From 7a657c7fc6d9dfdf26be2baae0818f019c681ab0 Mon Sep 17 00:00:00 2001 From: Jesse Glick Date: Wed, 23 Jun 2021 13:47:36 -0400 Subject: [PATCH 1/3] Use `SecretPatterns` from `SecretsMasker` --- pom.xml | 9 +++++-- .../kubernetes/pipeline/SecretsMasker.java | 25 ++----------------- 2 files changed, 9 insertions(+), 25 deletions(-) diff --git a/pom.xml b/pom.xml index cb6287d894..cc347d4cc5 100644 --- a/pom.xml +++ b/pom.xml @@ -47,7 +47,7 @@ 8 - 2.263 + 2.263.1 false 1.7.2 true @@ -137,6 +137,11 @@ caffeine-api 2.9.1-23.v51c4e2c879c8 + + org.jenkins-ci.plugins + credentials-binding + 1.26-rc457.6dc28f0f8735 + @@ -261,7 +266,7 @@ io.jenkins.tools.bom bom-2.263.x - 25 + 876.vc43b4c6423b6 import pom diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/SecretsMasker.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/SecretsMasker.java index caabccb2b3..95b36f828d 100644 --- a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/SecretsMasker.java +++ b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/SecretsMasker.java @@ -17,7 +17,6 @@ package org.csanchez.jenkins.plugins.kubernetes.pipeline; import hudson.Extension; -import hudson.console.LineTransformationOutputStream; import hudson.remoting.Channel; import hudson.util.LogTaskListener; import io.fabric8.kubernetes.api.model.Container; @@ -45,6 +44,7 @@ import okhttp3.Response; import org.csanchez.jenkins.plugins.kubernetes.KubernetesComputer; import org.csanchez.jenkins.plugins.kubernetes.KubernetesSlave; +import org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns; import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthException; import org.jenkinsci.plugins.workflow.log.TaskListenerDecorator; import org.jenkinsci.plugins.workflow.steps.DynamicContext; 
@@ -67,28 +67,7 @@ private SecretsMasker(Set values) { @Override public OutputStream decorate(OutputStream logger) throws IOException, InterruptedException { - // TODO better to pick up a standard API from credentials-binding (more efficient) - // https://github.com/jenkinsci/credentials-binding-plugin/pull/59#discussion_r288735761 - return new LineTransformationOutputStream() { - @Override - protected void eol(byte[] b, int len) throws IOException { - String s = new String(b, 0, len, StandardCharsets.UTF_8); - for (String value : values) { - s = s.replace(value, "********"); - } - logger.write(s.getBytes(StandardCharsets.UTF_8)); - } - @Override - public void flush() throws IOException { - logger.flush(); - } - @Override - public void close() throws IOException { - super.close(); - logger.close(); - } - - }; + return new SecretPatterns.MaskingOutputStream(logger, () -> SecretPatterns.getAggregateSecretPattern(values), "UTF-8"); } @Extension From 86daa820fc9e45f2a5b76782b23f76c7900b0920 Mon Sep 17 00:00:00 2001 From: Jesse Glick Date: Wed, 23 Jun 2021 14:31:27 -0400 Subject: [PATCH 2/3] Adapt `KubernetesPipelineTest` to expect `****` rather than `********` --- .../kubernetes/pipeline/KubernetesPipelineTest.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/test/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesPipelineTest.java b/src/test/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesPipelineTest.java index cfc90ad90a..b0ccb8ffb5 100644 --- a/src/test/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesPipelineTest.java +++ b/src/test/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesPipelineTest.java 
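Review bot: The charset handed to `MaskingOutputStream` in `decorate` is the bare string `"UTF-8"`, where the removed code used the compile-checked `StandardCharsets.UTF_8`; this patch does not drop that import, so `StandardCharsets.UTF_8.name()` would keep a typo from becoming a runtime failure in the log-masking path. The supplier `() -> SecretPatterns.getAggregateSecretPattern(values)` also rebuilds the aggregate pattern on every call. Whether `MaskingOutputStream` calls it once or per line is not visible here, so it is worth confirming and caching the compiled pattern if it is per line. With the TODO gone, nothing in `decorate` says what is actually redacted; a short comment such as `// masks the exact secret values (and any forms SecretPatterns derives from them); transformed values are not redacted` would record that limit. The body of `decorate` is fully inside the hunk, but the constructor that populates `values` is not, so the handling of empty secret values could not be checked.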
@@ -274,7 +274,7 @@ public void runInPodFromYaml() throws Exception { r.assertBuildStatusSuccess(r.waitForCompletion(b)); r.assertLogContains("script file contents: ", b); r.assertLogNotContains(CONTAINER_ENV_VAR_FROM_SECRET_VALUE, b); - r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = ******** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); + r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = **** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); assertFalse("There are pods leftover after test execution, see previous logs", deletePods(cloud.connect(), getLabels(cloud, this, name), true)); } @@ -389,9 +389,9 @@ private void assertEnvVars(JenkinsRuleNonLocalhost r2, WorkflowRun b) throws Exc r.assertLogContains("INSIDE_CONTAINER_ENV_VAR = " + CONTAINER_ENV_VAR_VALUE + "\n", b); r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_LEGACY = " + CONTAINER_ENV_VAR_VALUE + "\n", b); - r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = ******** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); + r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = **** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); r.assertLogContains("INSIDE_POD_ENV_VAR = " + POD_ENV_VAR_VALUE + "\n", b); - r.assertLogContains("INSIDE_POD_ENV_VAR_FROM_SECRET = ******** or " + POD_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); + r.assertLogContains("INSIDE_POD_ENV_VAR_FROM_SECRET = **** or " + POD_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); r.assertLogContains("INSIDE_EMPTY_POD_ENV_VAR_FROM_SECRET = ''", b); r.assertLogContains("INSIDE_GLOBAL = " + GLOBAL + "\n", b); 
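Review bot: The mask literal `****` is now spelled out in six assertions across `runInPodFromYaml`, `assertEnvVars` and `secretMaskingWindows` (the hunks at -274, -389, -399 and -661), which is why a change in the masker's output needed six separate edits. A single constant such as `private static final String MASK = "****";` used in each `assertLogContains` would keep the expectation in one place. The same assertions require the upper-cased secret to appear in the log unredacted, so a comment like `// masking is exact-match only: the upper-cased value is expected to pass through` would make clear that this is documented behaviour and not an overlooked leak. All three methods begin outside the hunks shown.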
@@ -399,7 +399,7 @@ private void assertEnvVars(JenkinsRuleNonLocalhost r2, WorkflowRun b) throws Exc r.assertLogContains("OUTSIDE_CONTAINER_ENV_VAR_LEGACY =\n", b); r.assertLogContains("OUTSIDE_CONTAINER_ENV_VAR_FROM_SECRET = or\n", b); r.assertLogContains("OUTSIDE_POD_ENV_VAR = " + POD_ENV_VAR_VALUE + "\n", b); - r.assertLogContains("OUTSIDE_POD_ENV_VAR_FROM_SECRET = ******** or " + POD_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); + r.assertLogContains("OUTSIDE_POD_ENV_VAR_FROM_SECRET = **** or " + POD_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT) + "\n", b); r.assertLogContains("OUTSIDE_EMPTY_POD_ENV_VAR_FROM_SECRET = ''", b); r.assertLogContains("OUTSIDE_GLOBAL = " + GLOBAL + "\n", b); } @@ -661,8 +661,8 @@ public void secretMaskingWindows() throws Exception { assumeWindows(); cloud.setDirectConnection(false); r.assertBuildStatusSuccess(r.waitForCompletion(b)); - r.assertLogContains("INSIDE_POD_ENV_VAR_FROM_SECRET = ******** or " + POD_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT), b); - r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = ******** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT), b); + r.assertLogContains("INSIDE_POD_ENV_VAR_FROM_SECRET = **** or " + POD_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT), b); + r.assertLogContains("INSIDE_CONTAINER_ENV_VAR_FROM_SECRET = **** or " + CONTAINER_ENV_VAR_FROM_SECRET_VALUE.toUpperCase(Locale.ROOT), b); r.assertLogNotContains(POD_ENV_VAR_FROM_SECRET_VALUE, b); r.assertLogNotContains(CONTAINER_ENV_VAR_FROM_SECRET_VALUE, b); } From 6758629b34a47ddf9d5f5a9f38a99402d8a427a6 Mon Sep 17 00:00:00 2001 From: Jesse Glick Date: Wed, 23 Jun 2021 16:54:12 -0400 Subject: [PATCH 3/3] https://github.com/jenkinsci/credentials-binding-plugin/pull/139 released --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index cc347d4cc5..7e1a4d914a 100644 --- a/pom.xml +++ b/pom.xml 
@@ -140,7 +140,7 @@ org.jenkins-ci.plugins credentials-binding - 1.26-rc457.6dc28f0f8735 + 1.26