Merge pull request #409 from jtnord/pac4j

Replace EOL Google Oauth library

pom.xml

@@ -45,21 +45,85 @@
     <revision>4</revision>
     <changelist>999999-SNAPSHOT</changelist>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
+    <!-- update the jenkins-bom version when updating -->
     <jenkins.version>2.426.3</jenkins.version>
     <spotless.check.skip>false</spotless.check.skip>
     <spotbugs.effort>Max</spotbugs.effort>
     <configuration-as-code.version>1836.vccda_4a_122a_a_e</configuration-as-code.version>
-    <hpi.compatibleSinceVersion>4.347</hpi.compatibleSinceVersion>
+    <hpi.compatibleSinceVersion>4.383</hpi.compatibleSinceVersion>
+    <!-- latest 5.x as 6 uses java 17 -->
+    <pac4jVersion>5.7.7</pac4jVersion>
   </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.jenkins.tools.bom</groupId>
+        <artifactId>bom-2.426.x</artifactId>
+        <version>3208.vb_21177d4b_cd9</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <!-- do not exlude the annotations so we can benifit from spotbugs checks but set the to provided so we do not bundle them -->
+        <groupId>com.github.stephenc.jcip</groupId>
+        <artifactId>jcip-annotations</artifactId>
+        <scope>provided</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
-      <groupId>com.google.http-client</groupId>
-      <artifactId>google-http-client</artifactId>
-      <version>1.45.0</version>
+      <groupId>io.burt</groupId>
+      <artifactId>jmespath-core</artifactId>
+      <version>0.6.0</version>
+    </dependency>
+    <dependency>
+      <groupId>io.jenkins.plugins</groupId>
+      <artifactId>asm-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>jackson2-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>mailer</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.pac4j</groupId>
+      <!-- replace with pac4j-jakartaee when we use a Jenkins version with jakartaee -->
+      <artifactId>pac4j-javaee</artifactId>
+      <version>${pac4jVersion}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.google.guava</groupId>
+          <artifactId>guava</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from asm-api plugin -->
+          <groupId>org.ow2.asm</groupId>
+          <artifactId>asm</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from Jenkins core -->
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-api</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.pac4j</groupId>
+      <artifactId>pac4j-oidc</artifactId>
+      <version>${pac4jVersion}</version>
+      <!-- java 11 compatability-->
       <exclusions>
         <exclusion>
-          <groupId>com.google.errorprone</groupId>
-          <artifactId>error_prone_annotations</artifactId>
+          <!-- consume from jackson2-api plugin -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
         </exclusion>
         <exclusion>
           <groupId>com.google.guava</groupId>
@@ -68,42 +132,26 @@
       </exclusions>
     </dependency>
     <dependency>
-      <groupId>com.google.http-client</groupId>
-      <artifactId>google-http-client-gson</artifactId>
-      <version>1.45.0</version>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.11.0</version>
+      <scope>test</scope>
     </dependency>
-    <!-- see build plugin unpack -->
     <dependency>
       <groupId>com.google.oauth-client</groupId>
       <artifactId>google-oauth-client</artifactId>
       <version>1.36.0</version>
+      <scope>test</scope>
       <exclusions>
         <exclusion>
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
-    <dependency>
-      <groupId>io.burt</groupId>
-      <artifactId>jmespath-core</artifactId>
-      <version>0.6.0</version>
-    </dependency>
-    <dependency>
-      <groupId>org.jenkins-ci.plugins</groupId>
-      <artifactId>mailer</artifactId>
-      <version>448.v5b_97805e3767</version>
-    </dependency>
-    <dependency>
-      <groupId>com.github.tomakehurst</groupId>
-      <artifactId>wiremock-standalone</artifactId>
-      <version>2.27.2</version>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <groupId>io.jenkins.configuration-as-code</groupId>
       <artifactId>test-harness</artifactId>
-      <version>${configuration-as-code.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -122,6 +170,12 @@
       <artifactId>mockito-junit-jupiter</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.wiremock</groupId>
+      <artifactId>wiremock-standalone</artifactId>
+      <version>3.9.1</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <repositories>

src/main/java/org/jenkinsci/plugins/oic/AnythingGoesTokenValidator.java

@@ -0,0 +1,70 @@
+package org.jenkinsci.plugins.oic;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.id.Issuer;
+import com.nimbusds.openid.connect.sdk.Nonce;
+import com.nimbusds.openid.connect.sdk.SubjectType;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.pac4j.core.exception.TechnicalException;
+import org.pac4j.oidc.config.OidcConfiguration;
+import org.pac4j.oidc.profile.creator.TokenValidator;
+
+public class AnythingGoesTokenValidator extends TokenValidator {
+
+    public static final Logger LOGGER = Logger.getLogger(AnythingGoesTokenValidator.class.getName());
+
+    public AnythingGoesTokenValidator() {
+        super(createFakeOidcConfiguration());
+    }
+
+    @Override
+    public IDTokenClaimsSet validate(final JWT idToken, final Nonce expectedNonce) {
+        // validation is disabled, so everything is valid.
+        try {
+            return new IDTokenClaimsSet(idToken.getJWTClaimsSet());
+        } catch (ParseException | java.text.ParseException e) {
+            LOGGER.log(
+                    Level.WARNING,
+                    "Token validation is disabled, but the token is corrupt and claims will not be represted.",
+                    e);
+            try {
+                return new IDTokenClaimsSet(new JWTClaimsSet.Builder().build());
+            } catch (ParseException e1) {
+                throw new TechnicalException("could not create and empty IDTokenClaimsSet");
+            }
+        }
+    }
+
+    /**
+     * Annoyingly the super class needs an OidcConfiguration with some values set,
+     * which if we are not validating we may not actually have (e.g. jwks_url).
+     * So we need a configuration with this set just so the validator can say "this is valid".
+     */
+    private static OidcConfiguration createFakeOidcConfiguration() {
+        try {
+            OidcConfiguration config = new OidcConfiguration();
+            config.setClientId("ignored");
+            config.setSecret("ignored");
+            OIDCProviderMetadata providerMetadata = new OIDCProviderMetadata(
+                    new Issuer("http://ignored"), List.of(SubjectType.PUBLIC), new URI("http://ignored.and.invalid./"));
+            providerMetadata.setIDTokenJWSAlgs(List.of(JWSAlgorithm.HS256));
+            config.setProviderMetadata(providerMetadata);
+            config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
+            config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
+            return config;
+        } catch (URISyntaxException e) {
+            // should never happen the urls we are using are valid
+            throw new IllegalStateException(e);
+        }
+    }
+}

src/main/java/org/jenkinsci/plugins/oic/CustomOidcConfiguration.java

@@ -0,0 +1,52 @@
+package org.jenkinsci.plugins.oic;
+
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import hudson.ProxyConfiguration;
+import java.net.Proxy;
+import java.net.http.HttpRequest;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import jenkins.model.Jenkins;
+import jenkins.security.FIPS140;
+import org.jenkinsci.plugins.oic.ssl.IgnoringHostNameVerifier;
+import org.jenkinsci.plugins.oic.ssl.TLSUtils;
+import org.pac4j.oidc.config.OidcConfiguration;
+
+/**
+ * An OidcConfiguration that will customize {@link HttpRequest} with the Jenkins proxy, and iff TLS is disabled a lenient {@link HostnameVerifier} and {@link SSLContext}.
+ */
+class CustomOidcConfiguration extends OidcConfiguration {
+
+    private final boolean disableTLS;
+
+    CustomOidcConfiguration(boolean disableTLS) {
+        this.disableTLS = disableTLS;
+        if (FIPS140.useCompliantAlgorithms() && disableTLS) {
+            throw new IllegalStateException("Cannot disable TLS validation in FIPS-140 mode");
+        }
+    }
+
+    @Override
+    public void configureHttpRequest(HTTPRequest request) {
+        Proxy proxy = null;
+        Jenkins jenkins = Jenkins.getInstanceOrNull();
+        if (jenkins != null) { // unit tests
+            ProxyConfiguration pc = jenkins.getProxy();
+            if (pc != null) {
+                proxy = pc.createProxy(request.getURL().getHost());
+            }
+        }
+        request.setProxy(proxy);
+        if (disableTLS) {
+            request.setHostnameVerifier(IgnoringHostNameVerifier.INSTANCE);
+            try {
+                request.setSSLSocketFactory(TLSUtils.createAnythingGoesSSLSocketFactory());
+            } catch (KeyManagementException | NoSuchAlgorithmException e) {
+                throw new IllegalStateException("could not configure the SSLFactory, this should not be possible", e);
+            }
+        }
+        super.configureHttpRequest(request);
+    }
+}

src/main/java/org/jenkinsci/plugins/oic/OicCrumbExclusion.java

@@ -11,7 +11,7 @@
 import jenkins.model.Jenkins;
 
 /**
- * Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest)}
+ * Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest, org.kohsuke.stapler.StaplerResponse)}
  */
 @Extension
 public class OicCrumbExclusion extends CrumbExclusion {