-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1590 from PereBueno/JENKINS-73460
[JENKINS-73460] add FIPS compliance checks to plugin whem runnign in FIPS mode
- Loading branch information
Showing
12 changed files
with
527 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
109 changes: 109 additions & 0 deletions
109
src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloudFIPSTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| package org.csanchez.jenkins.plugins.kubernetes; | ||
|
|
||
| import static org.hamcrest.MatcherAssert.assertThat; | ||
| import static org.hamcrest.Matchers.containsString; | ||
| import static org.hamcrest.Matchers.notNullValue; | ||
| import static org.hamcrest.Matchers.nullValue; | ||
| import static org.junit.Assert.assertThrows; | ||
|
|
||
| import hudson.ExtensionList; | ||
| import io.jenkins.cli.shaded.org.apache.commons.io.FileUtils; | ||
| import java.io.IOException; | ||
| import java.nio.charset.Charset; | ||
| import java.nio.file.Paths; | ||
| import jenkins.security.FIPS140; | ||
| import org.junit.ClassRule; | ||
| import org.junit.Rule; | ||
| import org.junit.Test; | ||
| import org.jvnet.hudson.test.FlagRule; | ||
| import org.jvnet.hudson.test.Issue; | ||
| import org.jvnet.hudson.test.JenkinsRule; | ||
| import org.jvnet.hudson.test.recipes.LocalData; | ||
|
|
||
| public class KubernetesCloudFIPSTest { | ||
|
|
||
| @ClassRule | ||
| public static FlagRule<String> fipsFlag = FlagRule.systemProperty(FIPS140.class.getName() + ".COMPLIANCE", "true"); | ||
|
|
||
| @Rule | ||
| public JenkinsRule r = new JenkinsRule(); | ||
|
|
||
| @Test | ||
| @Issue("JENKINS-73460") | ||
| public void onlyFipsCompliantValuesAreAcceptedTest() throws IOException { | ||
| KubernetesCloud cloud = new KubernetesCloud("test-cloud"); | ||
| assertThrows(IllegalArgumentException.class, () -> cloud.setSkipTlsVerify(true)); | ||
| cloud.setSkipTlsVerify(false); | ||
| assertThrows(IllegalArgumentException.class, () -> cloud.setServerUrl("http://example.org")); | ||
| cloud.setServerUrl("https://example.org"); | ||
| assertThrows( | ||
| "Invalid certificates throw exception", | ||
| IllegalArgumentException.class, | ||
| () -> cloud.setServerCertificate(getCert("not-a-cert"))); | ||
| Throwable exception = assertThrows( | ||
| "Invalid length", IllegalArgumentException.class, () -> cloud.setServerCertificate(getCert("rsa1024"))); | ||
| assertThat(exception.getLocalizedMessage(), containsString("2048")); | ||
| cloud.setServerCertificate(getCert("rsa2048")); | ||
| exception = assertThrows( | ||
| "invalid length", IllegalArgumentException.class, () -> cloud.setServerCertificate(getCert("dsa1024"))); | ||
| assertThat(exception.getLocalizedMessage(), containsString("2048")); | ||
| cloud.setServerCertificate(getCert("dsa2048")); | ||
| exception = assertThrows( | ||
| "Invalid field size", | ||
| IllegalArgumentException.class, | ||
| () -> cloud.setServerCertificate(getCert("ecdsa192"))); | ||
| assertThat(exception.getLocalizedMessage(), containsString("224")); | ||
| cloud.setServerCertificate(getCert("ecdsa224")); | ||
| } | ||
|
|
||
| @Test | ||
| @Issue("JENKINS-73460") | ||
| @LocalData | ||
| public void nonCompliantCloudsAreCleanedTest() { | ||
| assertThat("compliant-cloud is loaded", r.jenkins.getCloud("compliant-cloud"), notNullValue()); | ||
| assertThat("with-skip-tls is not loaded", r.jenkins.getCloud("with-skip-tls"), nullValue()); | ||
| assertThat("with-http-endpoint is not loaded", r.jenkins.getCloud("with-http-endpoint"), nullValue()); | ||
| assertThat("with-invalid-cert is not loaded", r.jenkins.getCloud("with-invalid-cert"), nullValue()); | ||
| } | ||
|
|
||
| @Test | ||
| @Issue("JENKINS-73460") | ||
| public void formValidationTest() throws IOException { | ||
| ExtensionList<KubernetesCloud.DescriptorImpl> descriptors = | ||
| ExtensionList.lookup(KubernetesCloud.DescriptorImpl.class); | ||
| KubernetesCloud.DescriptorImpl descriptor = descriptors.stream() | ||
| .filter(d -> d.getClass().isAssignableFrom(KubernetesCloud.DescriptorImpl.class)) | ||
| .findFirst() | ||
| .orElseGet(KubernetesCloud.DescriptorImpl::new); | ||
| assertThat( | ||
| "Valid url doesn't raise error", | ||
| descriptor.doCheckServerUrl("https://eample.org").getMessage(), | ||
| nullValue()); | ||
| assertThat( | ||
| "Invalid url raises error", | ||
| descriptor.doCheckServerUrl("http://eample.org").getMessage(), | ||
| notNullValue()); | ||
| assertThat( | ||
| "Valid cert doesn't raise error", | ||
| descriptor.doCheckServerCertificate(getCert("rsa2048")).getMessage(), | ||
| nullValue()); | ||
| assertThat( | ||
| "Invalid cert raises error", | ||
| descriptor.doCheckServerCertificate(getCert("rsa1024")).getMessage(), | ||
| notNullValue()); | ||
| assertThat( | ||
| "No TLS skip doesn't raise error", | ||
| descriptor.doCheckSkipTlsVerify(false).getMessage(), | ||
| nullValue()); | ||
| assertThat( | ||
| "TLS skip raises error", descriptor.doCheckSkipTlsVerify(true).getMessage(), notNullValue()); | ||
| } | ||
|
|
||
| private String getCert(String alg) throws IOException { | ||
| return FileUtils.readFileToString( | ||
| Paths.get("src/test/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloudFIPSTest/certs") | ||
| .resolve(alg) | ||
| .toFile(), | ||
| Charset.defaultCharset()); | ||
| } | ||
| } |
19 changes: 19 additions & 0 deletions
19
...t/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloudFIPSTest/certs/dsa1024
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIDDzCCArygAwIBAgIUYBblXc5PhKw86bwvpcfBv/PxOmEwCwYJYIZIAWUDBAMC | ||
| MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJ | ||
| bnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjQwNzE4MTU0MDAxWhcNMjQwODE3 | ||
| MTU0MDAxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8G | ||
| A1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBvzCCATQGByqGSM44BAEw | ||
| ggEnAoGBAN1Se68u8JFTdXrZ2ED2RDG89TRR51j1E7SPwlYItWQGAnJUkTRKyhYO | ||
| 6oItvkuie/9HqjFVcz0hW1D0EfKKuJjv2VjkN07bQyZ9Kr92tfnkC2IOvbfDs8Ev | ||
| g3GBOjKs7Bi9inOcQZCKt1ZeNd4j4jDrLPnisEc8urcBlbxnNCiHAh0A7PRieQst | ||
| d6p4yVCVQp/fsjmUp+bL7phoR5jxNQKBgQC4K58rznGE8QmhSsUonv5Uf+gnnpDI | ||
| 6eDiOUH/DpIDIMftK6AQ4wp6YY4pZP+dxfbBt9uimmfdyuvrO3i1oOD3UqmVSCwd | ||
| Qome8YPGfxtTYYB/o05li7KPzHTqVcGXZQont9IK+uQaCwnzv/dsERol2F2aPMnD | ||
| 6JE2hd/DCUWiqQOBhAACgYBeEMMpp5ROkIDZ5h4HeDDZztn1zWRrnsV89Cs6WcjR | ||
| vbeumfVIoo06yws5tZdMfssrBjk+irKFKIU9edhiKcOjB8ssMJi+7tOEWEC9ooHo | ||
| F6cOqiYmhLBhLrIyv5dZUe8RtyJRZaP+4bn3PbxZ7Cij8DWHntnwhEjrqlUp6vCq | ||
| K6MhMB8wHQYDVR0OBBYEFPJmnQzXspNFvJNwPqxj//pvgzBlMAsGCWCGSAFlAwQD | ||
| AgNAADA9AhwNYi4S6Cq9uh9KKBYz9jYdiJYjI2lmDnSFYGtQAh0AvZkHSf6BfSKE | ||
| STBsggtQOqDvcao45reTjyaDcw== | ||
| -----END CERTIFICATE----- |
27 changes: 27 additions & 0 deletions
27
...t/resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloudFIPSTest/certs/dsa2048
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIEkzCCBECgAwIBAgIUDza9+LN/FgNVUl6tr01fR+wt/U0wCwYJYIZIAWUDBAMC | ||
| MEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJ | ||
| bnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjQwNzE4MTU0MTA1WhcNMjQwODE3 | ||
| MTU0MTA1WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8G | ||
| A1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIDQzCCAjUGByqGSM44BAEw | ||
| ggIoAoIBAQC3MkKb6PbOGFDYkhMjbIbz9lREVMRGkLCSWCwa3R7KwWjE4yPl0ONq | ||
| pLGYWSKtS51y06vR+wcxgjQynKL2s1pTpdX3EcGwJtb3SdR1vLLHWoUyr5d4adtL | ||
| UNmu7SRe9pSXsw3Y6j8c1T/UlGkREHXHlJlwON13NY5ZEKkZ5vtaOsJaEL4mrxvz | ||
| /dR/joWbXNSfPdi5aeu6U2W2/zUwcOcu+PtvYafLGr5FL+fAG0UniQgF86FB//px | ||
| CVeHngm54gwLTJJPtsnKKJwa6pCXbmANzsYCCj7tpGEQH1ZcyYzNNuABm5OZCCco | ||
| Si4TlwCkVe/Rrb5Ko04Kdqg5/XWA3sn1Ah0Au8eLbfMm7x7dhJ9/Yv55DLoU1Nq8 | ||
| waI6VGIdJQKCAQBZTWaquC3p30SXJ314Bh1zFPNEqcdsrNWnmZqzSKXfMuRPQRAQ | ||
| oAwMMWABtycYFPzK7/RsUihPdj1kIF46ArC+QXeo0zAQjKIcrNGIOBuvILsBx5On | ||
| F+Cw260PYIami45AqwhuACBoq6K6OxI24vSms72TMj+HRt8gtzWt1cP1MNxbyxho | ||
| rxKHUq/bLbBKfYbg4hSnvqMAw9mawEsRVYQzR+pAZqWE+otcvxkpR2PYWKR/i0dq | ||
| +PmJuqbHghMq6kss9a2d/tWQUGyUJkjr2qkjtn1CVuxpcDWcQ/0b0cpdCN83iSRA | ||
| EOJJY/g8B4kerasdPSO/e/gOfp6Pe57FI5iVA4IBBgACggEBAJnwtqFo43cc8en3 | ||
| hH2lbN7A3VDNkNejkl3kdhohHjgXNS2Cwlfn3y1QtYrw1BeG1Sdh4WTFCLIePc6t | ||
| 3quwLhRLDGzgD7YlvE4WYoE5JidAM+qcQiwdbXOhSljCeJFCdkg+7SH0LWwwW555 | ||
| I3K64XeE0/ONn9bjkhYPfDv5HG2fiEDL1bc6sgoraN6Cb0p2MmXQiSz+FMdHTLlg | ||
| yNrIdkNQxxKlYHJzNqwmesaSy9SmA/woGyrIrmX/XCExJwpasnaL+c/efU8H4zOC | ||
| 5eO8JUqUiWISTZn47YPrd/zFEDrk9heGgi5ZabUneAS69DaYa+sC/Xxa/ZCIMt0A | ||
| 9tN26gujITAfMB0GA1UdDgQWBBTDOjTyqpCiM996xYmndSV3QcGy+TALBglghkgB | ||
| ZQMEAwIDQAAwPQIdAJGqVySKZk1O4SQHsWAzTI+706myofPowzs1hvsCHCkZmLGG | ||
| ZrWsuaK1nMVltEQER+Eodz9oLRDgqew= | ||
| -----END CERTIFICATE----- |
12 changes: 12 additions & 0 deletions
12
.../resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloudFIPSTest/certs/ecdsa192
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIBwDCCAXagAwIBAgIUOwG28vjFm4KoiGieHrBRgzhrzGAwCgYIKoZIzj0EAwIw | ||
| RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu | ||
| dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTgxNTQ4MzBaFw0yNDA4MTcx | ||
| NTQ4MzBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD | ||
| VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwSjAUBgcqhkjOPQIBBgkrJAMD | ||
| AggBAQQDMgAEpFiVE3YkcIaJVP9DsLIZE620gyX23AxQahhWjywp8hp+DKO4voH3 | ||
| HlKfdeDEZ5nfo1MwUTAdBgNVHQ4EFgQUCQxoboqlb8uG3RrOqtk4Dxil4xwwHwYD | ||
| VR0jBBgwFoAUCQxoboqlb8uG3RrOqtk4Dxil4xwwDwYDVR0TAQH/BAUwAwEB/zAK | ||
| BggqhkjOPQQDAgM4ADA1AhkAiI0732BOdYpjG1EgZ2y1Y1W9qLjgKLH7AhgwSQbA | ||
| qPWq3wYiP1gZsVMavRL9K1ggspE= | ||
| -----END CERTIFICATE----- |
12 changes: 12 additions & 0 deletions
12
.../resources/org/csanchez/jenkins/plugins/kubernetes/KubernetesCloudFIPSTest/certs/ecdsa224
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIBzzCCAX6gAwIBAgIUMxqDFkKRXOeP325owDz02IZomgUwCgYIKoZIzj0EAwIw | ||
| RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu | ||
| dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA3MTgxNTQ5MDVaFw0yNDA4MTcx | ||
| NTQ5MDVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD | ||
| VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwUjAUBgcqhkjOPQIBBgkrJAMD | ||
| AggBAQYDOgAEOuIfMAfhqilO6Q1VxiAjuQnTkpFH2MYcyFjyG9O2OG71KFuB4hC8 | ||
| r6NSSxVCx88TjKzcnm/u/HijUzBRMB0GA1UdDgQWBBQtPSBGTPqBRJQOVhf/c8Xh | ||
| 5s0aOjAfBgNVHSMEGDAWgBQtPSBGTPqBRJQOVhf/c8Xh5s0aOjAPBgNVHRMBAf8E | ||
| BTADAQH/MAoGCCqGSM49BAMCAz8AMDwCHAOWGI94ia/Ck3JgqIPFCGZUqR8uh9vC | ||
| ovacsJACHC8VSwu0hEqevytqT7HH9E/DCMYORANJBZz5GyY= | ||
| -----END CERTIFICATE----- |
Oops, something went wrong.