-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rework configuration of the plugin #399
Conversation
ae8f74a
to
276c6b8
Compare
<f:radioBlock title="${%Basic}" name="tokenAuthMethod" | ||
checked="${instance.tokenAuthMethod == 'client_secret_basic'}" value="client_secret_basic" inline="true" help="${null}"/> | ||
<f:radioBlock title="${%Post}" name="tokenAuthMethod" | ||
checked="${instance.tokenAuthMethod == null || instance.tokenAuthMethod == 'client_secret_post'}" value="client_secret_post" inline="true" help="${null}"/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the previous did not have help=${null}
but it was added here as they did (prior to the change and with this change before help=${null]
) actually render with a help button, but the help was unrelated to the option.
0a585d0
to
c2ef3e6
Compare
<f:radioBlock title="${%Basic}" name="tokenAuthMethod" | ||
checked="${instance.tokenAuthMethod == 'client_secret_basic'}" value="client_secret_basic" inline="true" help="${null}"/> | ||
<f:radioBlock title="${%Post}" name="tokenAuthMethod" | ||
checked="${instance.tokenAuthMethod == null || instance.tokenAuthMethod == 'client_secret_post'}" value="client_secret_post" inline="true" help="${null}"/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
set the default here for new installs with the == null
check (slightly fewer clicks for the defaults)
@@ -0,0 +1,4 @@ | |||
<div> | |||
Recommended. json webtoken key signature url of the openid connect provider |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
original had Recommended. jswon webtoken
which is fixed here and causing this not to show as a rename
src/main/resources/org/jenkinsci/plugins/oic/OicServerManualConfiguration/config.properties
Outdated
Show resolved
Hide resolved
c2ef3e6
to
e1676c1
Compare
src/main/java/org/jenkinsci/plugins/oic/OicServerManualConfiguration.java
Dismissed
Show dismissed
Hide dismissed
4cdb879
to
9799c0b
Compare
pom.xml
Outdated
@@ -49,6 +49,7 @@ | |||
<spotless.check.skip>false</spotless.check.skip> | |||
<spotbugs.effort>Max</spotbugs.effort> | |||
<configuration-as-code.version>1836.vccda_4a_122a_a_e</configuration-as-code.version> | |||
<hpi.compatibleSinceVersion>4.431</hpi.compatibleSinceVersion> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
config is migrated, but the Jenkins config-as-code format is no longer compatable, so noting so users get a warning before updating.
Will need updating if anything gets merged before this
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #399 +/- ##
============================================
+ Coverage 72.47% 76.03% +3.55%
- Complexity 244 259 +15
============================================
Files 12 15 +3
Lines 1021 1043 +22
Branches 148 149 +1
============================================
+ Hits 740 793 +53
+ Misses 201 174 -27
+ Partials 80 76 -4 ☔ View full report in Codecov by Sentry. |
9799c0b
to
7430677
Compare
Boolean useRefreshTokens) | ||
Secret clientSecret, | ||
OicServerConfiguration serverConfiguration, | ||
Boolean disableSslVerification) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for a future refactoring, given this is a Boolean
it is obvious that this should not be a required field and moved to a @DataboundSetter
try { | ||
Field field = getClass().getDeclaredField("endSessionEndpoint"); | ||
field.setAccessible(true); | ||
field.set(this, endSessionUrl + "/"); | ||
} catch (IllegalArgumentException | IllegalAccessException | NoSuchFieldException | SecurityException e) { | ||
LOGGER.log(Level.SEVERE, "Can't set endSessionEndpoint from old value", e); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I could see no need for reflection here - the field is available so we can just use it directly.
} | ||
} | ||
} catch (FormException e) { | ||
// FormException does not override toString() so looses info on the fields set and the message may not have |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -421,28 +458,9 @@ public Secret getClientSecret() { | |||
return clientSecret == null ? Secret.fromString(NO_SECRET) : clientSecret; | |||
} | |||
|
|||
public String getWellKnownOpenIDConfigurationUrl() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are no reported OSS plugins or known private plugins that depend on this plugin, so the only backwards compatibility we need to worry about is the config.xml migration
OicSecurityRealm.UsingDefaultScopes = Using ''openid email''. | ||
OicSecurityRealm.RUSureOpenIdNotInScope = Are you sure you don''t want to include ''openid'' as an scope? | ||
OicSecurityRealm.RUSureOpenIdNotInScope = Are you sure you don''t want to include ''openid'' as a scope? | ||
OicSecurityRealm.ScopesRequired = Scopes is required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sounds like bad English, but "scopes" is the field, not a plural of "scope" so the field is singular.
Probably should be reworded so that it has something other than just "the field is required"
7430677
to
b1e87c0
Compare
@@ -3,19 +3,21 @@ OicLogoutAction.OicLogout = Oic Logout | |||
OicSecurityRealm.DisplayName = Login with Openid Connect | |||
OicSecurityRealm.ClientIdRequired = Client id is required. | |||
OicSecurityRealm.ClientSecretRequired = Client secret is required. | |||
OicSecurityRealm.URLNotAOpenIdEnpoint = URL does seem to describe OpenID Connect endpoints | |||
OicSecurityRealm.URLNotAOpenIdEnpoint = URL does not seem to describe OpenID Connect endpoints |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unrelated, but noticed this was wrong when moving the tests.
OicSecurityRealm.NotAValidURL = Not a valid url. | ||
OicSecurityRealm.CouldNotRetreiveWellKnownConfig = Could not retrieve well-known config {0,number,integer} {1} | ||
OicSecurityRealm.CouldNotParseResponse = Could not parse response | ||
OicSecurityRealm.ErrorRetreivingWellKnownConfig = Error when retrieving well-known config | ||
OicSecurityRealm.TokenServerURLKeyRequired = Token Server Url Key is required. | ||
OicSecurityRealm.TokenAuthMethodRequired = Token auth method is required. | ||
OicSecurityRealm.UsingDefaultUsername = Using ''sub''. | ||
OicSecurityRealm.UsingDefaultScopes = Using ''openid email''. | ||
OicSecurityRealm.RUSureOpenIdNotInScope = Are you sure you don''t want to include ''openid'' as an scope? | ||
OicSecurityRealm.RUSureOpenIdNotInScope = Are you sure you don''t want to include ''openid'' as a scope? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unrelated, but noticed this when moving the tests.
b1e87c0
to
6cbd0c6
Compare
new OicServerWellKnownConfiguration(wellKnownOpenIDConfigurationUrl); | ||
conf.setScopesOverride(this.overrideScopes); | ||
serverConfiguration = conf; | ||
} else { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
consider making this else
into an explicit if
to protect against future changes? if the expected values of automanualconfigure
ever change and this is not updated then you would get the default case even when you don't want it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The field is dead from this version onward so there would be no issues with it changing in future.
Just here for the readRosolve
and is transient so it's either "auto"``"manual"
or null
The server configuration (token URLs, scopes etc) are now in separate describable. This makes the UX cleaner, and the code cleaner in the realm. The config.xml is backwards compatable with previous versions, but the casc format is not. when in discovery mode via well known endpoint the override scopes are now used explicitly rather than using the overlapping scopes from the overrides and those provided by the server
6cbd0c6
to
3e8cbca
Compare
private transient LocalDateTime wellKnownExpires = null; | ||
|
||
@DataBoundConstructor | ||
public OicServerWellKnownConfiguration(String wellKnownOpenIDConfigurationUrl) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JCasC wise you would normally drop the class prefix so this field would be called openIDConfigurationUrl
as its already in a well known configuration class the well known bit is implied
That way you don't get the double wellKnown in the yaml:
securityRealm:
oic:
serverConfiguration:
wellKnown:
openIDConfigurationUrl: [https://idp.example.com:/someRealm/.well-known/openid-configuration](https://idp.example.com/someRealm/.well-known/openid-configuration)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a way to do this with an annotation so that the config.xml format stays the same or is the only choice now to fix this to use a custom piece of code(at which point I think it may be better to live with it)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Symbol
only works on types (enum, class, interfaces) not on fields or methods, so I will bear this in mind for any future work, but am not planning on adding another data migration at this time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure readResolve
would be the normal approach, there's no alias via annotation.
The server configuration (token URLs, scopes etc) are now in separate describable, flags to contol setting of options is removed and is based on the actual option/type
This makes the UX marginally cleaner, but helps the backend code to not need flags to know if something is set.
The configuration format is backwards compatible with previous versions, but the casc format is not.
configuration of the provider side has been moved into a
serverConfiguration
section and split to 2 different typeswellKnown
for configuration via a auto discovery andmanual
for manual configuration.e.g.
for manual configuration:
and for auto configuration:
Screen Shots
Before
After
Testing done
config.xml
mvn verify
locallySubmitter checklist