
Confusing saml plugin keystore breakage

    Details

    • Type: Bug
    • Status: Fixed but Unreleased
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: saml-plugin
    • Labels:
      None

      Description

      • Have authentication set up using SAML with no custom encryption options
      • Wait (I suspect waiting a year for validity expiration is what triggers this)
      • Log in attempts break with a verbose backtrace on the login page
        Stack trace
        org.pac4j.core.exception.TechnicalException: Unsupported resource format: jar:file:/srv/jenkins/home/plugins/saml/WEB-INF/lib/saml.jar!/samlKeystore.jks. Use a relative or absolute path
        	at org.pac4j.core.util.CommonHelper$1.getFilename(CommonHelper.java:373)
        	at org.pac4j.saml.client.SAML2ClientConfiguration.getKeystorePath(SAML2ClientConfiguration.java:313)
        	at org.pac4j.saml.crypto.KeyStoreCredentialProvider.<init>(KeyStoreCredentialProvider.java:92)
        	at org.pac4j.saml.client.SAML2Client.initCredentialProvider(SAML2Client.java:174)
        	at org.pac4j.saml.client.SAML2Client.internalInit(SAML2Client.java:111)
        	at org.pac4j.core.util.InitializableWebObject.init(InitializableWebObject.java:24)
        	at org.jenkinsci.plugins.saml.OpenSAMLWrapper.createSAML2Client(OpenSAMLWrapper.java:145)
        	at org.jenkinsci.plugins.saml.SamlRedirectActionWrapper.process(SamlRedirectActionWrapper.java:45)
        	at org.jenkinsci.plugins.saml.SamlRedirectActionWrapper.process(SamlRedirectActionWrapper.java:30)
        	at org.jenkinsci.plugins.saml.OpenSAMLWrapper.get(OpenSAMLWrapper.java:64)
        	at org.jenkinsci.plugins.saml.SamlSecurityRealm.doCommenceLogin(SamlSecurityRealm.java:258)
        	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
        	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
        	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
        	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
        	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
        	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:537)
        	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
        	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:739)
        

      The call stack above is misleading. It appears to be caused by the "demo keystore" path (PAC4J_DEMO_KEYSTORE) being invalid in principle. The real issue, however, is that the plugin tries to use the demo key store in the first place, which is hinted at in a brief log line with no backtrace:

      WARNING: Using bundled keystore : /srv/jenkins/home/saml-jenkins-keystore.jks (Permission denied)
      Jun 19, 2019 8:19:44 AM org.jenkinsci.plugins.saml.OpenSAMLWrapper createSAML2Client
      WARNING: Using bundled keystore : resource:samlKeystore.jks
      

      The configuration used no custom encryption settings, so whatever default key store the plugin wanted was used. Trying to disable and enable the SAML authentication did not help; trying to use a custom key store in the encryption settings and reverting back to the default did not work either.

      Looking at the code, I realized it has code to create the key store from scratch if it doesn't exist, and sure enough, removing (moving away)

      rm $JENKINS_HOME/saml-jenkins-keystore.jks
      rm $JENKINS_HOME/saml-jenkins-keystore.xml
      

      and reconfiguring the plugin made login work again.

      I'm filing this mainly to have a reference to the workaround, because I couldn't find anything about this error anywhere. I do think that, at the very least, the error path in the keystore loading code should give more info before trying to load the demo keystore. It's confusing that the call stack is not from the actual problem.

      Perhaps the plugin should also handle the key store corruption / expiration in a more graceful way, but that's less obvious to me.
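      Added example (not part of the report or of the plugin's code): a small Python triage script that reads the two warning lines and the exception quoted above and separates the real root cause (the managed keystore under JENKINS_HOME being unreadable or unwritable) from the misleading pac4j stack trace, then lists the workaround steps from the report. The sample log is constructed from the lines in the report; the `.bak` file names are an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Warning from OpenSAMLWrapper.createSAML2Client; the optional bracket holds the I/O reason.
BUNDLED_RE = re.compile(
    r"WARNING: Using bundled keystore : (?P<path>\S+)(?: \((?P<reason>[^)]*)\))?"
)
# The misleading pac4j exception that surfaces on the login page afterwards.
SYMPTOM_RE = re.compile(r"TechnicalException: Unsupported resource format: jar:file:")

# Constructed sample: the warnings and the exception quoted in the report.
SAMPLE_LOG = """\
Jun 19, 2019 8:19:44 AM org.jenkinsci.plugins.saml.OpenSAMLWrapper createSAML2Client
WARNING: Using bundled keystore : /srv/jenkins/home/saml-jenkins-keystore.jks (Permission denied)
WARNING: Using bundled keystore : resource:samlKeystore.jks
org.pac4j.core.exception.TechnicalException: Unsupported resource format: jar:file:/srv/jenkins/home/plugins/saml/WEB-INF/lib/saml.jar!/samlKeystore.jks. Use a relative or absolute path
"""

@dataclass
class Finding:
    root_cause: str               # "keystore_unusable", "bundled_fallback" or "none"
    keystore_path: Optional[str]  # managed keystore the plugin could not use
    reason: Optional[str]         # e.g. "Permission denied"
    symptom_seen: bool            # pac4j TechnicalException present in the log

def triage_log(text: str) -> Finding:
    """Pick the root cause out of the log instead of trusting the stack trace."""
    path = reason = None
    fallback = symptom = False
    for line in text.splitlines():
        m = BUNDLED_RE.search(line)
        if m and m.group("path").startswith("resource:"):
            fallback = True  # plugin gave up and tried samlKeystore.jks from the jar
        elif m:
            path, reason = m.group("path"), m.group("reason")
        elif SYMPTOM_RE.search(line):
            symptom = True
    cause = "keystore_unusable" if path else "bundled_fallback" if fallback else "none"
    return Finding(cause, path, reason, symptom)

def remediation(f: Finding, jenkins_home: str = "$JENKINS_HOME") -> List[str]:
    """Workaround from the report: fix access, then let the plugin recreate the keystore."""
    if f.root_cause == "none":
        return []
    steps = [f"fix access to {f.keystore_path} ({f.reason})"] if f.reason else []
    steps += [f"mv {jenkins_home}/saml-jenkins-keystore.{ext} {jenkins_home}/saml-jenkins-keystore.{ext}.bak" for ext in ("jks", "xml")]
    steps.append("reconfigure (re-save) the SAML security realm so the keystore is regenerated")
    return steps
```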

            Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            The key store is needed by the pac4j library even though you do not use encryption; because of that, the plugin manages a dummy keystore, which is created and whose key is maintained in case it expired. It should be transparent for the user, but it seems like for some reason it cannot write JENKINS_HOME/saml-jenkins-keystore.jks and also fails to read the keystore inside the jar. I will add the exception and the workaround to the Troubleshooting guide; also, I will review if there is a better solution. Probably I will remove the use of the demo keystore and show an error in the logs, so that you are aware that it is not possible to create the dummy keystore.

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            Finally, I'd not remove the use of the keystore in the bundle, to avoid breaking some installations; I've added a more explanatory message.


              People

              • Assignee:
                ifernandezcalvo Ivan Fernandez Calvo
                Reporter:
                tsniatowski Tomasz Śniatowski
              • Votes:
                0
                Watchers:
                2
