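/**
 * Reports sensitive variables whose values were interpolated into a step's arguments.
 *
 * <p>Every name in {@code sensitiveVariables} that is bound to a non-empty value in
 * {@code envVars} is checked by substring match of that value against each interpolated string.
 * Matching variable <em>names</em> (never their values) are recorded on the run's
 * {@link InterpolatedSecretsAction} and reported according to
 * {@code UNSAFE_GROOVY_INTERPOLATION}: {@code "ignore"} skips the check entirely,
 * {@code "fail"} aborts the step with an {@link AbortException}, and any other value prints a
 * warning to the build log.
 *
 * <p>Because detection is a plain substring match on the secret's value, a very short value
 * may match interpolated text that is unrelated to the secret; such a report is a false positive
 * rather than a leak.
 *
 * @param stepName name of the step whose arguments were scanned; appears in the log and report
 * @param argumentsAction the step's arguments action, or null if none (then nothing is checked)
 * @param interpolatedStrings the Groovy-interpolated strings found among the step's arguments
 * @param envVars the step's environment, or null/empty if unavailable (then nothing is checked)
 * @param sensitiveVariables names of environment variables whose values are considered secret
 * @param listener sink for the warning when the configured mode does not fail the step
 * @throws IOException as {@link AbortException} when the mode is {@code "fail"} and a secret was interpolated
 */
private void logInterpolationWarnings(String stepName, @CheckForNull ArgumentsActionImpl argumentsAction, Set<String> interpolatedStrings, @CheckForNull EnvVars envVars, @NonNull Set<String> sensitiveVariables, TaskListener listener) throws IOException {
    if (UNSAFE_GROOVY_INTERPOLATION.equals("ignore")) {
        return;
    }
    final boolean shouldFail = UNSAFE_GROOVY_INTERPOLATION.equals("fail");
    if (argumentsAction == null || interpolatedStrings.isEmpty() || envVars == null || envVars.isEmpty() || sensitiveVariables.isEmpty()) {
        return;
    }
    // Workaround for NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE false positive in lambdas: https://github.com/spotbugs/spotbugs/issues/552.
    final EnvVars nonNullEnvVars = envVars;
    List<String> scanResults = sensitiveVariables.stream()
            .filter(name -> {
                // Resolve the value once per variable; unset or empty variables can never match.
                String value = nonNullEnvVars.get(name, "");
                return !value.isEmpty() && interpolatedStrings.stream().anyMatch(s -> s.contains(value));
            })
            .collect(Collectors.toList());
    if (scanResults.isEmpty()) {
        return;
    }
    String warningType = shouldFail ? "Error" : "Warning";
    // Only variable names are reported; the secret values themselves never reach the log or the report.
    String warning = String.format("%s: A secret was passed to \"%s\" using Groovy String interpolation, which is insecure.%n\t\t Affected argument(s) used the following variable(s): %s%n\t\t See https://jenkins.io/redirect/groovy-string-interpolation for details.", warningType, stepName, scanResults.toString());
    FlowExecutionOwner owner = exec.getOwner();
    if (owner != null && owner.getExecutable() instanceof Run) {
        Run<?, ?> run = (Run<?, ?>) owner.getExecutable();
        InterpolatedSecretsAction runReport = run.getAction(InterpolatedSecretsAction.class);
        if (runReport == null) {
            runReport = new InterpolatedSecretsAction();
            run.addAction(runReport);
        }
        runReport.record(stepName, scanResults);
    } else {
        LOGGER.log(Level.FINE, "Unable to generate Interpolated Secrets Report");
    }
    if (shouldFail) {
        throw new AbortException(warning);
    }
    listener.getLogger().println(warning);
}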
/**
 * A password parameter interpolated into a shell step's Groovy string must produce the
 * interpolation warning, be recorded on the run's {@link InterpolatedSecretsAction}, and be
 * kept as a placeholder in the persisted step arguments while the plain text parameter is
 * expanded (JENKINS-47101).
 */
@Issue("JENKINS-47101")
@Test
public void passwordParametersSanitized() throws Exception {
    final String step = Functions.isWindows() ? "bat" : "sh";
    final String script = "node {\n" + step + " \"echo ${params.TEXT} ${params.PASSWORD}\"\n" + "}";
    p.setDefinition(new CpsFlowDefinition(script, true));
    p.addProperty(new ParametersDefinitionProperty(
            new StringParameterDefinition("TEXT", ""),
            new PasswordParameterDefinition("PASSWORD", "", null)));
    ParametersAction params = new ParametersAction(
            new StringParameterValue("TEXT", "hello"),
            new PasswordParameterValue("PASSWORD", "s3cr3t"));
    WorkflowRun build = r.assertBuildStatusSuccess(p.scheduleBuild2(0, params));
    // The log identifies the step and the variable by name.
    r.assertLogContains("Warning: A secret was passed to \"" + step + "\"", build);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD]", build);
    InterpolatedSecretsAction report = build.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(report);
    List<InterpolatedSecretsAction.InterpolatedWarnings> recorded = report.getWarnings();
    Assert.assertEquals(1, recorded.size());
    InterpolatedSecretsAction.InterpolatedWarnings only = recorded.get(0);
    Assert.assertEquals(step, only.getStepName());
    Assert.assertEquals(Arrays.asList("PASSWORD"), only.getInterpolatedVariables());
    // Persisted arguments are marked as modified and keep the placeholder instead of the password.
    FlowNode stepNode = new LinearScanner().findFirstMatch(build.getExecution().getCurrentHeads().get(0), new NodeStepTypePredicate(step));
    ArgumentsAction args = stepNode.getPersistentAction(ArgumentsAction.class);
    Assert.assertFalse(args.isUnmodifiedArguments());
    Assert.assertEquals("echo hello ${PASSWORD}", args.getArguments().values().iterator().next());
}
/**
 * A credential bound by {@code withCredentials} and interpolated into a shell step's Groovy
 * string must produce the interpolation warning naming {@code PASSWORD}, add one entry to the
 * run's {@link InterpolatedSecretsAction}, and leave a placeholder rather than the value in the
 * persisted step arguments (JENKINS-63254).
 */
@Issue("JENKINS-63254")
@Test
public void sensitiveVariableInterpolation() throws Exception {
    final String credentialsId = "creds-sensitiveVariableInterpolation";
    UsernamePasswordCredentialsImpl creds = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, "sample", "bob", "secr3t");
    CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), creds);
    final String step = Functions.isWindows() ? "bat" : "sh";
    final String script = "node {\n"
            + "withCredentials([usernamePassword(credentialsId: '" + credentialsId + "', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {\n"
            + step + " \"echo $PASSWORD\"\n"
            + "}\n"
            + "}";
    p.setDefinition(new CpsFlowDefinition(script, true));
    WorkflowRun build = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
    // The log identifies the step and the variable by name.
    r.assertLogContains("Warning: A secret was passed to \"" + step + "\"", build);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD]", build);
    InterpolatedSecretsAction report = build.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(report);
    List<InterpolatedSecretsAction.InterpolatedWarnings> recorded = report.getWarnings();
    Assert.assertEquals(1, recorded.size());
    InterpolatedSecretsAction.InterpolatedWarnings only = recorded.get(0);
    Assert.assertEquals(step, only.getStepName());
    Assert.assertEquals(Arrays.asList("PASSWORD"), only.getInterpolatedVariables());
    // Persisted arguments are marked as modified and keep the placeholder instead of the password.
    FlowNode stepNode = new LinearScanner().findFirstMatch(build.getExecution().getCurrentHeads().get(0), new NodeStepTypePredicate(step));
    ArgumentsAction args = stepNode.getPersistentAction(ArgumentsAction.class);
    Assert.assertFalse(args.isUnmodifiedArguments());
    Assert.assertEquals("echo ${PASSWORD}", args.getArguments().values().iterator().next());
}
/**
 * A bound credential interpolated into an argument of a nested describable (not a top-level
 * step argument) must still be detected: the step is reported with {@code PASSWORD}, the value
 * is masked in the step's console output, and the persisted describable arguments keep the
 * placeholder (JENKINS-63254).
 */
@Issue("JENKINS-63254")
@Test
public void sensitiveVariableInterpolationWithNestedDescribable() throws Exception {
    final String credentialsId = "creds-sensitiveVariableInterpolationWithNestedDescribable";
    UsernamePasswordCredentialsImpl creds = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, "sample", "bob", "secr3t");
    CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), creds);
    final String stepName = "monomorphWithSymbolStep";
    final String script = "node {\n"
            + "withCredentials([usernamePassword(credentialsId: '" + credentialsId + "', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {\n"
            + "monomorphWithSymbolStep(monomorphSymbol([firstArg:\"${PASSWORD}\", secondArg:'two']))"
            + "}\n"
            + "}";
    p.setDefinition(new CpsFlowDefinition(script, true));
    WorkflowRun build = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
    // The step's own output shows the masked value; the warning names the variable.
    r.assertLogContains("First arg: ****, second arg: two", build);
    r.assertLogContains("Warning: A secret was passed to \"monomorphWithSymbolStep\"", build);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD]", build);
    InterpolatedSecretsAction report = build.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(report);
    List<InterpolatedSecretsAction.InterpolatedWarnings> recorded = report.getWarnings();
    Assert.assertEquals(1, recorded.size());
    InterpolatedSecretsAction.InterpolatedWarnings only = recorded.get(0);
    Assert.assertEquals(stepName, only.getStepName());
    Assert.assertEquals(Arrays.asList("PASSWORD"), only.getInterpolatedVariables());
    // The nested describable is persisted with the placeholder in its own argument map.
    FlowNode stepNode = new LinearScanner().findFirstMatch(build.getExecution().getCurrentHeads().get(0), new NodeStepTypePredicate(stepName));
    ArgumentsAction args = stepNode.getPersistentAction(ArgumentsAction.class);
    Assert.assertFalse(args.isUnmodifiedArguments());
    Object firstArgument = args.getArguments().values().iterator().next();
    Assert.assertTrue(firstArgument instanceof UninstantiatedDescribable);
    Assert.assertEquals("{firstArg=${PASSWORD}, secondArg=two}", ((UninstantiatedDescribable) firstArgument).getArguments().toString());
}
/**
 * Secrets interpolated at several nesting levels (a step inside a describable inside a list
 * step) must be reported once per step, each naming every interpolated sensitive variable.
 * The username is marked secret as well, so both {@code PASSWORD} and {@code USERNAME} are
 * expected for both steps (JENKINS-63254).
 */
@Issue("JENKINS-63254")
@Test
public void complexSensitiveVariableInterpolationWithNestedDescribable() throws Exception {
    final String credentialsId = "creds-complexSensitiveVariableInterpolationWithNestedDescribable";
    UsernamePasswordCredentialsImpl creds = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, "sample", "bob", "secr3t");
    // Makes USERNAME a sensitive variable too, so it must show up alongside PASSWORD.
    creds.setUsernameSecret(true);
    CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), creds);
    final String script = "node {\n"
            + "withCredentials([usernamePassword(credentialsId: '" + credentialsId + "', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {\n"
            + "monomorphListSymbolStep([monomorphSymbol(firstArg: monomorphWithSymbolStep(monomorphSymbol([firstArg: \"innerFirstArgIs${PASSWORD}\", secondArg: \"innerSecondArgIs${USERNAME}\"])), secondArg: \"hereismy${PASSWORD}\"), monomorphSymbol(firstArg: \"${PASSWORD}\", secondArg: \"${USERNAME}\")])"
            + "}\n"
            + "}";
    p.setDefinition(new CpsFlowDefinition(script, true));
    WorkflowRun build = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
    r.assertLogContains("Warning: A secret was passed to \"monomorphWithSymbolStep\"", build);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD, USERNAME]", build);
    r.assertLogContains("Warning: A secret was passed to \"monomorphListSymbolStep\"", build);
    // Neither step may report PASSWORD alone.
    r.assertLogNotContains("Affected argument(s) used the following variable(s): [PASSWORD]", build);
    InterpolatedSecretsAction report = build.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(report);
    List<InterpolatedSecretsAction.InterpolatedWarnings> recorded = report.getWarnings();
    Assert.assertEquals(2, recorded.size());
    List<String> bothVariables = Arrays.asList("PASSWORD", "USERNAME");
    InterpolatedSecretsAction.InterpolatedWarnings innerStep = recorded.get(0);
    Assert.assertEquals("monomorphWithSymbolStep", innerStep.getStepName());
    Assert.assertEquals(bothVariables, innerStep.getInterpolatedVariables());
    InterpolatedSecretsAction.InterpolatedWarnings outerStep = recorded.get(1);
    Assert.assertEquals("monomorphListSymbolStep", outerStep.getStepName());
    Assert.assertEquals(bothVariables, outerStep.getInterpolatedVariables());
}