Implemented validation logic for the webhook #593
Conversation
* Use grep -c flag in check for changes step to fix case when more than 1 website file was modified
sharmapulkit04
force-pushed
the
security-validator
branch
2 times, most recently
from
4027061
to
1725824
Compare
| @@ -41,21 +48,115 @@ var _ webhook.Validator = &Jenkins{} | |||
|
|
|||
| // ValidateCreate implements webhook.Validator so a webhook will be registered for the type | |||
| func (in *Jenkins) ValidateCreate() error { | |||
| jenkinslog.Info("validate create", "name", in.Name) | |||
| if in.Spec.ValidateSecurityWarnings { | |||
| jenkinslog.Info("validate create", "name", in.Name) | |||
There was a problem hiding this comment.
Are these logs useful in any way?
There was a problem hiding this comment.
Yeah for debugging purposes I was checking if the function is being called and get a look the the reconciller object.
| return nil | ||
| } | ||
|
|
||
| // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type | ||
| func (in *Jenkins) ValidateUpdate(old runtime.Object) error { | ||
| jenkinslog.Info("validate update", "name", in.Name) | ||
| if in.Spec.ValidateSecurityWarnings { | ||
| jenkinslog.Info("validate update", "name", in.Name) |
There was a problem hiding this comment.
Are these logs useful in any way?
api/v1alpha2/jenkins_webhook.go
Outdated
| lastVersion = pluginversion // setting default value in case of empty string | ||
| } | ||
|
|
||
| if pluginversion >= firstVersion && pluginversion <= lastVersion { |
There was a problem hiding this comment.
Is this the correct way to compare plugin versions?
There was a problem hiding this comment.
No, apparently it's not, I sent a message in the group, it's not the correct way to compare semantic versions, I am working on rectifying the algorithm.
api/v1alpha2/jenkins_webhook.go
Outdated
| client := &http.Client{} | ||
| request, err := http.NewRequest("GET", pluginURL, nil) | ||
| if err != nil { | ||
| log.Fatal("unable to create a new request", err.Error()) |
There was a problem hiding this comment.
Is log.Fatal the right choice here? It will call os.Exit(1) which exits the whole process. That might not be the wise thing to do.
There was a problem hiding this comment.
Yeah you are right it should return an error failing creating a new object but the operator should be able to run.
Thanks for the insightful comments, I will work on it.
There was a problem hiding this comment.
No problem! Thanks for contributing! 🙂
sharmapulkit04
force-pushed
the
security-validator
branch
from
1725824
to
8f4a92e
Compare
api/v1alpha2/jenkins_webhook.go
Outdated
| func Validate(r Jenkins) error { | ||
| basePlugins := plugins.BasePlugins() | ||
|
|
||
| for _, plugin := range basePlugins { | ||
| name := plugin.Name | ||
| version := plugin.Version | ||
| hasWarnings, err := CheckSecurityWarnings(name, version) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| if hasWarnings { | ||
| errormsg := "Security Vulnerabilities detected in base plugin:" + name | ||
| return errors.New(errormsg) | ||
| } | ||
| } | ||
|
|
||
| for _, plugin := range r.Spec.Master.Plugins { | ||
| name := plugin.Name | ||
| version := plugin.Version | ||
| hasWarnings, err := CheckSecurityWarnings(name, version) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| if hasWarnings { | ||
| errormsg := "Security Vulnerabilities detected in the user defined plugin: " + name | ||
| return errors.New(errormsg) | ||
| } | ||
| } | ||
|
|
||
| return nil | ||
| } |
There was a problem hiding this comment.
If you look closely, you are returning with the first warning you encountered, so if there's more than 1 warning you're skipping it. It would be better if you were appending warnings and leave only when you iterate through all the plugins. Right now you wouldn't even start checking user plugins. Please add some unit tests. For those cases too, eg. 2 warnings in user plugins and 2 warnings in user plugins and check if you've gotten them all.
There was a problem hiding this comment.
Okay sure, thanks for the suggestion, I can work on that, for unit tests, I will be able to work on it after first phase evaluation, right now I am facing some issues with helm tests, so I am devoting my time there.
There was a problem hiding this comment.
Okay :) You can always write to us about those problems.
There was a problem hiding this comment.
Yeah right now, there is some problem with webhook configuration, we can discuss about it in tomorrow's meet if I will stuck by then.
sharmapulkit04
force-pushed
the
security-validator
branch
3 times, most recently
from
1acd52b
to
8b19135
Compare
| kind: Issuer | ||
| metadata: | ||
| name: selfsigned | ||
| namespace: {{ .Values.jenkins.namespace }} |
There was a problem hiding this comment.
| namespace: {{ .Values.jenkins.namespace }} | |
| namespace: {{ .Release.Namespace } |
| kind: Certificate | ||
| metadata: | ||
| name: webhook-certificate | ||
| namespace: {{ .Values.jenkins.namespace }} |
There was a problem hiding this comment.
| namespace: {{ .Values.jenkins.namespace }} | |
| namespace: {{ .Release.Namespace }} |
Webhooks should be used per Operator, not per Jenkins and we recommend deploying Operator in separate namespace from Jenkins for better security :)
Makefile
Outdated
| @@ -96,7 +96,7 @@ e2e: deepcopy-gen manifests ## Runs e2e tests, you can use EXTRA_ARGS | |||
|
|
|||
| .PHONY: helm-e2e | |||
| IMAGE_NAME := $(DOCKER_REGISTRY):$(GITCOMMIT) | |||
| helm-e2e: helm container-runtime-build ## Runs helm e2e tests, you can use EXTRA_ARGS | |||
| helm-e2e: helm install-cert-manager container-runtime-build ## Runs helm e2e tests, you can use EXTRA_ARGS | |||
There was a problem hiding this comment.
| helm-e2e: helm install-cert-manager container-runtime-build ## Runs helm e2e tests, you can use EXTRA_ARGS | |
| helm-e2e: helm install-cert-manager container-runtime-build ## Runs helm e2e tests, you can use EXTRA_ARGS |
Also please add a TODO to refactor the logic for deploying cert manager in the helm charts later :)
| kind: Service | ||
| metadata: | ||
| name: webhook-service | ||
| namespace: {{ .Values.jenkins.namespace }} |
There was a problem hiding this comment.
| namespace: {{ .Values.jenkins.namespace }} | |
| namespace: {{ .Release.Namespace }} |
sharmapulkit04
force-pushed
the
security-validator
branch
2 times, most recently
from
cadcf9d
to
9659042
Compare
- Created a single Validate() function to validate both updating and creating Jenkins CR. - Implemented the Validate function to fetch warnings from the API and do security check if being enabled. - Updated the helm charts and helm-e2e target to run the helm tests.
sharmapulkit04
force-pushed
the
security-validator
branch
from
9659042
to
52fe5fe
Compare
* Explanation what's backed up and why
Co-authored-by: prryb <prryb@users.noreply.github.com>
Co-authored-by: Sig00rd <Sig00rd@users.noreply.github.com>
…late (jenkinsci#483) Add GitLFS pull after checkout behaviour to support also repositories which are relying on Git LFS Close jenkinsci#482
* Link to project's DockerHub in README's section on nightly builds, add paragraph about nightly builds in installation docs * Fix repositoryURL in sample seedJob configuration with SSH auth * Slightly expand on jenkinsci#348 * Fix formatting in docs on Jenkins' customization, update plugin versions * Add notes on Jenkins home Volume in Helm chart values.yaml and docs (jenkinsci#589)
Co-authored-by: Sig00rd <Sig00rd@users.noreply.github.com>
- Reimplemented the validator interface - Updated manifests to allocate more resources
sharmapulkit04
force-pushed
the
security-validator
branch
from
3b12daf
to
37d0eac
Compare
…kinsci#612) * Update note in installation docs * Update Helm chart default values.yaml * Update schema
Co-authored-by: Sig00rd <Sig00rd@users.noreply.github.com>
…kinsci#618) Also bump Helm Chart version to v0.5.2
sharmapulkit04
force-pushed
the
security-validator
branch
from
7fd3cee
to
7a56779
Compare
api/v1alpha2/jenkins_webhook.go
Outdated
| // Validates security warnings for both updating and creating a Jenkins CR | ||
| func Validate(r Jenkins) error { | ||
| pluginset := make(map[string]PluginData) | ||
| var faultybaseplugins string |
There was a problem hiding this comment.
| var faultybaseplugins string | |
| var faultyBasePlugins string |
api/v1alpha2/jenkins_webhook.go
Outdated
| func Validate(r Jenkins) error { | ||
| pluginset := make(map[string]PluginData) | ||
| var faultybaseplugins string | ||
| var faultyuserplugins string |
There was a problem hiding this comment.
| var faultyuserplugins string | |
| var faultyUserPlugins string |
sharmapulkit04
force-pushed
the
security-validator
branch
from
7a56779
to
2d2cfaf
Compare
…o security-validator - Refactored code in webhook and main - Merged changes from master
sharmapulkit04
force-pushed
the
security-validator
branch
from
2d2cfaf
to
9106582
Compare
…operator into security-validator
- Optimized the charts - Made the webhook optional - Added cert manager as dependency to be installed while running webhook
sharmapulkit04
force-pushed
the
security-validator
branch
4 times, most recently
from
d877bba
to
9c820c0
Compare
- Completed helm tests for various scenarios - Disabled startupapi check for cert manager webhook, defined a secret and updated templates - Made the webhook completely optional
sharmapulkit04
force-pushed
the
security-validator
branch
from
9c820c0
to
f527a8c
Compare
api/v1alpha2/jenkins_webhook.go
Outdated
| PluginDataFile string | ||
| IsCached bool | ||
| Attempts int | ||
| SleepTime int |
There was a problem hiding this comment.
| SleepTime int | |
| SleepTime time.Duration |
api/v1alpha2/jenkins_webhook.go
Outdated
| func NewPluginsDataManager(hosturl string, compressedFilePath string, pluginDataFile string, isCached bool, timeout time.Duration) *PluginDataManager { | ||
| return &PluginDataManager{ | ||
| Hosturl: hosturl, | ||
| CompressedFilePath: compressedFilePath, | ||
| PluginDataFile: pluginDataFile, | ||
| IsCached: isCached, | ||
| Timeout: timeout, | ||
| } | ||
| } |
There was a problem hiding this comment.
| func NewPluginsDataManager(hosturl string, compressedFilePath string, pluginDataFile string, isCached bool, timeout time.Duration) *PluginDataManager { | |
| return &PluginDataManager{ | |
| Hosturl: hosturl, | |
| CompressedFilePath: compressedFilePath, | |
| PluginDataFile: pluginDataFile, | |
| IsCached: isCached, | |
| Timeout: timeout, | |
| } | |
| } | |
| func NewPluginsDataManager(hosturl string, compressedFilePath string, pluginDataFile string, isCached bool, timeout time.Duration, sleepTime time.Duration) *PluginDataManager { | |
| return &PluginDataManager{ | |
| Hosturl: hosturl, | |
| CompressedFilePath: compressedFilePath, | |
| PluginDataFile: pluginDataFile, | |
| IsCached: isCached, | |
| Timeout: timeout, | |
| sleepTime: sleepTime, | |
| } | |
| } |
There was a problem hiding this comment.
Also move the Hosturl to const in this file. It is a const not a variable.
There was a problem hiding this comment.
But we are setting sleeptime it to 1 and 12 by default in the function so what's the point of setting it anyways.
api/v1alpha2/jenkins_webhook.go
Outdated
| var isDownloaded, isExtracted, isCached bool | ||
| var err error | ||
| for in.Attempts = 0; in.Attempts < 5; in.Attempts++ { | ||
| err = in.download() |
There was a problem hiding this comment.
You're losing the errors. Please print it in debug mode, like
if err != nil { in.logger.(V.Debug).Info(err)}
isDowloaded = true
break
it's a pattern to check if the error is nil first and later do something if it's not.
api/v1alpha2/jenkins_webhook.go
Outdated
| if isDownloaded { | ||
| for in.Attempts = 0; in.Attempts < 5; in.Attempts++ { | ||
| err = in.extract() | ||
| if err == nil { |
There was a problem hiding this comment.
as above. Check if the error is present and log it. Later execute the rest of the logic.
api/v1alpha2/jenkins_webhook.go
Outdated
| if isExtracted { | ||
| for in.Attempts = 0; in.Attempts < 5; in.Attempts++ { | ||
| err = in.cache() | ||
| if err == nil { |
api/v1alpha2/jenkins_webhook.go
Outdated
| if !in.IsCached { | ||
| isInitialized <- isCached | ||
| in.IsCached = isCached | ||
| } | ||
|
|
||
| if isCached { | ||
| in.SleepTime = 12 | ||
| } else { | ||
| in.SleepTime = 1 | ||
| } | ||
| time.Sleep(time.Duration(in.SleepTime) * time.Hour) |
There was a problem hiding this comment.
| if !in.IsCached { | |
| isInitialized <- isCached | |
| in.IsCached = isCached | |
| } | |
| if isCached { | |
| in.SleepTime = 12 | |
| } else { | |
| in.SleepTime = 1 | |
| } | |
| time.Sleep(time.Duration(in.SleepTime) * time.Hour) | |
| if !in.IsCached { | |
| isInitialized <- isCached | |
| in.IsCached = isCached | |
| in.sleepTime = 1 | |
| } | |
| in.sleepTime = 12 | |
| time.Sleep(in.sleepTime) | |
There was a problem hiding this comment.
in.IsCached defines that whether we have cached the data file or not,it will always be true once we successfully cached for the first time, isCached defines our current case, so if we are updating our cache and it fails we still are going to run the function after 1 hour.
test/helm/helm_test.go
Outdated
| Namespace: namespace.Name, | ||
| }, | ||
| } | ||
| It("Deploys Jenkins operator with webhook enabled along with the default jenkins image", func() { |
There was a problem hiding this comment.
| It("Deploys Jenkins operator with webhook enabled along with the default jenkins image", func() { | |
| Context("when deploying Helm Chart to cluster", func() { | |
| It("Deploys Jenkins operator with webhook", func() { |
There was a problem hiding this comment.
Also I think actually that this test case is for when there is no webhook?
test/helm/helm_test.go
Outdated
| "--set-string", fmt.Sprintf("operator.image=%s", *imageName), "--install") | ||
| output, err := cmd.CombinedOutput() | ||
| Expect(err).NotTo(HaveOccurred(), string(output)) | ||
| It("Deploys Jenkins operator along with webhook and cert-manager", func() { |
There was a problem hiding this comment.
Add context like "when deploying the operator and jenkins with security warnings validation enabled". what is being done in the test commands. and later there is 'It' so the desired outcome.
There was a problem hiding this comment.
Yeah sure,actually I am doing several cases in this it Spec because then I have to redeploy all the resources because of namespace issues
test/helm/helm_test.go
Outdated
|
|
||
| Expect(err).NotTo(HaveOccurred(), string(output)) | ||
| By("Denies a create request for a Jenkins custom resource with some plugins having security warnings and validation is turned on") |
There was a problem hiding this comment.
| By("Denies a create request for a Jenkins custom resource with some plugins having security warnings and validation is turned on") | |
| By("Denying the create request if [...etc]") |
There was a problem hiding this comment.
Keep it simple. Above is the whole context when this is happening
sharmapulkit04
force-pushed
the
security-validator
branch
3 times, most recently
from
5d435a5
to
13d0665
Compare
sharmapulkit04
force-pushed
the
security-validator
branch
from
13d0665
to
95c29d4
Compare
api/v1alpha2/jenkins_webhook.go
Outdated
| @@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); | |||
| you may not use this file except in compliance with the License. | |||
| You may obtain a copy of the License at | |||
|
|
|||
| http://www.apache.org/licenses/LICENSE-2.0 | |||
| http://www.apache.org/lictenses/LICENSE-2.0 | |||
There was a problem hiding this comment.
Please revert this
| http://www.apache.org/lictenses/LICENSE-2.0 | |
| http://www.apache.org/licenses/LICENSE-2.0 |
api/v1alpha2/jenkins_webhook.go
Outdated
|
|
||
| //"github.com/jenkinsci/kubernetes-operator/pkg/configuration/base/resources" | ||
|
|
There was a problem hiding this comment.
| //"github.com/jenkinsci/kubernetes-operator/pkg/configuration/base/resources" |
Don't leave commented parts in code.
api/v1alpha2/jenkins_webhook.go
Outdated
| if err == nil { | ||
| break | ||
| } | ||
| jenkinslog.V(1).Info("Cache Plugin Data", "failed to download file", err) |
There was a problem hiding this comment.
| jenkinslog.V(1).Info("Cache Plugin Data", "failed to download file", err) | |
| jenkinslog.V(log.VDebug).Info("Cache Plugin Data", "failed to download file", err) |
We have a constant to not use magic numbers.
api/v1alpha2/jenkins_webhook.go
Outdated
| if err == nil { | ||
| break | ||
| } | ||
| jenkinslog.V(1).Info("Cache Plugin Data", "failed to extract file", err) |
There was a problem hiding this comment.
| jenkinslog.V(1).Info("Cache Plugin Data", "failed to extract file", err) | |
| jenkinslog.V(log.VDebug).Info("Cache Plugin Data", "failed to extract file", err) |
api/v1alpha2/jenkins_webhook.go
Outdated
| if err == nil { | ||
| break | ||
| } | ||
| jenkinslog.V(1).Info("Cache Plugin Data", "failed to read plugin data file", err) |
There was a problem hiding this comment.
| jenkinslog.V(1).Info("Cache Plugin Data", "failed to read plugin data file", err) | |
| jenkinslog.V(log.VDebug).Info("Cache Plugin Data", "failed to read plugin data file", err) |
sharmapulkit04
force-pushed
the
security-validator
branch
from
1c8f389
to
ba66ba4
Compare
* Fix workflow for autogenerating docs (#592) * Use grep -c flag in check for changes step to fix case when more than 1 website file was modified * Implemented validation logic for the webhook - Created a single Validate() function to validate both updating and creating Jenkins CR. - Implemented the Validate function to fetch warnings from the API and do security check if being enabled. - Updated the helm charts and helm-e2e target to run the helm tests. * Configure bot for labelling new issues as needing triage (#597) * Configure bot for managing stale issues (#598) * Docs: explanation what is backed up and why (#599) * Explanation what's backed up and why * Auto-updated docs (#600) Co-authored-by: prryb <prryb@users.noreply.github.com> * Docs: clarification of description of get latest command in backup (#601) * Auto-updated docs (#602) Co-authored-by: Sig00rd <Sig00rd@users.noreply.github.com> * Bump seedjobs agent image version to 4.9-1 (#604) * Add GitLFS pull after checkout behaviour to SeedJob GroovyScript Template (#483) Add GitLFS pull after checkout behaviour to support also repositories which are relying on Git LFS Close #482 * Docs: minor fixes (#608) * Link to project's DockerHub in README's section on nightly builds, add paragraph about nightly builds in installation docs * Fix repositoryURL in sample seedJob configuration with SSH auth * Slightly expand on #348 * Fix formatting in docs on Jenkins' customization, update plugin versions * Add notes on Jenkins home Volume in Helm chart values.yaml and docs (#589) * Auto-updated docs (#610) Co-authored-by: Sig00rd <Sig00rd@users.noreply.github.com> * Reimplemented the validation logic with caching the security warnings - Reimplemented the validator interface - Updated manifests to allocate more resources * Add an issue template for documentation (#613) * Docs: add info on restricted volumeMounts other than jenkins-home(#612) * Update note in installation docs * Update Helm chart default values.yaml * Update schema * Auto-updated docs (#616) Co-authored-by: Sig00rd <Sig00rd@users.noreply.github.com> * Auto-updated docs (#617) Co-authored-by: Sig00rd <Sig00rd@users.noreply.github.com> * Updated Validation logic - Defined a security manager struct to cache all the plugin data - Added flag to make validating security warnings optional while deploying the operator * Helm Chart: Remove empty priorityClassName from Jenkins template (#618) Also bump Helm Chart version to v0.5.2 * Added unit test cases for webhook * Updated Helm Charts - Optimized the charts - Made the webhook optional - Added cert manager as dependency to be installed while running webhook * Updated unit tests, helm charts and validation logic * Completed helm e2e tests and updated helm charts - Completed helm tests for various scenarios - Disabled startupapi check for cert manager webhook, defined a secret and updated templates - Made the webhook completely optional * Code optimization and cleanup * Modified helm tests * code cleanup and optimization
being enabled.
Changes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Reviewer Notes
If API changes are included, additive changes must be approved by at least two OWNERS and backwards incompatible changes must be approved by more than 50% of the OWNERS.
Release Notes