requestObjectJWEAlgs = new ArrayList<>(oidcProviderMetadata.getRequestObjectJWEAlgs());
             OicAlgorithmValidator.filterFipsNonCompliantJweAlgorithm(requestObjectJWEAlgs);
@@ -603,6 +622,28 @@ private static void filterEncryptionMethods(OIDCProviderMetadata oidcProviderMet
             OicAlgorithmValidator.filterFipsNonCompliantEncryptionMethod(authorizationJWEEncs);
             oidcProviderMetadata.setAuthorizationJWEEncs(authorizationJWEEncs);
         }
+
+        if (oidcProviderMetadata.getIDTokenJWEEncs() != null) {
+            List<EncryptionMethod> idTokenJWEEncs = new ArrayList<>(oidcProviderMetadata.getIDTokenJWEEncs());
+            OicAlgorithmValidator.filterFipsNonCompliantEncryptionMethod(idTokenJWEEncs);
+            oidcProviderMetadata.setIDTokenJWEEncs(idTokenJWEEncs);
+        }
+        if (oidcProviderMetadata.getUserInfoJWEEncs() != null) {
+            List<EncryptionMethod> userInfoJWEEncs = new ArrayList<>(oidcProviderMetadata.getUserInfoJWEEncs());
+            OicAlgorithmValidator.filterFipsNonCompliantEncryptionMethod(userInfoJWEEncs);
+            oidcProviderMetadata.setUserInfoJWEEncs(userInfoJWEEncs);
+        }
+        if (oidcProviderMetadata.getRequestObjectJWEEncs() != null) {
+            List<EncryptionMethod> requestObjectJweEncs =
+                    new ArrayList<>(oidcProviderMetadata.getRequestObjectJWEEncs());
+            OicAlgorithmValidator.filterFipsNonCompliantEncryptionMethod(requestObjectJweEncs);
+            oidcProviderMetadata.setRequestObjectJWEEncs(requestObjectJweEncs);
+        }
+        if (oidcProviderMetadata.getAuthorizationJWEEncs() != null) {
+            List<EncryptionMethod> authJweEncs = new ArrayList<>(oidcProviderMetadata.getAuthorizationJWEEncs());
+            OicAlgorithmValidator.filterFipsNonCompliantEncryptionMethod(authJweEncs);
+            oidcProviderMetadata.setAuthorizationJWEEncs(authJweEncs);
+        }
     }
 
     /**

diff --git a/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFIPSAlgoTest.java b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFIPSAlgoTest.java
@@ -1,9 +1,20 @@
 package org.jenkinsci.plugins.oic;
 
+import com.nimbusds.jose.EncryptionMethod;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.id.Issuer;
+import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
+import com.nimbusds.openid.connect.sdk.SubjectType;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 import java.io.IOException;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 import jenkins.security.FIPS140;
+import net.minidev.json.JSONObject;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -19,7 +30,7 @@ public class OicSecurityRealmFIPSAlgoTest {
     @BeforeClass
     public static void setup() {
         fips140Mock = mockStatic(FIPS140.class);
-        fips140Mock.when(FIPS140::useCompliantAlgorithms).thenReturn(false);
+        fips140Mock.when(FIPS140::useCompliantAlgorithms).thenReturn(true);
     }
 
     @AfterClass
@@ -28,14 +39,175 @@ public static void breakdown() {
     }
 
     @Test
-    public void doCheckAlgorithmFilter() throws IOException, ParseException {
-        OIDCProviderMetadata oidcProviderMetadata = OicSecurityRealmNonFIPSAlgoTest.getNonCompliantMockObject();
+    public void doCheckAlgorithmFilterInFipsMode() throws IOException, ParseException {
+        OIDCProviderMetadata oidcProviderMetadata = getNonCompliantMockObject();
+        oidcProviderMetadata.setClientRegistrationAuthnJWSAlgs(compliantJwsAlgo());
+        oidcProviderMetadata.setDPoPJWSAlgs(compliantJwsAlgo());
+        oidcProviderMetadata.setAuthorizationJWSAlgs(compliantJwsAlgo());
+        oidcProviderMetadata.setAuthorizationJWEAlgs(compliantJweAlgo());
+        oidcProviderMetadata.setAuthorizationJWEEncs(compliantEncryptionMethod());
+        oidcProviderMetadata.setClientRegistrationAuthnJWSAlgs(compliantJwsAlgo());
+
         int countIDTokenJWSAlgs = oidcProviderMetadata.getIDTokenJWSAlgs().size();
         int countIDTokenJWEAlgs = oidcProviderMetadata.getIDTokenJWEAlgs().size();
+        int countIDTokenEncMethod = oidcProviderMetadata.getIDTokenJWEEncs().size();
         OicSecurityRealm.filterNonCompliantAlgorithms(oidcProviderMetadata);
+
+        assertEquals(
+                countIDTokenJWSAlgs - nonCompliantSigningAlgo().size(),
+                oidcProviderMetadata.getIDTokenJWSAlgs().size());
         assertEquals(
-                countIDTokenJWSAlgs, oidcProviderMetadata.getIDTokenJWSAlgs().size());
+                countIDTokenJWEAlgs - nonCompliantEncryptionAlgo().size(),
+                oidcProviderMetadata.getIDTokenJWEAlgs().size());
         assertEquals(
-                countIDTokenJWEAlgs, oidcProviderMetadata.getIDTokenJWEAlgs().size());
+                countIDTokenEncMethod - nonCompliantEncryptionMethod().size(),
+                oidcProviderMetadata.getIDTokenJWEEncs().size());
+    }
+
+    protected static List<JWSAlgorithm> nonCompliantSigningAlgo() {
+        List<JWSAlgorithm> nonCompliantSignAlgos = new ArrayList<>();
+        nonCompliantSignAlgos.add(new JWSAlgorithm("EdDSA"));
+        nonCompliantSignAlgos.add(new JWSAlgorithm("Ed25519"));
+        nonCompliantSignAlgos.add(new JWSAlgorithm("Ed448"));
+        return nonCompliantSignAlgos;
+    }
+
+    protected static List<JWEAlgorithm> nonCompliantEncryptionAlgo() {
+
+        List<JWEAlgorithm> nonCompliantEncryptionAlgos = new ArrayList<>();
+        nonCompliantEncryptionAlgos.add(new JWEAlgorithm("RSA1_5"));
+        nonCompliantEncryptionAlgos.add(new JWEAlgorithm("ECDH-1PU"));
+        nonCompliantEncryptionAlgos.add(new JWEAlgorithm("ECDH-1PU+A128KW"));
+        nonCompliantEncryptionAlgos.add(new JWEAlgorithm("ECDH-1PU+A256KW"));
+        return nonCompliantEncryptionAlgos;
+    }
+
+    protected static List<EncryptionMethod> nonCompliantEncryptionMethod() {
+        List<EncryptionMethod> nonComplEncryptionMethods = new ArrayList<>();
+        nonComplEncryptionMethods.add(new EncryptionMethod("XC20P"));
+        return nonComplEncryptionMethods;
+    }
+
+    protected static List<JWSAlgorithm> compliantJwsAlgo() {
+        List<JWSAlgorithm> compliantSignAlgos = new ArrayList<>();
+        compliantSignAlgos.add(new JWSAlgorithm("HS256"));
+        compliantSignAlgos.add(new JWSAlgorithm("HS384"));
+        compliantSignAlgos.add(new JWSAlgorithm("HS512"));
+        compliantSignAlgos.add(new JWSAlgorithm("RS384"));
+        compliantSignAlgos.add(new JWSAlgorithm("PS384"));
+        compliantSignAlgos.add(new JWSAlgorithm("ES512"));
+        return compliantSignAlgos;
+    }
+
+    protected static List<JWEAlgorithm> compliantJweAlgo() {
+        List<JWEAlgorithm> compliantEncryptionAlgos = new ArrayList<>();
+        compliantEncryptionAlgos.add(new JWEAlgorithm("RSA-OAEP"));
+        compliantEncryptionAlgos.add(new JWEAlgorithm("A192KW"));
+        compliantEncryptionAlgos.add(new JWEAlgorithm("A128CGMKW"));
+        compliantEncryptionAlgos.add(new JWEAlgorithm("A256CGMKW"));
+        return compliantEncryptionAlgos;
+    }
+
+    protected static List<EncryptionMethod> compliantEncryptionMethod() {
+        List<EncryptionMethod> encryptionMethod = new ArrayList<>();
+        encryptionMethod.add(new EncryptionMethod("RSA-OAEP"));
+        encryptionMethod.add(new EncryptionMethod("A192KW"));
+        encryptionMethod.add(new EncryptionMethod("A128CGMKW"));
+        encryptionMethod.add(new EncryptionMethod("A256CGMKW"));
+        return encryptionMethod;
+    }
+
+    protected static OIDCProviderMetadata getNonCompliantMockObject() throws ParseException {
+        OIDCProviderMetadata oidcProviderMetadata = createCompliantMockObject();
+        // Add non compliant signing algo
+        oidcProviderMetadata.getIDTokenJWSAlgs().addAll(nonCompliantSigningAlgo());
+        // Add non-compliant encryption algo
+        oidcProviderMetadata.getIDTokenJWEAlgs().addAll(nonCompliantEncryptionAlgo());
+        // Add non-compliant encryption method
+        oidcProviderMetadata.getIDTokenJWEEncs().addAll(nonCompliantEncryptionMethod());
+        return oidcProviderMetadata;
+    }
+
+    protected static OIDCProviderMetadata createCompliantMockObject() throws ParseException {
+        String json = "{\n" + "  \"issuer\": \"https://your-oidc-provider.com\",\n"
+                + "  \"authorization_endpoint\": \"https://your-oidc-provider.com/oauth2/authorize\",\n"
+                + "  \"token_endpoint\": \"https://your-oidc-provider.com/oauth2/token\",\n"
+                + "  \"userinfo_endpoint\": \"https://your-oidc-provider.com/oauth2/userinfo\",\n"
+                + "  \"jwks_uri\": \"https://your-oidc-provider.com/.well-known/jwks.json\",\n"
+                + "  \"registration_endpoint\": \"https://your-oidc-provider.com/oauth2/register\",\n" + "  \n"
+                + "  \"scopes_supported\": [\n" + "    \"openid\",\n" + "    \"profile\",\n" + "    \"email\",\n"
+                + "    \"address\",\n" + "    \"phone\",\n" + "    \"offline_access\"\n" + "  ],\n"
+                + "  \"response_types_supported\": [\n" + "    \"code\",\n" + "    \"id_token\",\n"
+                + "    \"token id_token\",\n" + "    \"code id_token\",\n" + "    \"code token\",\n"
+                + "    \"code token id_token\"\n" + "  ],\n" + "  \"grant_types_supported\": [\n"
+                + "    \"authorization_code\",\n" + "    \"implicit\",\n" + "    \"refresh_token\",\n"
+                + "    \"client_credentials\"\n" + "  ],\n" + "  \"subject_types_supported\": [\n"
+                + "    \"public\",\n" + "    \"pairwise\"\n" + "  ],\n"
+                + "  \"id_token_signing_alg_values_supported\": [\n" + "    \"RS256\",\n" + "    \"RS384\",\n"
+                + "    \"RS512\",\n" + "    \"ES256\",\n" + "    \"ES384\",\n" + "    \"ES512\",\n"
+                + "    \"PS256\",\n" + "    \"PS384\",\n" + "    \"PS512\",\n" + "    \"HS256\",\n"
+                + "    \"HS384\",\n" + "    \"HS512\" \n" + "  ],\n"
+                + "  \"id_token_encryption_alg_values_supported\": [\n" + "    \"RSA-OAEP\", \n"
+                + "    \"ECDH-ES\"\n" + "  ],\n" + "  \"id_token_encryption_enc_values_supported\": [\n"
+                + "    \"A128CBC-HS256\",\n" + "    \"A192CBC-HS384\",\n" + "    \"A256CBC-HS512\",\n"
+                + "    \"A128GCM\",\n" + "    \"A192GCM\",\n" + "    \"A256GCM\"\n" + "  ],\n"
+                + "  \"userinfo_signing_alg_values_supported\": [\n" + "    \"RS256\",\n" + "    \"RS384\",\n"
+                + "    \"RS512\",\n" + "    \"ES256\",\n" + "    \"ES384\",\n" + "    \"ES512\",\n"
+                + "    \"PS256\",\n" + "    \"PS384\",\n" + "    \"PS512\",\n" + "    \"HS256\",\n"
+                + "    \"HS384\",\n" + "    \"HS512\"\n" + "  ],\n"
+                + "  \"userinfo_encryption_alg_values_supported\": [\n" + "    \"RSA-OAEP\",\n"
+                + "    \"ECDH-ES\"\n" + "  ],\n" + "  \"userinfo_encryption_enc_values_supported\": [\n"
+                + "    \"A128CBC-HS256\",\n" + "    \"A192CBC-HS384\",\n" + "    \"A256CBC-HS512\",\n"
+                + "    \"A128GCM\",\n" + "    \"A192GCM\",\n" + "    \"A256GCM\"\n" + "  ],\n"
+                + "  \"request_object_signing_alg_values_supported\": [\n" + "    \"RS256\",\n"
+                + "    \"RS384\",\n" + "    \"RS512\",\n" + "    \"ES256\",\n" + "    \"ES384\",\n"
+                + "    \"ES512\",\n" + "    \"PS256\",\n" + "    \"PS384\",\n" + "    \"PS512\",\n"
+                + "    \"HS256\",\n" + "    \"HS384\",\n" + "    \"HS512\"\n" + "  ],\n"
+                + "  \"request_object_encryption_alg_values_supported\": [\n" + "    \"RSA-OAEP\",\n"
+                + "    \"ECDH-ES\"\n" + "  ],\n" + "  \"request_object_encryption_enc_values_supported\": [\n"
+                + "    \"A128CBC-HS256\",\n" + "    \"A192CBC-HS384\",\n" + "    \"A256CBC-HS512\",\n"
+                + "    \"A128GCM\",\n" + "    \"A192GCM\",\n" + "    \"A256GCM\"\n" + "  ],\n"
+                + "  \"token_endpoint_auth_methods_supported\": [\n" + "    \"client_secret_basic\",\n"
+                + "    \"client_secret_post\",\n" + "    \"private_key_jwt\"\n" + "  ],\n"
+                + "  \"token_endpoint_auth_signing_alg_values_supported\": [\n" + "    \"RS256\",\n"
+                + "    \"RS384\",\n" + "    \"RS512\",\n" + "    \"ES256\",\n" + "    \"ES384\",\n"
+                + "    \"ES512\",\n" + "    \"PS256\",\n" + "    \"PS384\",\n" + "    \"PS512\",\n"
+                + "    \"HS256\",\n" + "    \"HS384\",\n" + "    \"HS512\"\n" + "  ],\n"
+                + "  \"claims_supported\": [\n" + "    \"sub\",\n" + "    \"name\",\n"
+                + "    \"preferred_username\",\n" + "    \"email\",\n" + "    \"email_verified\",\n"
+                + "    \"given_name\",\n" + "    \"family_name\",\n" + "    \"profile\",\n" + "    \"picture\",\n"
+                + "    \"locale\",\n" + "    \"phone_number\",\n" + "    \"address\",\n" + "    \"birthdate\",\n"
+                + "    \"gender\"\n" + "  ],\n" + "  \"claim_types_supported\": [\n" + "    \"normal\"\n"
+                + "  ],\n" + "  \"claims_parameter_supported\": true,\n"
+                + "  \"request_parameter_supported\": true,\n" + "  \"request_uri_parameter_supported\": true,\n"
+                + "  \"require_request_uri_registration\": false,\n"
+                + "  \"revocation_endpoint\": \"https://your-oidc-provider.com/oauth2/revoke\",\n"
+                + "  \"revocation_endpoint_auth_methods_supported\": [\n" + "    \"client_secret_basic\",\n"
+                + "    \"client_secret_post\",\n" + "    \"private_key_jwt\"\n" + "  ],\n"
+                + "  \"revocation_endpoint_auth_signing_alg_values_supported\": [\n" + "    \"RS256\",\n"
+                + "    \"RS384\",\n" + "    \"RS512\",\n" + "    \"ES256\",\n" + "    \"ES384\",\n"
+                + "    \"ES512\",\n" + "    \"PS256\",\n" + "    \"PS384\",\n" + "    \"PS512\"\n" + "  ],\n"
+                + "  \"introspection_endpoint\": \"https://your-oidc-provider.com/oauth2/introspect\",\n"
+                + "  \"introspection_endpoint_auth_methods_supported\": [\n" + "    \"client_secret_basic\",\n"
+                + "    \"client_secret_post\",\n" + "    \"private_key_jwt\"\n" + "  ],\n"
+                + "  \"introspection_endpoint_auth_signing_alg_values_supported\": [\n" + "    \"RS256\",\n"
+                + "    \"RS384\",\n" + "    \"RS512\",\n" + "    \"ES256\",\n" + "    \"ES384\",\n"
+                + "    \"ES512\",\n" + "    \"PS256\",\n" + "    \"PS384\",\n" + "    \"PS512\"\n" + "  ],\n"
+                + "  \"code_challenge_methods_supported\": [\n" + "    \"plain\",\n" + "    \"S256\"\n" + "  ],\n"
+                + "  \"tls_client_certificate_bound_access_tokens\": true,\n"
+                + "  \"backchannel_logout_supported\": true,\n"
+                + "  \"backchannel_logout_session_supported\": true,\n"
+                + "  \"frontchannel_logout_supported\": true,\n"
+                + "  \"frontchannel_logout_session_supported\": true,\n"
+                + "  \"end_session_endpoint\": \"https://your-oidc-provider.com/logout\"\n" + "}";
+        JSONObject jsonObject = JSONObjectUtils.parse(json);
+        jsonObject.put("issuer", new Issuer("https://op.example.com").getValue());
+        jsonObject.put(
+                "subject_types_supported",
+                Arrays.asList(SubjectType.PUBLIC.toString(), SubjectType.PAIRWISE.toString()));
+        jsonObject.put(
+                "jwks_uri", URI.create("https://op.example.com/jwks.json").toString());
+
+        return OIDCProviderMetadata.parse(jsonObject);
     }
 }