Allow access using a Jenkins API token without an OIDC Session #386

Merged

Conversation

mikecirioli
Contributor

@mikecirioli mikecirioli commented Sep 3, 2024

Proposing a new option of the OicSecurityRealm that will allow an administrator to allow access using a Jenkins API token without an OIDC Session.

Currently, when using the oic-auth plugin, if a user explicitly logs out of the IdP then they will no longer be able to perform any sort of action using Jenkins API tokens because the oic-auth plugin will reject the request due to the OicSession being null. This behavior may make sense for some users, but it can cause problems for other users who may be relying on external automation tools which make use of Jenkins API tokens for authentication.

This PR introduces a new (optional, disabled by default) configuration which lets an admin re-enable the traditional Jenkins API token access behavior. This is accomplished by checking to see if a request appears to be using a valid Jenkins API token, and if so hands off the request processing to the next filter in the chain instead of processing it as an OIC based access request.

Testing done

A new unit test has been added to validate the new functionality.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue
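
The decision described in the PR text above, modelled as a stand-alone added example (not code from this pull request or from the oic-auth plugin). The class, enum and field names, the SHA-256 token store and the sample credentials are assumptions made for illustration; the point shown is that only a token that actually validates skips OIDC processing, and only when the option is enabled.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Illustrative model; names are assumptions, not the oic-auth plugin's classes.
public class TokenBypassDecision {
    enum Action { HAND_OFF_TO_NEXT_FILTER, PROCESS_AS_OIC }
    private final boolean allowTokenWithoutOidcSession; // the new option, off by default
    private final Map<String, byte[]> tokenHashes;      // stand-in for the per-user API token store
    TokenBypassDecision(boolean allow, Map<String, byte[]> tokenHashes) {
        this.allowTokenWithoutOidcSession = allow;
        this.tokenHashes = tokenHashes;
    }
    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }
    Action decide(String authorization) throws Exception {
        if (!allowTokenWithoutOidcSession || authorization == null
                || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Action.PROCESS_AS_OIC;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return Action.PROCESS_AS_OIC; // not valid Base64: no bypass
        }
        int colon = decoded.indexOf(':');
        byte[] expected = colon < 0 ? null : tokenHashes.get(decoded.substring(0, colon));
        if (expected == null) {
            return Action.PROCESS_AS_OIC; // no separator or unknown user
        }
        // Constant-time comparison; only a matching token skips the OIDC session check.
        boolean valid = MessageDigest.isEqual(expected, sha256(decoded.substring(colon + 1)));
        return valid ? Action.HAND_OFF_TO_NEXT_FILTER : Action.PROCESS_AS_OIC;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: user "ci-bot" with token "example-token".
        Map<String, byte[]> store = Map.of("ci-bot", sha256("example-token"));
        String good = "Basic " + Base64.getEncoder().encodeToString("ci-bot:example-token".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("ci-bot:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println(new TokenBypassDecision(true, store).decide(good));
        System.out.println(new TokenBypassDecision(true, store).decide(bad));
        System.out.println(new TokenBypassDecision(false, store).decide(good));
    }
}
```

A request whose header merely has the shape of Basic credentials stays on the OIC path, so an invalid or malformed token never bypasses the session check in this model.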

@mikecirioli mikecirioli requested a review from a team as a code owner September 3, 2024 13:07
@mikecirioli mikecirioli changed the title all support for "traditional api token access" Add support for "traditional jenkins api token access" Sep 3, 2024
@mikecirioli mikecirioli requested review from Vlatombe, michael-doubez and amuniz and removed request for a team September 3, 2024 13:07
codecov bot commented Sep 3, 2024

Codecov Report

Attention: Patch coverage is 81.81818% with 2 lines in your changes missing coverage. Please review.

Project coverage is 72.47%. Comparing base (8e99549) to head (791ef3c).
Report is 35 commits behind head on master.

Files with missing lines Patch % Lines
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java 81.81% 0 Missing and 2 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master     #386      +/-   ##
============================================
+ Coverage     71.44%   72.47%   +1.03%     
- Complexity      232      244      +12     
============================================
  Files            11       12       +1     
  Lines           991     1021      +30     
  Branches        142      148       +6     
============================================
+ Hits            708      740      +32     
+ Misses          205      201       -4     
- Partials         78       80       +2     

Co-authored-by: Vincent Latombe <[email protected]>
amuniz
amuniz previously approved these changes Sep 4, 2024
Member

@amuniz amuniz left a comment

Looks good to me (needs spotless fixes).

@mikecirioli mikecirioli changed the title Add support for "traditional jenkins api token access" Allow access using a Jenkins API token without an OIDC Session Sep 4, 2024
@mikecirioli mikecirioli requested a review from a team September 5, 2024 16:17
@mikecirioli
Contributor Author

I plan to merge this at the end of the day today unless anyone has an objection

cc: @jenkinsci/oic-auth-plugin-developers

@mikecirioli mikecirioli merged commit e70636c into jenkinsci:master Sep 10, 2024
19 checks passed