-
-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow disabling HTTPs cert validation of JNLP endpoint when starting Remoting from Main #210
Changes from 2 commits
833838a
328a766
db10434
9e2e1a9
2a8f663
77621ec
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -27,14 +27,12 @@ | |
import hudson.remoting.FileSystemJarCache; | ||
import java.io.ByteArrayInputStream; | ||
import java.io.FileInputStream; | ||
import java.io.FileNotFoundException; | ||
import java.io.UnsupportedEncodingException; | ||
import java.security.cert.CertificateException; | ||
import java.security.cert.CertificateFactory; | ||
import java.security.cert.X509Certificate; | ||
|
||
import org.jenkinsci.remoting.engine.WorkDirManager; | ||
import org.jenkinsci.remoting.util.IOUtils; | ||
import org.kohsuke.args4j.Option; | ||
import org.kohsuke.args4j.CmdLineParser; | ||
import org.kohsuke.args4j.Argument; | ||
|
@@ -44,14 +42,15 @@ | |
import java.util.logging.Logger; | ||
import java.util.logging.Level; | ||
import static java.util.logging.Level.INFO; | ||
import static java.util.logging.Level.WARNING; | ||
|
||
import java.util.List; | ||
import java.util.ArrayList; | ||
import java.net.URL; | ||
import java.io.IOException; | ||
|
||
import hudson.remoting.Engine; | ||
import hudson.remoting.EngineListener; | ||
import java.nio.file.Path; | ||
|
||
import javax.annotation.CheckForNull; | ||
import javax.annotation.Nonnull; | ||
|
@@ -102,6 +101,16 @@ public class Main { | |
"certificate file to read.") | ||
public List<String> candidateCertificates; | ||
|
||
/** | ||
* Disables HTTPs Certificate validation of the server when using {@link org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver}. | ||
* | ||
* This option is not recommended for production use. | ||
* @since TODO | ||
*/ | ||
@Option(name="-disableHttpsCertValidation", | ||
usage="Ignore SSL validation errors - use as a last resort only.") | ||
public boolean disableHttpsCertValidation = false; | ||
|
||
/** | ||
* Specifies a destination for error logs. | ||
* If specified, this option overrides the default destination within {@link #workDir}. | ||
|
@@ -242,6 +251,12 @@ public Engine createEngine() { | |
engine.setJarCache(new FileSystemJarCache(jarCache,true)); | ||
engine.setNoReconnect(noReconnect); | ||
engine.setKeepAlive(!noKeepAlive); | ||
|
||
if (disableHttpsCertValidation) { | ||
LOGGER.log(WARNING, "Certificate validation for HTTPs endpoints is disabled"); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could be nice to make the rest of the calls also consistent. In that class there are currently 3 ways to create logs : LOGGER.fine(...), LOGGER.log(INFO,..., and LOGGER.log(Level.WARNING,... There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's do refactoring as a follow-up |
||
} | ||
engine.setDisableHttpsCertValidation(disableHttpsCertValidation); | ||
|
||
|
||
// TODO: ideally logging should be initialized before the "Setting up slave" entry | ||
if (agentLog != null) { | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,6 +24,10 @@ | |
package org.jenkinsci.remoting.engine; | ||
|
||
import hudson.remoting.Base64; | ||
import org.jenkinsci.remoting.util.https.NoCheckHostnameVerifier; | ||
import org.jenkinsci.remoting.util.https.NoCheckTrustManager; | ||
import sun.net.www.protocol.https.HttpsURLConnectionImpl; | ||
|
||
import java.io.IOException; | ||
import java.net.ConnectException; | ||
import java.net.HttpURLConnection; | ||
|
@@ -38,7 +42,10 @@ | |
import java.net.URL; | ||
import java.net.URLConnection; | ||
import java.security.KeyFactory; | ||
import java.security.KeyManagementException; | ||
import java.security.NoSuchAlgorithmException; | ||
import java.security.SecureRandom; | ||
import java.security.cert.X509Certificate; | ||
import java.security.interfaces.RSAPublicKey; | ||
import java.security.spec.InvalidKeySpecException; | ||
import java.security.spec.X509EncodedKeySpec; | ||
|
@@ -58,6 +65,12 @@ | |
import javax.net.ssl.HttpsURLConnection; | ||
import javax.net.ssl.SSLSocketFactory; | ||
|
||
import javax.net.ssl.HostnameVerifier; | ||
import javax.net.ssl.SSLContext; | ||
import javax.net.ssl.SSLSession; | ||
import javax.net.ssl.TrustManager; | ||
import javax.net.ssl.X509TrustManager; | ||
|
||
import static java.util.logging.Level.INFO; | ||
import static org.jenkinsci.remoting.util.ThrowableUtils.chain; | ||
|
||
|
@@ -80,6 +93,8 @@ public class JnlpAgentEndpointResolver { | |
|
||
private String tunnel; | ||
|
||
private boolean insecure; | ||
|
||
/** | ||
* If specified, only the protocols from the list will be tried during the connection. | ||
* The option provides protocol names, but the order of the check is defined internally and cannot be changed. | ||
|
@@ -137,6 +152,25 @@ public void setTunnel(String tunnel) { | |
this.tunnel = tunnel; | ||
} | ||
|
||
/** | ||
* Determine if certificate checking should be ignored for JNLP endpoint | ||
* | ||
* @return if disableHttpsCertValidation, endpoint check is ignored | ||
*/ | ||
|
||
public boolean isInsecure() { | ||
return insecure; | ||
} | ||
|
||
/** | ||
* Sets if disableHttpsCertValidation mode of endpoint should be used. | ||
* | ||
* @param insecure | ||
*/ | ||
public void setInsecure(boolean insecure) { | ||
this.insecure = insecure; | ||
} | ||
|
||
@CheckForNull | ||
public JnlpAgentEndpoint resolve() throws IOException { | ||
IOException firstError = null; | ||
|
@@ -154,7 +188,7 @@ public JnlpAgentEndpoint resolve() throws IOException { | |
|
||
// find out the TCP port | ||
HttpURLConnection con = | ||
(HttpURLConnection) openURLConnection(salURL, credentials, proxyCredentials, sslSocketFactory); | ||
(HttpURLConnection) openURLConnection(salURL, credentials, proxyCredentials, sslSocketFactory, insecure); | ||
try { | ||
try { | ||
con.setConnectTimeout(30000); | ||
|
@@ -310,7 +344,7 @@ public void waitForReady() throws InterruptedException { | |
t.setName(oldName + ": trying " + url + " for " + retries + " times"); | ||
|
||
HttpURLConnection con = | ||
(HttpURLConnection) openURLConnection(url, credentials, proxyCredentials, sslSocketFactory); | ||
(HttpURLConnection) openURLConnection(url, credentials, proxyCredentials, sslSocketFactory, insecure); | ||
con.setConnectTimeout(5000); | ||
con.setReadTimeout(5000); | ||
con.connect(); | ||
|
@@ -331,7 +365,6 @@ public void waitForReady() throws InterruptedException { | |
} finally { | ||
t.setName(oldName); | ||
} | ||
|
||
} | ||
|
||
@CheckForNull | ||
|
@@ -378,7 +411,7 @@ static InetSocketAddress getResolvedHttpProxyAddress(@Nonnull String host, int p | |
* Credentials can be passed e.g. to support running Jenkins behind a (reverse) proxy requiring authorization | ||
*/ | ||
static URLConnection openURLConnection(URL url, String credentials, String proxyCredentials, | ||
SSLSocketFactory sslSocketFactory) throws IOException { | ||
SSLSocketFactory sslSocketFactory, boolean insecure) throws IOException { | ||
String httpProxy = null; | ||
// If http.proxyHost property exists, openConnection() uses it. | ||
if (System.getProperty("http.proxyHost") == null) { | ||
|
@@ -407,8 +440,28 @@ static URLConnection openURLConnection(URL url, String credentials, String proxy | |
String encoding = Base64.encode(proxyCredentials.getBytes("UTF-8")); | ||
con.setRequestProperty("Proxy-Authorization", "Basic " + encoding); | ||
} | ||
if (con instanceof HttpsURLConnection && sslSocketFactory != null) { | ||
((HttpsURLConnection) con).setSSLSocketFactory(sslSocketFactory); | ||
|
||
if (con instanceof HttpsURLConnection) { | ||
final HttpsURLConnection httpsConnection = (HttpsURLConnection) con; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It prevents somebody from modifying a field in the logic just in case |
||
if (insecure) { | ||
System.out.println(String.format("Insecure Status: %s", insecure)); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The use of LOGGER.fine / info should be preferred no ? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think so, but the file is full of stdout/stderr. @MattLud has followed the current implementation. I think it makes sense to stick to it for a while, but I will create a follow-up ticket to rework it |
||
|
||
try { | ||
SSLContext ctx = SSLContext.getInstance("TLS"); | ||
ctx.init(null, new TrustManager[]{new NoCheckTrustManager()}, new SecureRandom()); | ||
sslSocketFactory = ctx.getSocketFactory(); | ||
|
||
httpsConnection.setHostnameVerifier(new NoCheckHostnameVerifier()); | ||
httpsConnection.setSSLSocketFactory(sslSocketFactory); | ||
} catch (KeyManagementException | NoSuchAlgorithmException ex) { | ||
System.err.println(String.format("Error setting disableHttpsCertValidation; %s", ex.getMessage())); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is there a reason to use System.err here instead of LOGGER ? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. see above |
||
} | ||
|
||
} else if (sslSocketFactory != null) { | ||
httpsConnection.setSSLSocketFactory(sslSocketFactory); | ||
//FIXME: Is it really required in this path? Seems like a bug | ||
httpsConnection.setHostnameVerifier(new NoCheckHostnameVerifier()); | ||
} | ||
} | ||
return con; | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done