Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-73849] [JEP-237] remove the ability to disable SSL and token validation in FIPS mode #423

Merged
merged 18 commits into from
Oct 11, 2024
Merged

[JENKINS-73849] [JEP-237] remove the ability to disable SSL and token validation in FIPS mode #423

merged 18 commits into from
Oct 11, 2024

Conversation

PereBueno
Copy link
Contributor

@PereBueno PereBueno commented Oct 11, 2024
edited by jtnord
Loading

https://issues.jenkins.io/browse/JENKINS-73849
https://github.com/jenkinsci/jep/tree/master/jep/237

When Jenknis is running in FIPS-140 mode, SSL and token verificaiton can no longer be disabled.
This change adds a form validation that will warn the user, fails with an IllegalArgumentException if trying to save regardless the warning and checks values on readResolve, in case config file was manually modified, or the plugin has been upgraded and was configured before these checks where enabled.

NOTE: This change does not ensure that the plugin is FIPS-140 compliant, and further changes are required.

Testing done

Added 3 tests and checked manually.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

jtnord and others added 16 commits September 27, 2024 12:33
@jtnord
Replace EOL Google Oauth library
6e17311 
This changes the Google OAuth library which is in maintainance mode with
a supported library (nimbusds via pac4j)

The library requires that the Issuer is set to enforce security and
there is no option to disable this requirement as it is mandated in the
specificiation.  As such users must first update to 4.355.v3a_fb_fca_b_96d4
to set the Issuer before updating to this version.

fixes: jenkinsci#313
@PereBueno
[JENKINS-73849] added validations for ssl & token verification disabling
76a9620
@PereBueno
[JENKINS-73849] testing the feature
176faeb
@PereBueno
assertThat instead of assertTrue
e73b6dc
@jtnord
Replace EOL Google Oauth library
d7120c5 
This changes the Google OAuth library which is in maintainance mode with
a supported library (nimbusds via pac4j)

The library requires that the Issuer is set to enforce security and
there is no option to disable this requirement as it is mandated in the
specificiation.  As such users must first update to 4.355.v3a_fb_fca_b_96d4
to set the Issuer before updating to this version.

fixes: jenkinsci#313
@PereBueno
Merge branch 'pac4j' into JENKINS_73849
b4c8f53
@PereBueno
Merge branch 'pac4j' into JENKINS_73849
f435249
@PereBueno
[JENKINS-73849] switching IllegalArgumentException to FormException
7b82fa7
@PereBueno
removign duplicate field and validation
cc81f1a
@PereBueno
fixing help message
1200523
@PereBueno
Merge branch 'pac4j' into JENKINS_73849
19efd25
@PereBueno
removing merge dummy changes
6e8c9c6
@PereBueno
Merge branch 'JENKINS_73849' of https://github.com/PereBueno/oic-auth…
82f820c 
…-plugin into JENKINS_73849
@PereBueno
removing unused code
6f51117
@PereBueno
blanks
a79e93f
@PereBueno @fcojfernandez
Update src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
5231bc9 
Co-authored-by: Francisco Javier Fernandez <[email protected]>
@PereBueno PereBueno requested a review from a team as a code owner October 11, 2024 08:16
@PereBueno PereBueno mentioned this pull request Oct 11, 2024
Closed
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 11, 2024
View reviewed changes
src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
@@ -1371,6 +1390,22 @@
return this.doCheckFieldName(tokenFieldToCheckKey, FormValidation.ok());
}

@RequirePOST
public FormValidation doCheckDisableSslVerification(@QueryParameter Boolean disableSslVerification) {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in DescriptorImpl#doCheckDisableSslVerification
src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
}

@RequirePOST
public FormValidation doCheckDisableTokenVerification(@QueryParameter Boolean disableTokenVerification) {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in DescriptorImpl#doCheckDisableTokenVerification
@codecov Codecov
Copy link

codecov bot commented Oct 11, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 77.77778% with 4 lines in your changes missing coverage. Please review.

Project coverage is 71.88%. Comparing base (f8230ef) to head (e42a99f).
Report is 6 commits behind head on master.

Files with missing lines Patch % Lines
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java 77.77% 1 Missing and 3 partials ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##             master     #423      +/-   ##
============================================
- Coverage     71.91%   71.88%   -0.03%     
- Complexity      199      206       +7     
============================================
  Files            16       16              
  Lines           883      900      +17     
  Branches        120      126       +6     
============================================
+ Hits            635      647      +12     
- Misses          185      186       +1     
- Partials         63       67       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

olamy
olamy previously approved these changes Oct 11, 2024
View reviewed changes
@PereBueno PereBueno requested a review from olamy October 11, 2024 09:51
olamy
olamy previously approved these changes Oct 11, 2024
View reviewed changes
Copy link
Member

@olamy olamy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah codecov happy lol 😂

@PereBueno PereBueno changed the title JENKINS-73849 JENKINS-73849 Don't allow disabling SSL or token validation when in FIPS mode Oct 11, 2024
@jtnord jtnord changed the title JENKINS-73849 Don't allow disabling SSL or token validation when in FIPS mode [JENKINS-73849] [JEP-237] remove the ability to disable SSL and token validation in FIPS mode Oct 11, 2024
@jtnord jtnord changed the base branch from master to dependabot/maven/master/com.puppycrawl.tools-checkstyle-10.18.2 October 11, 2024 10:34
@jtnord jtnord changed the base branch from dependabot/maven/master/com.puppycrawl.tools-checkstyle-10.18.2 to master October 11, 2024 10:34
@jtnord jtnord dismissed olamy’s stale review October 11, 2024 10:34

The base branch was changed.

jtnord
jtnord reviewed Oct 11, 2024
View reviewed changes
src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java
@@ -65,20 +66,20 @@ public void testAuthenticate_withUsernamePasswordAuthenticationToken() throws Ex
}

@Test
public void testGetAuthenticationGatewayUrl() throws IOException {
public void testGetAuthenticationGatewayUrl() throws IOException, Descriptor.FormException {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: generally for test methods I would just use throws Exception to reduce any maintenance burden

@jtnord jtnord added the chore label Oct 11, 2024
@jtnord jtnord merged commit 51d456d into jenkinsci:master Oct 11, 2024
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtnord jtnord jtnord approved these changes

@olamy olamy olamy left review comments

Assignees
No one assigned
Labels
chore
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@PereBueno @olamy @jtnord