[JENKINS-42950] Support more credential masking scenarios

src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java

@@ -138,7 +138,7 @@ private void doStart() throws Exception {
             }
             if (!overrides.isEmpty()) {
                 boolean unix = launcher != null ? launcher.isUnix() : true;
-                listener.getLogger().println("Masking only exact matches of " + overrides.keySet().stream().map(
+                listener.getLogger().println("Masking supported pattern matches of " + overrides.keySet().stream().map(
                     v -> unix ? "$" + v : "%" + v + "%"
                 ).collect(Collectors.joining(" or ")));
             }

src/main/java/org/jenkinsci/plugins/credentialsbinding/masking/BashSecretPatternFactory.java

@@ -61,12 +61,12 @@ public class BashSecretPatternFactory implements SecretPatternFactory {
     }
 
     @Override
-    public @Nonnull Collection<Pattern> getSecretPatterns(@Nonnull String input) {
-        Collection<Pattern> patterns = new HashSet<>();
+    public @Nonnull Collection<String> getEncodedForms(@Nonnull String input) {
+        Collection<String> patterns = new HashSet<>();
         String quotedForm = getQuotedForm(input);
-        patterns.add(SecretPatternFactory.quotedCompile(quotedForm));
-        patterns.add(SecretPatternFactory.quotedCompile(surroundWithQuotes(quotedForm)));
-        patterns.add(SecretPatternFactory.quotedCompile(getUnquotedForm(input)));
+        patterns.add(quotedForm);
+        patterns.add(surroundWithQuotes(quotedForm));
+        patterns.add(getUnquotedForm(input));
         return patterns;
     }
 }

src/main/java/org/jenkinsci/plugins/credentialsbinding/masking/BatchSecretPatternFactory.java

@@ -39,9 +39,9 @@ public class BatchSecretPatternFactory implements SecretPatternFactory {
     private static final Pattern QUOTED_CHARS = Pattern.compile("(\\^)(\\^?)");
 
     @Override
-    public @Nonnull Collection<Pattern> getSecretPatterns(@Nonnull String input) {
+    public @Nonnull Collection<String> getEncodedForms(@Nonnull String input) {
         return input.contains("^")
-                ? Collections.singleton(SecretPatternFactory.quotedCompile(QUOTED_CHARS.matcher(input).replaceAll("$2")))
+                ? Collections.singleton(QUOTED_CHARS.matcher(input).replaceAll("$2"))
                 : Collections.emptySet();
     }
 }

src/main/java/org/jenkinsci/plugins/credentialsbinding/masking/LiteralSecretPatternFactory.java

@@ -31,7 +31,6 @@
 import javax.annotation.Nonnull;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.regex.Pattern;
 
 /**
  * Trivial secret pattern factory that matches the literal value of the secret.
@@ -41,7 +40,7 @@
 public class LiteralSecretPatternFactory implements SecretPatternFactory {
     @Nonnull
     @Override
-    public Collection<Pattern> getSecretPatterns(@Nonnull String input) {
-        return Collections.singleton(SecretPatternFactory.quotedCompile(input));
+    public Collection<String> getEncodedForms(@Nonnull String input) {
+        return Collections.singleton(input);
     }
 }

src/main/java/org/jenkinsci/plugins/credentialsbinding/masking/SecretPatternFactory.java

@@ -26,23 +26,24 @@
 
 import hudson.ExtensionList;
 import hudson.ExtensionPoint;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 import javax.annotation.Nonnull;
 import java.util.Collection;
-import java.util.regex.Pattern;
 
 /**
- * Creates regular expressions to match encoded forms of secrets in logs.
+ * Provides encoded forms to an input for use in masking those forms in logs.
  * These are typically implemented to handle various shell quoting algorithms (sometimes confused with escaping) to
  * pass literal string values to an interpreter.
  */
+@Restricted(NoExternalUse.class)
 public interface SecretPatternFactory extends ExtensionPoint {
 
     /**
-     * Returns a collection of alternative forms the given input may show up as in logs.
-     * Note that these patterns must embed their flags in the pattern rather than as parameters to Pattern.
+     * Returns a collection of alternative forms the given input may be encoded as in logs.
      */
-    @Nonnull Collection<Pattern> getSecretPatterns(@Nonnull String input);
+    @Nonnull Collection<String> getEncodedForms(@Nonnull String input);
 
     /**
      * Returns all SecretPatternFactory extensions known at runtime.
@@ -51,11 +52,4 @@ public interface SecretPatternFactory extends ExtensionPoint {
         return ExtensionList.lookup(SecretPatternFactory.class);
     }
 
-    /**
-     * Composes {@link Pattern#compile(String)} and {@link Pattern#quote(String)} for convenience.
-     */
-    static @Nonnull Pattern quotedCompile(@Nonnull String input) {
-        return Pattern.compile(Pattern.quote(input));
-    }
-
 }

src/main/java/org/jenkinsci/plugins/credentialsbinding/masking/SecretPatterns.java

@@ -30,16 +30,14 @@
 import javax.annotation.Nonnull;
 import java.util.Collection;
 import java.util.Comparator;
-import java.util.TreeSet;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 @Restricted(NoExternalUse.class)
 public class SecretPatterns {
 
-    private static final Comparator<Pattern> EXTRACT_PATTERN = Comparator.comparing(Pattern::pattern);
-    private static final Comparator<Pattern> BY_LENGTH_DESCENDING = Comparator.comparing(Pattern::pattern,
-            Comparator.comparingInt(String::length).reversed().thenComparing(String::compareTo));
+    private static final Comparator<String> BY_LENGTH_DESCENDING =
+            Comparator.comparingInt(String::length).reversed().thenComparing(String::compareTo);
 
     /**
      * Constructs a regular expression to match against all known forms that the given collection of input strings may
@@ -51,18 +49,14 @@ public class SecretPatterns {
      * absence of quoting, the longer form is masked.
      */
     public static @Nonnull Pattern getAggregateSecretPattern(@Nonnull Collection<String> inputs) {
-        Collection<Pattern> patterns = new TreeSet<>(EXTRACT_PATTERN);
-        for (String input : inputs) {
-            if (input.isEmpty()) {
-                continue;
-            }
-            for (SecretPatternFactory provider : SecretPatternFactory.all()) {
-                patterns.addAll(provider.getSecretPatterns(input));
-            }
-        }
-        String pattern = patterns.stream()
+        String pattern = inputs.stream()
+                .filter(input -> !input.isEmpty())
+                .flatMap(input ->
+                        SecretPatternFactory.all().stream().flatMap(factory ->
+                                factory.getEncodedForms(input).stream()))
                 .sorted(BY_LENGTH_DESCENDING)
-                .map(Pattern::pattern)
+                .distinct()
+                .map(Pattern::quote)
                 .collect(Collectors.joining("|"));
         return Pattern.compile(pattern);
     }

src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java

@@ -146,7 +146,7 @@ public static class Execution extends AbstractSynchronousStepExecution<Void> {
                         + "}", true));
                 WorkflowRun b = p.scheduleBuild2(0).waitForStart();
                 SemaphoreStep.waitForStart("basics/1", b);
-                story.j.assertLogContains(Functions.isWindows() ? "Masking only exact matches of %USERNAME% or %PASSWORD%" : "Masking only exact matches of $USERNAME or $PASSWORD", b);
+                story.j.assertLogContains(Functions.isWindows() ? "Masking supported pattern matches of %USERNAME% or %PASSWORD%" : "Masking supported pattern matches of $USERNAME or $PASSWORD", b);
             }
         });
         story.addStep(new Statement() {