/*
* The MIT License
*
* Copyright 2014 Jesse Glick.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
package com.cloudbees.jenkins.plugins.sshcredentials.impl;
import com.cloudbees.hudson.plugins.folder.Folder;
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import java.util.List;
import hudson.FilePath;
import hudson.cli.CLICommandInvoker;
import hudson.cli.UpdateJobCommand;
import hudson.model.Hudson;
import hudson.model.Job;
import hudson.security.ACL;
import jenkins.model.Jenkins;
import static hudson.cli.CLICommandInvoker.Matcher.failedWith;
import static hudson.cli.CLICommandInvoker.Matcher.succeeded;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not;
import static org.junit.jupiter.api.Assertions.*;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.jvnet.hudson.test.Issue;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
import org.jvnet.hudson.test.recipes.LocalData;
@WithJenkins
class BasicSSHUserPrivateKeyTest {

    /** Id of the credential that the {@code @LocalData} fixture for {@link #readOldCredentials()} contains. */
    private static final String TESTKEY_ID = "bc07f814-78bd-4b29-93d4-d25b93285f93";
    /** Leading bytes of the fixture key: PEM header plus the first base64 line. */
    private static final String TESTKEY_BEGIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAu1r+HHzmpybc4iwoP5+44FjvcaMkNEWeGQZlmPwLx70XW8+8";
    /** Trailing bytes of the fixture key: last base64 line, PEM footer and the terminating newline. */
    private static final String TESTKEY_END = "sroT/IHW2jKMD0v8kKLUnKCZYzlw0By7+RvJ8lgzHB0D71f6EC1UWg==\n-----END RSA PRIVATE KEY-----\n";

    private JenkinsRule r;

    @BeforeEach
    void setUp(JenkinsRule rule) {
        r = rule;
    }

    /**
     * A credential persisted by an older plugin version must still deserialize, and its key
     * material must come back unchanged. Only the head and tail of the PEM blob are compared so
     * the test source does not have to carry the whole fixture key.
     */
    @LocalData
    @Test
    void readOldCredentials() {
        List<SSHUserPrivateKey> candidates = CredentialsProvider.lookupCredentials(
                SSHUserPrivateKey.class, Jenkins.get(), ACL.SYSTEM, (List<DomainRequirement>) null);
        SSHUserPrivateKey credential =
                CredentialsMatchers.firstOrNull(candidates, CredentialsMatchers.withId(TESTKEY_ID));
        assertNotNull(credential);

        List<String> keys = credential.getPrivateKeys();
        assertNotNull(keys);
        assertEquals(1, keys.size());

        String pem = keys.get(0);
        assertNotNull(pem);
        assertTrue(pem.startsWith(TESTKEY_BEGIN));
        assertTrue(pem.endsWith(TESTKEY_END));
    }

    /** A key pasted directly without a trailing newline gets one appended before it is handed out. */
    @Test
    void ensureDirectEntryHasTrailingNewline() {
        BasicSSHUserPrivateKey.DirectEntryPrivateKeySource source =
                new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource("test");
        assertEquals("test\n", source.getPrivateKey().getPlainText());
    }

    // TODO demonstrate that all private key sources are round-tripped in XStream

    /**
     * SECURITY-440: a config.xml naming {@code FileOnMasterPrivateKeySource} (by its name, a key
     * loaded from a path on the controller) must not be accepted through {@code update-job} from a
     * user who only holds Job/Configure. Overall/Administer may submit it, and even then the
     * persisted config ends up without that source. The method name still says RUN_SCRIPTS; the
     * permission the test actually grants is {@link Jenkins#ADMINISTER}.
     */
    @Test
    @LocalData
    @Issue("SECURITY-440")
    void userWithoutRunScripts_cannotMigrateDangerousPrivateKeySource() throws Exception {
        Folder folder = r.jenkins.createProject(Folder.class, "folder1");
        // The XML pushed through the CLI; presumably shipped by the @LocalData fixture under JENKINS_HOME.
        FilePath updateXml = r.jenkins.getRootPath().child("update_folder.xml");

        // Phase 1: Job/Configure without Overall/Administer is rejected outright ...
        CLICommandInvoker.Result denied = updateFolderFrom(updateXml,
                new CLICommandInvoker(r, new UpdateJobCommand()).authorizedTo(Jenkins.READ, Job.READ, Job.CONFIGURE));
        assertThat(denied.stderr(), containsString("user is missing the Overall/Administer permission"));
        assertThat(denied, failedWith(1));
        // ... and nothing of the rejected submission may have reached the stored config.
        String untouched = configXmlOf(folder);
        assertThat(untouched, not(containsString("FileOnMasterPrivateKeySource")));
        assertThat(untouched, not(containsString("BasicSSHUserPrivateKey")));

        // Phase 2: Overall/Administer may submit the same XML; the credential is stored, but the
        // file-on-controller source does not survive in the persisted config.
        CLICommandInvoker.Result allowed = updateFolderFrom(updateXml,
                new CLICommandInvoker(r, new UpdateJobCommand()).authorizedTo(Jenkins.ADMINISTER));
        assertThat(allowed, succeeded());
        String migrated = configXmlOf(folder);
        assertThat(migrated, containsString("BasicSSHUserPrivateKey"));
        assertThat(migrated, not(containsString("FileOnMasterPrivateKeySource")));
    }

    /** Feeds {@code xml} on stdin to an already authorized {@code update-job} invoker, targeting {@code folder1}. */
    private static CLICommandInvoker.Result updateFolderFrom(FilePath xml, CLICommandInvoker invoker) throws Exception {
        return invoker.withStdin(xml.read()).invokeWithArgs("folder1");
    }

    /** Current on-disk config.xml of {@code folder}, as text. */
    private static String configXmlOf(Folder folder) throws Exception {
        return folder.getConfigFile().asString();
    }
}