Clean up test references of removed methods

Author: Vlatombe

src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java

@@ -550,18 +550,6 @@ public boolean isSendScopesInTokenRequest() {
         return sendScopesInTokenRequest;
     }
 
-    public boolean isPkceEnabled() {
-        return pkceEnabled;
-    }
-
-    public boolean isDisableTokenVerification() {
-        return disableTokenVerification;
-    }
-
-    public boolean isNonceDisabled() {
-        return nonceDisabled;
-    }
-
     public boolean isTokenExpirationCheckDisabled() {
         return tokenExpirationCheckDisabled;
     }

src/main/java/org/jenkinsci/plugins/oic/properties/DisableTokenVerification.java

@@ -1,6 +1,5 @@
 package org.jenkinsci.plugins.oic.properties;
 
-import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
 import java.io.Serial;
@@ -35,7 +34,8 @@ public OidcPropertyExecution newExecution(@NonNull OicServerConfiguration server
     @Serial
     protected Object readResolve() {
         if (FIPS140.useCompliantAlgorithms()) {
-            throw new IllegalStateException(org.jenkinsci.plugins.oic.Messages.OicSecurityRealm_DisableTokenVerificationFipsMode());
+            throw new IllegalStateException(
+                    org.jenkinsci.plugins.oic.Messages.OicSecurityRealm_DisableTokenVerificationFipsMode());
         }
         return this;
     }

src/main/java/org/jenkinsci/plugins/oic/properties/EscapeHatch.java

@@ -56,7 +56,7 @@ public class EscapeHatch extends OidcProperty {
     public EscapeHatch(@NonNull String username, @CheckForNull String group, @NonNull Secret secret)
             throws Descriptor.FormException {
         if (FIPS140.useCompliantAlgorithms()) {
-            throw new IllegalStateException("Cannot use Escape Hatch in FIPS-140 mode");
+            throw new Descriptor.FormException("Cannot use Escape Hatch in FIPS-140 mode", "escapeHatch");
         }
         var sanitizedUsername = Util.fixEmptyAndTrim(username);
         if (sanitizedUsername == null) {
@@ -106,8 +106,9 @@ private void randomWait() {
     public Optional<Authentication> authenticate(@NonNull Authentication authentication) {
         if (authentication instanceof UsernamePasswordAuthenticationToken) {
             randomWait(); // to slowdown brute forcing
-            if (authentication.getPrincipal().toString().equals(this.username)
-                    && BCrypt.checkpw(authentication.getCredentials().toString(), Secret.toString(this.secret))) {
+            if (check(
+                    authentication.getPrincipal().toString(),
+                    authentication.getCredentials().toString())) {
                 List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
                 grantedAuthorities.add(SecurityRealm.AUTHENTICATED_AUTHORITY2);
                 if (isNotBlank(group)) {
@@ -126,6 +127,13 @@ public Optional<Authentication> authenticate(@NonNull Authentication authenticat
         return Optional.empty();
     }
 
+    /**
+     * Check a given username and password against the configured ones.
+     */
+    public boolean check(@NonNull String username, @CheckForNull String password) {
+        return username.equals(this.username) && BCrypt.checkpw(password, Secret.toString(this.secret));
+    }
+
     public static class DescriptorImpl extends OidcPropertyDescriptor {
         @Extension
         @CheckForNull

src/test/java/org/jenkinsci/plugins/oic/ConfigurationAsCodeTest.java

@@ -8,6 +8,7 @@
 import static io.jenkins.plugins.casc.misc.Util.toStringFromYamlFile;
 import static io.jenkins.plugins.casc.misc.Util.toYamlString;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.empty;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
@@ -87,7 +88,6 @@ void testConfig(JenkinsConfiguredWithCodeRule j) {
         assertEquals("userNameField", oicSecurityRealm.getUserNameField());
         assertTrue(oicSecurityRealm.isRootURLFromRequest());
         assertEquals("http://localhost/jwks", serverConf.getJwksServerUrl());
-        assertFalse(oicSecurityRealm.isDisableTokenVerification());
         var loginQueryParameters = oicSecurityRealm.getProperties().get(LoginQueryParameters.class);
         assertThat(loginQueryParameters, notNullValue());
         assertEquals(
@@ -145,7 +145,6 @@ void testMinimal(JenkinsConfiguredWithCodeRule j) {
         assertEquals("clientSecret", Secret.toString(oicSecurityRealm.getClientSecret()));
         assertFalse(oicSecurityRealm.isDisableSslVerification());
         assertNull(oicSecurityRealm.getEmailFieldName());
-        assertFalse(oicSecurityRealm.isEscapeHatchEnabled());
         assertNull(oicSecurityRealm.getFullNameFieldName());
         assertNull(oicSecurityRealm.getGroupsFieldName());
         assertEquals("openid email", serverConf.getScopes());
@@ -155,9 +154,7 @@ void testMinimal(JenkinsConfiguredWithCodeRule j) {
         assertTrue(oicSecurityRealm.isLogoutFromOpenidProvider());
         assertFalse(oicSecurityRealm.isRootURLFromRequest());
         assertNull(serverConf.getJwksServerUrl());
-        assertFalse(oicSecurityRealm.isDisableTokenVerification());
-        assertNull(oicSecurityRealm.getLoginQueryParameters());
-        assertNull(oicSecurityRealm.getLogoutQueryParameters());
+        assertThat(oicSecurityRealm.getProperties(), empty());
     }
 
     @Test
@@ -175,7 +172,6 @@ void testMinimalWellKnown(JenkinsConfiguredWithCodeRule j) {
 
         assertFalse(oicSecurityRealm.isDisableSslVerification());
         assertNull(oicSecurityRealm.getEmailFieldName());
-        assertFalse(oicSecurityRealm.isEscapeHatchEnabled());
         assertNull(oicSecurityRealm.getFullNameFieldName());
         assertNull(oicSecurityRealm.getGroupsFieldName());
 
@@ -184,12 +180,9 @@ void testMinimalWellKnown(JenkinsConfiguredWithCodeRule j) {
 
         assertEquals("sub", oicSecurityRealm.getUserNameField());
         assertTrue(oicSecurityRealm.isLogoutFromOpenidProvider());
-        assertFalse(oicSecurityRealm.isDisableTokenVerification());
 
         assertEquals(urlBase + "/well.known", serverConf.getWellKnownOpenIDConfigurationUrl());
-
-        assertNull(oicSecurityRealm.getLoginQueryParameters());
-        assertNull(oicSecurityRealm.getLogoutQueryParameters());
+        assertThat(oicSecurityRealm.getProperties(), empty());
     }
 
     /** Class to setup WellKnownMockExtension for well known with stub and setting port in env variable

src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java

@@ -7,10 +7,8 @@
 import static org.hamcrest.Matchers.startsWith;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
 import hudson.util.Secret;
@@ -32,7 +30,6 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.crypto.bcrypt.BCrypt;
 
 @WithJenkins
 class OicSecurityRealmTest {
@@ -118,41 +115,6 @@ void testShouldReturnRootUrlWhenRedirectUrlIsInvalid(JenkinsRule jenkinsRule) th
         assertEquals(rootUrl, realm.getValidRedirectUrl("http://localhost/jenkins/../bar/"));
     }
 
-    @Test
-    void testShouldCheckEscapeHatchWithPlainPassword(JenkinsRule jenkinsRule) throws Exception {
-        final String escapeHatchUsername = "aUsername";
-        final String escapeHatchPassword = "aSecretPassword";
-
-        TestRealm realm = new TestRealm.Builder(wireMock)
-                .WithMinimalDefaults()
-                        .WithEscapeHatch(true, escapeHatchUsername, escapeHatchPassword, "Group")
-                        .build();
-
-        assertEquals(escapeHatchUsername, realm.getEscapeHatchUsername());
-        assertNotEquals(escapeHatchPassword, Secret.toString(realm.getEscapeHatchSecret()));
-        assertTrue(realm.doCheckEscapeHatch(escapeHatchUsername, escapeHatchPassword));
-        assertFalse(realm.doCheckEscapeHatch("otherUsername", escapeHatchPassword));
-        assertFalse(realm.doCheckEscapeHatch(escapeHatchUsername, "wrongPassword"));
-    }
-
-    @Test
-    void testShouldCheckEscapeHatchWithHashedPassword(JenkinsRule jenkinsRule) throws Exception {
-        final String escapeHatchUsername = "aUsername";
-        final String escapeHatchPassword = "aSecretPassword";
-        final String escapeHatchCryptedPassword = BCrypt.hashpw(escapeHatchPassword, BCrypt.gensalt());
-
-        TestRealm realm = new TestRealm.Builder(wireMock)
-                .WithMinimalDefaults()
-                        .WithEscapeHatch(true, escapeHatchUsername, escapeHatchCryptedPassword, "Group")
-                        .build();
-
-        assertEquals(escapeHatchUsername, realm.getEscapeHatchUsername());
-        assertEquals(escapeHatchCryptedPassword, Secret.toString(realm.getEscapeHatchSecret()));
-        assertTrue(realm.doCheckEscapeHatch(escapeHatchUsername, escapeHatchPassword));
-        assertFalse(realm.doCheckEscapeHatch("otherUsername", escapeHatchPassword));
-        assertFalse(realm.doCheckEscapeHatch(escapeHatchUsername, "wrongPassword"));
-    }
-
     @Test
     @WithoutJenkins
     public void testMaybeOpenIdLogoutEndpoint() throws Exception {

src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java

@@ -1,11 +1,13 @@
 package org.jenkinsci.plugins.oic;
 
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.nullValue;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import hudson.model.Descriptor;
+import hudson.util.Secret;
 import jenkins.security.FIPS140;
+import org.jenkinsci.plugins.oic.properties.EscapeHatch;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -31,22 +33,22 @@ static void tearDown() {
     @Test
     void escapeHatchThrowsException() {
         assertThrows(
-                Descriptor.FormException.class,
-                () -> new OicSecurityRealm("clientId", null, null, null, null, null).setEscapeHatchEnabled(true));
+                Descriptor.FormException.class, () -> new OicSecurityRealm("clientId", null, null, null, null, null)
+                        .getProperties()
+                        .add(new EscapeHatch("admin", null, Secret.fromString("very-secret"))));
     }
 
     @Test
     void escapeHatchToFalse() throws Exception {
         OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null, null, null);
-        oicSecurityRealm.setEscapeHatchEnabled(false);
-        assertThat(oicSecurityRealm.isEscapeHatchEnabled(), is(false));
+        assertThat(oicSecurityRealm.getProperties().get(EscapeHatch.class), nullValue());
     }
 
     @Test
     void readResolve() throws Exception {
         OicSecurityRealm oicSecurityRealm = new OicSecurityRealm("clientId", null, null, null, null, null);
-        oicSecurityRealm.setEscapeHatchEnabled(false);
-        assertThat(oicSecurityRealm.isEscapeHatchEnabled(), is(false));
+        assertThat(oicSecurityRealm.getProperties().get(EscapeHatch.class), nullValue());
         oicSecurityRealm.readResolve();
+        assertThat(oicSecurityRealm.getProperties().get(EscapeHatch.class), nullValue());
     }
 }

src/test/java/org/jenkinsci/plugins/oic/TestRealm.java

@@ -12,7 +12,9 @@
 import java.util.ArrayList;
 import java.util.List;
 import jenkins.model.IdStrategy;
+import org.jenkinsci.plugins.oic.properties.DisableNonce;
 import org.jenkinsci.plugins.oic.properties.DisableTokenVerification;
+import org.jenkinsci.plugins.oic.properties.EscapeHatch;
 import org.jenkinsci.plugins.oic.properties.LoginQueryParameters;
 import org.jenkinsci.plugins.oic.properties.LogoutQueryParameters;
 import org.kohsuke.stapler.StaplerRequest2;
@@ -54,10 +56,6 @@ public static class Builder {
         public Boolean logoutFromOpenidProvider = false;
         public String endSessionEndpoint = null;
         public String postLogoutRedirectUrl = null;
-        public boolean escapeHatchEnabled = false;
-        public String escapeHatchUsername = null;
-        public Secret escapeHatchSecret = null;
-        public String escapeHatchGroup = null;
         public boolean automanualconfigure = false;
         public IdStrategy userIdStrategy;
         public IdStrategy groupIdStrategy;
@@ -151,11 +149,14 @@ public Builder WithEscapeHatch(
                 boolean escapeHatchEnabled,
                 String escapeHatchUsername,
                 String escapeHatchSecret,
-                String escapeHatchGroup) {
-            this.escapeHatchEnabled = escapeHatchEnabled;
-            this.escapeHatchUsername = escapeHatchUsername;
-            this.escapeHatchSecret = escapeHatchSecret == null ? null : Secret.fromString(escapeHatchSecret);
-            this.escapeHatchGroup = escapeHatchGroup;
+                String escapeHatchGroup)
+                throws Descriptor.FormException {
+            if (escapeHatchEnabled) {
+                this.properties.add(
+                        new EscapeHatch(escapeHatchUsername, escapeHatchGroup, Secret.fromString(escapeHatchSecret)));
+            } else {
+                this.properties.removeIf(EscapeHatch.class::isInstance);
+            }
             return this;
         }
 
@@ -234,10 +235,6 @@ public TestRealm(Builder builder) throws Exception {
         this.setGroupsFieldName(builder.groupsFieldName);
         this.setLogoutFromOpenidProvider(builder.logoutFromOpenidProvider);
         this.setPostLogoutRedirectUrl(builder.postLogoutRedirectUrl);
-        this.setEscapeHatchEnabled(builder.escapeHatchEnabled);
-        this.setEscapeHatchUsername(builder.escapeHatchUsername);
-        this.setEscapeHatchSecret(builder.escapeHatchSecret);
-        this.setEscapeHatchGroup(builder.escapeHatchGroup);
         this.setProperties(builder.properties);
         // need to call the following method annotated with @PostConstruct and called
         // from readResolve and as such
@@ -307,7 +304,8 @@ public void doFinishLogin(StaplerRequest2 request, StaplerResponse2 response) th
         /*
          * PluginTest uses a hardCoded nonce "nonce"
          */
-        if (!isNonceDisabled()) {
+
+        if (getProperties().get(DisableNonce.class) == null) {
             // only hack the nonce if the nonce is enabled
             FrameworkParameters parameters = new JEEFrameworkParameters(request, response);
             WebContext webContext = JEEContextFactory.INSTANCE.newContext(parameters);
@@ -331,8 +329,4 @@ public String getStringFieldFromJMESPath(Object object, String jmespathField) {
     public Object readResolve() throws ObjectStreamException {
         return super.readResolve();
     }
-
-    public boolean doCheckEscapeHatch(String username, String password) {
-        return super.checkEscapeHatch(username, password);
-    }
 }

src/test/java/org/jenkinsci/plugins/oic/properties/EscapeHatchTest.java

@@ -1,14 +1,18 @@
 package org.jenkinsci.plugins.oic.properties;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import hudson.util.Secret;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import org.jenkinsci.plugins.oic.MockHttpServletRequest;
 import org.junit.jupiter.api.Test;
+import org.springframework.security.crypto.bcrypt.BCrypt;
 
 class EscapeHatchTest {
     private EscapeHatch.CrumbExclusionImpl crumb = new EscapeHatch.CrumbExclusionImpl();
@@ -47,4 +51,27 @@ void process_WithGoodPath() throws IOException, ServletException {
         MockHttpServletRequest request = newRequestWithPath("/securityRealm/escapeHatch");
         assertTrue(crumb.process(request, response, chain));
     }
+
+    @Test
+    void testShouldCheckEscapeHatchWithPlainPassword() throws Exception {
+        final String escapeHatchUsername = "aUsername";
+        final String escapeHatchPassword = "aSecretPassword";
+        var escapeHatch = new EscapeHatch(escapeHatchUsername, null, Secret.fromString(escapeHatchPassword));
+        assertEquals(escapeHatchUsername, escapeHatch.getUsername());
+        assertNotEquals(escapeHatchPassword, Secret.toString(escapeHatch.getSecret()));
+        assertTrue(escapeHatch.check(escapeHatchUsername, escapeHatchPassword));
+        assertFalse(escapeHatch.check("otherUsername", escapeHatchPassword));
+        assertFalse(escapeHatch.check(escapeHatchUsername, "wrongPassword"));
+    }
+
+    @Test
+    void testShouldCheckEscapeHatchWithHashedPassword() throws Exception {
+        final String escapeHatchUsername = "aUsername";
+        final String escapeHatchPassword = "aSecretPassword";
+        final String escapeHatchCryptedPassword = BCrypt.hashpw(escapeHatchPassword, BCrypt.gensalt());
+
+        var escapeHatch = new EscapeHatch(escapeHatchUsername, null, Secret.fromString(escapeHatchCryptedPassword));
+        assertEquals(escapeHatchUsername, escapeHatch.getUsername());
+        assertEquals(escapeHatchCryptedPassword, Secret.toString(escapeHatch.getSecret()));
+    }
 }