[JIRA] (JENKINS-59331) withCredentials certificate(aliasVariable: ) stores description of credential, not keystore alias name

[Kalle.Niemitalo@procomp.fi (JIRA)]

Kalle Niemitalo updated an issue

Jenkins / JENKINS-59331 withCredentials certificate(aliasVariable: ) stores description of credential, not keystore alias name Change By: Kalle Niemitalo Summary: Empty 'Alias Variable' when using withCredentials certificate binding (aliasVariable: ) stores description of credential, not keystore alias name Issue Type: Task Bug Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[Kalle.Niemitalo@procomp.fi (JIRA)]

Kalle Niemitalo commented on JENKINS-59331

Re: withCredentials certificate(aliasVariable: ) stores description of credential, not keystore alias name Credentials Binding Plugin has done this ever since the certificate binding feature was added commit 7d789a8c590fd87cb9dd61c89c894a5df26a0605 and merged in PR#39. The commit message even mentions the assumption that the credential description matches the keystore alias name, but I don't think I have seen it documented anywhere else. When I edit the description of a certificate credential, the help text "An optional description to help tell similar credentials apart" certainly gives no hint of any such requirement. CertificateMultiBinding already calls credentials.getKeyStore(), so perhaps it could just enumerate the returned KeyStore and get the alias name from there, without needing changes in the Credentials Plugin. If the aliasVariable parameter is specified but the KeyStore actually contains more than one key, then CertificateMultiBinding could log a warning about that.

Add Comment

[Kalle.Niemitalo@procomp.fi (JIRA)]

Kalle Niemitalo edited a comment on JENKINS-59331

Re: withCredentials certificate(aliasVariable: ) stores description of credential, not keystore alias name

Credentials Binding Plugin has done this ever since the certificate binding feature was added in [commit 7d789a8c590fd87cb9dd61c89c894a5df26a0605|https://github.com/jenkinsci/credentials-binding-plugin/commit/7d789a8c590fd87cb9dd61c89c894a5df26a0605] and merged in [PR#39|https://github.com/jenkinsci/credentials-binding-plugin/pull/39]. The commit message even mentions the assumption that the credential description matches the keystore alias name, but I don't think I have seen it documented anywhere else. When I edit the description of a certificate credential, the help text "An optional description to help tell similar credentials apart" certainly gives no hint of any such requirement. CertificateMultiBinding already calls {{credentials.getKeyStore()}}, so perhaps it could just enumerate the returned KeyStore and get the alias name from there, without needing changes in the Credentials Plugin. If the {{aliasVariable}} parameter is specified but the KeyStore actually contains more than one key, then CertificateMultiBinding could log a warning about that.

Add Comment

[Kalle.Niemitalo@procomp.fi (JIRA)]

If each certificate credential normally contains only one certificate and private key, then the keystore alias name is not really needed for selecting the correct certificate, and I think users are likely to choose short words like "cert" as keystore alias names. If the {{withCredentials}} step is then changed to store these to the {{aliasVariable}}, there may be a risk that Jenkins starts unnecessarily masking this word in unrelated output. Perhaps the keystore alias name should be exempt from this masking.

Add Comment

[Kalle.Niemitalo@procomp.fi (JIRA)]

Kalle Niemitalo commented on JENKINS-59331

Re: withCredentials certificate(aliasVariable: ) stores description of credential, not keystore alias name

In the Certificate Plugin, CertificateCredentialsImpl.KeyStoreSourceDescriptor#validateCertificateKeystore apparently supports multiple certificate entries and multiple key entries in the same KeyStore. StandardCertificateCredentials.NameProvider#getSubjectDN only uses one key entry, though.

Add Comment

[Kalle.Niemitalo@procomp.fi (JIRA)]

Kalle Niemitalo edited a comment on JENKINS-59331

Re: withCredentials certificate(aliasVariable: ) stores description of credential, not keystore alias name

Credentials Binding Plugin has done this ever since the certificate binding feature was added in [commit 7d789a8c590fd87cb9dd61c89c894a5df26a0605|https://github.com/jenkinsci/credentials-binding-plugin/commit/7d789a8c590fd87cb9dd61c89c894a5df26a0605] and merged in [PR#39|https://github.com/jenkinsci/credentials-binding-plugin/pull/39]. The commit message even mentions the assumption that the credential description matches the keystore alias name, but I don't think I have seen it documented anywhere else. When I edit the description of a certificate credential, the help text "An optional description to help tell similar credentials apart" certainly gives no hint of any such requirement. CertificateMultiBinding already calls {{credentials.getKeyStore()}}, so perhaps it could just enumerate the returned KeyStore and get the alias name from there, without needing changes in the Credentials Plugin. If the {{aliasVariable}} parameter is specified but the KeyStore actually contains more than one key, then CertificateMultiBinding could log a warning about that.

If each certificate credential normally contains only one certificate and private key, then the keystore alias name is not really needed for selecting the correct certificate, and I think users are likely to choose short words like "cert" as keystore alias names. If the {{withCredentials}} step is then changed to store these to the {{aliasVariable}}, there may be a risk that Jenkins starts unnecessarily masking this word in unrelated output. Perhaps the keystore alias name should be exempt from this masking , like JENKINS-44860 requests for usernames .

Add Comment

[Kalle.Niemitalo@procomp.fi (JIRA)]

Kalle Niemitalo edited a comment on JENKINS-59331

Re: withCredentials certificate(aliasVariable: ) stores description of credential, not keystore alias name

Credentials Binding Plugin has done this ever since the certificate binding feature was added in [commit 7d789a8c590fd87cb9dd61c89c894a5df26a0605|https://github.com/jenkinsci/credentials-binding-plugin/commit/7d789a8c590fd87cb9dd61c89c894a5df26a0605] and merged in [PR#39|https://github.com/jenkinsci/credentials-binding-plugin/pull/39]. The commit message even mentions the assumption that the credential description matches the keystore alias name, but I don't think I have seen it documented anywhere else. When I edit the description of a certificate credential, the help text "An optional description to help tell similar credentials apart" certainly gives no hint of any such requirement.

CertificateMultiBinding already calls {{credentials.getKeyStore()}}, so perhaps it could just enumerate the returned KeyStore and get the alias name from there, without needing changes in the Credentials Plugin. If the {{aliasVariable}} parameter is specified but the KeyStore actually contains more than one key, then CertificateMultiBinding could log a warning about that , perhaps unless the description of the credential matches one of these aliases .

If each certificate credential normally contains only one certificate and private key, then the keystore alias name is not really needed for selecting the correct certificate, and I think users are likely to choose short words like "cert" as keystore alias names. If the {{withCredentials}} step is then changed to store these to the {{aliasVariable}}, there may be a risk that Jenkins starts unnecessarily masking this word in unrelated output. Perhaps the keystore alias name should be exempt from this masking, like JENKINS-44860 requests for usernames.

Add Comment