Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove FileOnMasterKeyStroreSource and SECURITY-1322 migration #540

Conversation

jtnord
Copy link
Member

@jtnord jtnord commented Jun 21, 2024

It has been 5 years since the security fix was introduced and the migration code occurred.

Whilst an admin could have still (ab)used the CLI/REST to set a FileOnMaster they could not do this from the UI creating a disparity.

This change removes the migration and the ability to use this via CLI/REST

As noted originally and as would be present in the Jenkins logs at INFO level:
SECURITY-1322: Migrating FileOnMasterKeyStoreSource to UploadedKeyStoreSource. The containing item may need to be saved to complete the migration.
Users would be required to check that they have saved any jobs where migration has occurred before updating to ensure that the CertificateCredential is not lost.

Testing done

mvn verify

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@jtnord jtnord added the removed label Jun 21, 2024
@jtnord jtnord requested a review from a team June 21, 2024 10:00
pom.xml Outdated Show resolved Hide resolved
@@ -113,101 +113,6 @@ public void displayName() throws IOException {
assertEquals(EXPECTED_DISPLAY_NAME, CredentialsNameProvider.name(new CertificateCredentialsImpl(null, "abc123", null, "password", storeSource)));
}

@Test
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the code these tests where testing has been deleted.
Whilst we could leave a test that shows the behaviour doesn't work, I don't see a point in that)

@jtnord jtnord added the chore label Jun 21, 2024
It has been 5 years since the security fix was introduced and the
migration code occureed.

Whilst an admin could have still (ab)used the CLI/REST to set a
FileOnMaster they could not do this from the UI creating a disparity.

This change removes the migration and the ability to use this via
CLI/REST
@jtnord jtnord force-pushed the remove-FileOnMaster-and-SECURITY-1322-migration branch from 5a1fd31 to 079a4cb Compare June 21, 2024 10:11
@jtnord
Copy link
Member Author

jtnord commented Jun 21, 2024

@jtnord Maybe you already know, but just in case, a few plugins use FileOnMasterKeyStoreSource directly in tests, so this will cause some PCT issues. Here is what I see in a quick GitHub search:

Thanks. the compuware was written 4 years after the original deprecation so I have no inclination to fix that - will fix the other 2.

@dwnusbaum
Copy link
Member

@jtnord The PR title has a typo, I edited my comment once I realized, see https://github.com/search?type=code&q=+owner%3Ajenkinsci+FileOnMasterKeyStoreSource

@jtnord jtnord changed the title Remove FileOnMasterKeySource and SECURITY-1322 migration Remove FileOnMasterKeyStroreSource and SECURITY-1322 migration Jun 21, 2024
@jtnord
Copy link
Member Author

jtnord commented Jun 21, 2024

@jtnord The PR title has a typo, I edited my comment once I realized, see https://github.com/search?type=code&q=+owner%3Ajenkinsci+FileOnMasterKeyStoreSource

🤦 thanks!

@jtnord jtnord enabled auto-merge July 2, 2024 10:10
@jtnord jtnord merged commit 46f52ab into jenkinsci:master Jul 2, 2024
15 checks passed
@basil
Copy link
Member

basil commented Jul 2, 2024

Breaks PCT in credentials-binding with java.lang.NoClassDefFoundError: com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl$FileOnMasterKeyStoreSource. The class is still used in CertificateMultiBindingTest.

@basil
Copy link
Member

basil commented Jul 2, 2024

@jtnord

@dwnusbaum
Copy link
Member

BOM update just needs to be coordinated with jenkinsci/credentials-binding-plugin#310 and jenkinsci/pipeline-model-definition-plugin#723.

@basil
Copy link
Member

basil commented Jul 2, 2024

BOM update just needs to be coordinated with jenkinsci/credentials-binding-plugin#310 and jenkinsci/pipeline-model-definition-plugin#723.

@dwnusbaum No, jenkinsci/credentials-binding-plugin#310 is incomplete—that PR removed one usage of FileOnMasterKeyStoreSource, but there is still another usage a few dozen lines down in the same file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants