Encrypt stored client secret value

src/main/java/org/jenkinsci/plugins/GitLabSecurityRealm.java

@@ -30,6 +30,7 @@
 import java.util.List;
 import java.util.logging.Logger;
 
+import hudson.util.Secret;
 import jenkins.security.SecurityListener;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.AuthenticationException;
@@ -59,6 +60,7 @@
 import org.gitlab.api.models.GitlabUser;
 import org.jfree.util.Log;
 import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.Header;
 import org.kohsuke.stapler.HttpRedirect;
 import org.kohsuke.stapler.HttpResponse;
@@ -103,7 +105,7 @@ public class GitLabSecurityRealm extends SecurityRealm implements UserDetailsSer
     private String gitlabWebUri;
     private String gitlabApiUri;
     private String clientID;
-    private String clientSecret;
+    private Secret clientSecret;
 
     /**
      * @param gitlabWebUri
@@ -116,6 +118,8 @@ public class GitLabSecurityRealm extends SecurityRealm implements UserDetailsSer
      *            The client ID for the created OAuth Application.
      * @param clientSecret
      *            The client secret for the created GitLab OAuth Application.
+     *            Should be encrypted value of a {@link hudson.util.Secret},
+     *            for compatibility also plain text values are accepted.
      */
     @DataBoundConstructor
     public GitLabSecurityRealm(String gitlabWebUri, String gitlabApiUri, String clientID, String clientSecret) {
@@ -124,7 +128,7 @@ public GitLabSecurityRealm(String gitlabWebUri, String gitlabApiUri, String clie
         this.gitlabWebUri = Util.fixEmptyAndTrim(gitlabWebUri);
         this.gitlabApiUri = Util.fixEmptyAndTrim(gitlabApiUri);
         this.clientID = Util.fixEmptyAndTrim(clientID);
-        this.clientSecret = Util.fixEmptyAndTrim(clientSecret);
+        setClientSecret(Util.fixEmptyAndTrim(clientSecret));
     }
 
     private GitLabSecurityRealm() {
@@ -152,7 +156,7 @@ private void setClientID(String clientID) {
      *            the clientSecret to set
      */
     private void setClientSecret(String clientSecret) {
-        this.clientSecret = clientSecret;
+        this.clientSecret = Secret.fromString(clientSecret);
     }
 
     /**
@@ -195,7 +199,7 @@ public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingC
             writer.endNode();
 
             writer.startNode("clientSecret");
-            writer.setValue(realm.getClientSecret());
+            writer.setValue(realm.clientSecret.getEncryptedValue());
             writer.endNode();
         }
 
@@ -254,13 +258,6 @@ public String getClientID() {
         return clientID;
     }
 
-    /**
-     * @return the clientSecret
-     */
-    public String getClientSecret() {
-        return clientSecret;
-    }
-
     // "from" is coming from SecurityRealm/loginLink.jelly
     public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter String from, @Header("Referer") final String referer) throws IOException {
         // 2. Requesting authorization :
@@ -274,20 +271,20 @@ public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter Stri
         } else {
             redirectOnFinish = Jenkins.get().getRootUrl();
         }
+        request.getSession().setAttribute(REFERER_ATTRIBUTE, redirectOnFinish);
 
         List<NameValuePair> parameters = new ArrayList<>();
-        parameters.add(new BasicNameValuePair("redirect_uri", buildRedirectUrl(request, redirectOnFinish)));
+        parameters.add(new BasicNameValuePair("redirect_uri", buildRedirectUrl(request)));
         parameters.add(new BasicNameValuePair("response_type", "code"));
         parameters.add(new BasicNameValuePair("client_id", clientID));
         parameters.add(new BasicNameValuePair("scope", "api"));
 
         return new HttpRedirect(gitlabWebUri + "/oauth/authorize?" + URLEncodedUtils.format(parameters, StandardCharsets.UTF_8));
     }
 
-    private String buildRedirectUrl(StaplerRequest request, String referer) throws MalformedURLException {
+    private String buildRedirectUrl(StaplerRequest request) throws MalformedURLException {
         URL currentUrl = new URL(Jenkins.get().getRootUrl());
         List<NameValuePair> parameters = new ArrayList<>();
-        parameters.add(new BasicNameValuePair("state", referer));
 
         URL redirect_uri = new URL(currentUrl.getProtocol(), currentUrl.getHost(), currentUrl.getPort(),
                 request.getContextPath() + "/securityRealm/finishLogin?" + URLEncodedUtils.format(parameters, StandardCharsets.UTF_8));
@@ -305,16 +302,18 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
             Log.info("doFinishLogin: missing code or private_token.");
             return HttpResponses.redirectToContextRoot();
         }
-
-        String state = request.getParameter("state");
-
+        if (clientSecret == null) {
+            Log.info("doFinishLogin: missing client secret.");
+            return HttpResponses.redirectToContextRoot();
+        }
+        String referer = (String)request.getSession().getAttribute(REFERER_ATTRIBUTE);
         HttpPost httpPost = new HttpPost(gitlabWebUri + "/oauth/token");
         List<NameValuePair> parameters = new ArrayList<>();
         parameters.add(new BasicNameValuePair("client_id", clientID));
-        parameters.add(new BasicNameValuePair("client_secret", clientSecret));
+        parameters.add(new BasicNameValuePair("client_secret", clientSecret.getPlainText()));
         parameters.add(new BasicNameValuePair("code", code));
         parameters.add(new BasicNameValuePair("grant_type", "authorization_code"));
-        parameters.add(new BasicNameValuePair("redirect_uri", buildRedirectUrl(request, state)));
+        parameters.add(new BasicNameValuePair("redirect_uri", buildRedirectUrl(request)));
         httpPost.setEntity(new UrlEncodedFormEntity(parameters, StandardCharsets.UTF_8));
 
         CloseableHttpClient httpclient = HttpClients.createDefault();
@@ -366,8 +365,8 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
             Log.info("GitLab did not return an access token.");
         }
 
-        if (StringUtils.isNotBlank(state)) {
-            return HttpResponses.redirectTo(state);
+        if (StringUtils.isNotBlank(referer)) {
+            return HttpResponses.redirectTo(referer);
         }
         return HttpResponses.redirectToContextRoot();
     }
@@ -542,7 +541,7 @@ public boolean equals(Object object) {
         if (object instanceof GitLabSecurityRealm) {
             GitLabSecurityRealm obj = (GitLabSecurityRealm) object;
             return this.getGitlabWebUri().equals(obj.getGitlabWebUri()) && this.getGitlabApiUri().equals(obj.getGitlabApiUri()) && this.getClientID().equals(obj.getClientID())
-                    && this.getClientSecret().equals(obj.getClientSecret());
+                    && this.clientSecret.equals(obj.clientSecret);
         } else {
             return false;
         }

src/main/resources/org/jenkinsci/plugins/GitLabSecurityRealm/config.jelly

@@ -17,7 +17,7 @@
         </f:entry>
 
         <f:entry title="Client Secret" field="clientSecret" help="/plugin/gitlab-oauth/help/realm/client-secret-help.html">
-            <f:textbox />
+            <f:password />
         </f:entry>
 
     </f:section>