[JIRA] (JENKINS-61824) Git plugin credential lookup uses too low level API


msicker@cloudbees.com (JIRA)

Apr 6, 2020, 8:09:04 PM
to jenkinsc...@googlegroups.com
Matt Sicker created an issue
 
Jenkins / Bug JENKINS-61824
Git plugin credential lookup uses too low level API
Issue Type: Bug
Assignee: Mark Waite
Components: git-plugin
Created: 2020-04-06 20:08
Priority: Minor
Reporter: Matt Sicker

In UserRemoteConfig.DescriptorImpl.lookupCredentials(), this bypasses several features provided natively by the credentials plugin including user-scoped credentials, authorize project scoped credentials, other sources, and the credential parameter shadowing feature. This should instead use CredentialsProvider.findCredentialsById() with the listed domain requirements and the associated run.

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
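
As an added illustration (not code from the git plugin or from the reporter), the two lookup styles the description contrasts look roughly like this in Java against the credentials plugin API of that period. The class and method names `GitCredentialLookupExample`, `lowLevel` and `runAware` are hypothetical, the caller is assumed to have a `Run` in hand, and the credentials-plugin method itself is spelled `findCredentialById`.

```java
// Added illustration; compiles inside a Jenkins plugin that depends on the
// credentials plugin. GitCredentialLookupExample, lowLevel and runAware are
// hypothetical names, not part of the git plugin.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.model.Item;
import hudson.model.Run;
import hudson.security.ACL;
import java.util.List;

public final class GitCredentialLookupExample {

    private GitCredentialLookupExample() {}

    /**
     * Low-level style: list every credential visible to a fixed identity
     * (here SYSTEM) in the item's context, then pick one by id. No Run is
     * involved, so nothing that depends on the triggering user or on build
     * parameters can take part in the lookup.
     */
    static StandardUsernameCredentials lowLevel(Item owner, String credentialsId, String remoteUrl) {
        List<DomainRequirement> reqs = URIRequirementBuilder.fromUri(remoteUrl).build();
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernameCredentials.class, owner, ACL.SYSTEM, reqs),
                CredentialsMatchers.withId(credentialsId));
    }

    /**
     * Run-aware style: hand the id, the expected type, the Run and the
     * domain requirements to the credentials plugin and let it resolve the
     * id in the context of that build.
     * Returns null when nothing matches; callers must handle that case
     * instead of falling back to a broader lookup.
     */
    static StandardUsernameCredentials runAware(Run<?, ?> run, String credentialsId, String remoteUrl) {
        List<DomainRequirement> reqs = URIRequirementBuilder.fromUri(remoteUrl).build();
        return CredentialsProvider.findCredentialById(
                credentialsId, StandardUsernameCredentials.class, run, reqs);
    }
}
```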

msicker@cloudbees.com (JIRA)

Apr 6, 2020, 8:17:04 PM
to jenkinsc...@googlegroups.com
Matt Sicker updated an issue
Change By: Matt Sicker
In {{GitSCMFileSystem.build()}}, this bypasses several features provided natively by the credentials plugin including user-scoped credentials, authorize project scoped credentials, other sources, and the credential parameter shadowing feature. This should instead use {{CredentialsProvider.findCredentialsById()}} with the listed domain requirements and the associated run.

msicker@cloudbees.com (JIRA)

Apr 6, 2020, 8:19:02 PM
to jenkinsc...@googlegroups.com
Matt Sicker commented on Bug JENKINS-61824
 
Re: Git plugin credential lookup uses too low level API

I'm also open to updating the credentials plugin API if there's a limitation here I missed back when I first updated that.

mark.earl.waite@gmail.com (JIRA)

Apr 6, 2020, 11:03:05 PM
to jenkinsc...@googlegroups.com

Thanks for the report, Matt Sicker. Since GitSCMFileSystem.build() was implemented by Stephen Connolly in 2016, I assume that the credentials API support for user-scoped credentials, authorize project scoped credentials, other credentials, and the credential shadowing feature were added to the credentials API after 2016. Can you confirm my assumption?

If my assumption is correct, then I assume all uses of credentials in the git plugin and the git client plugin should probably be visited to assure they are using the correct and current credential APIs.

If those features were not added to the credentials API after 2016, then I assume there was a compelling reason that they were not used in that implementation.

msicker@cloudbees.com (JIRA)

Apr 6, 2020, 11:24:03 PM
to jenkinsc...@googlegroups.com
Matt Sicker updated an issue
Change By: Matt Sicker
Issue Type: Bug → Improvement

msicker@cloudbees.com (JIRA)

Apr 6, 2020, 11:24:04 PM
to jenkinsc...@googlegroups.com
Matt Sicker commented on Bug JENKINS-61824
 
Re: Git plugin credential lookup uses too low level API

Yes, the shadowing is from 2018 or 2019, and the user scoped credentials are just poorly supported in general. Seems like this is less a bug and more so an improvement. I'm able to work around this by using {{git credentialsId: params.foo}} instead of {{git credentialsId: 'foo'}}, but that will only work for global scoped credentials. If I wanted to use credentials from my account to, say, tag a sensitive git repo interactively, it wouldn't work without a lookup attempt using {{findCredentialsById}}.

msicker@cloudbees.com (JIRA)

Apr 6, 2020, 11:26:02 PM
to jenkinsc...@googlegroups.com

msicker@cloudbees.com (JIRA)

Apr 6, 2020, 11:28:03 PM
to jenkinsc...@googlegroups.com

mark.earl.waite@gmail.com (JIRA)

Apr 6, 2020, 11:58:02 PM
to jenkinsc...@googlegroups.com

Matt Sicker, pull requests are welcomed to adapt the plugin to the new APIs.

May be related to JENKINS-58902 and JENKINS-44773

mark.earl.waite@gmail.com (JIRA)

Apr 7, 2020, 4:12:02 AM
to jenkinsc...@googlegroups.com
Mark Waite assigned an issue to Unassigned
 
Change By: Mark Waite
Assignee: Mark Waite → Unassigned

msicker@cloudbees.com (JIRA)

Apr 7, 2020, 3:51:03 PM
to jenkinsc...@googlegroups.com
Matt Sicker commented on Improvement JENKINS-61824
 
Re: Git plugin credential lookup uses too low level API

Likely related! I started looking at patching this yesterday, though since the affected code seemed to be a little fancier than expected, I think I may need to take a step back to examine credentials-plugin and see if there's any more APIs that needed to be updated in it to properly integrate the fancier credential resolution. This API has clearly evolved over a long period of time, so not every plugin seems to be using the most effective APIs.

msicker@cloudbees.com (JIRA)

Apr 30, 2020, 4:03:02 PM
to jenkinsc...@googlegroups.com

I came across a similar issue today in the slack plugin which uses even lower level APIs: https://github.com/jenkinsci/slack-plugin/blob/master/src/main/java/jenkins/plugins/slack/CredentialsObtainer.java

Seems like there's too much choice!
