Prevent keypair from being rotated when saving credentials, only rotate on explicit button click #98

Open
ronak-701685 wants to merge 1 commit into jenkinsci:master from ronak-701685:ronak-701685-add-button-to-update-keypair

@ronak-701685

What I Did

  • Prevented the default update of the keypair when the Save button is clicked in the IdTokenCredentials configuration.
  • Added logic to ensure the keypair is only updated when explicitly requested by the user.
  • Updated the UI and backend to support this behavior.
  • Modified related tests to reflect the new functionality.

Relevant Issues

Testing done

OpenIDConnectIdToken.mp4

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

@ronak-701685 ronak-701685 requested a review from a team as a code owner July 14, 2025 06:32
@ronak-701685
Author

Review request: @jglick

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing POST/RequirePOST annotation Warning

Potential CSRF vulnerability: If IdTokenCredentialsDescriptor#doRotateKeypair connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check Warning

Potential missing permission check in IdTokenCredentialsDescriptor#doRotateKeypair
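
What the two scan warnings above ask for, as an added example that is not code from this pull request: a Stapler web method limited to POST and guarded by a permission check before it changes state. The class name, the `generate()` helper, the RSA-2048 key type, the `FormValidation` return type and the choice of `Jenkins.ADMINISTER` are assumptions for illustration; it compiles against Jenkins core and Stapler inside a plugin build.

```java
import hudson.util.FormValidation;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.verb.POST;

// Hypothetical class for illustration; not the plugin's IdTokenCredentialsDescriptor.
public class KeypairRotationExample {

    // Assumed in-memory holder; a real plugin would persist the key securely.
    private volatile KeyPair current;

    // Flagged shape: a public do* method is routable by Stapler for any HTTP verb,
    // and nothing checks who is calling it.
    //   public FormValidation doRotateKeypair() { ... }

    // Hardened shape: POST only, and the permission check runs before any state changes.
    @POST
    public FormValidation doRotateKeypair() {
        // Assumption: ADMINISTER is the right gate; an access-denied exception is thrown otherwise.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            current = generate();
        } catch (NoSuchAlgorithmException e) {
            return FormValidation.error(e, "Could not generate a new keypair");
        }
        return FormValidation.ok("Keypair rotated");
    }

    // Assumed key type (RSA-2048) for the sketch only.
    private static KeyPair generate() throws NoSuchAlgorithmException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }
}
```
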
@jglick
Member

jglick commented Jul 21, 2025

Compare #30. Currently this plugin is not really maintained. If I have some time to actually set aside and think about what is safe and correct I have a list of important changes to make, starting with keypair rotation. From a quick glance this looks reasonable but any change to this plugin requires more than a quick glance.

Development

Successfully merging this pull request may close these issues.

Unwanted Key Rotation on CasC Reload