[JENKINS-73812] Adding minimum password length for FIPS compliance #200

wants to merge 13 commits into
base: master
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import hudson.util.ListBoxModel;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import jenkins.security.FIPS140;
import org.acegisecurity.BadCredentialsException;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
Expand Down Expand Up @@ -149,6 +150,11 @@
@DataBoundConstructor
public ActiveDirectoryDomain(String name, String servers, String site, String bindName, String bindPassword, TlsConfiguration tlsConfiguration) {
this.name = name;
// Gives exception if Password is set lees than 14 chars long in FIPS mode.
if(FIPS140.useCompliantAlgorithms() && StringUtils.length(bindPassword) < 14) {
throw new IllegalArgumentException(Messages.passwordTooShortFIPS());
}

// Append default port if not specified
servers = fixEmpty(servers);
if (servers != null) {
Expand Down Expand Up @@ -266,6 +272,17 @@
return model;
}

/**
* Displays an error message if the provided password is less than 14 characters
* while in FIPS mode. This message is triggered when the bindPassword field loses focus.
*/
public FormValidation doCheckBindPassword(@QueryParameter String bindPassword) {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in DescriptorImpl#doCheckBindPassword
if(FIPS140.useCompliantAlgorithms() && StringUtils.length(bindPassword) < 14) {
return FormValidation.error(Messages.passwordTooShortFIPS());
}
return FormValidation.ok();
}

@RequirePOST
public FormValidation doValidateTest(@QueryParameter(fixEmpty = true) String name, @QueryParameter(fixEmpty = true) String servers, @QueryParameter(fixEmpty = true) String site, @QueryParameter(fixEmpty = true) String bindName,
@QueryParameter(fixEmpty = true) String bindPassword, @QueryParameter(fixEmpty = true) TlsConfiguration tlsConfiguration, @QueryParameter GroupLookupStrategy groupLookupStrategy,
Expand Down
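Review bot: `doCheckBindPassword` receives the bind password as a `@QueryParameter` but, unlike `doValidateTest` directly below it, carries no `@POST`/`@RequirePOST`, so the form-validation call goes out as a GET and the secret lands in the request URL where proxies and access logs can record it; add `@POST` above the method so the browser submits the field in the body. The constructor guard also trips on a `null` or empty `bindPassword`, so in FIPS mode a domain without bind credentials can no longer be created and the user is told the password is "too short"; if that is intended, state it in the comment, otherwise guard with `bindPassword != null && StringUtils.length(bindPassword) < 14`. Replacing the constructor comment with `// FIPS mode requires bind passwords of at least 14 characters; reject shorter ones up front.` fixes the typo ("lees") and states the why. `StringUtils.length` counts UTF-16 code units rather than characters, which is worth a sentence in the Javadoc of both checks. The enclosing class and `doValidateTest` continue outside the hunk.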
Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,5 @@ TlsConfiguration.TrustAllCertificates = (Insecure) Trust all Certificates
TlsConfiguration.JdkTrustStore = JDK TrustStore

TlsConfiguration.AdministrativeMonitor.DisplayName = Active Directory TLS Configuration Monitor
TlsConfiguration.ErrorMessage = Disabling TLS in FIPS mode is not allowed. Either enable StartTls or Require TLS.
TlsConfiguration.ErrorMessage = Disabling TLS in FIPS mode is not allowed. Either enable StartTls or Require TLS.
passwordTooShortFIPS = Password is too short (< 14 characters)
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
package hudson.plugins.active_directory;

import org.junit.ClassRule;
import org.junit.Test;
import org.jvnet.hudson.test.FlagRule;

import hudson.util.FormValidation;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThrows;

public class ActiveDirectoryDomainTest {


private ActiveDirectorySecurityRealm securityRealm;
private AbstractActiveDirectoryAuthenticationProvider authenticationProvider;

@ClassRule
public static FlagRule<String> fipsSystemPropertyRule =
FlagRule.systemProperty("jenkins.security.FIPS140.COMPLIANCE", "true");


@Test
public void testPasswordTooShortInFIPSMode() {
// Create an instance of ActiveDirectoryDomain with a short password and assert exception
IllegalArgumentException exception = assertThrows(IllegalArgumentException.class, () -> {
new ActiveDirectoryDomain("example.com", "server", "site", "bindName", "short", TlsConfiguration.TRUST_ALL_CERTIFICATES);
});

// Verify the exception message
assertEquals(Messages.passwordTooShortFIPS(), exception.getMessage());
}

@Test
public void testPasswordValidInFIPSMode() {
// Create an instance of ActiveDirectoryDomain with a valid password
ActiveDirectoryDomain domain = new ActiveDirectoryDomain("example.com", "server", "site", "bindName", "validPassword123", TlsConfiguration.TRUST_ALL_CERTIFICATES);

// Verify the domain object is created successfully
assertEquals("example.com", domain.getName());
assertEquals("server:3268", domain.getServers());
assertEquals("site", domain.getSite());
assertEquals("bindName", domain.getBindName());
assertEquals("validPassword123", domain.getBindPassword().getPlainText());
}

@Test
public void testDoCheckBindPasswordFIPSModeShortPassword() {
// Create an instance of the DescriptorImpl class
ActiveDirectoryDomain.DescriptorImpl descriptor = new ActiveDirectoryDomain.DescriptorImpl();

// Test with a password less than 14 characters
FormValidation result = descriptor.doCheckBindPassword("shortPass");
assertEquals(FormValidation.error(Messages.passwordTooShortFIPS()).getMessage(), result.getMessage());
}

@Test
public void testDoCheckBindPasswordFIPSModeValidPassword() {
// Create an instance of the DescriptorImpl class
ActiveDirectoryDomain.DescriptorImpl descriptor = new ActiveDirectoryDomain.DescriptorImpl();

// Test with a password of 14 characters or more
FormValidation result = descriptor.doCheckBindPassword("validPassword123");
assertEquals(FormValidation.ok().getMessage(), result.getMessage());
}
}
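Review bot: The two `doCheckBindPassword` tests compare `FormValidation#getMessage()` only, so a `warning` or `error` carrying the same text would pass `testDoCheckBindPasswordFIPSModeValidPassword`; assert on the kind instead, `assertEquals(FormValidation.Kind.ERROR, result.kind);` and `assertEquals(FormValidation.Kind.OK, result.kind);`. `securityRealm` and `authenticationProvider` are declared but never used and should be removed. The `@ClassRule` sets `jenkins.security.FIPS140.COMPLIANCE` before this class runs, but if `FIPS140.useCompliantAlgorithms()` reads the property into a static field at class-initialization time, a sibling test that touches `FIPS140` earlier in the same JVM would make these tests silently run in non-FIPS mode — worth confirming, and it also means the non-FIPS path (short passwords accepted) has no coverage here. The fixtures use `TlsConfiguration.TRUST_ALL_CERTIFICATES`, which the plugin's own messages label "(Insecure)"; if a trust-store-backed constant exists, using it would keep the test data consistent with what FIPS mode is meant to allow.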