Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[JENKINS-73525] add FIPS compliance checks to plugin when running in FIPS mode #50

Merged
merged 8 commits into from
Aug 13, 2024

Conversation

jmdesprez
Copy link

@jmdesprez jmdesprez commented Jul 29, 2024

See JENKINS-73525

This PR add compliance checks when running in FIPS mode. The verification rules that I've implemented are as follows:

  1. When running in FIPS mode, either TLS or a local pipe must be used
  2. When running in FIPS mode, the TLS verification is mandatory (it cannot be skipped)

Checking if FIPS is enabled requires a recent Jenkins version so I bumped the dependencies in 0c690eb

Then I updated those classes to add the FIPS compliance check:

  • KubernetesAuthConfig
  • HttpClientWithTLSOptionsFactory
  • OpenShiftBearerTokenCredentialsImpl

Testing done

For each class, I wrote two unit tests per change: one with FIPS mode enabled, one without. For each test, I checked all the possible combinations.

I generated the keystore using this command:

keytool -genkey -alias unittest -keyalg RSA -keystore src/test/resources/org/jenkinsci/plugins/kubernetes/credentials/keystore.jks -keysize 2048 -ext SAN=DNS:localhost
Enter keystore password:  
Re-enter new password: 
Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
  [Unknown]:  
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  
What is the name of your State or Province?
  [Unknown]:  
What is the two-letter country code for this unit?
  [Unknown]:  
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes (No relevant PR)
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@jmdesprez jmdesprez requested a review from a team as a code owner July 29, 2024 16:17
@jmdesprez jmdesprez marked this pull request as draft August 6, 2024 09:09
@jmdesprez
Copy link
Author

Putting in draft mode while I'm changing the implementation

@jmdesprez jmdesprez marked this pull request as ready for review August 6, 2024 18:53
Copy link

@PereBueno PereBueno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just a suggestion that will make spotbugs happy

Co-authored-by: Pere <pbuenoyerbes@cloudbees.com>
@fcojfernandez
Copy link

@jenkinsci/kubernetes-credentials-plugin-developers can we get a review and merge here?

@Vlatombe Vlatombe self-requested a review August 12, 2024 09:03
pom.xml Outdated Show resolved Hide resolved
@Vlatombe Vlatombe merged commit 71b1a82 into jenkinsci:master Aug 13, 2024
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants