Merge pull request #2340 from kunalmemane/JKNS-859-fix-jbcrypt-with-spring-security-rhel9

JKNS-859: Replace jbcrypt with Spring Security BCryptPasswordEncoder

Author: openshift-merge-bot[bot]

2/contrib/jenkins/jenkins-common.sh

@@ -9,26 +9,51 @@ export AUTH_TOKEN=${KUBE_SA_DIR}/token
 export JENKINS_PASSWORD KUBERNETES_SERVICE_HOST KUBERNETES_SERVICE_PORT
 export ITEM_ROOTDIR="\${ITEM_ROOTDIR}" # Preserve this variable Jenkins has in config.xml
 
-# Takes a password and an optional salt value, outputs the hashed password.
+# Jenkins LTS 2.516.1 removed the jbcrypt library from the WAR.
+# Password hashing now uses Spring Security's BCryptPasswordEncoder instead.
+#
+# The Java source for the password utilities lives in jenkins-bcrypt-util/.
+# At container startup, build_password_encoder_jar compiles these sources
+# into password-encoder.jar using spring-security-crypto from the WAR.
+#
+# At runtime, the WAR lib directory is added to the classpath because
+# BCryptPasswordEncoder also needs jcl-over-slf4j and slf4j-api for logging.
+#
+# ref: https://www.jenkins.io/changelog/2.516.1/
+#      https://www.jenkins.io/changelog/2.509/
+
+PASSWORD_ENCODER_SRC="/opt/openshift/jenkins-bcrypt-util"
+PASSWORD_ENCODER_JAR="/opt/openshift/password-encoder.jar"
+
+function build_password_encoder_jar {
+    if [ -f "${PASSWORD_ENCODER_JAR}" ]; then
+        return 0
+    fi
+    local spring_security_crypto=$(find /tmp/war/WEB-INF/lib ${JENKINS_HOME}/war/WEB-INF/lib -name "spring-security-crypto-*.jar" 2>/dev/null | head -1)
+    javac -classpath "${spring_security_crypto}" \
+        -d "${PASSWORD_ENCODER_SRC}" \
+        "${PASSWORD_ENCODER_SRC}/com/redhat/openshift/PasswordEncoder.java" \
+        "${PASSWORD_ENCODER_SRC}/com/redhat/openshift/PasswordChecker.java"
+    jar cf "${PASSWORD_ENCODER_JAR}" -C "${PASSWORD_ENCODER_SRC}" com
+}
+
+# Takes a password, outputs the hashed password.
 function obfuscate_password {
     local password="$1"
-    local salt="$2"
-    #local acegi_security_path=`find /tmp/war/WEB-INF/lib/ -name acegi-security-*.jar`
-    #local commons_codec_path=`find /tmp/war/WEB-INF/lib/ -name commons-codec-*.jar`
-    local jbcrypt_path=`find /tmp/war/WEB-INF/lib ${JENKINS_HOME}/war/WEB-INF/lib/ -name jbcrypt-*.jar 2> /dev/null | head -1`
-    # source for password-encoder.jar is inside the jar.
-    # acegi-security-1.0.7.jar is inside the jenkins war.
-#    java -classpath "${acegi_security_path}:${commons_codec_path}:/opt/openshift/password-encoder.jar" com.redhat.openshift.PasswordEncoder $password $salt
-     java -classpath "${jbcrypt_path}:/opt/openshift/password-encoder.jar" com.redhat.openshift.PasswordEncoder $password $salt
+    local war_lib=$(find /tmp/war/WEB-INF/lib ${JENKINS_HOME}/war/WEB-INF/lib -maxdepth 0 -type d 2>/dev/null | head -1)
+    
+    build_password_encoder_jar
+    
+    java -classpath "${war_lib}/*:${PASSWORD_ENCODER_JAR}" com.redhat.openshift.PasswordEncoder "$password"
 }
 
 # Returns 0 if password matches 1 otherwise
 function has_password_changed {
     local password="$1"
     local password_hash="$2"
-    local jbcrypt_path=`find /tmp/war/WEB-INF/lib ${JENKINS_HOME}/war/WEB-INF/lib/ -name jbcrypt-*.jar 2> /dev/null | head -1`
-    # source for password-encoder.jar is inside the jar.
-     java -classpath "${jbcrypt_path}:/opt/openshift/password-encoder.jar" com.redhat.openshift.PasswordChecker $password $password_hash
+    local war_lib=$(find /tmp/war/WEB-INF/lib ${JENKINS_HOME}/war/WEB-INF/lib -maxdepth 0 -type d 2>/dev/null | head -1)
+    
+    build_password_encoder_jar
+    
+    java -classpath "${war_lib}/*:${PASSWORD_ENCODER_JAR}" com.redhat.openshift.PasswordChecker "$password" "$password_hash"
 }
-
-

2/contrib/openshift/jenkins-bcrypt-util/com/redhat/openshift/PasswordChecker.java

@@ -0,0 +1,24 @@
+package com.redhat.openshift;
+
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+
+/**
+ * Checks bcrypt password against a raw password 
+ * using Spring Security's BCryptPasswordEncoder.
+ *
+ * @author kunalmemane
+ */
+
+public class PasswordChecker {
+	public static void main(String[] args) {
+		String rawPassword = args[0];
+		String encodedPassword = args[1];
+
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+		if (!encoder.matches(rawPassword, encodedPassword)) {
+			System.out.println("Detected password environment variable change, Jenkins configuration must be updated...");
+			System.exit(1);
+		}
+		System.exit(0);
+	}
+}

2/contrib/openshift/jenkins-bcrypt-util/com/redhat/openshift/PasswordEncoder.java

@@ -0,0 +1,28 @@
+package com.redhat.openshift;
+
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+
+/**
+ * Encodes a password using Spring Security's BCryptPasswordEncoder.
+ *
+ * Previously used org.mindrot.jbcrypt.BCrypt, but Jenkins 2.509+ and LTS 2.516.1 removed
+ * the jbcrypt library from the WAR and now uses Spring Security's BCryptPasswordEncoder
+ * implementation internally.
+ *
+ * The output format ($2a$10$...) is identical and backward-compatible
+ * with hashes produced by the old jbcrypt library.
+ *
+ * ref: https://www.jenkins.io/changelog/2.509/
+ *      https://www.jenkins.io/changelog/2.516.1/
+ *
+ * @author kunalmemane
+ */
+
+public class PasswordEncoder {
+	public static void main(String[] args) {
+		String password = args[0];
+		BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
+		String encodedPassword = encoder.encode(password);
+		System.out.println(encodedPassword);
+	}
+}