SecretResolver support file and base64 variable expansion (#1408)

Co-authored-by: Victor Martinez <[email protected]>

Author: jetersen

.gitattributes

@@ -1 +1,3 @@
 * text=auto eol=lf
+*.jks binary
+*.p12 binary

.gitignore

@@ -20,3 +20,5 @@ plugins.txt
 # Ignore DS_Store (Mac)
 .DS_Store
 
+# Ignore benchmark reports
+jmh-report*.json

demos/artifactory/README.md

@@ -15,7 +15,7 @@ unclassified:
           credentialsId: "artifactory"
         resolverCredentialsConfig:
           username: artifactory_user
-          password: ${ARTIFACTORY_PASSWORD}
+          password: "${ARTIFACTORY_PASSWORD}"
 ```
 
 ## implementation note

demos/credentials/README.md

@@ -2,7 +2,14 @@
 
 Requires `credentials` >= 2.2.0
 
-## sample configuration
+All values with `"${SOME_SECRET}"` is resolved by our Secret Sources Resolver you can [read more about which sources are supported](../../docs/features/secrets.adoc#secret-sources)
+
+Since JCasC version v1.42 we have added support for variable expansion for `base64`, `readFileBase64` and `readFile`
+[Read more about the syntax](../../docs/features/secrets.adoc#passing-secrets-through-variables)
+
+You can also see an [example below](#example)
+
+## Sample Configuration
 
 ```yaml
 credentials:
@@ -19,33 +26,15 @@ credentials:
               scope: SYSTEM
               id: sudo_password
               username: root
-              password: ${SUDO_PASSWORD}
+              password: "${SUDO_PASSWORD}"
 ```
 
-## implementation note
-
-Credentials plugin support relies on a custom adaptor components `CredentialsRootConfigurator` and `SystemCredentialsProviderConfigurator`.
-
-Global credentials can be registered by just not providing a domain (i.e `null`).
-
-Credentials symbol name is inferred from implementation class simple name: `UsernamePasswordCredentialsImpl`
-descriptor's clazz is `Credentials`
-we consider the `Impl` suffix as a common pattern to flag implementation class.
-=> symbol name is `usernamePassword`
-
-## Examples
-
-A list of some of the more common credentials.
-
-### SSH Credentials
-
-Requires `ssh-credentials` >= 1.16
-
-Example that uses the [SSH credentials plugin](https://plugins.jenkins.io/ssh-credentials).
-
-As of version 1.14, it is no longer possible to load a ssh key from a file. It has been deprecated due to [CVE-2018-1000601](https://jenkins.io/security/advisory/2018-06-25/#SECURITY-440).
+## Example
 
 ```yaml
+jenkins:
+  systemMessage: "Example of configuring credentials in Jenkins"
+
 credentials:
   system:
     domainCredentials:
@@ -58,5 +47,61 @@ credentials:
               description: "SSH passphrase with private key file. Private key provided"
               privateKeySource:
                 directEntry:
-                  privateKey: ${SSH_PRIVATE_KEY}
+                  privateKey: "${SSH_PRIVATE_KEY}"
+          # Another option passing via a file via ${readFile:/path/to/file}
+          - basicSSHUserPrivateKey:
+              scope: SYSTEM
+              id: ssh_with_passphrase_provided_via_file
+              username: ssh_root
+              passphrase: "${SSH_KEY_PASSWORD}"
+              description: "SSH passphrase with private key file. Private key provided"
+              privateKeySource:
+                directEntry:
+                  privateKey: "${readFile:${SSH_PRIVATE_FILE_PATH}}" # Path to file loaded from Environment Variable
+          - usernamePassword:
+              scope: GLOBAL
+              id: "username"
+              username: "some-user"
+              password: "${SOME_USER_PASSWORD}"
+              description: "Username/Password Credentials for some-user"
+          - string:
+              scope: GLOBAL
+              id: "secret-text"
+              secret: "${SECRET_TEXT}"
+              description: "Secret Text"
+          - aws:
+              scope: GLOBAL
+              id: "AWS"
+              accessKey: "${AWS_ACCESS_KEY}"
+              secretKey: "${AWS_SECRET_ACCESS_KEY}"
+              description: "AWS Credentials"
+          - file:
+              scope: GLOBAL
+              id: "secret-file"
+              fileName: "mysecretfile.txt"
+              secretBytes: "${base64:${readFile:${SECRET_FILE_PATH}}}" # secretBytes requires base64 encoded content
+          - file:
+              scope: GLOBAL
+              id: "secret-file_via_binary_file"
+              fileName: "mysecretfile.txt"
+              secretBytes: "${readFileBase64:${SECRET_FILE_PATH}}" # secretBytes requires base64 encoded content
+          - certificate:
+              scope: GLOBAL
+              id: "secret-certificate"
+              password: "${SECRET_PASSWORD_CERT}"
+              description: "my secret cert"
+              keyStoreSource:
+                uploaded:
+                  uploadedKeystore: "${readFileBase64:${SECRET_CERT_FILE_PATH}}" # uploadedKeystore requires BINARY base64 encoded content
 ```
+
+## implementation note
+
+Credentials plugin support relies on a custom adaptor components `CredentialsRootConfigurator` and `SystemCredentialsProviderConfigurator`.
+
+Global credentials can be registered by just not providing a domain (i.e `null`).
+
+Credentials symbol name is inferred from implementation class simple name: `UsernamePasswordCredentialsImpl`
+descriptor's clazz is `Credentials`
+we consider the `Impl` suffix as a common pattern to flag implementation class.
+=> symbol name is `usernamePassword`

demos/credentials/credentials.yaml

@@ -58,7 +58,7 @@ unclassified:
         artifactoryUrl: http://acme.com/artifactory
         resolverCredentialsConfig:
           username: artifactory_user
-          password: ${ARTIFACTORY_PASSWORD}
+          password: "${ARTIFACTORY_PASSWORD}"
 
   globalLibraries:
     libraries:

demos/jenkins/jenkins.yaml

@@ -10,7 +10,7 @@ jenkins:
         - server: ldap.acme.com
           rootDN: dc=acme,dc=fr
           managerDN: "manager"
-          managerPasswordSecret: ${LDAP_PASSWORD}
+          managerPasswordSecret: "${LDAP_PASSWORD}"
           userSearch: "(&(objectCategory=User)(sAMAccountName={0}))"
           groupSearchFilter: "(&(cn={0})(objectclass=group))"
           groupMembershipStrategy:

demos/ldap/README.md

@@ -48,6 +48,19 @@ For example, `key: "${VALUE:-defaultvalue}"` will evaluate to `defaultvalue` if
 To escape a string from secret interpolation, put `^` in front of the value. 
 For example, `Jenkins: "^${some_var}"` will produce the literal `Jenkins: "${some_var}"`.
 
+=== Additional variable substitution
+
+Currently we have `base64`, `readFile` and `readFileBase64` all serving a different purpose.
+`readFileBase64` is useful for credential plugin or any other plugin that needs binary base64 encoding of a file, in this specific case that would be useful for link:https://tools.ietf.org/html/rfc7292[a PKCS#12 certificate file].
+
+- `${base64:HELLO WORLD}` into `SEVMTE8gV09STEQ=`
+- `${readFile:/secret/file.txt}` into the content of a file.
+- `${base64:${readFile:/secret/file.txt}` into a base64 representation of the content in a file
+- `${base64:${readFile:${SECRET_FILE_PATH}}` nest it all together with regular secret expansion.
+- `${readFileBase64:/secret/certificate.p12}` into a base64 representation of the binary file.
+- `${readFile:/secret/file.txt}` an alias for readFile
+- `${fileBase64:/secret/certificate.p12}` an alias for readFileBase64
+
 === Security and compatibility considerations
 
 // TODO(oleg_nenashev): Add a link to the advisory once ready

docs/features/secrets.adoc

@@ -547,7 +547,7 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-text</artifactId>
-        <version>1.7</version>
+        <version>1.8</version>
       </dependency>
       <dependency>
         <groupId>io.netty</groupId>

integrations/pom.xml

@@ -0,0 +1,159 @@
+package io.jenkins.plugins.casc;
+
+import com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl;
+import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey;
+import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsNameProvider;
+import com.cloudbees.plugins.credentials.CredentialsProvider;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.SecretBytes;
+import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
+import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
+import com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl;
+import com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.UploadedKeyStoreSource;
+import io.jenkins.plugins.casc.misc.ConfiguredWithReadme;
+import io.jenkins.plugins.casc.misc.Env;
+import io.jenkins.plugins.casc.misc.EnvVarsRule;
+import io.jenkins.plugins.casc.misc.Envs;
+import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithReadmeRule;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import jenkins.model.Jenkins;
+import org.apache.commons.io.IOUtils;
+import org.jenkinsci.plugins.plaincredentials.FileCredentials;
+import org.jenkinsci.plugins.plaincredentials.StringCredentials;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.RuleChain;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.anyOf;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.is;
+import static org.jvnet.hudson.test.JenkinsMatchers.hasPlainText;
+
+public class CredentialsReadmeTest {
+
+    public static final String PASSPHRASE = "passphrase";
+    public static final String PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----\n"
+        + "MIICXgIBAAKBgQC2xOoDBS+RQiwYN+rY0YXYQ/WwmC9ICH7BCXfLUBSHAkF2Dvd0\n"
+        + "cvM2Ph2nOPiHdntrvD8JkzIv+S1RIqlBrzK6NRQ0ojoCvyawzY3cgzfQ4dfaOqUF\n"
+        + "2bn4PscioLlq+Pbi3KYYwWUFue2iagRIxp0+/3F5WqOWPPy1twW7ddWPLQIDAQAB\n"
+        + "AoGBAKOX7DKZ4LLvfRKMcpxyJpCme/L+tUuPtw1IUT7dxhH2deubh+lmvsXtoZM9\n"
+        + "jk+KQPz0+aOzanfAXMzD7qZJkGfQ91aG8OiD+YJnRqOc6C6vQBXiZgeHRqWH0VMG\n"
+        + "rp9Xqd8MxEYScaJYMwoHiBCG/cb3c4kpEpZ03IzkekZdXlmhAkEA7iFEk5k1BZ1+\n"
+        + "BnKN9LxLR0EOKoSFJjxBihRP6+UD9BF+/1AlKlLW4hSq4458ppV5Wt4glHTcAQi/\n"
+        + "U+wOOz6DyQJBAMR8G0yjtmLjMBy870GaDxmwWjqSeYwPoHbvRTOml8Fz9fP4gBMi\n"
+        + "PUEGJaEHMuPECIegZ93kwAGBT51Q7AZcukUCQGGmnNOWISsjUXndYh85U/ltURzY\n"
+        + "aS2rygiQmdGXgY6F2jliqUr424ushAN6+9zoMPK1YlDetxVpe+QzSga7dRkCQQCB\n"
+        + "+DI6rORdXziZGeUNuPGaJYxZyEA8hK25Xqag9ubVYXZlLpDRl0l7dKx5awCfpzGZ\n"
+        + "PWLXZZQYqsfWIQwvXTEdAkEA2bziyReYAb9fi17alcvwZXGzyyMY8WOGns8NZKcq\n"
+        + "INF8D3PDpcCyOvQI/TS3qHYmGyWdHiKCWsgBqE6kyjqpNQ==\n"
+        + "-----END RSA PRIVATE KEY-----\n";
+    public static final String PASSWORD = "password";
+    public static final String TEXT = "text";
+    public static final String ACCESS_KEY = "access-key";
+    public static final String SECRET_ACCESS_KEY = "secret-access-key";
+    public static final String MYSECRETFILE_TXT = "mysecretfile.txt";
+    public static final String TEST_CERT = "test.p12";
+    public JenkinsConfiguredWithReadmeRule j = new JenkinsConfiguredWithReadmeRule();
+
+    public EnvVarsRule environment = new EnvVarsRule();
+
+    @Rule
+    public RuleChain chain = RuleChain
+        .outerRule(environment)
+        .around(j);
+
+    @Test
+    @ConfiguredWithReadme("credentials/README.md#0")
+    @Envs({
+        @Env(name = "SUDO_PASSWORD", value = "SUDO")
+    })
+    public void testDomainScopedCredentials() {
+        List<StandardUsernamePasswordCredentials> creds = CredentialsProvider
+            .lookupCredentials(StandardUsernamePasswordCredentials.class,
+                Jenkins.getInstanceOrNull(), null, Collections.emptyList());
+        assertThat(creds.size(), is(1));
+        StandardUsernamePasswordCredentials cred = creds.get(0);
+        assertThat(cred.getId(), is("sudo_password"));
+        assertThat(cred.getUsername(), is("root"));
+        assertThat(cred.getPassword(), hasPlainText("SUDO"));
+    }
+
+    @Test
+    @ConfiguredWithReadme("credentials/README.md#1")
+    @Envs({
+        @Env(name = "SSH_KEY_PASSWORD", value = PASSPHRASE),
+        @Env(name = "SSH_PRIVATE_KEY", value = PRIVATE_KEY),
+        @Env(name = "SSH_PRIVATE_FILE_PATH", value = "private-key.pem"),
+        @Env(name = "SOME_USER_PASSWORD", value = PASSWORD),
+        @Env(name = "SECRET_TEXT", value = TEXT),
+        @Env(name = "AWS_ACCESS_KEY", value = ACCESS_KEY),
+        @Env(name = "AWS_SECRET_ACCESS_KEY", value = SECRET_ACCESS_KEY),
+        @Env(name = "SECRET_FILE_PATH", value = MYSECRETFILE_TXT),
+        @Env(name = "SECRET_PASSWORD_CERT", value = PASSWORD),
+        @Env(name = "SECRET_CERT_FILE_PATH", value = TEST_CERT),
+    })
+    public void testGlobalScopedCredentials() throws Exception {
+        List<Credentials> creds = CredentialsProvider.lookupCredentials(
+            Credentials.class, Jenkins.get(), null, Collections.emptyList());
+        assertThat(creds, hasSize(8));
+        for (Credentials credentials : creds) {
+            if (credentials instanceof BasicSSHUserPrivateKey) {
+                BasicSSHUserPrivateKey key = (BasicSSHUserPrivateKey) credentials;
+                assertThat(key.getPassphrase(), hasPlainText(PASSPHRASE));
+                assertThat(key.getPrivateKey(), equalTo(PRIVATE_KEY));
+                assertThat(key.getId(), anyOf(
+                    is("ssh_with_passphrase_provided"),
+                    is("ssh_with_passphrase_provided_via_file")));
+                assertThat(key.getUsername(), is("ssh_root"));
+                assertThat(key.getScope(), is(CredentialsScope.SYSTEM));
+            } else if (credentials instanceof UsernamePasswordCredentials) {
+                UsernamePasswordCredentials user = (UsernamePasswordCredentials) credentials;
+                assertThat(user.getUsername(), is("some-user"));
+                assertThat(user.getPassword(), hasPlainText(PASSWORD));
+                assertThat(user.getScope(), is(CredentialsScope.GLOBAL));
+            } else if (credentials instanceof StringCredentials) {
+                StringCredentials string = (StringCredentials) credentials;
+                assertThat(string.getId(), is("secret-text"));
+                assertThat(string.getSecret(), hasPlainText(TEXT));
+                assertThat(string.getScope(), is(CredentialsScope.GLOBAL));
+            } else if (credentials instanceof AWSCredentialsImpl) {
+                AWSCredentialsImpl aws = (AWSCredentialsImpl) credentials;
+                assertThat(aws.getId(), is("AWS"));
+                assertThat(aws.getAccessKey(), equalTo(ACCESS_KEY));
+                assertThat(aws.getSecretKey(), hasPlainText(SECRET_ACCESS_KEY));
+                assertThat(aws.getScope(), is(CredentialsScope.GLOBAL));
+            } else if (credentials instanceof FileCredentials) {
+                FileCredentials file = (FileCredentials) credentials;
+                assertThat(file.getId(), anyOf(is("secret-file"), is("secret-file_via_binary_file")));
+                assertThat(file.getFileName(), is(MYSECRETFILE_TXT));
+                String fileContent = IOUtils.toString(file.getContent(), StandardCharsets.UTF_8);
+                assertThat(fileContent, containsString("SUPER SECRET"));
+                assertThat(file.getScope(), is(CredentialsScope.GLOBAL));
+            } else if (credentials instanceof CertificateCredentialsImpl) {
+                CertificateCredentialsImpl cert = (CertificateCredentialsImpl) credentials;
+                assertThat(cert.getId(), is("secret-certificate"));
+                assertThat(cert.getPassword(), hasPlainText(PASSWORD));
+                byte[] fileContent = Files.readAllBytes(Paths.get(getClass().getResource(TEST_CERT).toURI()));
+                SecretBytes secretBytes = SecretBytes
+                    .fromString(Base64.getEncoder().encodeToString(fileContent));
+                UploadedKeyStoreSource keyStoreSource = (UploadedKeyStoreSource) cert.getKeyStoreSource();
+                assertThat(keyStoreSource.getUploadedKeystore().getPlainData(),
+                        is(secretBytes.getPlainData()));
+                assertThat(cert.getKeyStore().containsAlias("1"), is(true));
+                assertThat(cert.getKeyStore().getCertificate("1").getType(), is("X.509"));
+                assertThat(CredentialsNameProvider.name(cert), is("[email protected], CN=pkcs12, O=Fort-Funston, L=SanFrancisco, ST=CA, C=US (my secret cert)"));
+                assertThat(cert.getScope(), is(CredentialsScope.GLOBAL));
+            }
+        }
+    }
+
+}

integrations/src/test/java/io/jenkins/plugins/casc/CredentialsReadmeTest.java

@@ -0,0 +1 @@
+SUPER SECRET