Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify SECURITY-3315 error code on client side #9930

Merged
merged 1 commit into from
Nov 9, 2024

Conversation

jglick
Copy link
Member

@jglick jglick commented Oct 31, 2024

I wasted a fair amount of time trying to figure out why the CLI was not working on a test controller in WebSocket mode

$ java -jar jenkins-cli.jar -auth … -s … who-am-i
CLI handshake failed with status code 403
Content-Length: 0
Date: …
Ngrok-Agent-Ips: …
Vary: Accept-Encoding
X-Content-Type-Options: nosniff

before I realized that the problem was with the reverse proxy setup. There was an admin monitor showing that but it did not occur to me that this would have anything to do with WebSocket CLI. As of de45096, it does.

I had to inspect sources and turn on a fine logger on the controller to see this. As of #9591 we have the opportunity to make this clearer to people.

Testing done

None really. I did try

diff --git test/src/test/java/hudson/cli/CLIActionTest.java test/src/test/java/hudson/cli/CLIActionTest.java
index ebda2dec58..3a2edeeb04 100644
--- test/src/test/java/hudson/cli/CLIActionTest.java
+++ test/src/test/java/hudson/cli/CLIActionTest.java
@@ -43,7 +43,6 @@ import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.input.NullInputStream;
 import org.apache.commons.io.output.CountingOutputStream;
 import org.apache.commons.io.output.TeeOutputStream;
-import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -136,9 +135,10 @@ public class CLIActionTest {
         assertEquals(code, proc.join());
     }
 
-    @Ignore("TODO flaky test") @Test public void authenticationFailed() throws Exception {
+    @Test public void authenticationFailed() throws Exception {
         j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
         j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().grant(Jenkins.ADMINISTER).everywhere().toAuthenticated());
+        CLIAction.ALLOW_WEBSOCKET = false;
         var jar = tmp.newFile("jenkins-cli.jar");
         FileUtils.copyURLToFile(j.jenkins.getJnlpJars("jenkins-cli.jar").getURL(), jar);
         var baos = new ByteArrayOutputStream();

to see what the failed assertion said, but pending #9688 this test does not run at all.

Proposed changelog entries

  • Clearer error message for the CLI in default -webSocket mode when a 403 error results from a reverse proxy misconfiguration.

Proposed upgrade guidelines

N/A

Submitter checklist

Preview Give feedback

Desired reviewers

@daniel-beck

Before the changes are marked as ready-for-merge:

Maintainer checklist

Preview Give feedback

@jglick jglick requested a review from daniel-beck October 31, 2024 21:32
Comment on lines +126 to +128
return new HttpResponse() {
@Override
public void generateResponse(StaplerRequest2 req, StaplerResponse2 rsp, Object node) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that if anyone had been using this as a @FunctionalInterface before, that would break as of jenkinsci/stapler#482. Not sure if this was only source-incompatible rather than binary-incompatible? https://docs.oracle.com/javase/specs/jls/se23/html/jls-13.html#jls-13.5.4 does not seem to mention SAMs.

@Vlatombe Vlatombe added the rfe For changelog: Minor enhancement. use `major-rfe` for changes to be highlighted label Nov 4, 2024
Copy link
Contributor

@MarkEWaite MarkEWaite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback.

/label ready-for-merge

@comment-ops-bot comment-ops-bot bot added the ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback label Nov 4, 2024
@timja timja merged commit ec448b5 into jenkinsci:master Nov 9, 2024
15 checks passed
@jglick jglick deleted the CLIAction.doWs branch November 12, 2024 19:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback rfe For changelog: Minor enhancement. use `major-rfe` for changes to be highlighted
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants