Merge branch 'hdabrows-enable-ssl-certificate-verification'

Kate Donaldson · Kate Donaldson · commit 91ceb0ad0a12 · 2018-03-17T16:42:48.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -40,3 +40,6 @@ tmtags
 
 # Skip the log file
 jenkins_api_client.log
+
+# Vagrant
+.vagrant
diff --git a/README.md b/README.md
@@ -89,6 +89,13 @@ Request Forgery exploits' to be disabled.  The API will check in with the
 Jenkins server to determine whether crumbs are enabled or not, and use them
 if appropriate.
 
+### SSL certificate verification
+
+When connecting over HTTPS if the server's certificate is not trusted the
+connection will be aborted. To trust a certificate specify the `ca_file`
+parameter when creating the client. The value should be a path to a PEM encoded
+file containing the certificates.
+
 ### Basic Usage
 
 As discussed earlier, you can either specify all the credentials and server
diff --git a/lib/jenkins_api_client/client.rb b/lib/jenkins_api_client/client.rb
@@ -69,6 +69,7 @@ class Client
       "ssl",
       "pkcs_file_path",
       "pass_phrase",
+      "ca_file",
       "follow_redirects",
       "identity_file",
       "cookies"
@@ -96,6 +97,7 @@ class Client
     # @option args [Boolean] :ssl (false) indicates if Jenkins is accessible over HTTPS
     # @option args [String] :pkcs_file_path ("/") the optional context path for pfx or p12 binary certificate file
     # @option args [String] :pass_phrase password for pkcs_file_path certificate file
+    # @option args [String] :ca_file the path to a PEM encoded file containing trusted certificates used to verify peer certificate
     # @option args [Boolean] :follow_redirects this argument causes the client to follow a redirect (jenkins can
     #   return a 30x when starting a build)
     # @option args [Fixnum] :timeout (120) This argument sets the timeout for operations that take longer (in seconds)
@@ -265,6 +267,7 @@ def to_s
     def inspect
       "#<JenkinsApi::Client:0x#{(self.__id__ * 2).to_s(16)}" +
         " @ssl=#{@ssl.inspect}," +
+        " @ca_file=#{@ca_file.inspect}," +
         " @log_location=#{@log_location.inspect}," +
         " @log_level=#{@log_level.inspect}," +
         " @crumbs_enabled=#{@crumbs_enabled.inspect}," +
@@ -282,13 +285,7 @@ def inspect
     #
     def get_artifact(job_name,filename)
       @artifact = job.find_artifact(job_name)
-      uri = URI.parse(@artifact)
-      http = Net::HTTP.new(uri.host, uri.port)
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      http.use_ssl = @ssl
-      request = Net::HTTP::Get.new(uri.request_uri)
-      request.basic_auth(@username, @password)
-      response = http.request(request)
+      response = make_http_request(Net::HTTP::Get.new(@artifact))
       if response.code == "200"
         File.write(File.expand_path(filename), response.body)
       else
@@ -364,7 +361,9 @@ def make_http_request(request, follow_redirect = @follow_redirects)
         http.verify_mode = OpenSSL::SSL::VERIFY_NONE
       elsif @ssl
         http.use_ssl = true
-        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        http.ca_file = @ca_file if @ca_file
       end
       http.open_timeout = @http_open_timeout
       http.read_timeout = @http_read_timeout
diff --git a/spec/func_tests/client_spec.rb b/spec/func_tests/client_spec.rb
@@ -106,4 +106,31 @@
     end
 
   end
+
+  context "Given a server with a self-signed SSL certificate" do
+    let(:creds_file) { '~/.jenkins_api_client/spec.yml' }
+    let(:creds) {
+      creds = YAML.load_file(File.expand_path(creds_file, __FILE__))
+      creds[:server_port] = 8443
+      creds[:ssl] = true
+      creds
+    }
+    let(:client) { JenkinsApi::Client.new(creds) }
+
+    it "Should abort the connection with an SSL error" do
+      expect {
+        client.job.list_all
+      }.to raise_error(OpenSSL::SSL::SSLError, /certificate verify failed/)
+    end
+
+    context "Given a client configured to trust the server's certificate" do
+      before do
+        creds[:ca_file] = File.expand_path('~/.jenkins_api_client/server.cert.pem', __FILE__)
+      end
+
+      it "Should connect without an error" do
+        expect { client.job.list_all }.not_to raise_error
+      end
+    end
+  end
 end
diff --git a/travis/default.conf b/travis/default.conf
@@ -0,0 +1,79 @@
+# defaults for jenkins continuous integration server
+
+# pulled in from the init script; makes things easier.
+NAME=jenkins
+
+# location of java
+JAVA=/usr/bin/java
+
+# arguments to pass to java
+JAVA_ARGS="-Djava.awt.headless=true"  # Allow graphs etc. to work even when an X server is present
+#JAVA_ARGS="-Xmx256m"
+#JAVA_ARGS="-Djava.net.preferIPv4Stack=true" # make jenkins listen on IPv4 address
+
+PIDFILE=/var/run/$NAME/$NAME.pid
+
+# user and group to be invoked as (default to jenkins)
+JENKINS_USER=$NAME
+JENKINS_GROUP=$NAME
+
+# location of the jenkins war file
+JENKINS_WAR=/usr/share/$NAME/$NAME.war
+
+# jenkins home location
+JENKINS_HOME=/var/lib/$NAME
+
+# set this to false if you don't want Hudson to run by itself
+# in this set up, you are expected to provide a servlet container
+# to host jenkins.
+RUN_STANDALONE=true
+
+# log location.  this may be a syslog facility.priority
+JENKINS_LOG=/var/log/$NAME/$NAME.log
+#JENKINS_LOG=daemon.info
+
+# OS LIMITS SETUP
+#   comment this out to observe /etc/security/limits.conf
+#   this is on by default because http://github.com/jenkinsci/jenkins/commit/2fb288474e980d0e7ff9c4a3b768874835a3e92e
+#   reported that Ubuntu's PAM configuration doesn't include pam_limits.so, and as a result the # of file
+#   descriptors are forced to 1024 regardless of /etc/security/limits.conf
+MAXOPENFILES=8192
+
+# set the umask to control permission bits of files that Jenkins creates.
+#   027 makes files read-only for group and inaccessible for others, which some security sensitive users
+#   might consider benefitial, especially if Jenkins runs in a box that's used for multiple purposes.
+#   Beware that 027 permission would interfere with sudo scripts that run on the master (JENKINS-25065.)
+#
+#   Note also that the particularly sensitive part of $JENKINS_HOME (such as credentials) are always
+#   written without 'others' access. So the umask values only affect job configuration, build records,
+#   that sort of things.
+#
+#   If commented out, the value from the OS is inherited,  which is normally 022 (as of Ubuntu 12.04,
+#   by default umask comes from pam_umask(8) and /etc/login.defs
+
+# UMASK=027
+
+# port for HTTP connector (default 8080; disable with -1)
+HTTP_PORT=8080
+
+# port for AJP connector (disabled by default)
+AJP_PORT=-1
+
+# servlet context, important if you want to use apache proxying  
+PREFIX=/$NAME
+
+# arguments to pass to jenkins.
+# --javahome=$JAVA_HOME
+# --httpPort=$HTTP_PORT (default 8080; disable with -1)
+# --httpsPort=$HTTP_PORT
+# --ajp13Port=$AJP_PORT
+# --argumentsRealm.passwd.$ADMIN_USER=[password]
+# --argumentsRealm.roles.$ADMIN_USER=admin
+# --webroot=~/.jenkins/war
+# --prefix=$PREFIX
+
+HTTPS_PORT=8443
+HTTPS_CERTIFICATE=/opt/jenkins_api_client/travis/ssl/server.cert.pem
+HTTPS_PRIVATE_KEY=/opt/jenkins_api_client/travis/ssl/server.key.pem
+
+JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpsPort=$HTTPS_PORT --ajp13Port=$AJP_PORT --httpsCertificate=$HTTPS_CERTIFICATE --httpsPrivateKey=$HTTPS_PRIVATE_KEY"
diff --git a/travis/setup.sh b/travis/setup.sh
@@ -12,6 +12,7 @@ sudo cp -f travis/jenkins_config.xml /var/lib/jenkins/config.xml
 sudo cp -f travis/hudson.model.UpdateCenter.xml /var/lib/jenkins/hudson.model.UpdateCenter.xml
 sudo mkdir -p /var/lib/jenkins/users/testuser
 sudo cp -f travis/user_config.xml /var/lib/jenkins/users/testuser/config.xml
+sudo cp -f travis/default.conf /etc/default/jenkins
 sudo service jenkins start
 # Jenkins takes a bit to get dressed up and become ready, so be patient...
 sleep 60
@@ -21,3 +22,5 @@ echo `sudo service jenkins status`
 # Create the credentials file used by functional tests
 sudo mkdir ~/.jenkins_api_client
 sudo cp -f travis/spec.yml ~/.jenkins_api_client/spec.yml
+# Create the server certificate used by functional tests
+sudo cp -f travis/ssl/server.cert.pem ~/.jenkins_api_client/server.cert.pem
diff --git a/travis/ssl/server.cert.pem b/travis/ssl/server.cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID4DCCAsigAwIBAgIJALVj1GL6SP+KMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMRswGQYDVQQKExJKZW5raW5zIEFQ
+SSBDbGllbnQxEjAQBgNVBAMTCTEyNy4wLjAuMTAeFw0xNjAyMTUyMjE2MjBaFw00
+MzA3MDIyMjE2MjBaMFMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRl
+MRswGQYDVQQKExJKZW5raW5zIEFQSSBDbGllbnQxEjAQBgNVBAMTCTEyNy4wLjAu
+MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmWHldmymeZf2VjQqzG
+2ENomJ2NEbdUXCL3uArzmK3Mqb2SyIbJokX8/2eFVbNQRoU/H9Pz84Q9kLfrcLQ2
+UO+Mr++/v7yZJR901Z5n5sX7k94Pa1aXcFMhF5jnzQn0GDnfzwAmavVM7QKpx+x6
+9a5NGGzMDWoAn0TLT/TTwGRCDtGQdMuKBkiVi4fjrrP68Ppm7I2c4IXnZvSb87dm
+1ZSLVIUt5AIeqXVMF4zW6Pe4AI0XHs4EZBPMuiG5SpBia23+mSsyrSvdJ+VOMIBA
+Jhd8m1kBe2jZ913obIrYGn8KFIgHmTkwZDysqFt5RYZQ/gQA736FmAiw7/Pb/W4a
+HPkCAwEAAaOBtjCBszAdBgNVHQ4EFgQU9fkWUyLVRLwg7d5AleAcp9jlOBkwgYMG
+A1UdIwR8MHqAFPX5FlMi1US8IO3eQJXgHKfY5TgZoVekVTBTMQswCQYDVQQGEwJB
+VTETMBEGA1UECBMKU29tZS1TdGF0ZTEbMBkGA1UEChMSSmVua2lucyBBUEkgQ2xp
+ZW50MRIwEAYDVQQDEwkxMjcuMC4wLjGCCQC1Y9Ri+kj/ijAMBgNVHRMEBTADAQH/
+MA0GCSqGSIb3DQEBBQUAA4IBAQBC31OuFUQ25pCNMCNIj7KEJC/Y5x1ui0wZyB6r
+k+SkgFm1NIeCKM/LI/MLkbaSErFXmh9QRmYrNfWif8P3TrEAUbtMhQFmJ2bFdOqK
+CP/F0qMqBGOBk1PyU78ZDTyUmfF1XiAwNTw76KopPvILKlpNDMYbCDRAGxmagbeF
+SteyfoqU27CpGCNSIu31mq2+p5onDbti4c+qkO1xGGtG2HYoqY6heWmw9HkOKxXN
+ourNqAvcTK3je9sOqDLLLIqDntBaiz2KTXD2oSqHw3+TrQ/NcSjdWdb9FTueCy3L
+eSy6nflY+hAviQjJvqjiOzPB/5F5jBkRk+B3IcSOwriF3ACJ
+-----END CERTIFICATE-----
diff --git a/travis/ssl/server.key.pem b/travis/ssl/server.key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2ZYeV2bKZ5l/ZWNCrMbYQ2iYnY0Rt1RcIve4CvOYrcypvZLI
+hsmiRfz/Z4VVs1BGhT8f0/PzhD2Qt+twtDZQ74yv77+/vJklH3TVnmfmxfuT3g9r
+VpdwUyEXmOfNCfQYOd/PACZq9UztAqnH7Hr1rk0YbMwNagCfRMtP9NPAZEIO0ZB0
+y4oGSJWLh+Ous/rw+mbsjZzghedm9Jvzt2bVlItUhS3kAh6pdUwXjNbo97gAjRce
+zgRkE8y6IblKkGJrbf6ZKzKtK90n5U4wgEAmF3ybWQF7aNn3XehsitgafwoUiAeZ
+OTBkPKyoW3lFhlD+BADvfoWYCLDv89v9bhoc+QIDAQABAoIBAE0zg151fTlW8Cm0
+F1MgVllMgmHcTL3kc7CAfk98cN6xsEQwEXApmKcGhkRfvbGauPrME+nrM6rnATMQ
+mXOHlh34p/AD8+7h05ceqDDFIs96XNO8WtRldRg5tJqvHEP81J+sNlESUH7qpWl9
+fg787bDDb/giSlwjDl+lV6BBhZDMa+IH0Z9v5BFVRWJKx+VgvfGl4PIJB49lxAGN
+Lo9p8qqLB8Y8aADBX9VXf4iZpsSDnI77ZpMPzjFz+Z64uHVmcgjH6CsQ6TmcpadH
+o6U5aM6HTxyv7JB/nf5liV77xb1dNoI0DhpNfD0TIfEK3PRCYNWpMUU+pha9Qk86
+vbbAuoUCgYEA7pCIo92kGgZOjnn1x9nBtlgnoQRGbBuT+YBAok/WKDVylbt91fHy
+jsBENsFShY6rNpeMkp06QV/scHo/8fiEwYtKXoVJ1T0MTxto90R3+5lMqFpj7z3C
++dX9Bt+Xg9EyOsITgvXplgA1Dp/635tWk0UGJ0wddzUQ3SJMWjeu/Q8CgYEA6X0W
++AJ1Oc5g2j9qGJGe+Ucw5jrDrssKDpKWFaZ9KCRjIb9voC1gOh6x12+b9Itn6Y92
+jz7/muZRrAl0DHC6j6MG1SoTYV4cTUd5wyYgPYSJ1VXi0MNH421680xcfUHMUHXV
+FNEPLjWasrXs2AGZRQRAAmuiV4cbShdQztN71XcCgYEA47POx+FwlWp5pqIgBs4A
+iCPiR1zGPr+f4KAakRH0zdId+W7Ir+FMbBZ1xXGGa3X+U5AZG4O4q9d73OvChxl2
+1Sk3JbrA+yhWzFbUPFb80ofC1FnaUuq3ZDFsXhgiDS4qbEz7xJ8lggfWnIv0L2Oc
+IdrbAb0zzqk23Gq1R9MoUd8CgYEAus2Sn8/Pm/UKtfIAXzG6X7PeYoRnZKQbIreS
+jjXKcmBSU4DGvP8wuq8uF6+6tXcHJuzZrRd5BqP4ecyCZSWXjS2gXNEx+jeCKy3h
+NAl/x9gPMnhpZB6omENSF+9jG++VmFX9qY7tN0o5v3sfx13YE0ioMYeNtbtpUOjA
+hQjcTVcCgYAEkYU/9eQja4S9Vytq6AZWOTvVZZoOGdtPeD5cn06HaG6dZ7tpOCHF
+Mm67/72N8+lYsFX50QkW62ZlD/J8QV6K1ayJcS6PxF71CgUBB7KYdys0QZisVmBX
+nkkyHEHpRybK3KDuUtq1FTYcmtEBBOKtJOTJXEyEMEFZgFwTCdmRjw==
+-----END RSA PRIVATE KEY-----
