Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-73849] Adding token and SSL verification disabling check for FIPS #1

Open
wants to merge 16 commits into
base: pac4j
Choose a base branch
from
Open

[JENKINS-73849] Adding token and SSL verification disabling check for FIPS #1

wants to merge 16 commits into from
+206 −16

Conversation

PereBueno
Copy link

When in FIPs mode SSL and token verificaiton can not be disabled.
This change adds a form validation that will warn the user, fails with an IllegalArgumentException if trying to save regardless the warning and checks values on readResolve, in case config file was manually modified.

Testing done

Added 3 tests and checked manually.

### Submitter checklist
- [ ] Make sure you are opening from a **topic/feature/bugfix branch** (right side) and not your main branch!
- [ ] Ensure that the pull request title represents the desired changelog entry
- [ ] Please describe what you did
- [ ] Link to relevant issues in GitHub or Jira
- [ ] Link to relevant pull requests, esp. upstream and downstream changes
- [ ] Ensure you have provided tests - that demonstrates feature works or fixes the issue

jtnord and others added 3 commits September 27, 2024 12:33
@jtnord
Replace EOL Google Oauth library
6e17311 
This changes the Google OAuth library which is in maintainance mode with
a supported library (nimbusds via pac4j)

The library requires that the Issuer is set to enforce security and
there is no option to disable this requirement as it is mandated in the
specificiation.  As such users must first update to 4.355.v3a_fb_fca_b_96d4
to set the Issuer before updating to this version.

fixes: jenkinsci#313
@PereBueno
[JENKINS-73849] added validations for ssl & token verification disabling
76a9620
@PereBueno
[JENKINS-73849] testing the feature
176faeb
@jtnord
Replace EOL Google Oauth library
d7120c5 
This changes the Google OAuth library which is in maintainance mode with
a supported library (nimbusds via pac4j)

The library requires that the Issuer is set to enforce security and
there is no option to disable this requirement as it is mandated in the
specificiation.  As such users must first update to 4.355.v3a_fb_fca_b_96d4
to set the Issuer before updating to this version.

fixes: jenkinsci#313
@jtnord jtnord force-pushed the pac4j branch 7 times, most recently from b6041de to 60fc090 Compare October 4, 2024 12:00
jtnord
jtnord reviewed Oct 8, 2024
View reviewed changes
src/main/java/org/jenkinsci/plugins/oic/OicServerManualConfiguration.java Outdated Show resolved Hide resolved
src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/help-clientSecret.html Outdated
Comment on lines 2 to 4
The Client secret used by jenkins to authenticate itself to the openid connect provider.
Special value "none" can be used to disable client secret (only with client_secret_post authentication).
The Subject Idendifier Type to use as part of the flow with the openid connect provider.
This must be supported by the IdP.
Valid values are <code>public</code> and <code>pairwise</code>.
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this PR is out of date with the target branch (or incorrect merge has been performed?)

src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java Outdated Show resolved Hide resolved
src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java Outdated Show resolved Hide resolved
@PereBueno PereBueno requested a review from jtnord October 9, 2024 09:01
@PereBueno PereBueno mentioned this pull request Oct 9, 2024
Open
6 tasks
@PereBueno @fcojfernandez
Update src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
5231bc9 
Co-authored-by: Francisco Javier Fernandez <31063239+fcojfernandez@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fcojfernandez fcojfernandez fcojfernandez approved these changes

@jtnord jtnord Awaiting requested review from jtnord

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@PereBueno @jtnord @fcojfernandez