Improve authentication mechanisms (#50)

* Configure files before plugins

This is necessary because certain files, such as user config.xml
files, may contain API tokens which are needed for authenticated
plugin installation. Therefore these files must be in place before
attempting to start up Jenkins for the first time.

* Install custom plugins first

Since the custom plugins need to be installed by Jenkins when it
starts up, this minor optimization saves a bit of time during plugin
installation.

* Add jenkins_auth variable to determine auth type

This change is the first step in flexibly supporting multiple
authentication types to use when deploying Jenkins. In a future
commit, support for API tokens will be added.

This change also renames jenkins_token to jenkins_crumb_token, in
order to be more explicit about the token type.

* Save the web session cookie along with the crumb

As of Jenkins 2.176.2, Jenkins' CSRF issuer requires a corresponding
web session ID to be submitted along with the crumb. For more info,
see:

https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626

* Support API token authentication

* Add a molecule scenario test for API tokens

This is hopefully the second of many additional non-sanity tests that
will be added to ensure that different behaviors of this role are
working properly.

* Add some tasks to do basic sanity checking of vars

This could probably be expanded in the future for other states that we
need to verify before beginning a deployment.

* Add documentation on authentication and security

Author: nre-ableton

.travis.yml

@@ -7,4 +7,4 @@ services:
 install:
   - pip install -r requirements.txt
 script:
-  - molecule test
+  - molecule test --all

README.md

@@ -167,6 +167,72 @@ instance and deploying using docker you probably
 want to set the `jenkins_docker_expose_port` var to false so that the
 port is not exposed on the host, only to the reverse proxy.
 
+Authentication and Security
+---------------------------
+
+This role supports the following authentication mechanisms for Jenkins:
+
+1. API token-based authentication (recommended, requires at least Jenkins 2.96)
+2. Crumb-based authentication with the [Strict Crumb Issuer
+   plugin](https://plugins.jenkins.io/strict-crumb-issuer) (required if _not_
+   using API tokens and Jenkins 2.176.2 or newer)
+3. No security (not recommended)
+
+*API token-based authentication*
+
+API token-based authentication is recommended, but requires a bit of extra
+effort to configure. The advantage of API tokens is that they can be easily
+revoked in Jenkins, and their usage is also tracked. API tokens also do not
+require getting a crumb token, which has become more difficult since Jenkins
+version 2.172.2 (see [this security
+bulletin](https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626).
+
+To create an API token, you'll need to do the following:
+
+1. All API tokens must belong to a specific user. So either create a special
+   user for deployments, or log in as the administrator or another account.
+2. In the user's configuration page, click the "Add new Token" button.
+3. Save the token value, preferably in an Ansible vault.
+4. Define the following variables in your playbook:
+  - `jenkins_auth: "api"`
+  - `jenkins_api_token: "(defined in the Anible vault)"`
+  - `jenkins_api_username: "(defined in the Ansible vault)"`
+5. Create a backup of the file `$JENKINS_HOME/users/the_username/config.xml`,
+   where `the_username` corresponds to the user which owns the API token you
+   just created.
+6. Add this file to your control host, and make sure that is deployed to Jenkins
+   in the `jenkins_custom_files` list, like so:
+
+```
+jenkins_custom_files:
+  - src: "users/the_username/config.xml"
+    dest: "users/ci/config.xml"
+```
+
+Note that you may need to change the `src` value, depending on where you save
+the file on the control machine relative to the playbook.
+
+*Crumb-based authentication*
+
+Crumb-based authentication can be used to prevent cross-site request forgery
+attacks and is recommended if API tokens are impractical. However, it can also
+be a bit tricky to configure this due to security fixes in Jenkins. To configure
+CSRF, you'll need to do the following:
+
+1. If you are using Jenkins >= 2.176.2, you'll need to install the
+   Strict Crumb Issuer plugin. This can be done by this role by adding the
+   `strict-crumb-issuer` ID to the `jenkins_plugins` list.
+2. In Jenkins, click on "Manage Jenkins" -> "Configure Global Security"
+3. In the "CSRF Protection" section, enable "Prevent Cross Site Request Forgery
+   exploits", and then select "Strict Crumb Issuer" if using Jenkins >= 2.176.2,
+   or otherwise "Default Crumb Issuer". Note that to see this option, you'll
+   need to have the Strict Crumb Issuer plugin installed.  Afterwards, you'll
+   also need to backup the main Jenkins `config.xml` file to the control host.
+
+Likewise, for the above to work, you'll need at least Ansible 2.9.0pre5 or 2.10
+(which are, at the time of this writing, both in development. See [this Ansible
+issue](https://github.com/ansible/ansible/issues/61672) for more details).
+
 Jenkins Configs
 ---------------
 

defaults/main.yml

@@ -54,6 +54,24 @@ jenkins_plugin_timeout: 300
 # List of sources of custom jenkins plugins to install
 jenkins_custom_plugins: []
 
+#######################
+# Authentication vars #
+#######################
+
+# Mechanism to use when authenticating to Jenkins. Must be one of the following values:
+# - api: Use an API token which belongs to a specific user
+# - crumb: Use anonymous crumb-based authentication
+# - none: No security (not recommended)
+# For more information, please refer to the "Authentication and Security" section of the
+# README.
+jenkins_auth: "crumb"
+
+# When defined, use this API token instead of getting a crumb from the system. Requires
+# jenkins_api_username.
+jenkins_api_token: ""
+# Username which owns the above API token.
+jenkins_api_username: ""
+
 ###################################################
 # Docker vars: apply to deploying via docker only #
 ###################################################

molecule/api-token/Dockerfile.j2

@@ -0,0 +1,15 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 648ACFD622F3D138 && \
+    apt-get update && \
+    apt-get install -y apt-transport-https aptitude bash ca-certificates sudo python \
+        python-apt && \
+    apt-get clean
+
+RUN useradd -G sudo molecule

molecule/api-token/jenkins-configs/config.xml

@@ -0,0 +1,46 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<hudson>
+  <disabledAdministrativeMonitors/>
+  <version>2.190.1</version>
+  <installStateName>RESTART</installStateName>
+  <numExecutors>1</numExecutors>
+  <mode>EXCLUSIVE</mode>
+  <useSecurity>true</useSecurity>
+  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
+  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
+    <disableSignup>false</disableSignup>
+    <enableCaptcha>false</enableCaptcha>
+  </securityRealm>
+  <disableRememberMe>false</disableRememberMe>
+  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
+  <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULLNAME}</workspaceDir>
+  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
+  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
+  <jdks/>
+  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
+  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
+  <clouds/>
+  <quietPeriod>0</quietPeriod>
+  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
+  <views>
+    <hudson.model.AllView>
+      <owner class="hudson" reference="../../.."/>
+      <name>all</name>
+      <filterExecutors>false</filterExecutors>
+      <filterQueue>false</filterQueue>
+      <properties class="hudson.model.View$PropertyList"/>
+    </hudson.model.AllView>
+  </views>
+  <primaryView>all</primaryView>
+  <slaveAgentPort>0</slaveAgentPort>
+  <disabledAgentProtocols>
+    <string>JNLP-connect</string>
+    <string>JNLP2-connect</string>
+  </disabledAgentProtocols>
+  <label>master</label>
+  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
+    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
+  </crumbIssuer>
+  <nodeProperties/>
+  <globalNodeProperties/>
+</hudson>

molecule/api-token/jenkins-configs/jobs/test_job/config.xml

@@ -0,0 +1,15 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<project>
+  <keepDependencies>false</keepDependencies>
+  <properties/>
+  <scm class="hudson.scm.NullSCM"/>
+  <canRoam>true</canRoam>
+  <disabled>false</disabled>
+  <blockBuildWhenDownstreamBuilding>false</blockBuildWhenDownstreamBuilding>
+  <blockBuildWhenUpstreamBuilding>false</blockBuildWhenUpstreamBuilding>
+  <triggers/>
+  <concurrentBuild>false</concurrentBuild>
+  <builders/>
+  <publishers/>
+  <buildWrappers/>
+</project>

molecule/api-token/jenkins-configs/users/molecule/config.xml

@@ -0,0 +1,76 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<user>
+  <version>10</version>
+  <id>molecule</id>
+  <fullName>Molecule Test User</fullName>
+  <description></description>
+  <properties>
+    <jenkins.security.ApiTokenProperty>
+      <tokenStore>
+        <tokenList>
+          <jenkins.security.apitoken.ApiTokenStore_-HashedToken>
+            <uuid>bdf647eb-10f3-46e3-8a2d-13d10962247f</uuid>
+            <name>Deployment Token</name>
+            <creationDate>2019-10-23 15:27:12.108 UTC</creationDate>
+            <value>
+              <version>11</version>
+              <hash>bf8962734f66b3a0e122d6c96cae2e85dfceb6d8b9b4cdc0333de5d73c956313</hash>
+            </value>
+          </jenkins.security.apitoken.ApiTokenStore_-HashedToken>
+        </tokenList>
+      </tokenStore>
+    </jenkins.security.ApiTokenProperty>
+    <io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty plugin="blueocean-autofavorite@1.2.4">
+      <autofavoriteEnabled>true</autofavoriteEnabled>
+    </io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty>
+    <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.3.0">
+      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>
+    </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
+    <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.29">
+      <emailAddress>test@example.com</emailAddress>
+    </hudson.tasks.Mailer_-UserProperty>
+    <hudson.plugins.favorite.user.FavoriteUserProperty plugin="favorite@2.3.2">
+      <data class="concurrent-hash-map"/>
+    </hudson.plugins.favorite.user.FavoriteUserProperty>
+    <jenkins.security.LastGrantedAuthoritiesProperty>
+      <roles>
+        <string>authenticated</string>
+      </roles>
+      <timestamp>1571844399911</timestamp>
+    </jenkins.security.LastGrantedAuthoritiesProperty>
+    <hudson.model.MyViewsProperty>
+      <primaryViewName></primaryViewName>
+      <views>
+        <hudson.model.AllView>
+          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
+          <name>all</name>
+          <filterExecutors>false</filterExecutors>
+          <filterQueue>false</filterQueue>
+          <properties class="hudson.model.View$PropertyList"/>
+        </hudson.model.AllView>
+      </views>
+    </hudson.model.MyViewsProperty>
+    <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.3.2">
+      <providerId>default</providerId>
+    </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
+    <hudson.model.PaneStatusProperties>
+      <collapsed/>
+    </hudson.model.PaneStatusProperties>
+    <hudson.security.HudsonPrivateSecurityRealm_-Details>
+      <passwordHash>#jbcrypt:$2a$10$AwJxJ.RV0mv7nzROLZN1O.XarAZfFdxaYXM.MRbdnr/pgSp5m608i</passwordHash>
+    </hudson.security.HudsonPrivateSecurityRealm_-Details>
+    <org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
+      <authorizedKeys></authorizedKeys>
+    </org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
+    <jenkins.security.seed.UserSeedProperty>
+      <seed>ae4a45c415ddc43f</seed>
+    </jenkins.security.seed.UserSeedProperty>
+    <hudson.search.UserSearchProperty>
+      <insensitiveSearch>true</insensitiveSearch>
+    </hudson.search.UserSearchProperty>
+    <jenkins.plugins.slack.user.SlackUserProperty plugin="slack@2.34">
+      <userId></userId>
+      <disableNotifications>false</disableNotifications>
+    </jenkins.plugins.slack.user.SlackUserProperty>
+  </properties>
+</user>

molecule/api-token/molecule.yml

@@ -0,0 +1,44 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+platforms:
+  - name: instance
+    image: ubuntu:16.04
+    privileged: true
+    exposed_ports:
+      - 8080/tcp
+    published_ports:
+      - 0.0.0.0:8080:8080/tcp
+    env:
+      JENKINS_HOME: /jenkins
+provisioner:
+  name: ansible
+  log: true
+  lint:
+    name: ansible-lint
+    options:
+      # E602: Don't compare to empty string
+      # All workarounds for this are uglier than just comparing to empty strings. See:
+      # https://github.com/ansible/ansible-lint/issues/457
+      x: ['602']
+scenario:
+  test_sequence:
+    - destroy
+    - create
+    - converge
+    # The idempotence check must be disabled for this scenario, because we are copying
+    # custom files for user accounts. These files (or rather, their parent directories)
+    # are renamed by Jenkins when it starts up in order to avoid naming conflicts. So
+    # "users/molecule/config.xml" becomes "users/molecule_7942252632599620805/config.xml",
+    # with a randomly-generated number.
+    # - idempotence
+    - lint
+    - verify
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

molecule/api-token/playbook.yml

@@ -0,0 +1,24 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    jenkins_auth: "api"
+    jenkins_api_username: "molecule"
+    # NOTE: Do not store actual API tokens in plain-text in your playbooks. Always use an
+    # Ansible vault for such data.
+    jenkins_api_token: "110cd5010cc081551972181446639ba99f"
+    jenkins_config_owner: "jenkins"
+    jenkins_config_group: "jenkins"
+    jenkins_home: "/jenkins"
+    jenkins_install_via: "apt"
+    jenkins_custom_files:
+      - src: "users/molecule/config.xml"
+        dest: "users/molecule/config.xml"
+    jenkins_include_custom_files: true
+    jenkins_jobs:
+      - test_job
+    jenkins_plugins:
+      - git
+    jenkins_version: "2.190.1"
+  roles:
+    - ansible-jenkins

molecule/api-token/tests/.gitignore

@@ -0,0 +1 @@
+__pycache__/

molecule/api-token/tests/test_default.py

@@ -0,0 +1,38 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+from jenkins import Jenkins
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_jenkins_installed(host):
+    package = host.package('jenkins')
+
+    assert package.is_installed
+
+
+def test_jenkins_version():
+    master = Jenkins('http://127.0.0.1:8080')
+    version = master.get_version()
+
+    assert version == '2.190.1'
+
+
+def test_jenkins_plugins():
+    master = Jenkins('http://127.0.0.1:8080')
+    plugins = master.get_plugins()
+
+    assert plugins['git']['active']
+    assert plugins['git']['enabled']
+
+
+def test_jenkins_jobs():
+    master = Jenkins('http://127.0.0.1:8080')
+    test_job = master.get_job_info('test_job')
+
+    assert test_job['name'] == 'test_job'
+    assert test_job['buildable']

molecule/default/molecule.yml

@@ -20,6 +20,11 @@ provisioner:
   log: true
   lint:
     name: ansible-lint
+    options:
+      # E602: Don't compare to empty string
+      # All workarounds for this are uglier than just comparing to empty strings. See:
+      # https://github.com/ansible/ansible-lint/issues/457
+      x: ['602']
 verifier:
   name: testinfra
   lint: