Upgrade to pac4j 6.x and migrate to EE 9 (#455)

Co-authored-by: Francisco Javier Fernandez <31063239+fcojfernandez@users.noreply.github.com>
jenkinsci · Jan 10, 2025 · 2849bd3 · 2849bd3
1 parent 714a976
commit 2849bd3
Show file tree

Hide file tree

Showing 13 changed files with 179 additions and 109 deletions.
diff --git a/pom.xml b/pom.xml
@@ -49,10 +49,8 @@
     <jenkins.version>${jenkins.baseline}.1</jenkins.version>
     <spotless.check.skip>false</spotless.check.skip>
     <spotbugs.effort>Max</spotbugs.effort>
-    <configuration-as-code.version>1836.vccda_4a_122a_a_e</configuration-as-code.version>
     <hpi.compatibleSinceVersion>4.383</hpi.compatibleSinceVersion>
-    <!-- latest 5.x as 6 uses java 17 -->
-    <pac4jVersion>5.7.7</pac4jVersion>
+    <pac4jVersion>6.1.0</pac4jVersion>
   </properties>
 
   <dependencyManagement>
@@ -64,16 +62,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <!--
-      Let's use a FIPS compliant version of nimbus-jose-jwt
-      TODO Remove when pac4j includes this version or a newer one
-      -->
-      <dependency>
-        <groupId>com.nimbusds</groupId>
-        <artifactId>nimbus-jose-jwt</artifactId>
-        <version>9.48</version>
-      </dependency>
-      <!-- end -->
       <dependency>
         <!-- do not exlude the annotations so we can benifit from spotbugs checks but set the to provided so we do not bundle them -->
         <groupId>com.github.stephenc.jcip</groupId>
@@ -93,6 +81,14 @@
       <groupId>io.jenkins.plugins</groupId>
       <artifactId>asm-api</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.jenkins.plugins</groupId>
+      <artifactId>commons-lang3-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.jenkins.plugins</groupId>
+      <artifactId>commons-text-api</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>jackson2-api</artifactId>
@@ -104,13 +100,33 @@
 
     <dependency>
       <groupId>org.pac4j</groupId>
-      <!-- replace with pac4j-jakartaee when we use a Jenkins version with jakartaee -->
-      <artifactId>pac4j-javaee</artifactId>
+      <artifactId>pac4j-jakartaee</artifactId>
       <version>${pac4jVersion}</version>
       <exclusions>
         <exclusion>
-          <groupId>com.google.guava</groupId>
-          <artifactId>guava</artifactId>
+          <!-- consume from jackson2-api plugin -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-annotations</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from jackson2-api plugin -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from jackson2-api plugin -->
+          <groupId>com.fasterxml.jackson.datatype</groupId>
+          <artifactId>jackson-datatype-jsr310</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from commons-lang3-api plugin -->
+          <groupId>org.apache.commons</groupId>
+          <artifactId>commons-lang3</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from commons-text-api plugin -->
+          <groupId>org.apache.commons</groupId>
+          <artifactId>commons-text</artifactId>
         </exclusion>
         <exclusion>
           <!-- consume from asm-api plugin -->
@@ -128,8 +144,12 @@
       <groupId>org.pac4j</groupId>
       <artifactId>pac4j-oidc</artifactId>
       <version>${pac4jVersion}</version>
-      <!-- java 11 compatability-->
       <exclusions>
+        <exclusion>
+          <!-- consume from jackson2-api plugin -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
         <exclusion>
           <!-- consume from jackson2-api plugin -->
           <groupId>com.fasterxml.jackson.core</groupId>
@@ -140,6 +160,16 @@
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
         </exclusion>
+        <exclusion>
+          <!-- consume from commons-text-api plugin -->
+          <groupId>commons-text</groupId>
+          <artifactId>commons-text</artifactId>
+        </exclusion>
+        <exclusion>
+          <!-- consume from Jenkins core -->
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-api</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>

diff --git a/src/main/java/org/jenkinsci/plugins/oic/AnythingGoesTokenValidator.java b/src/main/java/org/jenkinsci/plugins/oic/AnythingGoesTokenValidator.java
@@ -17,14 +17,20 @@
 import java.util.logging.Logger;
 import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.oidc.config.OidcConfiguration;
+import org.pac4j.oidc.metadata.OidcOpMetadataResolver;
+import org.pac4j.oidc.metadata.StaticOidcOpMetadataResolver;
 import org.pac4j.oidc.profile.creator.TokenValidator;
 
 public class AnythingGoesTokenValidator extends TokenValidator {
 
     public static final Logger LOGGER = Logger.getLogger(AnythingGoesTokenValidator.class.getName());
 
     public AnythingGoesTokenValidator() {
-        super(createFakeOidcConfiguration());
+        this(createFakeOidcProviderMetadata());
+    }
+
+    public AnythingGoesTokenValidator(OIDCProviderMetadata metadata) {
+        super(createFakeOidcConfiguration(metadata), metadata);
     }
 
     @Override
@@ -50,18 +56,23 @@ public IDTokenClaimsSet validate(final JWT idToken, final Nonce expectedNonce) {
      * which if we are not validating we may not actually have (e.g. jwks_url).
      * So we need a configuration with this set just so the validator can say "this is valid".
      */
-    private static OidcConfiguration createFakeOidcConfiguration() {
+    private static OidcConfiguration createFakeOidcConfiguration(OIDCProviderMetadata metadata) {
+        OidcConfiguration config = new OidcConfiguration();
+        config.setClientId("ignored");
+        config.setSecret("ignored");
+        OidcOpMetadataResolver opMetadataResolver = new StaticOidcOpMetadataResolver(config, metadata);
+        config.setOpMetadataResolver(opMetadataResolver);
+        config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
+        config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
+        return config;
+    }
+
+    private static OIDCProviderMetadata createFakeOidcProviderMetadata() {
         try {
-            OidcConfiguration config = new OidcConfiguration();
-            config.setClientId("ignored");
-            config.setSecret("ignored");
             OIDCProviderMetadata providerMetadata = new OIDCProviderMetadata(
                     new Issuer("http://ignored"), List.of(SubjectType.PUBLIC), new URI("http://ignored.and.invalid./"));
             providerMetadata.setIDTokenJWSAlgs(List.of(JWSAlgorithm.HS256));
-            config.setProviderMetadata(providerMetadata);
-            config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
-            config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
-            return config;
+            return providerMetadata;
         } catch (URISyntaxException e) {
             // should never happen the urls we are using are valid
             throw new IllegalStateException(e);

diff --git a/src/main/java/org/jenkinsci/plugins/oic/CustomOidcConfiguration.java b/src/main/java/org/jenkinsci/plugins/oic/CustomOidcConfiguration.java
@@ -30,6 +30,7 @@ class CustomOidcConfiguration extends OidcConfiguration {
 
     @Override
     public void configureHttpRequest(HTTPRequest request) {
+        super.configureHttpRequest(request);
         Proxy proxy = null;
         Jenkins jenkins = Jenkins.getInstanceOrNull();
         if (jenkins != null) { // unit tests
@@ -47,6 +48,5 @@ public void configureHttpRequest(HTTPRequest request) {
                 throw new IllegalStateException("could not configure the SSLFactory, this should not be possible", e);
             }
         }
-        super.configureHttpRequest(request);
     }
 }
diff --git a/src/main/java/org/jenkinsci/plugins/oic/EscapeHatchCrumbExclusion.java b/src/main/java/org/jenkinsci/plugins/oic/EscapeHatchCrumbExclusion.java
@@ -2,11 +2,11 @@
 
 import hudson.Extension;
 import hudson.security.csrf.CrumbExclusion;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
 /**
  * Excluding the escapeHatch login from CSRF protection as the crumb is calculated based on the authentication

diff --git a/src/main/java/org/jenkinsci/plugins/oic/FailedCheckOfTokenException.java b/src/main/java/org/jenkinsci/plugins/oic/FailedCheckOfTokenException.java
@@ -1,11 +1,11 @@
 package org.jenkinsci.plugins.oic;
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
+import jakarta.servlet.ServletException;
 import java.io.IOException;
-import javax.servlet.ServletException;
 import org.kohsuke.stapler.HttpResponse;
-import org.kohsuke.stapler.StaplerRequest;
-import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
 
 /**
  * Exception to be thrown when the received ID Token did not pass the expected check.
@@ -26,7 +26,7 @@ public String getIdpLogoutUrl() {
     }
 
     @Override
-    public void generateResponse(StaplerRequest req, StaplerResponse rsp, Object node)
+    public void generateResponse(StaplerRequest2 req, StaplerResponse2 rsp, Object node)
             throws IOException, ServletException {
         req.getView(this, "error").forward(req, rsp);
     }

diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicCredentials.java b/src/main/java/org/jenkinsci/plugins/oic/OicCredentials.java
@@ -10,7 +10,7 @@
 import java.io.Serializable;
 import net.sf.json.JSONObject;
 import org.jenkinsci.Symbol;
-import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.StaplerRequest2;
 
 public class OicCredentials extends UserProperty implements Serializable {
     static final String PROPERTY_NAME = "oicCredentials";
@@ -23,7 +23,7 @@ public class OicCredentials extends UserProperty implements Serializable {
     private final Long expiresAtMillis;
 
     @Override
-    public UserProperty reconfigure(StaplerRequest req, JSONObject form) throws Descriptor.FormException {
+    public UserProperty reconfigure(StaplerRequest2 req, JSONObject form) throws Descriptor.FormException {
         req.bindJSON(this, form);
         return this;
     }

diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicCrumbExclusion.java b/src/main/java/org/jenkinsci/plugins/oic/OicCrumbExclusion.java
@@ -3,15 +3,15 @@
 import hudson.Extension;
 import hudson.security.SecurityRealm;
 import hudson.security.csrf.CrumbExclusion;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import jenkins.model.Jenkins;
 
 /**
- * Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest, org.kohsuke.stapler.StaplerResponse)}
+ * Crumb exclusion to allow POSTing to {@link OicSecurityRealm#doFinishLogin(org.kohsuke.stapler.StaplerRequest2, org.kohsuke.stapler.StaplerResponse2)}
  */
 @Extension
 public class OicCrumbExclusion extends CrumbExclusion {