jenkinsci · timja · Jun 22, 2022 · May 13, 2022 · May 19, 2022 · May 19, 2022
diff --git a/bom/pom.xml b/bom/pom.xml
@@ -256,11 +256,6 @@ THE SOFTWARE.
         <artifactId>remoting</artifactId>
         <version>${remoting.version}</version>
       </dependency>
-      <dependency>
-        <groupId>org.jenkins-ci.modules</groupId>
-        <artifactId>instance-identity</artifactId>
-        <version>2.2</version>
-      </dependency>
       <dependency>
         <groupId>org.jfree</groupId>
         <artifactId>jfreechart</artifactId>

diff --git a/core/src/main/java/hudson/slaves/JNLPLauncher.java b/core/src/main/java/hudson/slaves/JNLPLauncher.java
@@ -34,6 +34,7 @@
 import hudson.model.TaskListener;
 import hudson.util.FormValidation;
 import jenkins.model.Jenkins;
+import jenkins.model.identity.InstanceIdentityProvider;
 import jenkins.slaves.RemotingWorkDirSettings;
 import jenkins.util.SystemProperties;
 import jenkins.websocket.WebSockets;
@@ -251,6 +252,9 @@ public FormValidation doCheckWebSocket(@QueryParameter boolean webSocket, @Query
                 if (Jenkins.get().getTcpSlaveAgentListener() == null) {
                     return FormValidation.error("Either WebSocket mode is selected, or the TCP port for inbound agents must be enabled");
                 }
+                if (InstanceIdentityProvider.RSA.getCertificate() == null || InstanceIdentityProvider.RSA.getPrivateKey() == null) {
+                    return FormValidation.error("You must install the instance-identity plugin to use inbound agents in TCP mode");
+                }
             }
             return FormValidation.ok();
         }

diff --git a/core/src/main/java/jenkins/model/identity/IdentityRootAction.java b/core/src/main/java/jenkins/model/identity/IdentityRootAction.java
@@ -1,5 +1,7 @@
 package jenkins.model.identity;
 
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
 import hudson.model.UnprotectedRootAction;
 import java.nio.charset.StandardCharsets;
@@ -11,7 +13,7 @@
  * A simple root action that exposes the public key to users so that they do not need to search for the
  * {@code X-Instance-Identity} response header, also exposes the fingerprint of the public key so that people
  * can verify a fingerprint of a master before connecting to it.
- *
+ * <p>Do not use this class from plugins. Depend on {@code instance-identity} directly instead.
  * @since 2.16
  */
 @Extension
@@ -35,7 +37,9 @@ public String getUrlName() {
      * Returns the PEM encoded public key.
      *
      * @return the PEM encoded public key.
+     *         Null if the {@code instance-identity} plugin is not enabled.
      */
+    @CheckForNull
     public String getPublicKey() {
         RSAPublicKey key = InstanceIdentityProvider.RSA.getPublicKey();
         if (key == null) {
@@ -60,6 +64,7 @@ public String getPublicKey() {
      *
      * @return the fingerprint of the public key.
      */
+    @NonNull
     public String getFingerprint() {
         return KeyUtils.fingerprint(InstanceIdentityProvider.RSA.getPublicKey());
     }

diff --git a/core/src/main/java/jenkins/model/identity/InstanceIdentityProvider.java b/core/src/main/java/jenkins/model/identity/InstanceIdentityProvider.java
@@ -40,10 +40,13 @@
 import java.security.interfaces.RSAPublicKey;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * A source of instance identity.
- *
+ * <p>Should not be used from plugins, except to be implemented by {@code instance-identity}.
+ * Other plugins wishing to get the RSA key may depend on {@code instance-identity} directly.
  * @param <PUB>  the type of public key.
  * @param <PRIV> the type of private key.
  * @since 2.16
@@ -58,16 +61,23 @@ public abstract class InstanceIdentityProvider<PUB extends PublicKey, PRIV exten
     /**
      * RSA keys.
      */
+    @Restricted(NoExternalUse.class)
     public static final KeyTypes<RSAPublicKey, RSAPrivateKey> RSA =
             new KeyTypes<>(RSAPublicKey.class, RSAPrivateKey.class);
     /**
      * DSA keys.
+     * @deprecated unused
      */
+    @Restricted(NoExternalUse.class)
+    @Deprecated
     public static final KeyTypes<DSAPublicKey, DSAPrivateKey> DSA =
             new KeyTypes<>(DSAPublicKey.class, DSAPrivateKey.class);
     /**
      * EC keys
+     * @deprecated unused
      */
+    @Restricted(NoExternalUse.class)
+    @Deprecated
     public static final KeyTypes<ECPublicKey, ECPrivateKey> EC =
             new KeyTypes<>(ECPublicKey.class, ECPrivateKey.class);
 
@@ -77,6 +87,7 @@ public abstract class InstanceIdentityProvider<PUB extends PublicKey, PRIV exten
      * @return the {@link KeyPair} that comprises the instance identity. {@code null} could technically be returned in
      * the event that a keypair could not be generated, for example if the specific key type of this provider
      * is not permitted at the required length by the JCA policy.
+     * More commonly it just means that the {@code instance-identity} plugin needs to be installed.
      */
     @CheckForNull
     protected abstract KeyPair getKeyPair();
@@ -120,6 +131,7 @@ protected PRIV getPrivateKey() {
      * @param <PUB>  the type of public key.
      * @param <PRIV> the type of private key.
      */
+    @Restricted(NoExternalUse.class)
     public static final class KeyTypes<PUB extends PublicKey, PRIV extends PrivateKey> {
         /**
          * The interface for the public key.
@@ -154,6 +166,7 @@ private KeyTypes(Class<PUB> pubKeyType, Class<PRIV> privKeyType) {
         private static <PUB extends PublicKey, PRIV extends PrivateKey> InstanceIdentityProvider<PUB, PRIV> get(
                 @NonNull KeyTypes<PUB, PRIV> type) {
             for (InstanceIdentityProvider provider : ExtensionList.lookup(InstanceIdentityProvider.class)) {
+                LOGGER.fine(() -> "loaded " + provider + " from " + provider.getClass().getProtectionDomain().getCodeSource().getLocation());
                 try {
                     KeyPair keyPair = provider.getKeyPair();
                     if (keyPair != null
@@ -173,6 +186,7 @@ private static <PUB extends PublicKey, PRIV extends PrivateKey> InstanceIdentity
                             "Instance identity provider " + provider + " propagated an uncaught exception", e);
                 }
             }
+            LOGGER.fine("no providers");
             return null;
         }
 

diff --git a/core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol4.java b/core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol4.java
@@ -103,11 +103,11 @@ public JnlpSlaveAgentProtocol4() throws KeyStoreException, KeyManagementExceptio
         // prepare our local identity and certificate
         X509Certificate identityCertificate = InstanceIdentityProvider.RSA.getCertificate();
         if (identityCertificate == null) {
-            throw new KeyStoreException("JENKINS-41987: no X509Certificate found; perhaps instance-identity module is missing or too old");
+            throw new KeyStoreException("JENKINS-41987: no X509Certificate found; perhaps instance-identity plugin is not installed");
         }
         RSAPrivateKey privateKey = InstanceIdentityProvider.RSA.getPrivateKey();
         if (privateKey == null) {
-            throw new KeyStoreException("JENKINS-41987: no RSAPrivateKey found; perhaps instance-identity module is missing or too old");
+            throw new KeyStoreException("JENKINS-41987: no RSAPrivateKey found; perhaps instance-identity plugin is not installed");
         }
 
         // prepare our keyStore so we can provide our authentication

diff --git a/core/src/main/resources/jenkins/split-plugin-cycles.txt b/core/src/main/resources/jenkins/split-plugin-cycles.txt
@@ -36,3 +36,9 @@ jdk-tool jaxb
 javax-activation-api javax-mail-api
 javax-activation-api sshd
 javax-mail-api sshd
+
+# JENKINS-55582
+bouncycastle-api instance-identity
+bouncycastle-api sshd
+javax-activation-api instance-identity
+javax-mail-api instance-identity
diff --git a/core/src/main/resources/jenkins/split-plugins.txt b/core/src/main/resources/jenkins/split-plugins.txt
@@ -33,7 +33,10 @@ jaxb 2.163 2.3.0
 trilead-api 2.184 1.0.4
 
 # JENKINS-64107
-sshd 2.281 3.0.1
+sshd 2.281 3.236.ved5e1b_cb_50b_2
 
 javax-activation-api 2.330 1.2.0-2
 javax-mail-api 2.330 1.6.2-5
+
+# JENKINS-55582
+instance-identity 2.355 3.1
diff --git a/docs/MAINTAINERS.adoc b/docs/MAINTAINERS.adoc
@@ -14,7 +14,6 @@ and hence the Jenkins core pull request review and merge process is more sophist
 This document applies to the following components:
 
 * Jenkins core
-* Jenkins modules
 * Libraries included into the Jenkins core
 * Core components like Winstone, Executable WAR, etc.
 

diff --git a/test/pom.xml b/test/pom.xml
@@ -136,6 +136,12 @@ THE SOFTWARE.
       <artifactId>test-annotations</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.modules</groupId>
+      <artifactId>instance-identity</artifactId>
+      <version>3.1</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>antisamy-markup-formatter</artifactId>

diff --git a/test/src/test/java/hudson/slaves/JNLPLauncherRealTest.java b/test/src/test/java/hudson/slaves/JNLPLauncherRealTest.java
@@ -0,0 +1,78 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2022 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package hudson.slaves;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+import hudson.ExtensionList;
+import hudson.PluginWrapper;
+import hudson.model.FreeStyleBuild;
+import hudson.model.FreeStyleProject;
+import hudson.model.Slave;
+import hudson.util.FormValidation;
+import jenkins.slaves.JnlpSlaveAgentProtocol4;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.Description;
+import org.junit.runners.model.Statement;
+import org.jvnet.hudson.test.For;
+import org.jvnet.hudson.test.InboundAgentRule;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.RealJenkinsRule;
+
+@For({JNLPLauncher.class, JnlpSlaveAgentProtocol4.class})
+public class JNLPLauncherRealTest {
+
+    @Rule public RealJenkinsRule rr = new RealJenkinsRule().includeTestClasspathPlugins(false);
+
+    @Issue("JEP-230")
+    @Test public void smokes() throws Throwable {
+        /* Since RealJenkinsRuleInit.jpi will load detached plugins, to reproduce a failure use:
+        FileUtils.touch(new File(rr.getHome(), "plugins/instance-identity.jpi.disabled"));
+        */
+        rr.then(JNLPLauncherRealTest::_smokes);
+    }
+
+    private static void _smokes(JenkinsRule r) throws Throwable {
+        InboundAgentRule inboundAgents = new InboundAgentRule(); // cannot use @Rule since it would not be accessible from the controller JVM
+        inboundAgents.apply(new Statement() {
+            @Override public void evaluate() throws Throwable {
+                for (PluginWrapper plugin : r.jenkins.pluginManager.getPlugins()) {
+                    System.err.println(plugin + " active=" + plugin.isActive() + " enabled=" + plugin.isEnabled());
+                }
+                assertThat(ExtensionList.lookupSingleton(JNLPLauncher.DescriptorImpl.class).doCheckWebSocket(false, null).kind, is(FormValidation.Kind.OK));
+                Slave agent = inboundAgents.createAgent(r, "static");
+                FreeStyleProject p = r.createFreeStyleProject();
+                p.setAssignedNode(agent);
+                FreeStyleBuild b = r.buildAndAssertSuccess(p);
+                System.err.println(JenkinsRule.getLog(b));
+            }
+        }, Description.EMPTY).evaluate();
+
+    }
+
+}
diff --git a/test/src/test/java/jenkins/security/ClassFilterImplTest.java b/test/src/test/java/jenkins/security/ClassFilterImplTest.java
@@ -58,7 +58,6 @@
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.BuildWatcher;
-import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.LoggerRule;
 import org.jvnet.hudson.test.TestExtension;
@@ -165,14 +164,6 @@ public void xstreamRequiresWhitelist() throws Exception {
         assertThat(data.values().iterator().next().extra, allOf(containsString("LinkedListMultimap"), containsString("https://www.jenkins.io/redirect/class-filter/")));
     }
 
-    @Test
-    @Issue("JENKINS-49543")
-    public void moduleClassesShouldBeWhitelisted() {
-        ClassFilterImpl filter = new ClassFilterImpl();
-        filter.check("org.jenkinsci.modules.windows_slave_installer.WindowsSlaveInstaller");
-        filter.check("org.jenkinsci.main.modules.instance_identity.PageDecoratorImpl");
-    }
-
     @TestExtension("xstreamRequiresWhitelist")
     public static class Config extends GlobalConfiguration {
         LinkedListMultimap<?, ?> obj;

diff --git a/war/pom.xml b/war/pom.xml
@@ -96,10 +96,6 @@ THE SOFTWARE.
         </exclusion>
       </exclusions>
     </dependency>
-    <dependency>
-      <groupId>org.jenkins-ci.modules</groupId>
-      <artifactId>instance-identity</artifactId>
-    </dependency>
     <dependency>
       <!--
         We bundle slf4j binding since we got some components (sshd for example)
@@ -399,7 +395,7 @@ THE SOFTWARE.
                 <artifactItem>
                   <groupId>org.jenkins-ci.plugins</groupId>
                   <artifactId>bouncycastle-api</artifactId>
-                  <version>2.25</version>
+                  <version>2.26</version>
                   <type>hpi</type>
                 </artifactItem>
                 <artifactItem>
@@ -423,7 +419,7 @@ THE SOFTWARE.
                 <artifactItem>
                   <groupId>org.jenkins-ci.modules</groupId>
                   <artifactId>sshd</artifactId>
-                  <version>3.0.3</version>
+                  <version>3.236.ved5e1b_cb_50b_2</version>
                   <type>hpi</type>
                 </artifactItem>
                 <artifactItem>
@@ -444,6 +440,12 @@ THE SOFTWARE.
                   <version>1.6.2-5</version>
                   <type>hpi</type>
                 </artifactItem>
+                <artifactItem>
+                  <groupId>org.jenkins-ci.modules</groupId>
+                  <artifactId>instance-identity</artifactId>
+                  <version>3.1</version>
+                  <type>hpi</type>
+                </artifactItem>
               </artifactItems>
               <outputDirectory>${project.build.directory}/${project.build.finalName}/WEB-INF/detached-plugins</outputDirectory>
               <stripVersion>true</stripVersion>