jenkinsci · pankajy-dev · Oct 8, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024
@@ -8,3 +8,6 @@ target/
 /.apt_generated/
 
 .*.swp
+
+work-cognito/
+work-keycloak/
@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
-    <version>4.87</version>
+    <version>5.3</version>
     <relativePath />
   </parent>
 
@@ -45,14 +45,14 @@
     <revision>4</revision>
     <changelist>999999-SNAPSHOT</changelist>
     <gitHubRepo>jenkinsci/${project.artifactId}-plugin</gitHubRepo>
-    <!-- update the jenkins-bom version when updating -->
-    <jenkins.version>2.426.3</jenkins.version>
     <spotless.check.skip>false</spotless.check.skip>
     <spotbugs.effort>Max</spotbugs.effort>
     <configuration-as-code.version>1836.vccda_4a_122a_a_e</configuration-as-code.version>
     <hpi.compatibleSinceVersion>4.383</hpi.compatibleSinceVersion>
     <!-- latest 5.x as 6 uses java 17 -->
-    <pac4jVersion>5.7.7</pac4jVersion>
+    <pac4jVersion>6.1.0</pac4jVersion>
+    <springVersion>6.1.14</springVersion>
+    <jacksonVersion>2.18.1</jacksonVersion>
   </properties>
 
   <dependencyManagement>
@@ -64,16 +64,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <!--
-      Let's use a FIPS compliant version of nimbus-jose-jwt
-      TODO Remove when pac4j includes this version or a newer one
-      -->
-      <dependency>
-        <groupId>com.nimbusds</groupId>
-        <artifactId>nimbus-jose-jwt</artifactId>
-        <version>9.47</version>
-      </dependency>
-      <!-- end -->
       <dependency>
         <!-- do not exlude the annotations so we can benifit from spotbugs checks but set the to provided so we do not bundle them -->
         <groupId>com.github.stephenc.jcip</groupId>
@@ -104,10 +94,17 @@
 
     <dependency>
       <groupId>org.pac4j</groupId>
-      <!-- replace with pac4j-jakartaee when we use a Jenkins version with jakartaee -->
-      <artifactId>pac4j-javaee</artifactId>
+      <artifactId>pac4j-jakartaee</artifactId>
       <version>${pac4jVersion}</version>
       <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.datatype</groupId>
+          <artifactId>jackson-datatype-jsr310</artifactId>
+        </exclusion>
         <exclusion>
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
@@ -139,8 +136,18 @@
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.springframework</groupId>
+          <artifactId>spring-core</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.springframework</groupId>
+          <artifactId>spring-jcl</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
+    <!-- TODO remove spring version, it will come from the core -->
+
     <dependency>
       <groupId>com.google.code.gson</groupId>
       <artifactId>gson</artifactId>
@@ -301,5 +308,4 @@
       </plugin>
     </plugins>
   </build>
-
 </project>
@@ -24,7 +24,7 @@ public class AnythingGoesTokenValidator extends TokenValidator {
     public static final Logger LOGGER = Logger.getLogger(AnythingGoesTokenValidator.class.getName());
 
     public AnythingGoesTokenValidator() {
-        super(createFakeOidcConfiguration());
+        super(createFakeOidcConfiguration(), createFakeProviderMetadata());
     }
 
     @Override
@@ -51,17 +51,25 @@ public IDTokenClaimsSet validate(final JWT idToken, final Nonce expectedNonce) {
      * So we need a configuration with this set just so the validator can say "this is valid".
      */
     private static OidcConfiguration createFakeOidcConfiguration() {
+        OidcConfiguration config = new OidcConfiguration();
+        config.setClientId("ignored");
+        config.setSecret("ignored");
+        config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
+        config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
+        return config;
+    }
+
+    /**
+     * Annoyingly the super class needs an OIDCProviderMetadata with some values set,
+     * which if we are not validating we may not actually have (e.g. jwks_url).
+     * So we need a metadata provider with this set just so the validator can say "this is valid".
+     */
+    private static OIDCProviderMetadata createFakeProviderMetadata() {
         try {
-            OidcConfiguration config = new OidcConfiguration();
-            config.setClientId("ignored");
-            config.setSecret("ignored");
             OIDCProviderMetadata providerMetadata = new OIDCProviderMetadata(
                     new Issuer("http://ignored"), List.of(SubjectType.PUBLIC), new URI("http://ignored.and.invalid./"));
             providerMetadata.setIDTokenJWSAlgs(List.of(JWSAlgorithm.HS256));
-            config.setProviderMetadata(providerMetadata);
-            config.setPreferredJwsAlgorithm(JWSAlgorithm.HS256);
-            config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
-            return config;
+            return providerMetadata;
         } catch (URISyntaxException e) {
             // should never happen the urls we are using are valid
             throw new IllegalStateException(e);

@@ -39,6 +39,9 @@ public void configureHttpRequest(HTTPRequest request) {
             }
         }
         request.setProxy(proxy);
+        // super class will configure the hostname verifier and the SSL socket factory and the default values in case
+        // the config object doesn't have those values must be overrriden in case the disableTLS is true
+        super.configureHttpRequest(request);
         if (disableTLS) {
             request.setHostnameVerifier(IgnoringHostNameVerifier.INSTANCE);
             try {
@@ -47,6 +50,5 @@ public void configureHttpRequest(HTTPRequest request) {
                 throw new IllegalStateException("could not configure the SSLFactory, this should not be possible", e);
             }
         }
-        super.configureHttpRequest(request);
     }
 }
@@ -2,11 +2,11 @@
 
 import hudson.Extension;
 import hudson.security.csrf.CrumbExclusion;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
 /**
  * Excluding the escapeHatch login from CSRF protection as the crumb is calculated based on the authentication

@@ -3,11 +3,11 @@
 import hudson.Extension;
 import hudson.security.SecurityRealm;
 import hudson.security.csrf.CrumbExclusion;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import jenkins.model.Jenkins;
 
 /**