Examples with InterpolatedSecretsAction org.jenkinsci.plugins.workflow.cps.view.InterpolatedSecretsAction used on opensource projects

Example 1 with InterpolatedSecretsAction

use of org.jenkinsci.plugins.workflow.cps.view.InterpolatedSecretsAction in project workflow-cps-plugin by jenkinsci.

the class DSL method logInterpolationWarnings.

private void logInterpolationWarnings(String stepName, @CheckForNull ArgumentsActionImpl argumentsAction, Set<String> interpolatedStrings, @CheckForNull EnvVars envVars, @NonNull Set<String> sensitiveVariables, TaskListener listener) throws IOException {
    if (UNSAFE_GROOVY_INTERPOLATION.equals("ignore")) {
        return;
    }
    boolean shouldFail;
    if (UNSAFE_GROOVY_INTERPOLATION.equals("fail")) {
        shouldFail = true;
    } else {
        shouldFail = false;
    }
    if (argumentsAction == null || interpolatedStrings.isEmpty() || envVars == null || envVars.isEmpty() || sensitiveVariables.isEmpty()) {
        return;
    }
    // Workaround for NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE false positive in lambdas: https://github.com/spotbugs/spotbugs/issues/552.
    final EnvVars nonNullEnvVars = envVars;
    List<String> scanResults = sensitiveVariables.stream().filter(e -> !nonNullEnvVars.get(e, "").isEmpty() && interpolatedStrings.stream().anyMatch(g -> g.contains(nonNullEnvVars.get(e)))).collect(Collectors.toList());
    if (scanResults != null && !scanResults.isEmpty()) {
        String warningType;
        if (shouldFail) {
            warningType = "Error";
        } else {
            warningType = "Warning";
        }
        String warning = String.format("%s: A secret was passed to \"%s\" using Groovy String interpolation, which is insecure.%n\t\t Affected argument(s) used the following variable(s): %s%n\t\t See https://jenkins.io/redirect/groovy-string-interpolation for details.", warningType, stepName, scanResults.toString());
        FlowExecutionOwner owner = exec.getOwner();
        if (owner != null && owner.getExecutable() instanceof Run) {
            InterpolatedSecretsAction runReport = ((Run) owner.getExecutable()).getAction(InterpolatedSecretsAction.class);
            if (runReport == null) {
                runReport = new InterpolatedSecretsAction();
                ((Run) owner.getExecutable()).addAction(runReport);
            }
            runReport.record(stepName, scanResults);
        } else {
            LOGGER.log(Level.FINE, "Unable to generate Interpolated Secrets Report");
        }
        if (shouldFail) {
            throw new AbortException(warning);
        } else {
            listener.getLogger().println(warning);
        }
    }
}

Example 2 with InterpolatedSecretsAction

use of org.jenkinsci.plugins.workflow.cps.view.InterpolatedSecretsAction in project workflow-cps-plugin by jenkinsci.

the class DSLTest method passwordParametersSanitized.

@Issue("JENKINS-47101")
@Test
public void passwordParametersSanitized() throws Exception {
    String shellStep = Functions.isWindows() ? "bat" : "sh";
    p.setDefinition(new CpsFlowDefinition("" + "node {\n" + shellStep + " \"echo ${params.TEXT} ${params.PASSWORD}\"\n" + "}", true));
    p.addProperty(new ParametersDefinitionProperty(new StringParameterDefinition("TEXT", ""), new PasswordParameterDefinition("PASSWORD", "", null)));
    WorkflowRun run = r.assertBuildStatusSuccess(p.scheduleBuild2(0, new ParametersAction(new StringParameterValue("TEXT", "hello"), new PasswordParameterValue("PASSWORD", "s3cr3t"))));
    r.assertLogContains("Warning: A secret was passed to \"" + shellStep + "\"", run);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD]", run);
    InterpolatedSecretsAction reportAction = run.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(reportAction);
    List<InterpolatedSecretsAction.InterpolatedWarnings> warnings = reportAction.getWarnings();
    MatcherAssert.assertThat(warnings.size(), is(1));
    InterpolatedSecretsAction.InterpolatedWarnings stepWarning = warnings.get(0);
    MatcherAssert.assertThat(stepWarning.getStepName(), is(shellStep));
    MatcherAssert.assertThat(stepWarning.getInterpolatedVariables(), is(Arrays.asList("PASSWORD")));
    LinearScanner scan = new LinearScanner();
    FlowNode node = scan.findFirstMatch(run.getExecution().getCurrentHeads().get(0), new NodeStepTypePredicate(shellStep));
    ArgumentsAction argAction = node.getPersistentAction(ArgumentsAction.class);
    Assert.assertFalse(argAction.isUnmodifiedArguments());
    MatcherAssert.assertThat(argAction.getArguments().values().iterator().next(), is("echo hello ${PASSWORD}"));
}

Example 3 with InterpolatedSecretsAction

use of org.jenkinsci.plugins.workflow.cps.view.InterpolatedSecretsAction in project workflow-cps-plugin by jenkinsci.

the class DSLTest method sensitiveVariableInterpolation.

@Issue("JENKINS-63254")
@Test
public void sensitiveVariableInterpolation() throws Exception {
    final String credentialsId = "creds-sensitiveVariableInterpolation";
    final String username = "bob";
    final String password = "secr3t";
    UsernamePasswordCredentialsImpl c = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, "sample", username, password);
    CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), c);
    String shellStep = Functions.isWindows() ? "bat" : "sh";
    p.setDefinition(new CpsFlowDefinition("" + "node {\n" + "withCredentials([usernamePassword(credentialsId: '" + credentialsId + "', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {\n" + shellStep + " \"echo $PASSWORD\"\n" + "}\n" + "}", true));
    WorkflowRun run = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
    r.assertLogContains("Warning: A secret was passed to \"" + shellStep + "\"", run);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD]", run);
    InterpolatedSecretsAction reportAction = run.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(reportAction);
    List<InterpolatedSecretsAction.InterpolatedWarnings> warnings = reportAction.getWarnings();
    MatcherAssert.assertThat(warnings.size(), is(1));
    InterpolatedSecretsAction.InterpolatedWarnings stepWarning = warnings.get(0);
    MatcherAssert.assertThat(stepWarning.getStepName(), is(shellStep));
    MatcherAssert.assertThat(stepWarning.getInterpolatedVariables(), is(Arrays.asList("PASSWORD")));
    LinearScanner scan = new LinearScanner();
    FlowNode node = scan.findFirstMatch(run.getExecution().getCurrentHeads().get(0), new NodeStepTypePredicate(shellStep));
    ArgumentsAction argAction = node.getPersistentAction(ArgumentsAction.class);
    Assert.assertFalse(argAction.isUnmodifiedArguments());
    MatcherAssert.assertThat(argAction.getArguments().values().iterator().next(), is("echo ${PASSWORD}"));
}

Example 4 with InterpolatedSecretsAction

use of org.jenkinsci.plugins.workflow.cps.view.InterpolatedSecretsAction in project workflow-cps-plugin by jenkinsci.

the class DSLTest method sensitiveVariableInterpolationWithNestedDescribable.

@Issue("JENKINS-63254")
@Test
public void sensitiveVariableInterpolationWithNestedDescribable() throws Exception {
    final String credentialsId = "creds-sensitiveVariableInterpolationWithNestedDescribable";
    final String username = "bob";
    final String password = "secr3t";
    UsernamePasswordCredentialsImpl c = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, "sample", username, password);
    CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), c);
    p.setDefinition(new CpsFlowDefinition("" + "node {\n" + "withCredentials([usernamePassword(credentialsId: '" + credentialsId + "', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {\n" + "monomorphWithSymbolStep(monomorphSymbol([firstArg:\"${PASSWORD}\", secondArg:'two']))" + "}\n" + "}", true));
    WorkflowRun run = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
    r.assertLogContains("First arg: ****, second arg: two", run);
    r.assertLogContains("Warning: A secret was passed to \"monomorphWithSymbolStep\"", run);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD]", run);
    InterpolatedSecretsAction reportAction = run.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(reportAction);
    List<InterpolatedSecretsAction.InterpolatedWarnings> warnings = reportAction.getWarnings();
    MatcherAssert.assertThat(warnings.size(), is(1));
    InterpolatedSecretsAction.InterpolatedWarnings stepWarning = warnings.get(0);
    MatcherAssert.assertThat(stepWarning.getStepName(), is("monomorphWithSymbolStep"));
    MatcherAssert.assertThat(stepWarning.getInterpolatedVariables(), is(Arrays.asList("PASSWORD")));
    LinearScanner scan = new LinearScanner();
    FlowNode node = scan.findFirstMatch(run.getExecution().getCurrentHeads().get(0), new NodeStepTypePredicate("monomorphWithSymbolStep"));
    ArgumentsAction argAction = node.getPersistentAction(ArgumentsAction.class);
    Assert.assertFalse(argAction.isUnmodifiedArguments());
    Object var = argAction.getArguments().values().iterator().next();
    MatcherAssert.assertThat(var, instanceOf(UninstantiatedDescribable.class));
    MatcherAssert.assertThat(((UninstantiatedDescribable) var).getArguments().toString(), is("{firstArg=${PASSWORD}, secondArg=two}"));
}

Example 5 with InterpolatedSecretsAction

use of org.jenkinsci.plugins.workflow.cps.view.InterpolatedSecretsAction in project workflow-cps-plugin by jenkinsci.

the class DSLTest method complexSensitiveVariableInterpolationWithNestedDescribable.

@Issue("JENKINS-63254")
@Test
public void complexSensitiveVariableInterpolationWithNestedDescribable() throws Exception {
    final String credentialsId = "creds-complexSensitiveVariableInterpolationWithNestedDescribable";
    final String username = "bob";
    final String password = "secr3t";
    UsernamePasswordCredentialsImpl c = new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, "sample", username, password);
    c.setUsernameSecret(true);
    CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), c);
    p.setDefinition(new CpsFlowDefinition("" + "node {\n" + "withCredentials([usernamePassword(credentialsId: '" + credentialsId + "', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {\n" + "monomorphListSymbolStep([monomorphSymbol(firstArg: monomorphWithSymbolStep(monomorphSymbol([firstArg: \"innerFirstArgIs${PASSWORD}\", secondArg: \"innerSecondArgIs${USERNAME}\"])), secondArg: \"hereismy${PASSWORD}\"), monomorphSymbol(firstArg: \"${PASSWORD}\", secondArg: \"${USERNAME}\")])" + "}\n" + "}", true));
    WorkflowRun run = r.assertBuildStatusSuccess(p.scheduleBuild2(0));
    r.assertLogContains("Warning: A secret was passed to \"monomorphWithSymbolStep\"", run);
    r.assertLogContains("Affected argument(s) used the following variable(s): [PASSWORD, USERNAME]", run);
    r.assertLogContains("Warning: A secret was passed to \"monomorphListSymbolStep\"", run);
    r.assertLogNotContains("Affected argument(s) used the following variable(s): [PASSWORD]", run);
    InterpolatedSecretsAction reportAction = run.getAction(InterpolatedSecretsAction.class);
    Assert.assertNotNull(reportAction);
    List<InterpolatedSecretsAction.InterpolatedWarnings> warnings = reportAction.getWarnings();
    MatcherAssert.assertThat(warnings.size(), is(2));
    InterpolatedSecretsAction.InterpolatedWarnings stepWarning = warnings.get(0);
    MatcherAssert.assertThat(stepWarning.getStepName(), is("monomorphWithSymbolStep"));
    MatcherAssert.assertThat(stepWarning.getInterpolatedVariables(), equalTo(Arrays.asList("PASSWORD", "USERNAME")));
    InterpolatedSecretsAction.InterpolatedWarnings listStepWarning = warnings.get(1);
    MatcherAssert.assertThat(listStepWarning.getStepName(), is("monomorphListSymbolStep"));
    MatcherAssert.assertThat(listStepWarning.getInterpolatedVariables(), equalTo(Arrays.asList("PASSWORD", "USERNAME")));
}