Adopt plugin openid-plugin


Michael Nazzareno Trimarchi

Feb 18, 2024, 10:35:44 AM
to jenkin...@googlegroups.com

Adrien Lecharpentier

Feb 18, 2024, 11:56:20 AM
to Jenkins Developers
Even if the plugin is not marked as up for adoption, it currently has no maintainer listed in the RPU. So +1 for me.

Please note that the plugin has multiple public security issues. I'm sure the security team will require you to resolve them before any release can be deployed. 

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAOf5uwnO4r%2B-upaC-5wCMXbez-bsBd3LajxyU483ftm%2BMLYq2A%40mail.gmail.com.

Michael Nazzareno Trimarchi

Feb 18, 2024, 12:07:20 PM
to jenkin...@googlegroups.com
Hi

On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier
<adrien.lec...@gmail.com> wrote:
>
> Even if the plugin is not marked as up for adoption, it currently has no maintainer listed in the RPU. So +1 for me.
>
> Please note that the plugin has multiple public security issues. I'm sure the security team will require you to resolve them before any release can be deployed.
>

OK, I see; mostly my problem is also to resolve the CI build on the Jenkins CI.

Michael

> On Sun, Feb 18, 2024, 16:35, Michael Nazzareno Trimarchi <mic...@amarulasolutions.com> wrote:
>>
>> Hi all
>>
>> https://github.com/jenkinsci/openid-plugin/pull/24
>>
>> My github account
>> https://github.com/panicking
>>
>> Pull request for the permission
>>
>> https://github.com/jenkins-infra/repository-permissions-updater/pull/3776
>>
>> Michael
>>



--
Michael Nazzareno Trimarchi
Co-Founder & Chief Executive Officer
M. +39 347 913 2170
mic...@amarulasolutions.com
__________________________________

Amarula Solutions BV
Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
T. +31 (0)85 111 9172
in...@amarulasolutions.com
www.amarulasolutions.com

Adrien Lecharpentier

Feb 18, 2024, 12:15:44 PM
to Jenkins Developers
The jenkins.version you set in your pom requires Java 11 minimum (https://www.jenkins.io/doc/book/platform-information/support-policy-java/).
However, the Jenkinsfile still tries to build the plugin using Java 8 on Windows.

As you are not the maintainer for now, changing the Jenkinsfile wouldn't change anything, as it wouldn't be used.

Once you're the maintainer, I'd suggest opening a pull request updating the Jenkinsfile configuration (there is an OpenRewrite recipe to help you). Merge that PR and then you can work more deeply on the plugin.

Michael Nazzareno Trimarchi

Feb 18, 2024, 3:06:17 PM
to jenkin...@googlegroups.com
Hi all

I lack some experience, but how can I resolve a problem like this?

20:04:25 Caused by: java.io.IOException: Failed to load: Matrix Project Plugin (matrix-project 785.v06b_7f47b_c631)
20:04:25 - Update required: JUnit Plugin (junit 1.3) to be updated to 1119.1121.vc43d0fc45561 or higher

Is it something that is connected to the pom.xml?

Michael



On Sun, Feb 18, 2024 at 6:15 PM Adrien Lecharpentier

Michael Nazzareno Trimarchi

Feb 18, 2024, 3:42:00 PM
to jenkin...@googlegroups.com
Hi

Solved this way

+ <dependency>
+ <groupId>org.jenkins-ci.plugins</groupId>
+ <artifactId>junit</artifactId>
+ <version>1119.1121.vc43d0fc45561</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jenkins-ci.plugins</groupId>
+ <artifactId>script-security</artifactId>
+ <version>1175.v4b_d517d6db_f0</version>
+ <scope>test</scope>
+ </dependency>
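Review bot: the two <version> elements pin junit and script-security by hand, so they will drift out of step with jenkins.version each time it is bumped; import the Jenkins plugin BOM under dependencyManagement and drop the <version> lines so that matching releases of both plugins resolve together. Also, the failure quoted earlier only asked for junit 1119.1121.vc43d0fc45561 or higher; the added script-security test dependency is not explained by that message, so record in the commit why it is needed.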

Is this the correct way?

Michael

Alexander Brandes

Feb 18, 2024, 3:51:23 PM
to jenkin...@googlegroups.com
In addition to bumping the jenkins.version, don't forget to modernise the plugin to our standards for maintained plugins: https://github.com/jenkinsci/archetypes/tree/master/common-files (ignoring archetype-post-generate.groovy)

Mark Waite

Feb 18, 2024, 3:55:16 PM
to Jenkins Developers
On Sunday, February 18, 2024 at 1:42:00 PM UTC-7 Michael wrote:
Hi

Solved this way

+ <dependency>
+ <groupId>org.jenkins-ci.plugins</groupId>
+ <artifactId>junit</artifactId>
+ <version>1119.1121.vc43d0fc45561</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jenkins-ci.plugins</groupId>
+ <artifactId>script-security</artifactId>
+ <version>1175.v4b_d517d6db_f0</version>
+ <scope>test</scope>
+ </dependency>

Is this the correct way?

That is a valid way to solve it, though most plugin maintainers prefer to let the plugin bill of materials manage the versions of dependencies when they are available from the plugin bill of materials.


It also has a section on updating the minimum Jenkins version (you probably want 2.414.3 rather than 2.410).

It also has a section on updating the parent pom that will allow you to run tests with Java 21 and Java 17 so that you're confident the plugin works on all the JDKs that Jenkins supports.

Thanks very much for adopting the plugin!

Mark Waite
 

Michael Nazzareno Trimarchi

Feb 18, 2024, 3:57:53 PM
to jenkin...@googlegroups.com
Hi
Let me study this, and I will adjust the security problems now and then bump again to 2.414.3.

Michael

> Thanks very much for adopting the plugin!
>
> Mark Waite
>
>

Michael Nazzareno Trimarchi

Feb 18, 2024, 5:55:14 PM
to jenkin...@googlegroups.com
Hi

This is a really nice community.
Thank you, Mark, for helping me and letting me understand how it now works with the BOM.

Michael

Daniel Beck

Feb 19, 2024, 8:12:34 AM
to jenkin...@googlegroups.com
On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier <adrien.lec...@gmail.com> wrote:
Please note that the plugin has multiple public security issues. I'm sure the security team will require you to resolve them before any release can be deployed. 

While we definitely prefer that (new) maintainers address unresolved vulnerabilities as early as possible, we do not generally require that for new releases, with two exceptions:

* Plugins blocked from releasing because we identified a vulnerability introduced since the latest release. Look for "releaseblock" in RPU for examples.
* Unsuspending plugins. In terms of security, we consider that to be similar to new plugin hosting, so to restore publication, we ask that security issues (publicly known or not) be addressed first.

For anything else, the security warnings shown in Jenkins and on the plugins site will remain active even for new releases.

Some (few) plugins are actively maintained while not addressing previously announced security vulnerabilities. Administrators can make an informed decision on whether they want to install (or keep installed) such plugins.

Michael Nazzareno Trimarchi

Feb 19, 2024, 8:20:19 AM
to jenkin...@googlegroups.com
Hi Daniel, all

Working to address vulnerabilities.

Michael

Michael Nazzareno Trimarchi

Feb 23, 2024, 9:56:48 AM
to jenkin...@googlegroups.com
Hi all

I have a question about a vulnerability, in particular the
CSRF vulnerability in the OpenID Plugin.

OpenID does not use state in the protocol, so there is no concept of
it, but there is a concept of a nonce, and reading OpenID 2.0, that is not
supposed to be. Can I get more information about it?

Michael

Kevin Guerroudj

Feb 27, 2024, 1:49:30 AM
to Jenkins Developers
Hi Michael,

Indeed, it seems you're right: OpenID 2.0 doesn't use a state parameter.
However, it should still be possible to implement a protection against this CSRF attack using the openid.return_to parameter.
It is an optional parameter where the OpenID Provider should redirect the user-agent after authentication, and it can include additional context about the request by attaching query parameters (https://openid.net/specs/openid-authentication-2_0.html#positive_assertions).

Michael Nazzareno Trimarchi

Feb 27, 2024, 2:46:42 AM
to jenkin...@googlegroups.com
Hi

On Tue, Feb 27, 2024 at 7:49 AM 'Kevin Guerroudj' via Jenkins
Developers <jenkin...@googlegroups.com> wrote:
>
> Hi Michael,
>
> Indeed, it seems you're right: OpenID 2.0 doesn't use a state parameter.
> However, it should still be possible to implement a protection against this CSRF attack using the openid.return_to parameter.
> It is an optional parameter where the OpenID Provider should redirect the user-agent after authentication, and it can include additional context about the request by attaching query parameters (https://openid.net/specs/openid-authentication-2_0.html#positive_assertions).
>

return_to is mandatory to send in the OpenID protocol, and I think that
verification is already in process for the redirect URL.

Michael

Kevin Guerroudj

Feb 28, 2024, 1:26:05 AM
to Jenkins Developers
Hi,

I'm not very familiar with OpenID, but from what I've read in the spec, it appears that this parameter is optional.

Anyway, the important part is that the parameter is returned exactly as it was sent:
"openid.return_to: Value: An exact copy of the return_to URL parameter that was sent in the request."

This ensures that the information can be retrieved exactly as it was originally sent, allowing for the addition of a state-like mechanism (by attaching a query parameter, if it's already used).
And then, it will allow you to confirm that the "state" received in the response is still the same as the one sent.
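The state-like mechanism Kevin describes, as a constructed Python sketch added here (it is not the openid-plugin's code; the OpenIdSession class, the function names, the STATE_PARAM name and the URLs are all assumptions): a per-session nonce is embedded in return_to at login start, and the callback accepts a positive assertion only when the echoed openid.return_to matches the request URL and carries the nonce issued to that same session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

STATE_PARAM = "rp_state"  # assumed name for the nonce query parameter (constructed, not the plugin's)


class OpenIdSession:
    """Server-side session for one user-agent; holds the nonce awaiting a callback."""
    def __init__(self):
        self.pending_state = None


def begin_authentication(session, base_return_to):
    """Mint an unguessable nonce, remember it in the session and embed it in
    return_to. The OP must echo return_to back as an exact copy (spec 10.1)."""
    session.pending_state = secrets.token_urlsafe(32)
    parts = urlsplit(base_return_to)
    query = dict(parse_qsl(parts.query))
    query[STATE_PARAM] = session.pending_state
    return urlunsplit(parts._replace(query=urlencode(query)))


def verify_assertion(session, request_url, response):
    """Accept the positive assertion only if openid.return_to matches the URL this
    request arrived on (spec 11.1, simplified to an exact match) AND the nonce in it
    is the one issued to *this* session. The nonce is cleared first, so replays fail."""
    expected, session.pending_state = session.pending_state, None
    if not expected:
        return False
    return_to = response.get("openid.return_to", "")
    if not hmac.compare_digest(return_to.encode(), request_url.encode()):
        return False
    received = parse_qs(urlsplit(return_to).query).get(STATE_PARAM, [""])[0]
    return hmac.compare_digest(received.encode(), expected.encode())


def demo():
    """Honest login succeeds; a replay of a consumed assertion and an assertion minted
    for another session (attacker's callback URL opened in the victim's browser) fail."""
    base = "https://jenkins.example/securityRealm/finishLogin"  # constructed URL
    victim, attacker = OpenIdSession(), OpenIdSession()
    victim_url = begin_authentication(victim, base)
    attacker_url = begin_authentication(attacker, base)
    honest = verify_assertion(victim, victim_url, {"openid.return_to": victim_url})
    replay = verify_assertion(victim, victim_url, {"openid.return_to": victim_url})
    begin_authentication(victim, base)  # victim starts a fresh login
    cross = verify_assertion(victim, attacker_url, {"openid.return_to": attacker_url})
    return honest, cross, replay
```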