jenkinsci · basil · Aug 14, 2024 · Aug 13, 2024 · Aug 13, 2024 · Aug 13, 2024
diff --git a/pom.xml b/pom.xml
@@ -42,7 +42,7 @@
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
 
     <!-- jenkins versions -->
-    <jenkins.version>2.426.3</jenkins.version>
+    <jenkins.version>2.472</jenkins.version>
     <bom.artifactId>bom-2.426.x</bom.artifactId>
     <bom.version>3208.vb_21177d4b_cd9</bom.version>
 
@@ -51,6 +51,9 @@
 
     <spotbugs.effort>Max</spotbugs.effort>
     <spotbugs.threshold>Low</spotbugs.threshold>
+    <!--TODO Until is included in parent pom -->
+    <maven.compiler.release>17</maven.compiler.release>
+    <jenkins-test-harness.version>2250.v03a_1295b_0a_30</jenkins-test-harness.version>
   </properties>
 
   <dependencies>

@@ -1,24 +1,24 @@
 package org.jenkinsci.plugins.kubernetes.credentials;
 
 import com.cloudbees.plugins.credentials.CredentialsScope;
-import org.eclipse.jetty.server.Connector;
-import org.eclipse.jetty.server.HttpConfiguration;
-import org.eclipse.jetty.server.HttpConnectionFactory;
-import org.eclipse.jetty.server.SecureRequestCustomizer;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.ServerConnector;
-import org.eclipse.jetty.server.SslConnectionFactory;
-import org.eclipse.jetty.servlet.ServletContextHandler;
-import org.eclipse.jetty.servlet.ServletHolder;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.jvnet.hudson.test.FlagRule;
 
 import java.io.IOException;
+import java.net.InetSocketAddress;
 import java.net.URL;
+import java.security.KeyStore;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+
+import com.sun.net.httpserver.HttpServer;
+import com.sun.net.httpserver.HttpsConfigurator;
+import com.sun.net.httpserver.HttpsServer;
 
 import static org.junit.Assert.fail;
 
@@ -48,11 +48,7 @@ public abstract class AbstractOpenShiftBearerTokenCredentialFIPSTest {
 
     protected String motivation;
 
-    private Server server;
-
-    private ServerConnector sslConnector;
-
-    private ServerConnector serverConnector;
+    private HttpServer server;
 
 
     public AbstractOpenShiftBearerTokenCredentialFIPSTest(
@@ -68,44 +64,42 @@ public void prepareFakeOAuthServer() throws Exception {
         if (keystore == null) {
             fail("Unable to find keystore.jks");
         }
-        server = new Server();
 
-        HttpConfiguration httpsConfig = new HttpConfiguration();
-        httpsConfig.addCustomizer(new SecureRequestCustomizer());
+        if ("https".equals(scheme)) {
+            server = HttpsServer.create(new InetSocketAddress("localhost", 0), 0);
+            setupHttps((HttpsServer) server);
+            OpenShiftBearerTokenCredentialMockServer.registerHttpHandlers(server);
+        } else {
+            server = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
+            OpenShiftBearerTokenCredentialMockServer.registerHttpHandlers(server);
+        }
 
-        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
-        sslContextFactory.setKeyStorePath(keystore.toExternalForm());
-        sslContextFactory.setKeyManagerPassword("unittest");
-        sslContextFactory.setKeyStorePassword("unittest");
+        server.setExecutor(null); // Creates a default executor
+        server.start();
+    }
 
-        sslConnector = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(httpsConfig));
-        serverConnector = new ServerConnector(server);
-        server.setConnectors(new Connector[]{serverConnector, sslConnector});
+    private void setupHttps(HttpsServer httpsServer) throws Exception {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+        KeyStore ks = KeyStore.getInstance("JKS");
+        ks.load(keystore.openStream(), "unittest".toCharArray());
+        kmf.init(ks, "unittest".toCharArray());
 
-        ServletContextHandler context = new ServletContextHandler();
-        context.setContextPath("/");
-        context.addServlet(new ServletHolder(new MockHttpServlet()), "/*");
-        server.setHandler(context);
-        server.start();
+        sslContext.init(kmf.getKeyManagers(), null, null);
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext));
     }
 
     @After
     public void unprepareFakeOAuthServer() throws Exception {
-        server.stop();
+        server.stop(0);
     }
 
     @Test
     public void ensureFIPSCompliantURIRequest() throws IOException {
         OpenShiftBearerTokenCredentialImpl cred;
         cred = new OpenShiftBearerTokenCredentialImpl(CredentialsScope.GLOBAL, "id", "description", "username", "password");
         try {
-            int port;
-            if ("https".equals(scheme)) {
-                port = sslConnector.getLocalPort();
-            } else {
-                port = serverConnector.getLocalPort();
-            }
-            cred.getToken(scheme + "://localhost:" + port + "/valid-response", null, skipTLSVerify);
+            cred.getToken(scheme + "://localhost:" + server.getAddress().getPort() + "/valid-response", null, skipTLSVerify);
             if (!shouldPass) {
                 fail("This test was expected to fail, reason: " + motivation);
             }

@@ -0,0 +1,109 @@
+package org.jenkinsci.plugins.kubernetes.credentials;
+
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpHandler;
+import com.sun.net.httpserver.HttpServer;
+import com.sun.net.httpserver.HttpsServer;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.function.BiConsumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Author: Nevin Sunny
+ * Date: 13/08/24
+ * Time: 11:24 am
+ */
+public class OpenShiftBearerTokenCredentialMockServer {
+
+	public static void registerHttpHandlers(HttpServer server) throws IOException {
+		BiConsumer<String, HttpHandler> register = server::createContext;
+
+		register.accept("/bad-location/oauth/authorize", OpenShiftBearerTokenCredentialMockServer::badLocationHandler);
+		register.accept(
+				"/missing-location/oauth/authorize", OpenShiftBearerTokenCredentialMockServer::missingLocationHandler);
+		register.accept("/bad-response/oauth/authorize", OpenShiftBearerTokenCredentialMockServer::badResponseHandler);
+		register.accept(
+				"/valid-response/oauth/authorize", OpenShiftBearerTokenCredentialMockServer::validResponseHandler1);
+		register.accept(
+				"/valid-response2/oauth/authorize", OpenShiftBearerTokenCredentialMockServer::validResponseHandler2);
+		register.accept("/", OpenShiftBearerTokenCredentialMockServer::defaultHandler);
+	}
+
+	private static void badLocationHandler(HttpExchange he) throws IOException {
+		String redirectURL = "bad";
+		he.getResponseHeaders().set("Location", redirectURL);
+		he.sendResponseHeaders(302, -1);
+	}
+
+	private static void missingLocationHandler(HttpExchange he) throws IOException {
+		he.sendResponseHeaders(302, -1); // No Location header
+	}
+
+	private static void badResponseHandler(HttpExchange he) throws IOException {
+		he.sendResponseHeaders(400, -1);
+	}
+
+	private static void validResponseHandler1(HttpExchange he) throws IOException {
+		String redirectURL = "http://my-service/#access_token=1234&expires_in=86400";
+		he.getResponseHeaders().set("Location", redirectURL);
+		he.sendResponseHeaders(302, -1);
+	}
+
+	private static void validResponseHandler2(HttpExchange he) throws IOException {
+		String redirectURL = "http://my-service/#access_token=1235&expires_in=86400";
+		he.getResponseHeaders().set("Location", redirectURL);
+		he.sendResponseHeaders(302, -1);
+	}
+
+	private static void defaultHandler(HttpExchange he) throws IOException {
+		String path = he.getRequestURI().getPath();
+		Pattern pattern = Pattern.compile("(.*)/.well-known/oauth-authorization-server");
+		Matcher matcher = pattern.matcher(path);
+
+		String scheme = "http";
+		if (he.getHttpContext().getServer() instanceof HttpsServer) {
+			scheme = "https";
+		}
+
+		String hostname = "localhost";
+		int port = he.getLocalAddress().getPort();
+
+		if (matcher.find()) {
+			String responseToClient = "{\n" + "  \"issuer\": \""
+			                          + scheme + "://" + hostname + ":" + port + "/\",\n" + "  \"authorization_endpoint\": \""
+			                          + scheme + "://" + hostname + ":" + port + matcher.group(1) + "/oauth/authorize\",\n"
+			                          + "  \"token_endpoint\": \""
+			                          + scheme + "://" + hostname + ":" + port + "/oauth/token\",\n" + "  \"scopes_supported\": [\n"
+			                          + "    \"user:check-access\",\n"
+			                          + "    \"user:full\",\n"
+			                          + "    \"user:info\",\n"
+			                          + "    \"user:list-projects\",\n"
+			                          + "    \"user:list-scoped-projects\"\n"
+			                          + "  ],\n"
+			                          + "  \"response_types_supported\": [\n"
+			                          + "    \"code\",\n"
+			                          + "    \"token\"\n"
+			                          + "  ],\n"
+			                          + "  \"grant_types_supported\": [\n"
+			                          + "    \"authorization_code\",\n"
+			                          + "    \"implicit\"\n"
+			                          + "  ],\n"
+			                          + "  \"code_challenge_methods_supported\": [\n"
+			                          + "    \"plain\",\n"
+			                          + "    \"S256\"\n"
+			                          + "  ]\n"
+			                          + "}";
+
+			byte[] responseBytes = responseToClient.getBytes();
+			he.sendResponseHeaders(200, responseBytes.length);
+			try (OutputStream os = he.getResponseBody()) {
+				os.write(responseBytes);
+			}
+		} else {
+			he.sendResponseHeaders(500, -1);
+			he.getResponseBody().write(("Bad test: unknown path " + path).getBytes());
+		}
+	}
+}