Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

Make the token used to authenticate the Jenkins plugin hook trigger usable only once

Download Browse

No functional changes expected, the token is opaque for the Jenkins Tuleap plugin. The way it is generated and managed on the Tuleap side does not affect it. The initial implementation made in 68785d2042ff30474bc336c14d682d362adaccc6 was using authenticated encryption to make sure the provided token was valid. It was made this way to avoid creating a new DB table to make backporting the fix accross multiple Tuleap versions seamless. This contribution replaces this initial approach for the same approach used in other places in the Tuleap codebase. This comes with the following advantages: * less cryptography (we only use hashing to store the token securely in the DB) * the token can be used only once Closes request #28257: Missing authentication of webhook requests made to the Jenkins Branch Source plugin Change-Id: I5776c25428615859b0ef4e0e32d2476339422029

+488 −170
Thomas Gerbet (tgerbet) 2022-09-16 11:35
Thomas Gerbet (tgerbet) 2022-09-16 11:44
5ab1899b7de67e8735dfca87b614025ffee27941
ca214f1d6da839bfcc6ca82b2c8da4fbaa154f54
git #tuleap/stable/5ab1899b7de67e8735dfca87b614025ffee27941

Modified Files

Side by side diff
Inline diff
Name
M plugins/hudson_git/db/install.sql +6 −0 Go to diff View file
A plugins/hudson_git/db/mysql/updates/2022/202209160945_create_table_trigger_hook_token.php +41 −0 Go to diff View file
M plugins/hudson_git/db/uninstall.sql +1 −0 Go to diff View file
R plugins/hudson_git/include/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenGeneratorCryptoBased.php Go to diff View file
A plugins/hudson_git/include/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenDAO.php +63 −0 Go to diff View file
A plugins/hudson_git/include/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenGeneratorDBStore.php +57 −0 Go to diff View file
D plugins/hudson_git/include/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenVerifierCryptoBased.php +0 −65 Go to diff View file
A plugins/hudson_git/include/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenVerifierDBStore.php +72 −0 Go to diff View file
M plugins/hudson_git/include/hudson_gitPlugin.php +17 −4 Go to diff View file
A plugins/hudson_git/tests/integration/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenDAOTest.php +68 −0 Go to diff View file
R plugins/hudson_git/tests/unit/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenGeneratorCryptoBasedTest.php Go to diff View file
A plugins/hudson_git/tests/unit/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenGeneratorDBStoreTest.php +50 −0 Go to diff View file
D plugins/hudson_git/tests/unit/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenVerifierCryptoBasedTest.php +0 −100 Go to diff View file
A plugins/hudson_git/tests/unit/HudsonGit/Hook/JenkinsTuleapBranchSourcePluginHook/JenkinsTuleapPluginHookTokenVerifierDBStoreTest.php +111 −0 Go to diff View file
M tests/integration/bin/setup.sh +2 −1 Go to diff View file