JCASC plugin not managing correctly ssl certificate set to " - none - "

[mbuccarello]

Hello team
I shared detail about the problem in jenkins Jira in the JCASC section as described here:

https://issues.jenkins.io/browse/JENKINS-64492

Steps to Reproduce

Steps to reproduce the behavior:

1. configure jenkins using the cacerts insted of .p12 file as described here https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Integrations/jenkins-configure.htm?tocpath=Integrations%7CJenkins%7C_____2#Preparethecertificate
2. make sure jenkins as JCASC plugin installed and your conjur plugin is configured in this way
3. restart jenkins and run a pipeline that is expected to work because certificate is managed at cacerts level
4. The pipeline should not be able to fetch the secret from DAP / Conjur
   

Expected Results

Conjur / Cyberark plugin should work correctly with JCASC and manage correctly empty values in the plugin

Actual Results (including error logs, if applicable)

This is the error i have in all the pipele implementing the secret fetching

Reproducible

• [ X] Always
• Sometimes
• Non-Reproducible

Version/Tag number

1.0.2

Environment setup

jenkins 2.263.1
DAP 11.7
JCASC plugin
conjur plugin

Additional Information

A workaround we found is, reapply the configuration the " - none -" value in the SSL Certificate field make the plugin and the pipeline working as expected.

[izgeri]

Thanks for this bug report @mbuccarello. I've alerted the maintainer of this project, @cyberark-bizdev, to this issue and I hope they'll get back to you soon - given the holiday this week, it may take a bit longer than usual.

[mbuccarello]

I'm working on a PR, based on my first analisys the problem seems related on the combination of JCASC and Conjur plugin.

It seems only if we configure the plugin through JCASC plugin the Channel object is null and this lead in a null point exception on lin 52, because CredentialsMatchers.withId(configuration.getCertificateCredentialID()) is null

I'm trying to test a modifed version of the plugin in this way

by checking the certificate field, because if it is null this means the certificate should be null and work with the jenkins cacerts

[mbuccarello]

I opened a PR tested in our qa enviroment and it's working well, here the link jenkinsci#3

Please try to take a look @cyberark-bizdev,

Thanks

Michele

[izgeri]

Thanks @mbuccarello - I'm working on getting in touch with @cyberark-bizdev via other channels to try to make sure you get a review on this, but with the holidays response times are sure to be slow right now.