[JENKINS-75056] Upgrade pac4j to version 6.1.0 #491

Closed
27 commits
2b6c31c
Bump pac4j to 6.x (Compilation only)
fcojfernandez Oct 8, 2024
dccb09f
TokenValidator properly set
fcojfernandez Oct 9, 2024
021db2a
Merge branch 'pac4j' into pac4j-upgrade
fcojfernandez Oct 9, 2024
de0b8d6
Compilation error after merging
fcojfernandez Oct 9, 2024
6d610a2
set always opMetadataResolver
fcojfernandez Oct 9, 2024
03baf3c
Use of StaticOidcOpMetadataResolver
fcojfernandez Oct 10, 2024
1754238
doCommenceLogin
fcojfernandez Oct 10, 2024
1ee4af1
doFinishLogin
fcojfernandez Oct 10, 2024
431b3fc
Merge branch 'pac4j' into pac4j-upgrade
fcojfernandez Oct 10, 2024
f14393f
Merge branch 'master' into pac4j-upgrade
fcojfernandez Oct 15, 2024
d6d3f21
Do not use default hostname verifier and SSL socket factory when TLS …
fcojfernandez Oct 15, 2024
121bd17
Refactor credentials
fcojfernandez Oct 16, 2024
3c2260f
Update .gitignore
fcojfernandez Oct 18, 2024
36391ab
Merge branch 'master' into pac4j-upgrade
fcojfernandez Oct 25, 2024
6792218
[JENKINS-75056] pac4j upgrade in pom
pankajy-dev Dec 20, 2024
68da1d3
[JENKINS-75056] Resolve merge conflicts
pankajy-dev Dec 20, 2024
19b6ce1
[JENKINS-75056] Spotless fix and code refactor
pankajy-dev Dec 20, 2024
5e2f1ed
[JENKINS-75056] spotless and use variable for version in pom
pankajy-dev Dec 23, 2024
13c0099
[JENKINS-75056] Excluded the libraries coming from other dependencies…
pankajy-dev Dec 23, 2024
9d733bd
Update src/main/java/org/jenkinsci/plugins/oic/OicdPluginOpMetadataRe…
pankajy-dev Dec 23, 2024
fe936f1
[JENKINS-75056] Code review changes
pankajy-dev Dec 24, 2024
bd97393
[JENKINS-75056] Remove unused properties
pankajy-dev Jan 2, 2025
8c01f81
Merge branch 'master' into jenkins-75056-pac4j-upgrade-6.1.0
pankajy-dev Jan 2, 2025
d07602c
[JENKINS-75056] Update maven version in the CI
pankajy-dev Jan 2, 2025
51ca040
Merge branch 'master' into jenkins-75056-pac4j-upgrade-6.1.0
pankajy-dev Jan 8, 2025
de69f90
[JENKINS-75056] Update comment to fix attach-javadoc maven goal
pankajy-dev Jan 8, 2025
7076e2f
Revert the change that was done mistakenly.
pankajy-dev Jan 8, 2025
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -45,4 +45,4 @@ jobs:
uses: codecov/codecov-action@v5
with:
token: ${{secrets.CODECOV_TOKEN}}
file: ./target/site/jacoco/jacoco.xml
file: ./target/site/jacoco/jacoco.xml
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -8,3 +8,6 @@ target/
/.apt_generated/

.*.swp

work-cognito/
work-keycloak/
34 changes: 20 additions & 14 deletions pom.xml
Expand Up @@ -52,7 +52,7 @@
<configuration-as-code.version>1836.vccda_4a_122a_a_e</configuration-as-code.version>
<hpi.compatibleSinceVersion>4.383</hpi.compatibleSinceVersion>
<!-- latest 5.x as 6 uses java 17 -->
<pac4jVersion>5.7.7</pac4jVersion>
<pac4jVersion>6.1.0</pac4jVersion>
</properties>

<dependencyManagement>
Expand All @@ -64,16 +64,6 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<!--
Let's use a FIPS compliant version of nimbus-jose-jwt
TODO Remove when pac4j includes this version or a newer one
-->
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>9.48</version>
</dependency>
<!-- end -->
<dependency>
<!-- do not exlude the annotations so we can benifit from spotbugs checks but set the to provided so we do not bundle them -->
<groupId>com.github.stephenc.jcip</groupId>
Expand Down Expand Up @@ -104,10 +94,17 @@

<dependency>
<groupId>org.pac4j</groupId>
<!-- replace with pac4j-jakartaee when we use a Jenkins version with jakartaee -->
<artifactId>pac4j-javaee</artifactId>
<artifactId>pac4j-jakartaee</artifactId>
<version>${pac4jVersion}</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</exclusion>
<exclusion>
<groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-jsr310</artifactId>
</exclusion>
<exclusion>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
Expand Down Expand Up @@ -140,8 +137,18 @@
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-jcl</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- TODO remove spring version, it will come from the core -->

<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
Expand Down Expand Up @@ -303,5 +310,4 @@
</plugin>
</plugins>
</build>

</project>
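Review bot: The comment `<!-- latest 5.x as 6 uses java 17 -->` in the first hunk is kept above the new `<pac4jVersion>6.1.0</pac4jVersion>`, so it now contradicts the value it annotates; drop it or replace it with the current reason, e.g. `<!-- pac4j 6.x requires Java 17 -->`. The second hunk removes the `nimbus-jose-jwt` 9.48 override whose own comment described it as a FIPS-compliant pin to be dropped once pac4j pulled in that version or newer, but nothing on the page shows which nimbus-jose-jwt version pac4j 6.1.0 resolves to, so it is worth confirming it is at least 9.48 and recording that in the PR before the pin goes. The new jackson-databind / jackson-datatype-jsr310 and spring-core / spring-jcl exclusions carry no comment on where those libraries are expected to come from instead (presumably Jenkins core or a plugin dependency); a one-line comment per exclusion group, like the existing one on jcip, would spare the next upgrade the same guess.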
Expand Up @@ -24,7 +24,7 @@ public class AnythingGoesTokenValidator extends TokenValidator {
public static final Logger LOGGER = Logger.getLogger(AnythingGoesTokenValidator.class.getName());

public AnythingGoesTokenValidator() {
super(createFakeOidcConfiguration());
super(createFakeOidcConfiguration(), createFakeProviderMetadata());
}

@Override
Expand All @@ -51,17 +51,25 @@ public IDTokenClaimsSet validate(final JWT idToken, final Nonce expectedNonce) {
* So we need a configuration with this set just so the validator can say "this is valid".
*/
private static OidcConfiguration createFakeOidcConfiguration() {
OidcConfiguration config = new OidcConfiguration();
config.setClientId("ignored");
config.setSecret("ignored");
config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
return config;
}

/**
* Annoyingly the super class needs an OIDCProviderMetadata with some values set,
* which if we are not validating we may not actually have (e.g. jwks_url).
* So we need a metadata provider with this set just so the validator can say "this is valid".
*/
private static OIDCProviderMetadata createFakeProviderMetadata() {
try {
OidcConfiguration config = new OidcConfiguration();
config.setClientId("ignored");
config.setSecret("ignored");
OIDCProviderMetadata providerMetadata = new OIDCProviderMetadata(
new Issuer("http://ignored"), List.of(SubjectType.PUBLIC), new URI("http://ignored.and.invalid./"));
providerMetadata.setIDTokenJWSAlgs(List.of(JWSAlgorithm.HS256));
config.setProviderMetadata(providerMetadata);
config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
return config;
return providerMetadata;
} catch (URISyntaxException e) {
// should never happen the urls we are using are valid
throw new IllegalStateException(e);
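Review bot: HS256 is now hard-coded twice in the second hunk, as the preferred algorithm in `createFakeOidcConfiguration` (`config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);`) and as the metadata's ID-token algorithm list in `createFakeProviderMetadata` (`providerMetadata.setIDTokenJWSAlgs(List.of(JWSAlgorithm.HS256));`); since the constructor hands both objects to the superclass they presumably have to agree, so a single `private static final JWSAlgorithm FAKE_ALG = JWSAlgorithm.HS256;` used in both places would make that invariant explicit. The new javadoc says "metadata provider" where the type is provider metadata; `* So we need provider metadata with this set just so the validator can say "this is valid".` reads correctly. Both helpers are described as placeholders that only let the superclass construct, so it would help readers to state once, in the class javadoc outside this hunk, that the fake issuer, secret and algorithm values play no part in token validation, if that is what the overridden `validate` guarantees. The hunk is complete, but the closing of `createFakeProviderMetadata` and the rest of the class are outside it.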
Expand Up @@ -39,6 +39,9 @@ public void configureHttpRequest(HTTPRequest request) {
}
}
request.setProxy(proxy);
// super class will configure the hostname verifier and the SSL socket factory and the default values in case
// the config object doesn't have those values must be overrriden in case the disableTLS is true
super.configureHttpRequest(request);
if (disableTLS) {
request.setHostnameVerifier(IgnoringHostNameVerifier.INSTANCE);
try {
Expand All @@ -47,6 +50,5 @@ public void configureHttpRequest(HTTPRequest request) {
throw new IllegalStateException("could not configure the SSLFactory, this should not be possible", e);
}
}
super.configureHttpRequest(request);
}
}
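Review bot: The two-line comment added before `super.configureHttpRequest(request);` in the first hunk has a typo (`overrriden`) and is one run-on sentence, which obscures the ordering rule it exists to record; suggested wording: `// The super class sets the hostname verifier and SSL socket factory from the configuration, or to defaults when the configuration has none. Call it first so the disableTLS overrides below are not replaced by those defaults.` Because the block after it deliberately installs `IgnoringHostNameVerifier.INSTANCE`, the overrides only take effect thanks to that call order, and the comment is currently the only thing protecting it from a future reorder; a unit test asserting the verifier on the request after `configureHttpRequest` with `disableTLS` set would protect it better. I cannot see whether the `disableTLS` path already logs a warning where the flag is set; if it does not, emitting one here would make a deployment that disables certificate checking visible in the Jenkins log. The method's signature and the proxy setup precede the first hunk, and the second hunk only removes the old trailing `super` call.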
Expand Up @@ -2,11 +2,11 @@

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
* Excluding the escapeHatch login from CSRF protection as the crumb is calculated based on the authentication
10 changes: 5 additions & 5 deletions src/main/java/org/jenkinsci/plugins/oic/OicCrumbExclusion.java
Expand Up @@ -3,15 +3,15 @@
import hudson.Extension;
import hudson.security.SecurityRealm;
import hudson.security.csrf.CrumbExclusion;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;

/**
* Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest, org.kohsuke.stapler.StaplerResponse)}
* Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest2, org.kohsuke.stapler.StaplerResponse2)}
*/
@Extension
public class OicCrumbExclusion extends CrumbExclusion {