[JENKINS-74964] Fix: Display error message when adding invalid certificate credentials

Author: Priya-CB

src/main/java/com/cloudbees/plugins/credentials/CredentialsSelectHelper.java

@@ -57,6 +57,7 @@
 import org.kohsuke.args4j.Argument;
 import org.kohsuke.args4j.CmdLineException;
 import org.kohsuke.args4j.Localizable;
+import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerRequest2;
 import org.kohsuke.stapler.StaplerResponse2;
@@ -608,8 +609,14 @@ public JSONObject doAddCredentials(StaplerRequest2 req, StaplerResponse2 rsp) th
                         .element("notificationType", "ERROR");
             }
             store.checkPermission(CredentialsStoreAction.CREATE);
-            Credentials credentials = Descriptor.bindJSON(req, Credentials.class, data.getJSONObject("credentials"));
-            boolean credentialsWereAdded = store.addCredentials(wrapper.getDomain(), credentials);
+            boolean credentialsWereAdded;
+            try {
+                Credentials credentials = Descriptor.bindJSON(req, Credentials.class,
+                                                              data.getJSONObject("credentials"));
+                credentialsWereAdded = store.addCredentials(wrapper.getDomain(), credentials);
+            } catch (HttpResponses.HttpResponseException e) {
+                return new JSONObject().element("message", e.getMessage()).element("notificationType", "ERROR");
+            }
             if (credentialsWereAdded) {
                 return new JSONObject()
                         .element("message", "Credentials created")

src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java

@@ -129,17 +129,22 @@ public class CertificateCredentialsImpl extends BaseStandardCredentials implemen
     public CertificateCredentialsImpl(@CheckForNull CredentialsScope scope,
                                       @CheckForNull String id, @CheckForNull String description,
                                       @CheckForNull String password,
-                                      @NonNull KeyStoreSource keyStoreSource) {
+                                      @NonNull KeyStoreSource keyStoreSource) throws Descriptor.FormException {
         super(scope, id, description);
         Objects.requireNonNull(keyStoreSource);
+        if (FIPS140.useCompliantAlgorithms() && StringUtils.isNotBlank(password) && password.length() < 14) {
+            throw new Descriptor.FormException(Messages.CertificateCredentialsImpl_ShortPasswordFIPS(), "password");
+        }
         this.password = Secret.fromString(password);
         this.keyStoreSource = keyStoreSource;
         // ensure the keySore is valid
         // we check here as otherwise it will lead to hard to diagnose errors when used
         try {
             keyStoreSource.toKeyStore(toCharArray(this.password));
         } catch (GeneralSecurityException | IOException e) {
-            throw new IllegalArgumentException("KeyStore is not valid.", e);
+            LOGGER.log(Level.WARNING, Messages.CertificateCredentialsImpl_InvalidKeystore(), e);
+            throw new Descriptor.FormException(Messages.CertificateCredentialsImpl_InvalidKeystore(), e,
+                                               "keyStoreSource");
         }
     }
 

src/main/java/com/cloudbees/plugins/credentials/impl/UsernamePasswordCredentialsImpl.java

@@ -42,8 +42,6 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 
-import java.util.Objects;
-
 /**
  * Concrete implementation of {@link StandardUsernamePasswordCredentials}.
  *

src/main/resources/com/cloudbees/plugins/credentials/impl/Messages.properties

@@ -24,6 +24,7 @@
 UsernamePasswordCredentialsImpl.DisplayName=Username with password
 CertificateCredentialsImpl.DisplayName=Certificate
 CertificateCredentialsImpl.EmptyKeystore=Empty keystore
+CertificateCredentialsImpl.InvalidKeystore=KeyStore is not valid
 CertificateCredentialsImpl.LoadKeyFailed=Could retrieve key "{0}"
 CertificateCredentialsImpl.LoadKeyFailedQueryEmptyPassword=Could retrieve key "{0}". You may need to provide a password
 CertificateCredentialsImpl.LoadKeystoreFailed=Could not load keystore

src/main/resources/lib/credentials/select/select.js

@@ -123,6 +123,7 @@ window.credentials.addSubmit = function (_) {
             .catch((e) => {
                 // notificationBar.show(...) with logging ID could be handy here?
                 console.error("Could not add credentials:", e);
+                window.notificationBar.show("Credentials creation failed.", window.notificationBar["ERROR"]);
             })
     }
 };

src/test/java/com/cloudbees/plugins/credentials/CredentialsSelectHelperTest.java

@@ -1,18 +1,32 @@
 package com.cloudbees.plugins.credentials;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertTrue;
 
 import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
+import com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl;
+import com.cloudbees.plugins.credentials.impl.Messages;
 import hudson.model.UnprotectedRootAction;
+import java.io.IOException;
 import java.util.List;
+import net.sf.json.JSONObject;
 import org.hamcrest.Matchers;
+import org.htmlunit.Page;
+import org.htmlunit.html.DomNode;
+import org.htmlunit.html.DomNodeList;
 import org.htmlunit.html.HtmlButton;
+import org.htmlunit.html.HtmlElementUtil;
 import org.htmlunit.html.HtmlForm;
+import org.htmlunit.html.HtmlFormUtil;
 import org.htmlunit.html.HtmlInput;
+import org.htmlunit.html.HtmlOption;
 import org.htmlunit.html.HtmlPage;
+import org.htmlunit.html.HtmlRadioButtonInput;
 import org.junit.Rule;
 import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.TestExtension;
 
@@ -56,6 +70,59 @@ public void doAddCredentialsFromPopupWorksAsExpected() throws Exception {
         }
     }
 
+    @Test
+    @Issue("JENKINS-74964")
+    public void doAddCredentialsFromPopupForInvalidPEMCertificateKeystore() throws Exception {
+
+        try (JenkinsRule.WebClient wc = j.createWebClient()) {
+            HtmlPage htmlPage = wc.goTo("credentials-selection");
+
+            HtmlButton addCredentialsButton = htmlPage.querySelector(".credentials-add-menu");
+            addCredentialsButton.fireEvent("mouseenter");
+            addCredentialsButton.click();
+
+            HtmlButton jenkinsCredentialsOption = htmlPage.querySelector(".jenkins-dropdown__item");
+            jenkinsCredentialsOption.click();
+
+            wc.waitForBackgroundJavaScript(4000);
+            HtmlForm form = htmlPage.querySelector("#credentials-dialog-form");
+            String certificateDisplayName = j.jenkins.getDescriptor(CertificateCredentialsImpl.class).getDisplayName();
+            String KeyStoreSourceDisplayName = j.jenkins.getDescriptor(
+                    CertificateCredentialsImpl.PEMEntryKeyStoreSource.class).getDisplayName();
+            DomNodeList<DomNode> allOptions = htmlPage.getDocumentElement().querySelectorAll(
+                    "select.dropdownList option");
+            boolean optionFound = selectOption(allOptions, certificateDisplayName);
+            assertTrue("The Certificate option was not found in the credentials type select", optionFound);
+            List<HtmlRadioButtonInput> inputs = htmlPage.getDocumentElement().getByXPath(
+                    "//input[contains(@name, 'keyStoreSource') and following-sibling::label[contains(.,'"
+                    + KeyStoreSourceDisplayName + "')]]");
+            assertThat("query should return only a singular input", inputs, hasSize(1));
+            HtmlElementUtil.click(inputs.get(0));
+            wc.waitForBackgroundJavaScript(4000);
+            Page submit = HtmlFormUtil.submit(form);
+            JSONObject responseJson = JSONObject.fromObject(submit.getWebResponse().getContentAsString());
+            assertThat(responseJson.getString("message"), is(Messages.CertificateCredentialsImpl_InvalidKeystore()));
+            assertThat(responseJson.getString("notificationType"), is("ERROR"));
+        }
+    }
+
+    private static boolean selectOption(DomNodeList<DomNode> allOptions, String optionName) {
+        return allOptions.stream().anyMatch(domNode -> {
+            if (domNode instanceof HtmlOption option) {
+                if (option.getVisibleText().equals(optionName)) {
+                    try {
+                        HtmlElementUtil.click(option);
+                    } catch (IOException e) {
+                        throw new RuntimeException(e);
+                    }
+                    return true;
+                }
+            }
+
+            return false;
+        });
+    }
+
     @TestExtension
     public static class CredentialsSelectionAction implements UnprotectedRootAction {
         @Override

src/test/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImplTest.java

@@ -47,6 +47,7 @@
 import org.htmlunit.html.HtmlRadioButtonInput;
 
 import hudson.Util;
+import hudson.model.Descriptor;
 import hudson.model.ItemGroup;
 import hudson.security.ACL;
 import hudson.util.Secret;
@@ -106,7 +107,7 @@ public void setup() throws IOException {
     }
 
     @Test
-    public void displayName() throws IOException {
+    public void displayName() throws IOException, Descriptor.FormException {
         SecretBytes uploadedKeystore = SecretBytes.fromBytes(Files.readAllBytes(p12.toPath()));
         CertificateCredentialsImpl.UploadedKeyStoreSource storeSource = new CertificateCredentialsImpl.UploadedKeyStoreSource(uploadedKeystore);
         assertEquals(EXPECTED_DISPLAY_NAME, CredentialsNameProvider.name(new CertificateCredentialsImpl(null, "abc123", null, "password", storeSource)));