
[JENKINS-73825] ldap allows insecure configurations #299

Closed
wants to merge 2 commits into from

Conversation

@vwagh-dev (Contributor) commented Sep 25, 2024

See JENKINS-73825
In FIPS mode, LDAP now doesn't allow the insecure configuration. It also shows error messages in case of an insecure LDAP URL / short password.

Testing

Manual testing was done with the scenarios below:

  1. Configure an insecure LDAP URL: an error should be thrown and the form data should not be saved
  2. Configure a secure LDAP URL: the form data should not be saved
  3. In the advanced configuration, a manager password shorter than 14 characters is not allowed
  4. CasC configuration unit test to load the LDAP configuration, i.e. CasCFipsTest
    • When the configuration has a secure URL and a valid password length => Tested
    • When the configuration has an insecure URL / valid password length, CasCFipsTest.configure_ldap_for_invalid => Blocked
  5. ConfigRoundTrip scenario with FIPS enabled, i.e. LDAPEmbeddedFIPSTest.login() => Blocked

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fixes the issue
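The check the description talks about (reject a non-ldaps server URL and a manager password shorter than 14 characters when FIPS mode is on) can be expressed as a small validator. This is an added example, not the ldap plugin's own code; the class, method names and the rule that an empty password (anonymous bind) is skipped are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

/** Added example: FIPS-mode validation of an LDAP realm configuration (hypothetical, not plugin code). */
public class FipsLdapConfigCheck {
    // Minimum manager-password length stated in the PR description.
    static final int MIN_PASSWORD_LENGTH = 14;

    /** Returns the validation errors; an empty list means the form data may be saved. */
    public static List<String> validate(boolean fipsMode, String serverUrls, String managerPassword) {
        List<String> errors = new ArrayList<>();
        if (!fipsMode) {
            return errors; // outside FIPS mode the existing behaviour is unchanged
        }
        // Assumption: the server field may hold several whitespace-separated entries;
        // every one of them must use the ldaps:// scheme. A bare host without a scheme
        // would default to plain ldap://, so it is treated as insecure too.
        for (String server : serverUrls.trim().split("\\s+")) {
            String scheme;
            try {
                scheme = new URI(server).getScheme();
            } catch (URISyntaxException e) {
                scheme = null;
            }
            if (scheme == null || !"ldaps".equalsIgnoreCase(scheme)) {
                errors.add("Insecure LDAP URL '" + server + "': FIPS mode requires ldaps://");
            }
        }
        // Assumption: an empty password means anonymous bind and is not length-checked.
        if (managerPassword != null && !managerPassword.isEmpty()
                && managerPassword.length() < MIN_PASSWORD_LENGTH) {
            errors.add("Manager password must be at least " + MIN_PASSWORD_LENGTH
                    + " characters in FIPS mode");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one insecure configuration, one acceptable one.
        System.out.println(validate(true, "ldap://ldap.example.com:389", "short"));
        System.out.println(validate(true, "ldaps://ldap.example.com:636", "correct-horse-battery"));
    }
}
```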


@LDAPTestConfiguration(ldapsProtocol = true)
public class LDAPEmbeddedFIPSTest {
    public LDAPRule ads = new LDAPRule();
Member

I doubt that you need an actual ldap server running in the background for the tests you are going to do, it will only take up unnecessary compute.

Contributor Author

I'm just trying to log in using the secure LDAP URL.


//@Test
@LDAPSchema(ldif = "planetexpress", id = "planetexpress", dn = "dc=planetexpress,dc=com")
public void login() throws Exception {
Member

None of the testing here looks relevant.

null, "cn", "mail", null, null);
r.jenkins.setSecurityRealm(realm);
r.configRoundtrip();
String content = r.createWebClient().login("fry", "fry").goTo("whoAmI").getBody().getTextContent();
Member

This should fail when @BorisYaoA's fix is merged, as the password is too short.

@rsandell (Member)

And don't reference CB internal tickets in the PR description/title. Create a cloned ticket on issues.jenkins.io and reference that instead.

@vwagh-dev vwagh-dev changed the title Bee 51762 [JENKINS-73825] ldap allows insecure configurations Sep 27, 2024
@vwagh-dev vwagh-dev closed this Sep 27, 2024
@vwagh-dev vwagh-dev deleted the BEE-51762 branch September 27, 2024 07:31
@vwagh-dev vwagh-dev restored the BEE-51762 branch September 27, 2024 07:34
@vwagh-dev vwagh-dev deleted the BEE-51762 branch September 27, 2024 07:38