/** * Returns the unique identifier of this Jenkins that has been historically used to identify * this Jenkins to the outside world. * * <p> * This form of identifier is weak in that it can be impersonated by others. See * https://wiki.jenkins-ci.org/display/JENKINS/Instance+Identity for more modern form of instance ID * that can be challenged and verified. * * @since 1.498 */ @SuppressWarnings("deprecation") public String getLegacyInstanceId() { return Util.getDigestOf(getSecretKey()); }
@Nonnull @Restricted(NoExternalUse.class) /*package*/ String getApiTokenInsecure() { if(apiToken == null){ return Messages.ApiTokenProperty_NoLegacyToken(); } String p = apiToken.getPlainText(); if (p.equals(Util.getDigestOf(Jenkins.getInstance().getSecretKey()+":"+user.getId()))) { // if the current token is the initial value created by pre SECURITY-49 Jenkins, we can't use that. // force using the newer value apiToken = Secret.fromString(p=API_KEY_SEED.mac(user.getId())); } return Util.getDigestOf(p); }
@SuppressWarnings("deprecation") private static RememberMeServices createRememberMeService(UserDetailsService uds) { // create our default TokenBasedRememberMeServices, which depends on the availability of the secret key TokenBasedRememberMeServices2 rms = new TokenBasedRememberMeServices2(); rms.setUserDetailsService(uds); /* TokenBasedRememberMeServices needs to be used in conjunction with RememberMeAuthenticationProvider, and both needs to use the same key (this is a reflection of a poor design in AcgeiSecurity, if you ask me) and various security plugins have its own groovy script that configures them. So if we change this, it creates a painful situation for those plugins by forcing them to choose to work with earlier version of Jenkins or newer version of Jenkins, and not both. So we keep this here. */ rms.setKey(Jenkins.getInstance().getSecretKey()); rms.setParameter("remember_me"); // this is the form field name in login.jelly return rms; } }
/** * Returns the unique identifier of this Jenkins that has been historically used to identify * this Jenkins to the outside world. * * <p> * This form of identifier is weak in that it can be impersonated by others. See * https://wiki.jenkins-ci.org/display/JENKINS/Instance+Identity for more modern form of instance ID * that can be challenged and verified. * * @since 1.498 */ @SuppressWarnings("deprecation") public String getLegacyInstanceId() { return Util.getDigestOf(getSecretKey()); }
@Override protected byte[] load(ConfidentialKey key) throws IOException { if(key instanceof CryptoConfidentialKey) { MessageDigest digest; try { digest = MessageDigest.getInstance("SHA-256"); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } digest.reset(); digest.update(Jenkins.getInstance().getSecretKey().getBytes("UTF-8")); return digest.digest(); } throw new IllegalArgumentException("Unsupported key type " + key.getClass().getName()); }
public void init(byte[] secretKey) throws IOException { Jenkins jenkins = Jenkins.setup(rootDir, secretKey); TextFile secretFile = new TextFile(new File(rootDir, "secret.key")); secretFile.write(jenkins.getSecretKey()); // don't let jenkins complain about old encryption secret scheme new FileBoolean(new File(rootDir, "secret.key.not-so-secret")).on(); // but force rekey on start new FileBoolean(new File(new File(rootDir, "jenkins.security.RekeySecretAdminMonitor"), "scanOnBoot")).on(); }
@Nonnull @Restricted(NoExternalUse.class) /*package*/ String getApiTokenInsecure() { String p = apiToken.getPlainText(); if (p.equals(Util.getDigestOf(Jenkins.getInstance().getSecretKey()+":"+user.getId()))) { // if the current token is the initial value created by pre SECURITY-49 Jenkins, we can't use that. // force using the newer value apiToken = Secret.fromString(p=API_KEY_SEED.mac(user.getId())); } return Util.getDigestOf(p); }
public SecurityComponents createSecurityComponents() { BeanBuilder builder = new BeanBuilder(getClass().getClassLoader()); Binding binding = new Binding(); binding.setVariable("realm", this); InputStream i = getClass().getResourceAsStream("ActiveDirectory.groovy"); try { builder.parse(i, binding); } finally { IOUtils.closeQuietly(i); } WebApplicationContext context = builder.createApplicationContext(); //final AbstractActiveDirectoryAuthenticationProvider adp = findBean(AbstractActiveDirectoryAuthenticationProvider.class, context); findBean(AbstractActiveDirectoryAuthenticationProvider.class, context); //Keeping the call because there might be side effects? final UserDetailsService uds = findBean(UserDetailsService.class, context); TokenBasedRememberMeServices2 rms = new TokenBasedRememberMeServices2() { public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response) { try { return super.autoLogin(request, response); } catch (Exception e) {// TODO: this check is made redundant with 1.556, but needed with earlier versions cancelCookie(request, response, "Failed to handle remember-me cookie: "+Functions.printThrowable(e)); return null; } } }; rms.setUserDetailsService(uds); rms.setKey(Jenkins.getActiveInstance().getSecretKey()); rms.setParameter("remember_me"); // this is the form field name in login.jelly return new SecurityComponents( findBean(AuthenticationManager.class, context), uds, rms); }
@SuppressWarnings("deprecation") private static RememberMeServices createRememberMeService(UserDetailsService uds) { // create our default TokenBasedRememberMeServices, which depends on the availability of the secret key TokenBasedRememberMeServices2 rms = new TokenBasedRememberMeServices2(); rms.setUserDetailsService(uds); /* TokenBasedRememberMeServices needs to be used in conjunction with RememberMeAuthenticationProvider, and both needs to use the same key (this is a reflection of a poor design in AcgeiSecurity, if you ask me) and various security plugins have its own groovy script that configures them. So if we change this, it creates a painful situation for those plugins by forcing them to choose to work with earlier version of Jenkins or newer version of Jenkins, and not both. So we keep this here. */ rms.setKey(Jenkins.getInstance().getSecretKey()); rms.setParameter("remember_me"); // this is the form field name in login.jelly return rms; } }