Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-73408] Ensure keys are FIPS compliant when running in FIPS mode, core requirement bump to 2.426.3 #210

Merged
merged 27 commits into from
Jul 23, 2024
Merged

[JENKINS-73408] Ensure keys are FIPS compliant when running in FIPS mode, core requirement bump to 2.426.3 #210

merged 27 commits into from
Jul 23, 2024

Conversation

PereBueno
Copy link
Contributor

@PereBueno PereBueno commented Jul 8, 2024
edited
Loading

https://issues.jenkins.io/browse/JENKINS-73408
Added checks to make sure provided SSH keys are accepted for FIPS 140.2.
Change should be transparent if not running in FIPS mode.
When provided key is not compliant an exception will be logged and thrown. Checks are done in the constructor and in readResolve, so invalid new keys won't be added and existing ones will be removed on startup. This also covers jcasc scenario.
Also, had to bump jenkins version to 2.426.3 as this needs FIPS140.

Form validation has been added, but as https://issues.jenkins.io/browse/JENKINS-73404 is needed for it to work in secretTextArea.

This has an unwanted side effect: creating a credential with an invalid key in FIPS mode will show an angry jenkins (and obviously, credential won't be saved). Validation was added to at least inform the user saving won't be right.

Testing done

Added 3 unit tests.
Also, tested manually, behaviour is the expected.
Attaching snapshots of form validation (won't be appearing after moving back to secretTextArea). Updated just one snapshot, when there's an original exception (normally raised by bouncycastle) we're attaching the original exception to formvalidation results.
image
image
image
image

image

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@PereBueno PereBueno marked this pull request as ready for review July 9, 2024 15:00
@PereBueno PereBueno requested a review from a team as a code owner July 9, 2024 15:00
@jtnord
Copy link
Member

jtnord commented Jul 9, 2024

Form validation was not added as https://issues.jenkins.io/browse/JENKINS-73404 is needed for that

Can you add the FormValidation as if it did work (ie the upstream bugs where not present). You can test the basis of this by temproarily swapping the secretTextarea to a Textarea.

This means the validation would then "Just work" when run on a core with fixes and no extra work would be needed.

jtnord
jtnord reviewed Jul 9, 2024
View reviewed changes
Copy link
Member

@jtnord jtnord left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

testing and the bc-fips dependency are conflicting. the BouncyCastleProvider would not be available at all in FIPS mode.

src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Outdated Show resolved Hide resolved
pom.xml Outdated Show resolved Hide resolved
...t/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKeyFIPSTest.java Outdated Show resolved Hide resolved
@PereBueno
Copy link
Contributor Author

testing and the bc-fips dependency are conflicting. the BouncyCastleProvider would not be available at all in FIPS mode.

Removed the test dependency, now using bouncycastle-api only

@PereBueno @fcojfernandez
Update src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/imp…
ad8fbec 
…l/BasicSSHUserPrivateKey.java

Co-authored-by: Francisco Javier Fernandez <31063239+fcojfernandez@users.noreply.github.com>
@PereBueno PereBueno requested a review from jtnord July 11, 2024 12:20
jtnord
jtnord reviewed Jul 12, 2024
View reviewed changes
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Show resolved Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Show resolved Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Outdated Show resolved Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Show resolved Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java Outdated Show resolved Hide resolved
.../plugins/sshcredentials/impl/BasicSSHUserPrivateKey/DirectEntryPrivateKeySource/config.jelly Outdated Show resolved Hide resolved
src/main/resources/com/cloudbees/jenkins/plugins/sshcredentials/impl/Messages.properties Show resolved Hide resolved
@PereBueno @jtnord
Update src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/imp…
bdce55b 
…l/BasicSSHUserPrivateKey.java

Co-authored-by: James Nord <jtnord@users.noreply.github.com>
@PereBueno PereBueno requested a review from jtnord July 17, 2024 13:56
@olamy olamy changed the title [JENKINS-73408] Ensure keys are FIPS compliant when running in FIPS mode [JENKINS-73408] Ensure keys are FIPS compliant when running in FIPS mode, core requirement bump to 2.426.3 Jul 23, 2024
@olamy olamy merged commit b5a52ed into jenkinsci:master Jul 23, 2024
15 checks passed
@basil
Copy link
Member

basil commented Jul 23, 2024 

diff --git a/pom.xml b/pom.xml
index 831b562..7d58ca5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -92,8 +92,8 @@
     <dependencies>
       <dependency>
         <groupId>io.jenkins.tools.bom</groupId>
-        <artifactId>bom-2.387.x</artifactId>
-        <version>2543.vfb_1a_5fb_9496d</version>
+        <artifactId>bom-2.426.x</artifactId>
+        <version>3208.vb_21177d4b_cd9</version>
         <scope>import</scope>
         <type>pom</type>
       </dependency>
[ERROR] com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKeyFIPSTest.nonCompliantKeysLaunchExceptionTest -- Time elapsed: 2.746 s <<< ERROR!
org.jvnet.hudson.reactor.ReactorException: java.lang.Error: java.lang.reflect.InvocationTargetException
        at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:290)
        at jenkins.InitReactorRunner.run(InitReactorRunner.java:49)
        at jenkins.model.Jenkins.executeReactor(Jenkins.java:1205)
        at jenkins.model.Jenkins.<init>(Jenkins.java:992)
        at hudson.model.Hudson.<init>(Hudson.java:86)
        at org.jvnet.hudson.test.JenkinsRule.newHudson(JenkinsRule.java:746)
        at org.jvnet.hudson.test.JenkinsRule.before(JenkinsRule.java:408)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:649)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.Error: java.lang.reflect.InvocationTargetException
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
        at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
        at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
        at jenkins.model.Jenkins$5.runTask(Jenkins.java:1170)
        at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:221)
        at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:120)
        at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
        ... 9 more
Caused by: java.lang.IllegalStateException: The eddsa-api plugin is not FIPS compliant and can not be used in a Jenkins configured to run in FIPS-140 mode
        at io.jenkins.plugins.eddsa_api.FIPSComplianceCheck.preventUsageInFipsMode(FIPSComplianceCheck.java:15)
        ... 11 more
[ERROR] com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKeyFIPSTest.formValidationTest -- Time elapsed: 0.025 s <<< ERROR!
org.jvnet.hudson.reactor.ReactorException: java.lang.Error: java.lang.reflect.InvocationTargetException
        at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:290)
        at jenkins.InitReactorRunner.run(InitReactorRunner.java:49)
        at jenkins.model.Jenkins.executeReactor(Jenkins.java:1205)
        at jenkins.model.Jenkins.<init>(Jenkins.java:992)
        at hudson.model.Hudson.<init>(Hudson.java:86)
        at org.jvnet.hudson.test.JenkinsRule.newHudson(JenkinsRule.java:746)
        at org.jvnet.hudson.test.JenkinsRule.before(JenkinsRule.java:408)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:649)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.Error: java.lang.reflect.InvocationTargetException
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
        at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
        at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
        at jenkins.model.Jenkins$5.runTask(Jenkins.java:1170)
        at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:221)
        at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:120)
        at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
        ... 9 more
Caused by: java.lang.IllegalStateException: The eddsa-api plugin is not FIPS compliant and can not be used in a Jenkins configured to run in FIPS-140 mode
        at io.jenkins.plugins.eddsa_api.FIPSComplianceCheck.preventUsageInFipsMode(FIPSComplianceCheck.java:15)
        ... 11 more
[ERROR] com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKeyFIPSTest.invalidKeysAreRemovedOnStartupTest -- Time elapsed: 0.039 s <<< ERROR!
org.jvnet.hudson.reactor.ReactorException: java.lang.Error: java.lang.reflect.InvocationTargetException
        at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:290)
        at jenkins.InitReactorRunner.run(InitReactorRunner.java:49)
        at jenkins.model.Jenkins.executeReactor(Jenkins.java:1205)
        at jenkins.model.Jenkins.<init>(Jenkins.java:992)
        at hudson.model.Hudson.<init>(Hudson.java:86)
        at org.jvnet.hudson.test.JenkinsRule.newHudson(JenkinsRule.java:746)
        at org.jvnet.hudson.test.JenkinsRule.before(JenkinsRule.java:408)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:649)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.Error: java.lang.reflect.InvocationTargetException
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
        at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
        at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
        at jenkins.model.Jenkins$5.runTask(Jenkins.java:1170)
        at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:221)
        at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:120)
        at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
        ... 9 more
Caused by: java.lang.IllegalStateException: The eddsa-api plugin is not FIPS compliant and can not be used in a Jenkins configured to run in FIPS-140 mode
        at io.jenkins.plugins.eddsa_api.FIPSComplianceCheck.preventUsageInFipsMode(FIPSComplianceCheck.java:15)
        ... 11 more
[ERROR] com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKeyFIPSTest.invalidKeyIsNotSavedInFIPSModeTest -- Time elapsed: 0.022 s <<< ERROR!
org.jvnet.hudson.reactor.ReactorException: java.lang.Error: java.lang.reflect.InvocationTargetException
        at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:290)
        at jenkins.InitReactorRunner.run(InitReactorRunner.java:49)
        at jenkins.model.Jenkins.executeReactor(Jenkins.java:1205)
        at jenkins.model.Jenkins.<init>(Jenkins.java:992)
        at hudson.model.Hudson.<init>(Hudson.java:86)
        at org.jvnet.hudson.test.JenkinsRule.newHudson(JenkinsRule.java:746)
        at org.jvnet.hudson.test.JenkinsRule.before(JenkinsRule.java:408)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:649)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.Error: java.lang.reflect.InvocationTargetException
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:115)
        at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:185)
        at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
        at jenkins.model.Jenkins$5.runTask(Jenkins.java:1170)
        at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:221)
        at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:120)
        at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        ... 1 more
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:109)
        ... 9 more
Caused by: java.lang.IllegalStateException: The eddsa-api plugin is not FIPS compliant and can not be used in a Jenkins configured to run in FIPS-140 mode
        at io.jenkins.plugins.eddsa_api.FIPSComplianceCheck.preventUsageInFipsMode(FIPSComplianceCheck.java:15)
        ... 11 more

@basil basil mentioned this pull request Jul 23, 2024
Merged
basil
basil reviewed Jul 23, 2024
View reviewed changes
pom.xml
@@ -71,7 +71,7 @@

<properties>
<changelist>999999-SNAPSHOT</changelist>
<jenkins.version>2.387.3</jenkins.version>
<jenkins.version>2.426.3</jenkins.version>
Copy link
Member

@basil basil Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Core bumps should also update the BOM artifactId: #210 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah right. we might need something to check this automatically rather than relying on human check. maybe an enforcer rule could do the job here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

easiest way that is done in a few plugins is to use variables, e.g.:
https://github.com/jenkinsci/junit-plugin/blob/85201a38881e5811c8632b610d8d655f161db103/pom.xml#L18

https://github.com/jenkinsci/junit-plugin/blob/85201a38881e5811c8632b610d8d655f161db103/pom.xml#L194

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#211

@basil basil mentioned this pull request Jul 23, 2024
Closed
timja
timja reviewed Jul 24, 2024
View reviewed changes
...s/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey/credentials.jelly
</f:entry>
<script><![CDATA[
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

new script blocks shouldn't be introduced: https://www.jenkins.io/doc/developer/security/csp/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#211

@PereBueno PereBueno mentioned this pull request Jul 24, 2024
Merged
6 tasks
@timja timja mentioned this pull request Jul 24, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timja timja timja left review comments

@basil basil basil left review comments

@olamy olamy olamy approved these changes

@fcojfernandez fcojfernandez fcojfernandez approved these changes

@jtnord jtnord Awaiting requested review from jtnord

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@PereBueno @jtnord @basil @olamy @timja @fcojfernandez