Permalink
Please
sign in to comment.
Browse files
[JENKINS-47372] Add a new Administrative monitor for CSRF-protection (#…
…3072) * [JENKINS-47372] add administrative monitor when there is no CSRF issuer configured * - add line breaks * - add license header - put link in the properties instead of the previous mix - remove @author - simplify isActivated body * - correct line breaks
- Loading branch information...
1 parent
62c4408
commit 02b8e7f3563ac5c758e5829949533ff47bc81e65
Showing
with
143 additions
and 0 deletions.
- +51 −0 core/src/main/java/jenkins/security/csrf/CSRFAdministrativeMonitor.java
- +29 −0 core/src/main/resources/jenkins/security/csrf/CSRFAdministrativeMonitor/message.jelly
- +4 −0 core/src/main/resources/jenkins/security/csrf/CSRFAdministrativeMonitor/message.properties
- +1 −0 core/src/main/resources/jenkins/security/csrf/Messages.properties
- +58 −0 test/src/test/java/jenkins/security/csrf/CSRFAdministrativeMonitorTest.java
| @@ -0,0 +1,51 @@ | ||
| /* | ||
| * The MIT License | ||
| * | ||
| * Copyright (c) 2017, CloudBees, Inc. | ||
| * | ||
| * Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| * of this software and associated documentation files (the "Software"), to deal | ||
| * in the Software without restriction, including without limitation the rights | ||
| * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| * copies of the Software, and to permit persons to whom the Software is | ||
| * furnished to do so, subject to the following conditions: | ||
| * | ||
| * The above copyright notice and this permission notice shall be included in | ||
| * all copies or substantial portions of the Software. | ||
| * | ||
| * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | ||
| * THE SOFTWARE. | ||
| */ | ||
| package jenkins.security.csrf; | ||
|
|
||
| import hudson.Extension; | ||
| import hudson.model.AdministrativeMonitor; | ||
| import jenkins.model.Jenkins; | ||
| import org.jenkinsci.Symbol; | ||
| import org.kohsuke.accmod.Restricted; | ||
| import org.kohsuke.accmod.restrictions.NoExternalUse; | ||
|
|
||
| /** | ||
| * Monitor that the CSRF protection is enabled on the application. | ||
| * | ||
| * @since TODO | ||
| */ | ||
| @Extension | ||
| @Symbol("csrf") | ||
| @Restricted(NoExternalUse.class) | ||
| public class CSRFAdministrativeMonitor extends AdministrativeMonitor { | ||
| @Override | ||
| public String getDisplayName() { | ||
| return Messages.CSRFAdministrativeMonitor_displayName(); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean isActivated() { | ||
| return Jenkins.getInstance().getCrumbIssuer() == null; | ||
| } | ||
| } |
| @@ -0,0 +1,29 @@ | ||
| <!-- | ||
| The MIT License | ||
| Copyright (c) 2017, CloudBees, Inc. | ||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
| The above copyright notice and this permission notice shall be included in | ||
| all copies or substantial portions of the Software. | ||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | ||
| THE SOFTWARE. | ||
| --> | ||
| <?jelly escape-by-default='true'?> | ||
| <j:jelly xmlns:j="jelly:core"> | ||
| <div class="warning"> | ||
| ${%warningMessage(rootURL)} | ||
| </div> | ||
| </j:jelly> |
| @@ -0,0 +1,4 @@ | ||
| warningMessage=You have not configured the CSRF issuer. This could be a security issue. \ | ||
| For more information, please refer to <a href="https://jenkins.io/redirect/csrf-protection" target="_blank">this page</a>. \ | ||
| <br /> \ | ||
| You can change the current configuration using the Security section <a href="{0}/configureSecurity">CSRF Protection</a>. |
| @@ -0,0 +1 @@ | ||
| CSRFAdministrativeMonitor.displayName=CSRF Protection Monitor |
| @@ -0,0 +1,58 @@ | ||
| /* | ||
| * The MIT License | ||
| * | ||
| * Copyright (c) 2017, CloudBees, Inc. | ||
| * | ||
| * Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| * of this software and associated documentation files (the "Software"), to deal | ||
| * in the Software without restriction, including without limitation the rights | ||
| * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| * copies of the Software, and to permit persons to whom the Software is | ||
| * furnished to do so, subject to the following conditions: | ||
| * | ||
| * The above copyright notice and this permission notice shall be included in | ||
| * all copies or substantial portions of the Software. | ||
| * | ||
| * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | ||
| * THE SOFTWARE. | ||
| */ | ||
| package jenkins.security.csrf; | ||
|
|
||
| import hudson.model.AdministrativeMonitor; | ||
| import hudson.security.csrf.DefaultCrumbIssuer; | ||
| import org.junit.Rule; | ||
| import org.junit.Test; | ||
| import org.jvnet.hudson.test.Issue; | ||
| import org.jvnet.hudson.test.JenkinsRule; | ||
|
|
||
| import static org.junit.Assert.assertFalse; | ||
| import static org.junit.Assert.assertTrue; | ||
|
|
||
| public class CSRFAdministrativeMonitorTest { | ||
|
|
||
| @Rule | ||
| public JenkinsRule j = new JenkinsRule(); | ||
|
|
||
| @Test | ||
| @Issue("JENKINS-47372") | ||
| public void testWithoutIssuer() { | ||
| j.jenkins.setCrumbIssuer(null); | ||
|
|
||
| CSRFAdministrativeMonitor monitor = j.jenkins.getExtensionList(AdministrativeMonitor.class).get(CSRFAdministrativeMonitor.class); | ||
| assertTrue("Monitor must not be activated", monitor.isActivated()); | ||
| } | ||
|
|
||
| @Test | ||
| @Issue("JENKINS-47372") | ||
| public void testWithIssuer() { | ||
| j.jenkins.setCrumbIssuer(new DefaultCrumbIssuer(false)); | ||
|
|
||
| CSRFAdministrativeMonitor monitor = j.jenkins.getExtensionList(AdministrativeMonitor.class).get(CSRFAdministrativeMonitor.class); | ||
| assertFalse("Monitor must be activated", monitor.isActivated()); | ||
| } | ||
| } |
0 comments on commit
02b8e7f