In FIPS env, escapeHatch cannot be enabled

Signed-off-by: Olivier Lamy <[email protected]>
jenkinsci · Oct 10, 2024 · ea9366c · ea9366c
1 parent 4f73328
commit ea9366c
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 32 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
@@ -86,6 +86,7 @@
 import javax.servlet.http.HttpSession;
 import jenkins.model.Jenkins;
 import jenkins.security.ApiTokenProperty;
+import jenkins.security.FIPS140;
 import jenkins.security.SecurityListener;
 import jenkins.util.SystemProperties;
 import org.apache.commons.lang.StringUtils;
@@ -337,6 +338,14 @@ protected Object readResolve() throws ObjectStreamException {
         this.setTokenFieldToCheckKey(this.tokenFieldToCheckKey);
         // ensure escapeHatchSecret is encrypted
         this.setEscapeHatchSecret(this.escapeHatchSecret);
+
+        // validate this option in FIPS env or not
+        try {
+            this.setEscapeHatchEnabled(this.escapeHatchEnabled);
+        } catch (FormException e) {
+            throw new IllegalArgumentException(e);
+        }
+
         try {
             if (automanualconfigure != null) {
                 if ("auto".equals(automanualconfigure)) {
@@ -592,7 +601,10 @@ public void setPostLogoutRedirectUrl(String postLogoutRedirectUrl) {
     }
 
     @DataBoundSetter
-    public void setEscapeHatchEnabled(boolean escapeHatchEnabled) {
+    public void setEscapeHatchEnabled(boolean escapeHatchEnabled) throws FormException {
+        if (FIPS140.useCompliantAlgorithms() && escapeHatchEnabled) {
+            throw new FormException("Escape Hatch cannot be enabled in FIPS environment", "escapeHatchEnabled");
+        }
         this.escapeHatchEnabled = escapeHatchEnabled;
     }
 
@@ -1387,5 +1399,10 @@ private FormValidation doCheckFieldName(String fieldName, FormValidation validIf
         public Descriptor<OicServerConfiguration> getDefaultServerConfigurationType() {
             return Jenkins.get().getDescriptor(OicServerWellKnownConfiguration.class);
         }
+
+        @Restricted(NoExternalUse.class) // used by jelly only
+        public boolean isFipsEnabled() {
+            return FIPS140.useCompliantAlgorithms();
+        }
     }
 }
diff --git a/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly b/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly
@@ -66,22 +66,23 @@
         <f:checkbox/>
       </f:entry>
     </f:advanced>
-
-    <f:block>
-      <table>
-        <f:optionalBlock inline="true" title="${%ConfigureEscapeHatch}" field="escapeHatchEnabled">
-          <f:entry title="${%Username}" field="escapeHatchUsername">
-            <f:textbox/>
-          </f:entry>
-          <f:entry title="${%Secret}" field="escapeHatchSecret">
-            <f:password/>
-          </f:entry>
-          <f:entry title="${%Group}" field="escapeHatchGroup">
-            <f:textbox/>
-          </f:entry>
-        </f:optionalBlock>
-      </table>
-    </f:block>
+    <j:if test="${!descriptor.isFipsEnabled()}">
+      <f:block>
+        <table>
+          <f:optionalBlock inline="true" title="${%ConfigureEscapeHatch}" field="escapeHatchEnabled">
+            <f:entry title="${%Username}" field="escapeHatchUsername">
+              <f:textbox/>
+            </f:entry>
+            <f:entry title="${%Secret}" field="escapeHatchSecret">
+              <f:password/>
+            </f:entry>
+            <f:entry title="${%Group}" field="escapeHatchGroup">
+              <f:textbox/>
+            </f:entry>
+          </f:optionalBlock>
+        </table>
+      </f:block>
+    </j:if>
 
   </f:section>
 

diff --git a/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java
@@ -3,7 +3,6 @@
 import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
 import hudson.util.Secret;
-import java.io.IOException;
 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.GrantedAuthority;
@@ -65,20 +64,20 @@ public void testAuthenticate_withUsernamePasswordAuthenticationToken() throws Ex
     }
 
     @Test
-    public void testGetAuthenticationGatewayUrl() throws IOException {
+    public void testGetAuthenticationGatewayUrl() throws Exception {
         TestRealm realm = new TestRealm(wireMockRule);
         assertEquals("securityRealm/escapeHatch", realm.getAuthenticationGatewayUrl());
     }
 
     @Test
-    public void testShouldSetNullClientSecretWhenSecretIsNull() throws IOException {
+    public void testShouldSetNullClientSecretWhenSecretIsNull() throws Exception {
         TestRealm realm = new TestRealm.Builder(wireMockRule)
                 .WithMinimalDefaults().WithClient("id without secret", null).build();
         assertEquals("none", Secret.toString(realm.getClientSecret()));
     }
 
     @Test
-    public void testGetValidRedirectUrl() throws IOException {
+    public void testGetValidRedirectUrl() throws Exception {
         // root url is http://localhost:????/jenkins/
         final String rootUrl = jenkinsRule.jenkins.getRootUrl();
 
@@ -95,7 +94,7 @@ public void testGetValidRedirectUrl() throws IOException {
     }
 
     @Test
-    public void testShouldReturnRootUrlWhenRedirectUrlIsInvalid() throws IOException {
+    public void testShouldReturnRootUrlWhenRedirectUrlIsInvalid() throws Exception {
         // root url is http://localhost:????/jenkins/
         String rootUrl = jenkinsRule.jenkins.getRootUrl();
 
@@ -110,7 +109,7 @@ public void testShouldReturnRootUrlWhenRedirectUrlIsInvalid() throws IOException
     }
 
     @Test
-    public void testShouldCheckEscapeHatchWithPlainPassword() throws IOException {
+    public void testShouldCheckEscapeHatchWithPlainPassword() throws Exception {
         final String escapeHatchUsername = "aUsername";
         final String escapeHatchPassword = "aSecretPassword";
 
@@ -127,7 +126,7 @@ public void testShouldCheckEscapeHatchWithPlainPassword() throws IOException {
     }
 
     @Test
-    public void testShouldCheckEscapeHatchWithHashedPassword() throws IOException {
+    public void testShouldCheckEscapeHatchWithHashedPassword() throws Exception {
         final String escapeHatchUsername = "aUsername";
         final String escapeHatchPassword = "aSecretPassword";
         final String escapeHatchCryptedPassword = BCrypt.hashpw(escapeHatchPassword, BCrypt.gensalt());

diff --git a/src/test/java/org/jenkinsci/plugins/oic/PluginTest.java b/src/test/java/org/jenkinsci/plugins/oic/PluginTest.java
@@ -177,7 +177,7 @@ private void browseLoginPage() throws IOException, SAXException {
         webClient.goTo(jenkins.getSecurityRealm().getLoginUrl());
     }
 
-    private void configureTestRealm(@NonNull Consumer<OicSecurityRealm> consumer) throws IOException {
+    private void configureTestRealm(@NonNull Consumer<OicSecurityRealm> consumer) throws Exception {
         var securityRealm = new TestRealm(wireMockRule);
         consumer.accept(securityRealm);
         jenkins.setSecurityRealm(securityRealm);

diff --git a/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java b/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java
@@ -0,0 +1,27 @@
+package org.jenkinsci.plugins.oic;
+
+import hudson.model.Descriptor;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.jvnet.hudson.test.FlagRule;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+public class SecurityRealmConfigurationFIPSTest {
+
+    @ClassRule
+    public static FlagRule<String> FIPS_RULE = FlagRule.systemProperty("jenkins.security.FIPS140.COMPLIANCE", "true");
+
+    @Test(expected = Descriptor.FormException.class)
+    public void escapeHatchThrowsException() throws Exception {
+        new OicSecurityRealm("clientId", null, null, null).setEscapeHatchEnabled(true);
+    }
+
+    @Test
+    public void escapeHatchToFalse() throws Exception {
+        OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null);
+        oicSecurityRealm.setEscapeHatchEnabled(false);
+        assertThat(oicSecurityRealm.isEscapeHatchEnabled(), is(false));
+    }
+}
diff --git a/src/test/java/org/jenkinsci/plugins/oic/TestRealm.java b/src/test/java/org/jenkinsci/plugins/oic/TestRealm.java
@@ -147,7 +147,7 @@ public Builder WithDisableSslVerification(boolean disableSslVerification) {
             return this;
         }
 
-        public TestRealm build() throws IOException {
+        public TestRealm build() throws Exception {
             return new TestRealm(this);
         }
 
@@ -177,7 +177,7 @@ public OicServerConfiguration buildServerConfiguration() {
         }
     }
 
-    public TestRealm(Builder builder) throws IOException {
+    public TestRealm(Builder builder) throws Exception {
         super(
                 builder.clientId,
                 builder.clientSecret,
@@ -203,18 +203,18 @@ public TestRealm(Builder builder) throws IOException {
     }
 
     public TestRealm(WireMockRule wireMockRule, String userInfoServerUrl, String emailFieldName, String groupsFieldName)
-            throws IOException {
+            throws Exception {
         this(new Builder(wireMockRule)
                 .WithUserInfoServerUrl(userInfoServerUrl)
                         .WithEmailFieldName(emailFieldName)
                         .WithGroupsFieldName(groupsFieldName));
     }
 
-    public TestRealm(WireMockRule wireMockRule) throws IOException {
+    public TestRealm(WireMockRule wireMockRule) throws Exception {
         this(new Builder(wireMockRule).WithMinimalDefaults());
     }
 
-    public TestRealm(WireMockRule wireMockRule, String userInfoServerUrl) throws IOException {
+    public TestRealm(WireMockRule wireMockRule, String userInfoServerUrl) throws Exception {
         this(new Builder(wireMockRule).WithMinimalDefaults().WithUserInfoServerUrl(userInfoServerUrl));
     }
 
@@ -224,7 +224,7 @@ public TestRealm(
             String emailFieldName,
             String groupFieldName,
             boolean automanualconfigure)
-            throws IOException {
+            throws Exception {
         this(new Builder(wireMockRule)
                 .WithMinimalDefaults()
                         .WithUserInfoServerUrl(userInfoServerUrl)
@@ -243,7 +243,7 @@ public TestRealm(
             String escapeHatchUsername,
             String escapeHatchSecret,
             String escapeHatchGroup)
-            throws IOException {
+            throws Exception {
         this(new Builder(wireMockRule)
                 .WithMinimalDefaults()
                         .WithUserInfoServerUrl(userInfoServerUrl)