LiveTest, & fix for CCE in SamlSecurityRealm.doFinishLogin

[jglick]

Trying to provide meaningful test coverage inside this plugin, without relying on ATH. Otherwise tests pass even when the plugin is broken:

diff --git src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java
index 056584a..c9c6a72 100644
--- src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java
+++ src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java
@@ -250,6 +250,7 @@ public class SamlSecurityRealm extends SecurityRealm {
      */
     public HttpResponse doCommenceLogin(final StaplerRequest request, final StaplerResponse response, @QueryParameter
             String from, @Header("Referer") final String referer) {
+        assert false;
         LOG.fine("SamlSecurityRealm.doCommenceLogin called. Using consumerServiceUrl " + getSamlPluginConfig().getConsumerServiceUrl());
 
         String redirectOnFinish = calculateSafeRedirect(from, referer);
@@ -298,6 +299,7 @@ public class SamlSecurityRealm extends SecurityRealm {
      */
     @RequirePOST
     public HttpResponse doFinishLogin(final StaplerRequest request, final StaplerResponse response) {
+        assert false;
         LOG.finer("SamlSecurityRealm.doFinishLogin called");
         String referer = (String) request.getSession().getAttribute(REFERER_ATTRIBUTE);
         // redirect back to original page

Also fixes a regression: #93 (comment)

[jglick]

jenkinsci/jenkins-test-harness#281

[jglick]

Using RealJenkinsRule here because

saml-plugin/src/main/java/org/jenkinsci/plugins/saml/OpenSAMLWrapper.java

Line 65 in de609d4

thread.setContextClassLoader(InitializationService.class.getClassLoader());

or

saml-plugin/pom.xml

Line 96 in de609d4

<exclusions>

make it less than obvious that plain JenkinsRule would simulate plugin operation as accurately as ATH.

[jglick]

The acceptance test started failing as of #90, according to https://ci.jenkins.io/job/Core/job/acceptance-test-harness/job/master/309/testReport/plugins/SAMLPluginTest/java_8_split7___authenticationOK/:

java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
	at org.jenkinsci.plugins.saml.SamlSecurityRealm.doFinishLogin(SamlSecurityRealm.java:339)

Reproduced that here, and fixed in 2d2cc3b.

[jglick]

https://www.jenkins.io/doc/developer/plugin-development/pipeline-integration/#constructor-vs-setters

[jglick]

(Would likely also be better for CasC: should be able to omit default values of attributes.)

[kuisathaverat]

this is a long-delayed task on my queue, I have an environment to make the manual test (https://github.com/kuisathaverat/jenkins-issues) I'll take a look on the weekend to see what is broken on the ATH

[jglick]

I wanted to try comparing the $JENKINS_HOME/config.xml as created by this test to that created by the ATH SAMLPluginTest but I could not get the ATH to even run locally: mvn test … from my host machine got a timeout in

	at org.jenkinsci.test.acceptance.po.PluginManager.checkForUpdates(PluginManager.java:104)
	at org.jenkinsci.test.acceptance.po.PluginManager.installPlugins(PluginManager.java:190)
	at org.jenkinsci.test.acceptance.junit.WithPlugins$RuleImpl$1.installPlugins(WithPlugins.java:195)

and from ath-container.sh it failed to mount files into the fixture.

[kuisathaverat]

Do you see it returning a String? IIRC the SAML definition for the emails is a list, so it always returns a list, even though getAttribute can return a String.

[kuisathaverat]

yep, it is a list of strings

      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
      </saml:Attribute>

[jglick]

I do not know anything about SAML, I just know that saml2Profile.getAttribute(getEmailAttributeName()) returns a String (an email address), both here and in the acceptance test that started failing as of 2.0.0.

[kuisathaverat]

LGTM

[viceice]

Minimum jenkins version raised to a 2 days old version in a patch release?
Should that be at least a minor release?
Is the minimum jenkins version raise required to fix something?

[kuisathaverat]

@viceice the minimum requirement Jenkins core version for the SAMl plugin 2.0.0 is 2.266 that it is a weekly, due there is an LTS version released it is fair to bump the minimum version of the plugin to the new LTS. This PR is included in SAML 2.0.1

For more details about the changes please read the release notes of the plugin and the Jenkins Core

https://github.com/jenkinsci/saml-plugin/releases/tag/saml-2.0.0
https://github.com/jenkinsci/saml-plugin/releases/tag/saml-2.0.1

https://www.jenkins.io/changelog-stable/#v2.277.1
https://www.jenkins.io/changelog/#v2.266

The changes that forced a major release is the change from Spring framework 2.5.x to 5.x

[viceice]

Ok, thanks for clarify. Sorry for the noise.