[JENKINS-73904] [JEP-237] check algorithm used for creating oic config is fips compliant

[pankajy-dev]

https://issues.jenkins.io/browse/JENKINS-73904
https://github.com/jenkinsci/jep/tree/master/jep/237

Testing done

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[codecov]

Codecov Report

Attention: Patch coverage is 70.58824% with 35 lines in your changes missing coverage. Please review.

Project coverage is 71.58%. Comparing base (769f395) to head (a20ca48).
Report is 10 commits behind head on master.

Files with missing lines	Patch %	Lines
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java	69.23%	14 Missing and 6 partials ⚠️
...g/jenkinsci/plugins/oic/OicAlgorithmValidator.java	72.54%	9 Missing and 5 partials ⚠️
...i/plugins/oic/OicServerWellKnownConfiguration.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #424      +/-   ##
============================================
- Coverage     71.91%   71.58%   -0.34%     
- Complexity      199      233      +34     
============================================
  Files            16       17       +1     
  Lines           883     1017     +134     
  Branches        120      146      +26     
============================================
+ Hits            635      728      +93     
- Misses          185      212      +27     
- Partials         63       77      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[PereBueno]

We should be filtering existing algorithms, not launching an exception

[pankajy-dev]

Don't know what happened, previous comment was a change request, not a comment

Just realised I got review comments on this PR. Some of these reviews were already provided by James on the PR that I created on his Fork.

I addressed few of them.

[pankajy-dev]

Not able to add reviewers here.
@jtnord , @PereBueno , @olamy , @fcojfernandez - Please review.

[fcojfernandez]

This class is exposing methods to check FIPS-140. If those methods were private we could discuss if having a negated output is correct or not, but in a utility class like this, checking sometingNon makes the code hard to follow and maintain

[fcojfernandez]

Besides, modifying the lists received as parameter would be risky. It's better to always return an immutable list

[PereBueno]

Shouldn't we be filtering here allAlgorithms here?

[pankajy-dev]

these are the compliant algorithms, thats why haven't put filter here.

[fcojfernandez]

wrong filter

[PereBueno]

Looks dangerous, what if we're using an immutableList? All the set*JW*Algs methods are public

[PereBueno]

As a rule of thumb, "positive" method (e.g.: isJwsAlgorithmCompliant) are easier to follow (those double negations make this difficult to read)

[pankajy-dev]

Done

[PereBueno]

Test name is wrong, we're testing FIPS true here

[pankajy-dev]

Done

[PereBueno]

Same, wrong name

[pankajy-dev]

Done

[PereBueno]

Filtering isn't right, adding just the opposite check to this test fails

    @Test
    public void doCheckAlgorithmFilter() throws IOException, ParseException {
        OIDCProviderMetadata oidcProviderMetadata = OicSecurityRealmNonFIPSAlgoTest.getNonCompliantMockObject();
        int countIDTokenJWSAlgs = oidcProviderMetadata.getIDTokenJWSAlgs().size();
        int countIDTokenJWEAlgs = oidcProviderMetadata.getIDTokenJWEAlgs().size();
        OicSecurityRealm.filterNonCompliantAlgorithms(oidcProviderMetadata);
        assertEquals(
                countIDTokenJWSAlgs, oidcProviderMetadata.getIDTokenJWSAlgs().size());
        assertEquals(
                countIDTokenJWEAlgs, oidcProviderMetadata.getIDTokenJWEAlgs().size());

        // reset the mock, in FIPs mode now
        fips140Mock.reset();
        fips140Mock.when(FIPS140::useCompliantAlgorithms).thenReturn(true);
        // restart the object
        oidcProviderMetadata = OicSecurityRealmNonFIPSAlgoTest.getNonCompliantMockObject();
        // filter
        OicSecurityRealm.filterNonCompliantAlgorithms(oidcProviderMetadata);
        // We should not have the same number of algorithms as in non FIPS mode
        assertNotEquals(countIDTokenJWSAlgs, oidcProviderMetadata.getIDTokenJWSAlgs().size());
        assertNotEquals(countIDTokenJWEAlgs, oidcProviderMetadata.getIDTokenJWEAlgs().size());
    }

[PereBueno]

Class name must match file name

[fcojfernandez]

unused

[jtnord]

NIT: this class is already getting quire big and as this is static these methods could be moved to a utility class.

[jtnord]

to me it looks like none of the the ECDHCryptoProviders would be compliant?

[jtnord]

although it doesn't.
as this returns true for something that is not compliant when not in FIPS mode.
Would it be better to just not perform the call to do any filtering if we are not in FIPS mode and then these methods would do what they are documented to do and what is expected by the function names?

[jtnord]

remove the null checks and make the filter handle null input?

e.g by handling the null in filterFipsNonCompliantJwsAlgorithm you can have

oidcProviderMetadate.setIdTokenJWSAlgs(OicAlgorithmValidatorFIPS140.filterFipsNonCompliantJwsAlgorithm(oidcProviderMetadata.getIDTokenJWSAlgs());

[jtnord]

seems to use its own key derivation function (ConcatKDF) and so would not be compliant?

[jtnord]

Subsumed in #428