Skip to content

Add snapshot taker for special StandardUsernamePasswordCredentials impls#327

Merged
jglick merged 3 commits intojenkinsci:masterfrom
jamesrobson-secondmind:add-username-pwd-snapshottaker
Jul 1, 2022
Merged

Add snapshot taker for special StandardUsernamePasswordCredentials impls#327
jglick merged 3 commits intojenkinsci:masterfrom
jamesrobson-secondmind:add-username-pwd-snapshottaker

Conversation

@jamesrobson-secondmind
Copy link
Contributor

@jamesrobson-secondmind jamesrobson-secondmind commented Jun 21, 2022

This adds a snapshot taker for StandardUsernamePasswordCredentials. This is needed to fix an issue in hashicorp-vault plugin which currently prevents ssh keys being sent to agents which is being developed in jenkinsci/hashicorp-vault-plugin#218

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@jetersen
Copy link
Member

jetersen commented Jun 21, 2022

cc @jglick

@jglick jglick requested a review from jtnord June 23, 2022 19:04
jglick
jglick approved these changes Jun 23, 2022
View reviewed changes
Copy link
Member

@jglick jglick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks right.

jglick
jglick previously requested changes Jun 23, 2022
View reviewed changes
Copy link
Member

@jglick jglick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah no, it fails to copy the usernameSecret field.

I would suggest just returning the argument unchanged if it happens to be a UsernamePasswordCredentialsImpl.

@jglick jglick mentioned this pull request Jun 23, 2022
Merged
6 tasks
@jglick jglick changed the title Add snapshot taker for StandardUsernamePasswordCredentials Add snapshot taker for special StandardUsernamePasswordCredentials impls Jun 24, 2022
jglick
jglick reviewed Jun 24, 2022
View reviewed changes
...in/java/com/cloudbees/plugins/credentials/impl/UsernamePasswordCredentialsSnapshotTaker.java Outdated
if (credentials instanceof UsernamePasswordCredentialsImpl) {
return credentials;
}
return new UsernamePasswordCredentialsImpl(credentials.getScope(), credentials.getId(), credentials.getDescription(), credentials.getUsername(), Secret.toString(credentials.getPassword()));
Copy link
Member

@jglick jglick Jun 24, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return new UsernamePasswordCredentialsImpl(credentials.getScope(), credentials.getId(), credentials.getDescription(), credentials.getUsername(), Secret.toString(credentials.getPassword()));
UsernamePasswordCredentialsImpl snapshot = new UsernamePasswordCredentialsImpl(credentials.getScope(), credentials.getId(), credentials.getDescription(), credentials.getUsername(), Secret.toString(credentials.getPassword()));
snapshot.setUsernameSecret(credentials.isUsernameSecret());
return snapshot;

just in case other impls now implement this parameter as well.

@jglick jglick added the bug label Jun 24, 2022
@jglick jglick dismissed their stale review June 29, 2022 17:06

Main problem addressed. A minor suggestion remains.

@jamesrobson-secondmind
Copy link
Contributor Author

jamesrobson-secondmind commented Jul 1, 2022

We have a confirmation of this change working with vault (jenkinsci/hashicorp-vault-plugin#201 (comment)), from commit e331be4. I've tested the following changes my self so we should now be good to go.

@jglick jglick enabled auto-merge July 1, 2022 18:15
@jglick jglick merged commit eb9579f into jenkinsci:master Jul 1, 2022
@jetersen jetersen mentioned this pull request Jul 26, 2022
Closed
@jtnord
Copy link
Member

jtnord commented Aug 31, 2022

noting this seemingly breaks GitHubAppCredentials as it claims support for them and snapshots them 😱

org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:216)
  at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:298)
  at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getPassword(GitHubAppCredentials.java:327)
  at com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsSnapshotTaker.snapshot(UsernamePasswordCredentialsSnapshotTaker.java:28)
  at com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsSnapshotTaker.snapshot(UsernamePasswordCredentialsSnapshotTaker.java:9)
  at com.cloudbees.plugins.credentials.CredentialsProvider.snapshot(CredentialsProvider.java:821)

@jglick
Copy link
Member

jglick commented Aug 31, 2022
edited
Loading

@jtnord by “breaks” do you mean specifically the token refresh https://github.com/jenkinsci/github-branch-source-plugin/blob/7618247e672d2008fa8dc006ee8e87f4e64ab2c4/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L497?

If so, I guess the correct fix is to replace writeReplace with a new CredentialsSnapshotTaker taking precedence over UsernamePasswordCredentialsSnapshotTaker.

credentials-plugin/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java

Lines 808 to 814 in be8bbce

Class bestType = null;
CredentialsSnapshotTaker bestTaker = null;
for (CredentialsSnapshotTaker taker : ExtensionList.lookup(CredentialsSnapshotTaker.class)) {
if (clazz.isAssignableFrom(taker.type()) && taker.type().isInstance(credential)) {
if (bestTaker == null || bestType.isAssignableFrom(taker.type())) {
bestTaker = taker;
bestType = taker.type();
should make this straightforward: no need for https://javadoc.jenkins.io/hudson/Extension.html#ordinal()

@jtnord
Copy link
Member

jtnord commented Aug 31, 2022
edited
Loading

@jtnord by “breaks” do you mean specifically the token refresh https://github.com/jenkinsci/github-branch-source-plugin/blob/7618247e672d2008fa8dc006ee8e87f4e64ab2c4/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L497?

exactly that.

If so, I guess the correct fix is to replace writeReplace with a new CredentialsSnapshotTaker taking precedence over UsernamePasswordCredentialsSnapshotTaker.

credentials-plugin/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java

Lines 808 to 814 in be8bbce

Class bestType = null;
CredentialsSnapshotTaker bestTaker = null;
for (CredentialsSnapshotTaker taker : ExtensionList.lookup(CredentialsSnapshotTaker.class)) {
if (clazz.isAssignableFrom(taker.type()) && taker.type().isInstance(credential)) {
if (bestTaker == null || bestType.isAssignableFrom(taker.type())) {
bestTaker = taker;
bestType = taker.type();

should make this straightforward: no need for https://javadoc.jenkins.io/hudson/Extension.html#ordinal()

I'm working on it, there be some dragons I am trying to understand first.

@jglick
Copy link
Member

jglick commented Aug 31, 2022

See discussion in jenkinsci/github-branch-source-plugin#334.

@jtnord jtnord mentioned this pull request Sep 1, 2022
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jglick jglick jglick approved these changes

@jtnord jtnord jtnord approved these changes

+1 more reviewer

@jetersen jetersen jetersen approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jamesrobson-secondmind @jetersen @jtnord @jglick