Jenkins two factor authentication plugin

[miniOrangeDev]

Repository URL

https://github.com/miniOrangeDev/miniorange-two-factor

New Repository Name

miniorange-two-factor-plugin

Description

Two-Factor Authentication for Jenkins Plugin adds a layer of security to Jenkins authentication by requiring users to provide a second factor of authentication along with their username and password. It enhances the overall security of your Jenkins environment. Additionally, this plugin does not require you to extend the security realm, making it easier to implement and use.

GitHub users to have commit permission

Jenkins project users to have release permission

Issue tracker

Jira

[jenkins-cert-app]

Security audit, information and commands

The security team is auditing all the hosting requests, to ensure a better security by default.

This message informs you that a Jenkins Security Scan was triggered on your repository. It takes ~10 minutes to complete.

Commands

The bot will parse all comments, and it will check if any line start with a command. Security team only:

• /audit-ok => the audit is complete, the hosting can continue :tada:.
• /audit-skip => the audit is not necessary, the hosting can continue :tada:.
• /audit-findings => the audit reveals some issues that require corrections :pencil2:.

Anyone:

• /request-security-scan => the findings from the [Jenkins Security Scan](https://www.jenkins.io/doc/developer/security/scan/) were corrected, this command will re-scan your repository :mag:.
• /audit-review => the findings from the audit were corrected, this command will ping the security team to review the findings :eyes:. It's only applicable when the previous audit required changes.

Only one command can be requested per comment.

(automatically generated message, version: 1.17.14)

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The origin repository 'https://github.com/miniOrangeDev/miniorange-two-factor.git' ends in .git, please remove this
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: Repository URL 'https://github.com/miniOrangeDev/miniorange-two-factor' is not a valid GitHub repository (check that you do not have .git at the end, GitHub API doesn't support this).
• :warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[jenkins-cert-app]

:x: Jenkins Security Scan failed. The Security team was notified about this.

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: Please add a readme file to your repo, GitHub provides an easy mechanism to do this from their user interface.
• :warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: Please add a readme file to your repo, GitHub provides an easy mechanism to do this from their user interface.
• :warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: Please add a readme file to your repo, GitHub provides an easy mechanism to do this from their user interface.
• :warning: Warning: No pom.xml detected.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[miniOrangeDev]

/hosting re-check

[Kevin-CB]

[ASSIST] Hi @miniOrangeDev,

Since I see you're active there, I'm taking this opportunity to draw your attention to SECURITY-3001 as I haven't received any response to the ticket.

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.332.4</jenkins.version> to at least 2.361.4 in your pom.xml. Take a look at the baseline recommendations.
• :no_entry: Required: The parent pom version '4.41' should be at least '4.52' or higher.
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[alecharp]

@miniOrangeDev I have some comments on your repository

• could you run mvn tidy:pom on your repository to ease the human reading of the pom.xml
• it seems that you have configured the Maven build instruction to use CD process but you haven't included the .mvn files nor the GitHub Action description. Please see https://www.jenkins.io/doc/developer/publishing/releasing-cd/
• you can simplify the help file location. They can be in src/main/resources/<path-to-class>/help-<field-name>.jelly. Please see https://www.jenkins.io/doc/developer/forms/jelly-form-controls/#add-an-inline-help-to-a-form-element
• I see that you have a lot of CSS definition in your jelly files. Please see https://www.jenkins.io/doc/developer/views/exposing-bundled-resources/#exposing-bundled-resources to centralize that
• I would suggest to add the license header on the Java classes
• star imports on Java classes should be avoided (see https://github.com/miniOrangeDev/miniorange-two-factor/blob/65cbfa5c7edf095f1741d626002dff875f46a124/src/main/java/com/miniorange/twofactor/jenkins/MoFilter.java#L12 https://github.com/miniOrangeDev/miniorange-two-factor/blob/65cbfa5c7edf095f1741d626002dff875f46a124/src/main/java/com/miniorange/twofactor/jenkins/MoUserAuth.java#L6)
• There are some code format issues across some Java classes. To ease the process, you could get some inspiration from https://groups.google.com/g/jenkinsci-dev/c/zUewd9LL5-g

[NotMyFault]

What is the purpose of this plugin which is not yet covered by existing plugins, like the plenty of openId, SAML, etc. plugins we already host.

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Jira: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)
• :no_entry: Required: The following usernames in 'Jenkins project users to have release permission' need to log into Artifactory: @miniOrangeDev (reports are re-synced hourly, wait to re-check for a bit after logging in)

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A human volunteer will check over things that I am not able to check for (code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[miniOrangeDev]

/hosting host

[miniOrangeDev]

@alecharp Thanks for the suggestions. We will work on these suggestions and update the ticket as soon as possible.

[alecharp]

I'm also interested by the purpose of this, as stated by @NotMyFault on https://github.com/jenkins-infra/repository-permissions-updater/issues/3304#issuecomment-1544336383. Could you elaborate what this plugin would bring to the ecosystem which is not already provided by other plugins or integration?

[miniOrangeDev]

@alecharp @NotMyFault

This is a 2fa plugin which enables the admin to enforce a second factor on the Jenkins side. Such a plugin is not yet available on the marketplace. We plan on adding other several methods as your second factor to secure your Jenkins instance. This plugin works with all security realms. We had received several requests for this plugin.

[NotMyFault]

Thanks for the detailed answer. I don't believe the plugin is in a state yet, where I would expect it on the Jenkins plugins portal. Given, its name doesn't live up with its purpose (yet). I'd keep this proposal on hold, until the TODO list in the README has been worked through. Hosting half-baked plugins is not in our interest.

[miniOrangeDev]

@NotMyFault I appreciate your feedback regarding the Jenkins 2FA plugin and your concerns about its current state. The current version of the plugin supports complete flow for the security questions as the 2nd factor for authentication in Jenkins. This is not half-baked as the admin can enforce 2FA for their users thus improving the security for the Jenkins instance. Also, as mentioned earlier we had received requests for this plugin from some Jenkins users.

As far as the TODO list in README is concerned, we are going to prioritize and develop the other methods as per user requests. So many user-management-related features along with these methods will be rolled out in future timely releases by our team.

I kindly request you to reconsider putting it on hold. We are confident in our ability to address the remaining tasks promptly and would appreciate the opportunity to continue the approval process.

[miniOrangeDev]

@alecharp We have implemented the changes pointed out by you. Kindly let us know if anything else needs to be done and also let us know the further steps.

[NotMyFault]

complete flow for the security questions as the 2nd factor for authentication this is not half-baked as the admin can enforce 2FA

I sought sources backing these points up, but even OWASP recommends against it. Therefore, I won't reconsider my previous comment, until the plugins adds at least one actual 2FA method, which is not covered by existing plugins yet.

[miniOrangeDev]

@NotMyFault Thanks for providing the insight. We would like to assure you that we have taken your feedback into account, and we are committed to implementing at least one unique and distinct 2FA method as per your demand. Our team will work diligently to ensure that the plugin meets your expectations and provides added value to the Jenkins community.

We value your support and engagement in this process, and we will keep you updated on the progress of the plugin's development. If you have any further suggestions or specific requirements, please feel free to share them with us.

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.361.1</jenkins.version> to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.
• :no_entry: Required: The parent pom version '4.62' should be at least '4.65' or higher.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[miniOrangeDev]

@NotMyFault we have added OTP Over Email method for authentication as per your comment and OWASP guidelines.

Please let us know if you have any further suggestions.

[miniOrangeDev]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It looks like you have everything in order for your hosting request. A member of the Jenkins hosting team will check over things that I am not able to check(code review, README content, etc) and process the request as quickly as possible. Thank you for your patience.

Hosting team members can host this request with /hosting host

[miniOrangeDev]

@alecharp @NotMyFault We have made changes in the plugin as per your suggestions and added the OTP Over Email method for authentication. Could you let us know if any more work is required from our side or the next steps which are needed to get the plugin on the marketplace?

[miniOrangeDev]

@NotMyFault @alecharp We recently updated the plugin accordingly to your requirements. We understand that you may be busy, but we wanted to check on the status of our submission and see if there were any updates or feedback. If there are any changes or improvements required to meet the submission guidelines, we are more than willing to work on them promptly.

Please let us know if there's any additional information you need from our end to process the submission or if there's an estimated timeline for review. Thank you for your time, and I'm looking forward to hearing back from you soon.

[NotMyFault]

Thanks for adding the changes requested. I am short on time and haven't had the chance yet to take a look at the changes done, but I have some feedback for you:

• Please create a .github within the repository root directory with the following files and subdirectories: https://github.com/jenkinsci/archetypes/tree/master/common-files/.github
• Please create a .mvn folder within the repository root directory with the following files: https://github.com/jenkinsci/archetypes/tree/master/common-files/.mvn
• https://github.com/miniOrangeDev/miniorange-two-factor/blob/577860b302b4f75141370f7a214d3a01389fbf65/Jenkinsfile#L1 Please update your Jenkinsfile according to https://github.com/jenkinsci/archetypes/blob/master/common-files/Jenkinsfile
• Please update your README.md including updating screenshots reflecting the options this plugin offers.
• The groupId io.jenkins.plugins doesn't match your actual groupId used: https://github.com/miniOrangeDev/miniorange-two-factor/tree/master/src/main/java/com/miniorange/ Please move classes and files from com.miniorange to io.jenkins.plugins matching the default groupId.
• https://github.com/miniOrangeDev/miniorange-two-factor/blob/577860b302b4f75141370f7a214d3a01389fbf65/pom.xml#L44 should always match your jenkins.version used.
• https://github.com/miniOrangeDev/miniorange-two-factor/blob/577860b302b4f75141370f7a214d3a01389fbf65/pom.xml#L52-L56 instead of shading jackson yourself, you can depend on the corresponding Jenkins plugin providing it for you: https://plugins.jenkins.io/jackson2-api/dependencies/
• https://github.com/miniOrangeDev/miniorange-two-factor/blob/577860b302b4f75141370f7a214d3a01389fbf65/pom.xml#L60 Please use an up to date version, such as 20230618.
• https://github.com/miniOrangeDev/miniorange-two-factor/blob/577860b302b4f75141370f7a214d3a01389fbf65/pom.xml#L62-L66 please update the plugin according to https://github.com/spotify/fmt-maven-plugin#fmt-maven-plugin and specify a lifecycle and goal. Currently, the maven plugin is shaded into the .hpi file, for no reason, given it's a development tool and doesn't need to be delivered at runtime.
• https://github.com/miniOrangeDev/miniorange-two-factor/blob/577860b302b4f75141370f7a214d3a01389fbf65/pom.xml#L67-L71 instead of shading the javax mail api yourself, you can depend on the corresponding Jenkins plugin: https://plugins.jenkins.io/javax-mail-api/dependencies/
• Please take a moment and address the open spotbugs issues, you can generate yourself a list with mvn clean verify package.
• https://github.com/search?q=repo%3AminiOrangeDev%2Fminiorange-two-factor%20symbol-arrow-up&type=code is obsolete and should be removed. For navigation, you can use the breadcrumbs, a dedicated sidepanel is not needed. Rather, use the one-column type, like in https://github.com/jenkinsci/jenkins/blob/d841f1d1f7bd3a164c00cdfa2048df0e2ed9746d/core/src/main/resources/jenkins/agents/CloudSet/new.jelly#L35
• If no security method is defined, numerous empty descriptors are added to the user profile, for no reason, that shouldn't be done.
• MoGlobalConfig shouldn't be stored in the controller's root directory, but rather in the plugin's directory.

[miniOrangeDev]

@NotMyFault Thank you for pointing out the above issues. We appreciate you taking out the time and posting the response. We are actively working on the above suggestions and will update once it's done.

[miniOrangeDev]

@NotMyFault We have diligently addressed the suggestions you highlighted and have taken every effort to ensure that the plugin meets the high standards set by the Jenkins Marketplace. We kindly request you to review the updated version of our plugin at your earliest convenience. We are ready and willing to provide any necessary information or make further modifications to expedite the review process as this is ongoing for a long time and few of our users are waiting for this plugin.

[NotMyFault]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan discovered 20 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

---

Stapler: Missing POST/RequirePOST annotation

You can find detailed information about this finding here.

MoOtpOverEmailAuth.java#228

``` Potential CSRF vulnerability: If MoOtpOverEmailAuth#doResendOtp connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

MoOtpOverEmailConfig.java#75

``` Potential CSRF vulnerability: If MoOtpOverEmailConfig#doReset connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

MoSecurityQuestionConfig.java#170

``` Potential CSRF vulnerability: If MoSecurityQuestionConfig#doReset connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST ```

Stapler: Missing permission check

You can find detailed information about this finding here.

MoGlobalConfigView.java#136

``` Potential missing permission check in DescriptorImpl#doCheckSenderEmailAddress ```

MoOtpOverEmailAuth.java#240

``` Potential missing permission check in MoOtpOverEmailAuth#doSaveOrValidateOtpOverEmailConfig ```

MoOtpOverEmailAuth.java#228

``` Potential missing permission check in MoOtpOverEmailAuth#doResendOtp ```

MoSecurityQuestionAuth.java#146

``` Potential missing permission check in MoSecurityQuestionAuth#doSecurityQuestionAuthenticate ```

MoOtpOverEmailConfig.java#75

``` Potential missing permission check in MoOtpOverEmailConfig#doReset ```

MoSecurityQuestionConfig.java#372

``` Potential missing permission check in DescriptorImpl#doCheckCustomSecurityQuestionAnswer ```

MoSecurityQuestionConfig.java#364

``` Potential missing permission check in DescriptorImpl#doCheckCustomSecurityQuestion ```

MoSecurityQuestionConfig.java#356

``` Potential missing permission check in DescriptorImpl#doCheckSecondSecurityQuestionAnswer ```

MoSecurityQuestionConfig.java#345

``` Potential missing permission check in DescriptorImpl#doCheckSecondSecurityQuestion ```

MoSecurityQuestionConfig.java#336

``` Potential missing permission check in DescriptorImpl#doCheckFirstSecurityQuestionAnswer ```

MoSecurityQuestionConfig.java#325

``` Potential missing permission check in DescriptorImpl#doCheckFirstSecurityQuestion ```

MoSecurityQuestionConfig.java#312

``` Potential missing permission check in DescriptorImpl#doFillSecondSecurityQuestionItems ```

MoSecurityQuestionConfig.java#306

``` Potential missing permission check in DescriptorImpl#doFillFirstSecurityQuestionItems ```

MoSecurityQuestionConfig.java#170

``` Potential missing permission check in MoSecurityQuestionConfig#doReset ```

MoSecurityQuestionConfig.java#119

``` Potential missing permission check in MoSecurityQuestionConfig#doSaveSecurityQuestion ```

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

MoGlobalConfigConstant.java#6

``` Field should be reviewed whether it stores a password and is serialized to disk: key ```

MoSecurityQuestionsConstant.java#37

``` Field should be reviewed whether it stores a password and is serialized to disk: key ```

[miniOrangeDev]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan discovered 2 finding(s) :mag:. For each of them, either apply the recommended correction, suppress the warning or provide a justification.

Once you're done, either re-run the scan with /request-security-scan or request the Security team to review your justifications with /audit-review.

---

Jenkins: Plaintext password storage

You can find detailed information about this finding here.

MoGlobalConfigConstant.java#7

``` Field should be reviewed whether it stores a password and is serialized to disk: key ```

MoGlobalConfigConstant.java#20

``` Field should be reviewed whether it stores a password and is serialized to disk: key ```

[miniOrangeDev]

/request-security-scan

[jenkins-cert-app]

The Jenkins Security Scan did not find anything dangerous with your plugin, congratulations! :tada:

---

:bulb: The Security team recommends that you are setting up the scan in your repository by following our guide.

[miniOrangeDev]

@NotMyFault We have fixed all the issues pointed out by the security scan. Kindly let us know the next steps required to publish the plugin on the Jenkins marketplace.

[NotMyFault]

/hosting re-check

[github-actions[bot]]

Hello from your friendly Jenkins Hosting Checker

It appears you have some issues with your hosting request. Please see the list below and correct all issues marked Required. Your hosting request will not be approved until these issues are corrected. Issues marked with Warning or Info are just recommendations and will not stall the hosting process.

• :no_entry: Required: Your baseline specified does not meet the minimum Jenkins version required, please update <jenkins.version>2.361.4</jenkins.version> to at least 2.387.3 in your pom.xml. Take a look at the baseline recommendations.
• :no_entry: Required: The parent pom version '4.65' should be at least '4.71' or higher.

You can re-trigger a check by editing your hosting request or by commenting /hosting re-check

[NotMyFault]

The first two bullet points in https://github.com/jenkins-infra/repository-permissions-updater/issues/3304#issuecomment-1657121775 remained unaddressed.