From 4d7765c854f4f5e6e3c26ed950a26042a7527875 Mon Sep 17 00:00:00 2001 From: rsandell Date: Tue, 12 Nov 2024 15:16:00 +0100 Subject: [PATCH] SECURITY-3461 --- .../plugins/oic/OicSecurityRealm.java | 55 +++++++- .../oic/monitor/OicIdStrategyMonitor.java | 55 ++++++++ .../jenkinsci/plugins/oic/Messages.properties | 1 + .../plugins/oic/OicSecurityRealm/config.jelly | 6 + .../oic/OicSecurityRealm/config.properties | 2 + .../OicIdStrategyMonitor/description.jelly | 4 + .../description.properties | 1 + .../OicIdStrategyMonitor/message.jelly | 14 +++ .../OicIdStrategyMonitor/message.properties | 6 + .../plugins/oic/OicSecurityRealmFipsTest.java | 4 +- .../oic/OicSecurityRealmIdStrategyTest.java | 117 ++++++++++++++++++ .../SecurityRealmConfigurationFIPSTest.java | 6 +- .../org/jenkinsci/plugins/oic/TestRealm.java | 17 ++- .../oic/monitor/OicStrategyMonitorTest.java | 58 +++++++++ .../plugins/oic/ConfigurationAsCodeExport.yml | 2 + 15 files changed, 341 insertions(+), 7 deletions(-) create mode 100644 src/main/java/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor.java create mode 100644 src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.jelly create mode 100644 src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.properties create mode 100644 src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.jelly create mode 100644 src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.properties create mode 100644 src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmIdStrategyTest.java create mode 100644 src/test/java/org/jenkinsci/plugins/oic/monitor/OicStrategyMonitorTest.java diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java index c2bda997..27f35396 100644 --- a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java 
+++ b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java @@ -41,6 +41,7 @@ import edu.umd.cs.findbugs.annotations.NonNull; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import hudson.Extension; +import hudson.ExtensionList; import hudson.Util; import hudson.model.Descriptor; import hudson.model.Descriptor.FormException; @@ -88,6 +89,8 @@ import java.util.logging.Logger; import java.util.regex.Pattern; import javax.annotation.PostConstruct; +import jenkins.model.IdStrategy; +import jenkins.model.IdStrategyDescriptor; import jenkins.model.Jenkins; import jenkins.security.ApiTokenProperty; import jenkins.security.FIPS140; @@ -151,6 +154,8 @@ public class OicSecurityRealm extends SecurityRealm implements Serializable { private static final long serialVersionUID = 1L; private static final Logger LOGGER = Logger.getLogger(OicSecurityRealm.class.getName()); + private IdStrategy userIdStrategy; + private IdStrategy groupIdStrategy; public static enum TokenAuthMethod { client_secret_basic(ClientAuthenticationMethod.CLIENT_SECRET_BASIC), @@ -316,7 +321,9 @@ public OicSecurityRealm( String clientId, Secret clientSecret, OicServerConfiguration serverConfiguration, - Boolean disableSslVerification) + Boolean disableSslVerification, + IdStrategy userIdStrategy, + IdStrategy groupIdStrategy) throws IOException, FormException { // Needed in DataBoundSetter this.disableSslVerification = Util.fixNull(disableSslVerification, Boolean.FALSE); @@ -327,6 +334,8 @@ public OicSecurityRealm( this.clientId = clientId; this.clientSecret = clientSecret; this.serverConfiguration = serverConfiguration; + this.userIdStrategy = userIdStrategy; + this.groupIdStrategy = groupIdStrategy; } @SuppressWarnings("deprecated") 
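Review bot: The two new constructor parameters in the `-316` hunk accept `null` without comment, and that null is what later makes `isMissingIdStrategy()` true and switches the getters to case-insensitive, so the contract deserves a Javadoc line on the constructor (which starts and ends outside this hunk). Suggest `@param userIdStrategy user id strategy; {@code null} means "not configured", which keeps the pre-SECURITY-3461 case-insensitive behaviour and activates the administrative monitor` and the equivalent `@param groupIdStrategy`. The new fields in the `-151` hunk are the only non-final strategy state the realm holds; if nothing outside this diff assigns them, marking them `final` would document that the constructor is the only writer.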
@@ -420,6 +429,20 @@ public String getUserNameField() { return userNameField; } + @Restricted(NoExternalUse.class) + public boolean isMissingIdStrategy() { + return userIdStrategy == null || groupIdStrategy == null; + } + + @Override + public IdStrategy getUserIdStrategy() { + if (userIdStrategy != null) { + return userIdStrategy; + } else { + return IdStrategy.CASE_INSENSITIVE; + } + } + public String getTokenFieldToCheckKey() { return tokenFieldToCheckKey; } @@ -440,6 +463,15 @@ public String getGroupsFieldName() { return groupsFieldName; } + @Override + public IdStrategy getGroupIdStrategy() { + if (groupIdStrategy != null) { + return groupIdStrategy; + } else { + return IdStrategy.CASE_INSENSITIVE; + } + } + public boolean isDisableSslVerification() { return disableSslVerification; } @@ -1628,5 +1660,26 @@ public Descriptor getDefaultServerConfigurationType() { public boolean isFipsEnabled() { return FIPS140.useCompliantAlgorithms(); } + + @Restricted(NoExternalUse.class) + public List getIdStrategyDescriptors() { + return ExtensionList.lookup(IdStrategyDescriptor.class); + } + + /** + * The default username strategy for new OicSecurityRealm + */ + @Restricted(NoExternalUse.class) + public IdStrategy defaultUsernameIdStrategy() { + return new IdStrategy.CaseSensitive(); + } + + /** + * The default group strategy for new OicSecurityRealm + */ + @Restricted(NoExternalUse.class) + public IdStrategy defaultGroupIdStrategy() { + return new IdStrategy.CaseSensitive(); + } } } diff --git a/src/main/java/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor.java b/src/main/java/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor.java new file mode 100644 index 00000000..a03dbf28 --- /dev/null +++ b/src/main/java/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor.java 
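Review bot: `getUserIdStrategy()` in this hunk and `getGroupIdStrategy()` in the `-440` hunk fall back to `IdStrategy.CASE_INSENSITIVE`, while the descriptor's `defaultUsernameIdStrategy()`/`defaultGroupIdStrategy()` in the `-1628` hunk hand new realms `CaseSensitive`; the asymmetry is intentional (message.properties explains it to the admin) but nothing in the code says so, and a future cleanup that "unifies the defaults" would silently change which users are treated as the same account. Suggest a Javadoc on both getters: `/** Falls back to {@link IdStrategy#CASE_INSENSITIVE} for realms saved before the strategy fields existed, preserving their historical matching; new realms default to case-sensitive via the descriptor. */`. The same fallback is what `isMissingIdStrategy()` reports, so the three methods should be read together.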
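Review bot: `getIdStrategyDescriptors()` in the `-1628` hunk is declared with a raw `List`, although `ExtensionList.lookup(IdStrategyDescriptor.class)` already yields a typed `ExtensionList<IdStrategyDescriptor>`; the raw return pushes an unchecked cast onto every Java caller and hides the element type from the jelly that populates the two new dropdowns. Change the signature to `public List<IdStrategyDescriptor> getIdStrategyDescriptors() {` (the file evidently already imports `java.util.List`, since the raw form compiles). The two `default*IdStrategy()` Javadocs are fragments; a full sentence such as `Returns the strategy pre-selected for a newly created realm (case-sensitive).` reads better in generated docs.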
@@ -0,0 +1,55 @@
+package org.jenkinsci.plugins.oic.monitor;
+
+import com.google.common.annotations.VisibleForTesting;
+import hudson.Extension;
+import hudson.ExtensionList;
+import hudson.model.AdministrativeMonitor;
+import hudson.security.SecurityRealm;
+import java.io.IOException;
+import jenkins.model.Jenkins;
+import org.jenkinsci.plugins.oic.Messages;
+import org.jenkinsci.plugins.oic.OicSecurityRealm;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+import org.kohsuke.stapler.HttpResponse;
+import org.kohsuke.stapler.HttpResponses;
+import org.kohsuke.stapler.interceptor.RequirePOST;
+
+@Extension
+@Restricted(NoExternalUse.class)
+public class OicIdStrategyMonitor extends AdministrativeMonitor {
+
+ // if null, means not evaluated yet
+ Boolean missingIdStrategy;
+
+ public OicIdStrategyMonitor() {}
+
+ @VisibleForTesting
+ protected static OicIdStrategyMonitor get() {
+ return ExtensionList.lookupSingleton(OicIdStrategyMonitor.class);
+ }
+
+ @Override
+ public String getDisplayName() {
+ return Messages.OicSecurityRealm_monitor_DisplayName();
+ }
+
+ @Override
+ public boolean isActivated() {
+ if (!Boolean.FALSE.equals(missingIdStrategy)) {
+ SecurityRealm securityRealm = Jenkins.get().getSecurityRealm();
+ if (securityRealm instanceof OicSecurityRealm) {
+ missingIdStrategy = ((OicSecurityRealm) securityRealm).isMissingIdStrategy();
+ } else {
+ missingIdStrategy = Boolean.FALSE;
+ }
+ }
+ return missingIdStrategy;
+ }
+
+ @RequirePOST
+ public HttpResponse doForward() throws IOException {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+ return HttpResponses.redirectViaContextPath("configureSecurity");
+ }
+}
diff --git a/src/main/resources/org/jenkinsci/plugins/oic/Messages.properties b/src/main/resources/org/jenkinsci/plugins/oic/Messages.properties
index f86d37fe..ca952cd7 100644
--- a/src/main/resources/org/jenkinsci/plugins/oic/Messages.properties
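Review bot: `isActivated()` latches `missingIdStrategy` at `Boolean.FALSE` and never re-evaluates, so if the security realm is later replaced by one that again lacks the strategies (an older config restored, a JCasC apply without the new `userIdStrategy`/`groupIdStrategy` keys, or switching away from OIC and back) the monitor stays silent for the rest of the JVM's life. The realm lookup is a field read, so the cache buys nothing; replace the body with `SecurityRealm securityRealm = Jenkins.get().getSecurityRealm();` / `return securityRealm instanceof OicSecurityRealm && ((OicSecurityRealm) securityRealm).isMissingIdStrategy();` and drop the `Boolean` field (or, if the cache is kept, make it `volatile` and reset it when the realm changes). `doForward()` is correct as written, the POST requirement and the `ADMINISTER` check both belong there; a one-line comment `// redirect to the security realm page where the strategies are selected` would explain the hard-coded `configureSecurity` path.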
+++ b/src/main/resources/org/jenkinsci/plugins/oic/Messages.properties @@ -27,3 +27,4 @@ OicSecurityRealm.DisableSslVerificationFipsMode = SSL verification can not be di OicSecurityRealm.DisableTokenVerificationFipsMode = Token verification can not be disabled in FIPS mode OicServerWellKnownConfiguration.DisplayName = Discovery via well-known endpoint OicServerManualConfiguration.DisplayName = Manual entry +OicSecurityRealm.monitor.DisplayName= Openid Connect Id Strategy Configuration \ No newline at end of file diff --git a/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly b/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly index fed2da9c..313525b4 100644 --- a/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly +++ b/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly @@ -16,6 +16,9 @@ + + + @@ -25,6 +28,9 @@ + + + diff --git a/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.properties b/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.properties index fb8acda3..a52f4249 100644 --- a/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.properties +++ b/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.properties @@ -26,3 +26,5 @@ UserFields=User fields Username=Username UsernameFieldName=User name field name WellknownConfigurationEndpoint=Well-known configuration endpoint +UsernameIdStrategy=Username case sensitivity +GroupIdStrategy=Group name case sensitivity diff --git a/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.jelly b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.jelly new file mode 100644 index 00000000..bb405e93 --- /dev/null +++ b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.jelly @@ -0,0 +1,4 @@ + + + ${%blurb} + 
diff --git a/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.properties b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.properties new file mode 100644 index 00000000..908f2eb2 --- /dev/null +++ b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/description.properties @@ -0,0 +1 @@ +blurb=The OpenId Connect Security Realm's "Username case sensitivity" and "Group name case sensitivity" options have not been configured. diff --git a/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.jelly b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.jelly new file mode 100644 index 00000000..08d7eb42 --- /dev/null +++ b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.jelly @@ -0,0 +1,14 @@ + + +
+ +
+ + +
+ + ${%actionUrlContent} + + ${%blurb} +
+
diff --git a/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.properties b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.properties new file mode 100644 index 00000000..114b5e87 --- /dev/null +++ b/src/main/resources/org/jenkinsci/plugins/oic/monitor/OicIdStrategyMonitor/message.properties @@ -0,0 +1,6 @@ +blurb=\ +

The Openid Connect Security Realm was configured before the introduction of the "Username case sensitivity" and "Group name case sensitivity" options.

\ +

As a result, the current configuration treats these values as case-insensitive, whereas the default for new configurations is case-sensitive.

\ +

This difference could introduce a security vulnerability depending on your specific use case. For further information, refer to the security advisory. Please review and select the appropriate case sensitivity settings for your environment, then save the updated security realm configuration.

\ +

Warning: Switching from case-insensitive to case-sensitive behavior can be a lossy operation if there are mixed-case usernames or group names. Users with externally-defined mixed-case names will effectively be treated as new users they next time they log in, and will lose their existing user preferences. Group-related configurations in Jenkins for externally-defined groups with mixed case names will no longer apply to members of those external groups. Users with mixed-case names previously defined in groups in Jenkins will also no longer be considered members of those groups after the switch.

+configureSecurityRealm=Configure the Security Realm diff --git a/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java index a51ec3c5..befb9410 100644 --- a/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java +++ b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java @@ -37,10 +37,10 @@ public class OicSecurityRealmFipsTest { @Test @WithoutJenkins public void settingNonCompliantValuesNotAllowedTest() throws IOException, Descriptor.FormException { - OicSecurityRealm realm = new OicSecurityRealm("clientId", Secret.fromString("secret"), null, false); + OicSecurityRealm realm = new OicSecurityRealm("clientId", Secret.fromString("secret"), null, false, null, null); Descriptor.FormException ex = assertThrows( Descriptor.FormException.class, - () -> new OicSecurityRealm("clientId", Secret.fromString("secret"), null, true)); + () -> new OicSecurityRealm("clientId", Secret.fromString("secret"), null, true, null, null)); assertThat( "Exception contains the reason", ex.getMessage(), diff --git a/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmIdStrategyTest.java b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmIdStrategyTest.java new file mode 100644 index 00000000..28e7da7b --- /dev/null +++ b/src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmIdStrategyTest.java 
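Review bot: The `blurb` text has a typo in its last paragraph, "treated as new users they next time they log in" should read "treated as new users the next time they log in", and the product name is spelled "Openid Connect" here while `description.properties` and the form labels use "OpenId Connect". "refer to the security advisory" names no advisory; since the commit subject is SECURITY-3461, either spell out that identifier in the text or leave the reference to the changelog, otherwise an admin reading the banner has nothing to look up. The warning paragraph is the security-relevant part of this message and is accurate: it is the only place that tells the admin that switching to case-sensitive changes which users and groups existing permissions apply to.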
@@ -0,0 +1,117 @@ +package org.jenkinsci.plugins.oic; + +import com.github.tomakehurst.wiremock.core.WireMockConfiguration; +import com.github.tomakehurst.wiremock.junit.WireMockRule; +import hudson.model.User; +import hudson.security.SecurityRealm; +import jenkins.model.IdStrategy; +import jenkins.model.Jenkins; +import org.junit.Rule; +import org.junit.Test; +import org.jvnet.hudson.test.Issue; +import org.jvnet.hudson.test.JenkinsSessionRule; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.core.IsInstanceOf.instanceOf; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +public class OicSecurityRealmIdStrategyTest { + + @Rule + public JenkinsSessionRule sessions = new JenkinsSessionRule(); + + @Rule + public WireMockRule wireMockRule = new WireMockRule(new WireMockConfiguration().dynamicPort(), true); + + @Test + @Issue("SECURITY-3461") + public void testUserIdStrategy_caseInsensitive() throws Throwable { + sessions.then(r -> { + TestRealm realm = new TestRealm(new TestRealm.Builder(wireMockRule) + .WithMinimalDefaults().WithUserIdStrategy(IdStrategy.CASE_INSENSITIVE)); + Jenkins.get().setSecurityRealm(realm); + User testuser = User.getById("testuser", true); + assertNotNull(testuser); + assertEquals("testuser", testuser.getDisplayName()); + testuser.save(); + + User testUSER = User.getById("testUSER", true); + assertNotNull(testUSER); + assertEquals("testuser", testUSER.getDisplayName()); + testUSER.save(); + + assertEquals(testuser, testUSER); + }); + sessions.then(r -> { + User testuser = User.getById("testuser", false); + assertNotNull(testuser); + assertEquals("testuser", testuser.getDisplayName()); + + User testUSER = User.getById("testUSER", false); + assertNotNull(testUSER); + assertEquals("testuser", testUSER.getDisplayName()); + 
assertEquals(testuser, testUSER); + }); + } + + @Test + @Issue("SECURITY-3461") + public void testUserIdStrategy_caseSensitive() throws Throwable { + sessions.then(r -> { + TestRealm realm = new TestRealm(new TestRealm.Builder(wireMockRule) + .WithMinimalDefaults().WithUserIdStrategy(new IdStrategy.CaseSensitive())); + Jenkins.get().setSecurityRealm(realm); + User testuser = User.getById("testuser", true); + assertNotNull(testuser); + assertEquals("testuser", testuser.getDisplayName()); + testuser.save(); + + User testUSER = User.getById("testUSER", true); + assertNotNull(testUSER); + assertEquals("testUSER", testUSER.getDisplayName()); + testUSER.save(); + + assertNotEquals(testuser, testUSER); + }); + sessions.then(r -> { + User testuser = User.getById("testuser", false); + assertNotNull(testuser); + assertEquals("testuser", testuser.getDisplayName()); + + User testUSER = User.getById("testUSER", false); + assertNotNull(testUSER); + assertEquals("testUSER", testUSER.getDisplayName()); + + assertNotEquals(testuser, testUSER); + }); + } + + @Test + @Issue("SECURITY-3461") + public void testUserIdStrategy_default() throws Throwable { + sessions.then(r -> { + TestRealm realm = new TestRealm(wireMockRule); + Jenkins.get().setSecurityRealm(realm); + }); + sessions.then(r -> { + // when restarting, ensure the default case-insensitive is used + SecurityRealm securityRealm = Jenkins.get().getSecurityRealm(); + assertThat(securityRealm, instanceOf(OicSecurityRealm.class)); + OicSecurityRealm oicSecurityRealm = (OicSecurityRealm) securityRealm; + assertTrue(oicSecurityRealm.isMissingIdStrategy()); + assertEquals(IdStrategy.CASE_INSENSITIVE, securityRealm.getUserIdStrategy()); + assertEquals(IdStrategy.CASE_INSENSITIVE, securityRealm.getGroupIdStrategy()); + + TestRealm realm = new TestRealm(new TestRealm.Builder(wireMockRule) + .WithMinimalDefaults() + .WithUserIdStrategy(IdStrategy.CASE_INSENSITIVE) + .WithGroupIdStrategy(IdStrategy.CASE_INSENSITIVE)); + 
Jenkins.get().setSecurityRealm(realm); + assertFalse(realm.isMissingIdStrategy()); + }); + } +} diff --git a/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java b/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java index 9d7c613e..4eb8aae1 100644 --- a/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java +++ b/src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java @@ -15,19 +15,19 @@ public class SecurityRealmConfigurationFIPSTest { @Test(expected = Descriptor.FormException.class) public void escapeHatchThrowsException() throws Exception { - new OicSecurityRealm("clientId", null, null, null).setEscapeHatchEnabled(true); + new OicSecurityRealm("clientId", null, null, null, null, null).setEscapeHatchEnabled(true); } @Test public void escapeHatchToFalse() throws Exception { - OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null); + OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null, null, null); oicSecurityRealm.setEscapeHatchEnabled(false); assertThat(oicSecurityRealm.isEscapeHatchEnabled(), is(false)); } @Test public void readresolve() throws Exception { - OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null); + OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null, null, null); oicSecurityRealm.setEscapeHatchEnabled(false); assertThat(oicSecurityRealm.isEscapeHatchEnabled(), is(false)); oicSecurityRealm.readResolve(); diff --git a/src/test/java/org/jenkinsci/plugins/oic/TestRealm.java b/src/test/java/org/jenkinsci/plugins/oic/TestRealm.java index 58e01908..320edb20 100644 --- a/src/test/java/org/jenkinsci/plugins/oic/TestRealm.java +++ b/src/test/java/org/jenkinsci/plugins/oic/TestRealm.java 
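Review bot: `testUserIdStrategy_default` is the only test that touches the group strategy, and it checks just the accessor (`getGroupIdStrategy()` equals `CASE_INSENSITIVE`); there is no counterpart to `testUserIdStrategy_caseSensitive`/`_caseInsensitive` showing that group matching actually follows `WithGroupIdStrategy(...)`, which is the half of the fix that governs which authorization rules apply. Suggest adding `testGroupIdStrategy_caseSensitive` and `_caseInsensitive` that configure `.WithGroupIdStrategy(...)` and assert group membership comparisons behave accordingly, mirroring the user tests. The mixed default, user strategy set but group strategy left `null`, is also untested, although `isMissingIdStrategy()` is defined to report it.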
@@ -8,6 +8,7 @@ import java.io.IOException; import java.io.ObjectStreamException; import java.text.ParseException; +import jenkins.model.IdStrategy; import org.kohsuke.stapler.StaplerRequest2; import org.kohsuke.stapler.StaplerResponse2; import org.pac4j.core.context.FrameworkParameters; @@ -53,6 +54,8 @@ public static class Builder { public String escapeHatchGroup = null; public boolean automanualconfigure = false; public boolean disableTokenValidation = true; // opt in for some specific tests + public IdStrategy userIdStrategy; + public IdStrategy groupIdStrategy; public Builder(WireMockRule wireMockRule, boolean useTLS) throws IOException { this( @@ -149,6 +152,16 @@ public Builder WithDisableSslVerification(boolean disableSslVerification) { return this; } + public Builder WithUserIdStrategy(IdStrategy userIdStrategy) { + this.userIdStrategy = userIdStrategy; + return this; + } + + public Builder WithGroupIdStrategy(IdStrategy groupIdStrategy) { + this.groupIdStrategy = groupIdStrategy; + return this; + } + public TestRealm build() throws Exception { return new TestRealm(this); } @@ -184,7 +197,9 @@ public TestRealm(Builder builder) throws Exception { builder.clientId, builder.clientSecret, builder.buildServerConfiguration(), - builder.disableSslVerification); + builder.disableSslVerification, + builder.userIdStrategy, + builder.groupIdStrategy); this.setUserNameField(builder.userNameField); this.setTokenFieldToCheckKey(builder.tokenFieldToCheckKey); this.setTokenFieldToCheckValue(builder.tokenFieldToCheckValue); diff --git a/src/test/java/org/jenkinsci/plugins/oic/monitor/OicStrategyMonitorTest.java b/src/test/java/org/jenkinsci/plugins/oic/monitor/OicStrategyMonitorTest.java new file mode 100644 index 00000000..d9693a58 --- /dev/null +++ b/src/test/java/org/jenkinsci/plugins/oic/monitor/OicStrategyMonitorTest.java 
@@ -0,0 +1,58 @@ +package org.jenkinsci.plugins.oic.monitor; + +import com.github.tomakehurst.wiremock.core.WireMockConfiguration; +import com.github.tomakehurst.wiremock.junit.WireMockRule; +import jenkins.model.IdStrategy; +import jenkins.model.Jenkins; +import org.jenkinsci.plugins.oic.TestRealm; +import org.junit.Rule; +import org.junit.Test; +import org.jvnet.hudson.test.Issue; +import org.jvnet.hudson.test.JenkinsSessionRule; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +public class OicStrategyMonitorTest { + + @Rule + public JenkinsSessionRule sessions = new JenkinsSessionRule(); + + @Rule + public WireMockRule wireMockRule = new WireMockRule(new WireMockConfiguration().dynamicPort(), true); + + @Test + @Issue("SECURITY-3461") + public void smokes_caseInsensitive() throws Throwable { + sessions.then(r -> { + TestRealm realm = new TestRealm(wireMockRule); + Jenkins.get().setSecurityRealm(realm); + assertTrue(OicIdStrategyMonitor.get().isActivated()); + }); + sessions.then(r -> { + assertTrue(OicIdStrategyMonitor.get().isActivated()); + TestRealm realm = new TestRealm(new TestRealm.Builder(wireMockRule) + .WithMinimalDefaults() + .WithGroupIdStrategy(IdStrategy.CASE_INSENSITIVE) + .WithUserIdStrategy(IdStrategy.CASE_INSENSITIVE)); + Jenkins.get().setSecurityRealm(realm); + assertFalse(OicIdStrategyMonitor.get().isActivated()); + }); + sessions.then(r -> { + assertFalse(OicIdStrategyMonitor.get().isActivated()); + }); + } + + @Test + @Issue("SECURITY-3461") + public void smokes_noChange() throws Throwable { + sessions.then(r -> { + TestRealm realm = new TestRealm(wireMockRule); + Jenkins.get().setSecurityRealm(realm); + assertTrue(OicIdStrategyMonitor.get().isActivated()); + }); + sessions.then(r -> { + assertTrue(OicIdStrategyMonitor.get().isActivated()); + }); + } +} 
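Review bot: Both tests only ever install an `OicSecurityRealm`; there is no case for a non-OIC realm (where `isActivated()` must return false without touching the OIC class) and none that re-installs a strategy-less realm after the monitor has once returned false, which is where the cached `missingIdStrategy` in `OicIdStrategyMonitor` would hide a regression. A third session in `smokes_caseInsensitive` that sets `new TestRealm(wireMockRule)` again and asserts `assertTrue(OicIdStrategyMonitor.get().isActivated());` would pin the intended behaviour either way. The second `sessions.then` in `smokes_noChange` duplicates the assertion of the first and could be folded into it.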
diff --git a/src/test/resources/org/jenkinsci/plugins/oic/ConfigurationAsCodeExport.yml b/src/test/resources/org/jenkinsci/plugins/oic/ConfigurationAsCodeExport.yml index b8d603a2..feb52fe0 100644 --- a/src/test/resources/org/jenkinsci/plugins/oic/ConfigurationAsCodeExport.yml +++ b/src/test/resources/org/jenkinsci/plugins/oic/ConfigurationAsCodeExport.yml @@ -5,6 +5,7 @@ escapeHatchEnabled: true escapeHatchGroup: "escapeHatchGroup" escapeHatchUsername: "escapeHatchUsername" fullNameFieldName: "fullNameFieldName" +groupIdStrategy: "caseInsensitive" groupsFieldName: "groupsFieldName" nonceDisabled: true pkceEnabled: true @@ -17,4 +18,5 @@ serverConfiguration: jwksServerUrl: "http://localhost/jwks" scopes: "scopes" tokenServerUrl: "http://localhost/token" +userIdStrategy: "caseInsensitive" userNameField: "userNameField"