Doesn't work after upgrade to Jenkins 2.150.2 #54

Closed
wschomburg opened this issue Jan 17, 2019 · 24 comments
@wschomburg

After upgrading Jenkins from 2.150.1 to 2.150.2 (see the security advisory https://jenkins.io/security/advisory/2019-01-16/), it's not possible to log in to Jenkins anymore.

  1. Jenkins 2.150.1 is running with OpenID Connect Plugin 1.4 and connected to our Keycloak server
  2. Login redirects the users to the Keycloak login page and after authentication the users are redirected to Jenkins and authenticated in Jenkins with the correct user.
  3. Upgrade Jenkins to version 2.150.2
  4. Login redirects to the Keycloak login page and after authentication the users are redirected to Jenkins and again redirected to Keycloak. This loop will never end.
  5. Downgrade Jenkins to version 2.150.1 recovers the old behavior from 2.
@SIkebe

SIkebe commented Jan 17, 2019

Same here.

Windows Server 2012R2
IdentityServer4

@Xyaren

Xyaren commented Jan 17, 2019

And here with the official Jenkins docker image.

@jbiel

jbiel commented Jan 17, 2019

The latest weekly release (2.160) is broken too.

@mjmbischoff
Contributor

I'm able to reproduce as well, seems to silently fail. I'll look into it.

@mjmbischoff
Contributor

mjmbischoff commented Jan 18, 2019

So the good news is that you're still logged in and the code in the plugin works as expected.
The bad news is that Jenkins immediately invalidates the session due to the logic here:
https://github.com/jenkinsci/jenkins/blob/8c490d14c4ffe6162f6e97d25a66612330fe2ace/core/src/main/java/hudson/security/HttpSessionContextIntegrationFilter2.java#L82

which indeed was introduced due to SECURITY-901: jenkinsci/jenkins@8c490d1

So many thanks for pointing out the advisory @wschomburg because I would have been looking a long time for this.

WORKAROUND:
Setting the jenkins.security.seed.UserSeedProperty.disableUserSeed system property, as indicated here:
https://github.com/jenkinsci/jenkins/blob/2a268f7c71ad4ccef0af3ccc5b67b3768ee01d76/core/src/main/java/jenkins/security/seed/UserSeedProperty.java#L64, should make it work for now.

Working on an actual fix.

mjmbischoff added a commit to mjmbischoff/oic-auth-plugin that referenced this issue Jan 18, 2019
rely on new code introduced in 2.150.2 we now also depend on >2.150.2 As
this is related to security it might not be a bad thing, protecting
others from themselves.

The actual fix is setting the session attribute related to the
UserSeed.
@mjmbischoff
Contributor

Will pick it up in the next release; there were some pending things on it. I already have a fix for some things I spotted. Hopefully I can resolve them soon, else I might opt to revert the other changes to get this out fast.

@bcmedeiros

bcmedeiros commented Jan 18, 2019

That's also happening to other plugins:
https://issues.jenkins-ci.org/browse/JENKINS-55668
https://issues.jenkins-ci.org/browse/JENKINS-55669 (reported by me after switching to this plugin and realising the bug happens on both)

Maybe this fix will require a more broad redesign.

@hypery2k

hypery2k commented Jan 18, 2019

In case anyone runs into this issue, the best way to set the variable is to add it to /etc/default/jenkins:

...
JAVA_ARGS="...   -Djenkins.security.seed.UserSeedProperty.disableUserSeed=true"

@daniel-beck
Member

> Maybe this fix will require a more broad redesign.

Security realms need to invoke SecurityListener#authenticated or SecurityListener#loggedIn. Those that don't will encounter this problem.

@Wadeck
Contributor

Wadeck commented Jan 18, 2019

FYI I am working on a fix for this plugin.

Could you test with the following PR: #56 ?

@mjmbischoff
Contributor

@daniel-beck that ties into #22 , @Wadeck are those all the events that need to be triggered?

@Wadeck
Contributor

Wadeck commented Jan 18, 2019

@mjmbischoff for the moment only the authenticated is "mandatory" for the last security release.
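
The point made by @daniel-beck and @Wadeck above, as an added example that is not the plugin's own code: a minimal post-login sequence for a Jenkins SecurityRealm that authenticates via an external IdP callback. The class, `finishLogin` and `sessionHasSeed` are hypothetical; `SecurityListener.fireAuthenticated`, `UserSeedProperty.DISABLE_USER_SEED` and `UserSeedProperty.USER_SESSION_SEED` are Jenkins core APIs as of 2.150.2, and the Acegi types are the ones Jenkins bundled at that time.

```java
// Added example (not the oic-auth-plugin's code). Shows the call a security
// realm must make after an external login so the SECURITY-901 user-seed check
// in HttpSessionContextIntegrationFilter2 accepts the session instead of
// silently invalidating it and bouncing the user back to the IdP.
import hudson.security.SecurityRealm;
import jenkins.security.SecurityListener;
import jenkins.security.seed.UserSeedProperty;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.kohsuke.stapler.StaplerRequest;

import javax.servlet.http.HttpSession;

public abstract class ExampleIdpRealm extends SecurityRealm {

    /** Hypothetical: called from the IdP callback once the token was validated. */
    protected void finishLogin(StaplerRequest request, String userName) {
        GrantedAuthority[] authorities = { SecurityRealm.AUTHENTICATED_AUTHORITY };
        UserDetails details = new User(userName, "", true, true, true, true, authorities);
        Authentication auth = new UsernamePasswordAuthenticationToken(details, "", authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);

        // This is the step plugin 1.4 was missing. Jenkins core registers a
        // SecurityListener that copies the user's seed into the HTTP session on
        // this event; without it the seed is absent, the filter invalidates the
        // session on the next request, and the login loop described above begins.
        SecurityListener.fireAuthenticated(details);
    }

    /** Hypothetical diagnostic: does this session carry the seed the filter expects? */
    static boolean sessionHasSeed(HttpSession session) {
        // With the disableUserSeed workaround active the check is skipped entirely.
        return UserSeedProperty.DISABLE_USER_SEED
                || session.getAttribute(UserSeedProperty.USER_SESSION_SEED) != null;
    }
}
```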

@mildis

mildis commented Jan 18, 2019

Setting -Djenkins.security.seed.DISABLE_USER_SEED=true does not work here : still get login loop.
Also tried the artifact from build 2 of PR #56 but all I got was an NPE

Caused by: java.lang.NullPointerException
	at org.jenkinsci.plugins.oic.OicSecurityRealm.lookup(OicSecurityRealm.java:680)
	at org.jenkinsci.plugins.oic.OicSecurityRealm.getField(OicSecurityRealm.java:658)
	at org.jenkinsci.plugins.oic.OicSecurityRealm.getField(OicSecurityRealm.java:546)
	at org.jenkinsci.plugins.oic.OicSecurityRealm.loginAndSetUserData(OicSecurityRealm.java:490)
	at org.jenkinsci.plugins.oic.OicSecurityRealm.access$700(OicSecurityRealm.java:87)
	at org.jenkinsci.plugins.oic.OicSecurityRealm$3.onSuccess(OicSecurityRealm.java:391)
	at org.jenkinsci.plugins.oic.OicSession.doFinishLogin(OicSession.java:110)
	at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:618)
	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
	... 87 more

@hypery2k

try -Djenkins.security.seed.UserSeedProperty.disableUserSeed=true

@mildis

mildis commented Jan 18, 2019

@hypery2k Working 👍 (I see you've updated your former post, that's good)

@mjmbischoff mjmbischoff added this to the 1.5 milestone Jan 20, 2019
@mjmbischoff
Contributor

1.5 has been released, so the workaround shouldn't be necessary anymore. Can anyone reporting this issue confirm that the problem no longer persists after upgrading so I can close this?

@SIkebe

SIkebe commented Jan 21, 2019

I verified that this issue is resolved. Thanks!

@mjmbischoff
Contributor

ok, great. thanks!

@wschomburg
Author

New version works, great work. Thank you.

@slayer201

@mjmbischoff The 1.5 version you mentioned, is it for LTS? As I can see only 2.150.2 on the website https://jenkins.io/changelog-stable/ as the latest one.

@mjmbischoff
Contributor

1.5 is the version of the plugin that fixes issues with the 2.150.2 jenkins LTS release. So yes you can pick up jenkins 2.150.2 (current latest LTS) and then add the openid connect plugin version 1.5 to it and it should all work.

@slayer201

@mjmbischoff Thanks a lot for the reply. But in my case we don't use OpenID Connect authentication. Only normal security from Jenkins was enabled before 2.150.2. But soon after upgrading to 2.150.2 the login attempts are failing for all the users. I, being the administrator, can't log in as well. Thereby I had to turn off the security for the time being to allow members to log in. Is this related to the same?

@mjmbischoff
Contributor

@slayer201 Ah, euh.. yeah while this is the issue tracker for the plugin I focused on this :-)

2.150.2 introduced changes around the handling of security, see
https://jenkins.io/security/advisory/2019-01-16/
https://issues.jenkins-ci.org/browse/JENKINS-55697?jql=labels%20%3D%20security-901

If your setup doesn't match any of the issues under the 'security-901' label then I suggest creating a new issue highlighting your setup. Feel free to @ me (https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=mbischoff) and, given time, I'll try to have a quick look.

@jineshsubedi

My tests fail with 1 error but no error message is displayed. :( What is the problem in Jenkins? Locally all of my tests complete successfully.
