Improve authentication mechanisms #50

Merged
merged 8 commits into from
Oct 31, 2019

Conversation

nre-ableton
Contributor

This somewhat-large PR (sorry! 😊) does the following:

  • Adds support for API tokens as an authentication mechanism
  • Supports the new web session ID cookies required for crumb-based authentication as of Jenkins 2.190.1 (see https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626)
  • Adds a new jenkins_auth variable to determine which authentication mechanism to use
    • Also adds a new none authentication type (for jenkins_auth) which won't bother with API tokens or crumbs, if requested
  • Adds a new section about authentication and security in the README
  • Adds a new molecule scenario test for API token-based authentication, which also lays the groundwork for testing other things like this

Fixes #47, ping @emmetog
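As an added illustration (not code from this PR or from the role itself), a constructed Python model of the two authenticated paths the PR wires up: a crumb that Jenkins ties to the web session cookie returned by the crumb request, versus HTTP basic auth with an API token, which needs no crumb. The server secret, user, token and the plain `JSESSIONID` cookie name are all constructed placeholders for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-ins: Jenkins' crumb salt and one user -> API token mapping.
SERVER_SECRET = secrets.token_bytes(32)
API_TOKENS = {"deploy": "11aabbccddeeff0011223344556677889a"}


def issue_crumb(session_id: str) -> str:
    """Model of GET /crumbIssuer/api/json: the crumb is derived from the
    session the caller holds, so it is only valid for that session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def server_accepts(headers: dict, cookies: dict) -> bool:
    """Model of the POST-side check. API-token basic auth skips the crumb
    check entirely; otherwise the crumb must match the session cookie it
    was issued for (the behaviour introduced with SECURITY-626)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, token = base64.b64decode(auth[6:]).decode().partition(":")
        return hmac.compare_digest(API_TOKENS.get(user, ""), token)
    session_id = cookies.get("JSESSIONID")
    crumb = headers.get("Jenkins-Crumb")
    if not session_id or not crumb:
        return False
    return hmac.compare_digest(issue_crumb(session_id), crumb)


def post_with_crumb(keep_session_cookie: bool) -> bool:
    """Client side of jenkins_auth=crumb: fetch a crumb, then POST with it.
    Dropping the cookie set by the crumb request is exactly what broke
    older crumb-only clients on Jenkins >= 2.176.2."""
    session_id = secrets.token_hex(16)  # cookie value set by the crumb request
    crumb = issue_crumb(session_id)
    cookies = {"JSESSIONID": session_id} if keep_session_cookie else {}
    return server_accepts({"Jenkins-Crumb": crumb}, cookies)


def post_with_api_token(user: str, token: str) -> bool:
    """Client side of jenkins_auth=api_token: basic auth, no crumb needed."""
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    return server_accepts({"Authorization": "Basic " + cred}, {})
```

The `none` mode from the PR corresponds to sending neither header nor cookie, which this model rejects just as a Jenkins with CSRF protection enabled would.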

This is necessary because certain files, such as user config.xml
files, may contain API tokens which are needed for authenticated
plugin installation. Therefore these files must be in place before
attempting to start up Jenkins for the first time.

Since the custom plugins need to be installed by Jenkins when it
starts up, this minor optimization saves a bit of time during plugin
installation.

This change is the first step in flexibly supporting multiple
authentication types to use when deploying Jenkins. In a future
commit, support for API tokens will be added.

This change also renames jenkins_token to jenkins_crumb_token, in
order to be more explicit about the token type.

As of Jenkins 2.176.2, Jenkins' CSRF issuer requires a corresponding
web session ID to be submitted along with the crumb. For more info,
see:

https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626

This is hopefully the second of many additional non-sanity tests that
will be added to ensure that different behaviors of this role are
working properly.

This could probably be expanded in the future for other states that we
need to verify before beginning a deployment.

@emmetog emmetog merged commit a07b590 into emmetog:master Oct 31, 2019
Owner

emmetog commented Oct 31, 2019

Thanks for the PR @nre-ableton !

@nre-ableton nre-ableton deleted the nre/master/api_tokens branch November 1, 2019 09:07
emmetog pushed a commit that referenced this pull request Nov 6, 2019
After #48 was merged, it caused a merge conflict in #50. The conflict was
resolved, but unfortunately, we should have also added the
validate_certs attribute to the new tasks added by that second PR.
This commit fixes that.