Replace EOL Google Oauth library

This changes the Google OAuth library which is in maintainance mode with a supported library (nimbusds via pac4j) The library requires that the Issuer is set to enforce security and there is no option to disable this requirement as it is mandated in the specificiation. As such users must first update to 4.355.v3a_fb_fca_b_96d4 to set the Issuer before updating to this version. fixes: jenkinsci#313
jtnord · Oct 4, 2024 · 60fc090 · 60fc090
1 parent d4eba97
commit 60fc090
Show file tree

Hide file tree

Showing 35 changed files with 1,001 additions and 2,017 deletions.
diff --git a/pom.xml b/pom.xml
@@ -45,21 +45,85 @@
     <revision>4</revision>
     <changelist>999999-SNAPSHOT</changelist>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
+    <!-- update the jenkins-bom version when updating -->
     <jenkins.version>2.426.3</jenkins.version>
     <spotless.check.skip>false</spotless.check.skip>
     <spotbugs.effort>Max</spotbugs.effort>
     <configuration-as-code.version>1836.vccda_4a_122a_a_e</configuration-as-code.version>
-    <hpi.compatibleSinceVersion>4.347</hpi.compatibleSinceVersion>
+    <hpi.compatibleSinceVersion>4.364</hpi.compatibleSinceVersion>
+    <!-- latest 5.x as 6 uses java 17 -->
+    <pac4jVersion>5.7.5</pac4jVersion>
   </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.jenkins.tools.bom</groupId>
+        <artifactId>bom-2.426.x</artifactId>
+        <version>3208.vb_21177d4b_cd9</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <!-- do not exlude the annotations so we can benifit from spotbugs checks but set the to provided so we do not bundle them -->
+        <groupId>com.github.stephenc.jcip</groupId>
+        <artifactId>jcip-annotations</artifactId>
+        <scope>provided</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
-      <groupId>com.google.http-client</groupId>
-      <artifactId>google-http-client</artifactId>
-      <version>1.45.0</version>
+      <groupId>io.burt</groupId>
+      <artifactId>jmespath-core</artifactId>
+      <version>0.6.0</version>
+    </dependency>
+    <dependency>
+      <groupId>io.jenkins.plugins</groupId>
+      <artifactId>asm-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>jackson2-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>mailer</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.pac4j</groupId>
+      <!-- replace with pac4j-jakartaee when we use a Jenkins version with jakartaee -->
+      <artifactId>pac4j-javaee</artifactId>
+      <version>${pac4jVersion}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.google.guava</groupId>
+          <artifactId>guava</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from asm-api plugin -->
+          <groupId>org.ow2.asm</groupId>
+          <artifactId>asm</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from Jenkins core -->
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-api</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.pac4j</groupId>
+      <artifactId>pac4j-oidc</artifactId>
+      <version>${pac4jVersion}</version>
+      <!-- java 11 compatability-->
       <exclusions>
         <exclusion>
-          <groupId>com.google.errorprone</groupId>
-          <artifactId>error_prone_annotations</artifactId>
+          <!-- consume from jackson2-api plugin -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
         </exclusion>
         <exclusion>
           <groupId>com.google.guava</groupId>
@@ -68,42 +132,26 @@
       </exclusions>
     </dependency>
     <dependency>
-      <groupId>com.google.http-client</groupId>
-      <artifactId>google-http-client-gson</artifactId>
-      <version>1.45.0</version>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.11.0</version>
+      <scope>test</scope>
     </dependency>
-    <!-- see build plugin unpack -->
     <dependency>
       <groupId>com.google.oauth-client</groupId>
       <artifactId>google-oauth-client</artifactId>
       <version>1.36.0</version>
+      <scope>test</scope>
       <exclusions>
         <exclusion>
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
-    <dependency>
-      <groupId>io.burt</groupId>
-      <artifactId>jmespath-core</artifactId>
-      <version>0.6.0</version>
-    </dependency>
-    <dependency>
-      <groupId>org.jenkins-ci.plugins</groupId>
-      <artifactId>mailer</artifactId>
-      <version>448.v5b_97805e3767</version>
-    </dependency>
-    <dependency>
-      <groupId>com.github.tomakehurst</groupId>
-      <artifactId>wiremock-standalone</artifactId>
-      <version>2.27.2</version>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <groupId>io.jenkins.configuration-as-code</groupId>
       <artifactId>test-harness</artifactId>
-      <version>${configuration-as-code.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -122,6 +170,12 @@
       <artifactId>mockito-junit-jupiter</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.wiremock</groupId>
+      <artifactId>wiremock-standalone</artifactId>
+      <version>3.9.1</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <repositories>

diff --git a/src/main/java/org/jenkinsci/plugins/oic/AnythingGoesTokenValidator.java b/src/main/java/org/jenkinsci/plugins/oic/AnythingGoesTokenValidator.java
@@ -0,0 +1,70 @@
+package org.jenkinsci.plugins.oic;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.id.Issuer;
+import com.nimbusds.openid.connect.sdk.Nonce;
+import com.nimbusds.openid.connect.sdk.SubjectType;
+import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.pac4j.core.exception.TechnicalException;
+import org.pac4j.oidc.config.OidcConfiguration;
+import org.pac4j.oidc.profile.creator.TokenValidator;
+
+public class AnythingGoesTokenValidator extends TokenValidator {
+
+    public static final Logger LOGGER = Logger.getLogger(AnythingGoesTokenValidator.class.getName());
+
+    public AnythingGoesTokenValidator() {
+        super(createFakeOidcConfiguration());
+    }
+
+    @Override
+    public IDTokenClaimsSet validate(final JWT idToken, final Nonce expectedNonce) {
+        // validation is disabled, so everything is valid.
+        try {
+            return new IDTokenClaimsSet(idToken.getJWTClaimsSet());
+        } catch (ParseException | java.text.ParseException e) {
+            LOGGER.log(
+                    Level.WARNING,
+                    "Token validation is disabled, but the token is corrupt and claims will not be represted.",
+                    e);
+            try {
+                return new IDTokenClaimsSet(new JWTClaimsSet.Builder().build());
+            } catch (ParseException e1) {
+                throw new TechnicalException("could not create and empty IDTokenClaimsSet");
+            }
+        }
+    }
+
+    /**
+     * Annoyingly the super class needs an OidcConfiguration with some values set,
+     * which if we are not validating we may not actually have (e.g. jwks_url).
+     * So we need a configuration with this set just so the validator can say "this is valid".
+     */
+    private static OidcConfiguration createFakeOidcConfiguration() {
+        try {
+            OidcConfiguration config = new OidcConfiguration();
+            config.setClientId("ignored");
+            config.setSecret("ignored");
+            OIDCProviderMetadata providerMetadata = new OIDCProviderMetadata(
+                    new Issuer("http://ignored"), List.of(SubjectType.PUBLIC), new URI("http://ignored.and.invalid./"));
+            providerMetadata.setIDTokenJWSAlgs(List.of(JWSAlgorithm.HS256));
+            config.setProviderMetadata(providerMetadata);
+            config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
+            config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
+            return config;
+        } catch (URISyntaxException e) {
+            // should never happen the urls we are using are valid
+            throw new IllegalStateException(e);
+        }
+    }
+}
diff --git a/src/main/java/org/jenkinsci/plugins/oic/JenkinsAwareConnectionFactory.java b/src/main/java/org/jenkinsci/plugins/oic/JenkinsAwareConnectionFactory.java
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicCrumbExclusion.java b/src/main/java/org/jenkinsci/plugins/oic/OicCrumbExclusion.java
@@ -11,7 +11,7 @@
 import jenkins.model.Jenkins;
 
 /**
- * Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest)}
+ * Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest, org.kohsuke.stapler.StaplerResponse)}
  */
 @Extension
 public class OicCrumbExclusion extends CrumbExclusion {

diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicJsonWebTokenVerifier.java b/src/main/java/org/jenkinsci/plugins/oic/OicJsonWebTokenVerifier.java