From a8a65207e7cae0ffe7385adfc348f59073a1abd2 Mon Sep 17 00:00:00 2001 From: "rajani.salunkhe" Date: Tue, 19 Nov 2024 05:29:18 -0500 Subject: [PATCH 1/2] Updated permission handling to ensure that users with appropriate roles can access and view the credentials list. --- .../global/cred/SecretServerCredentials.java | 89 ++++++++++++------- 1 file changed, 59 insertions(+), 30 deletions(-) diff --git a/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java b/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java index cd09ef3..bb76f14 100644 --- a/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java +++ b/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java @@ -1,15 +1,21 @@ package com.delinea.secrets.jenkins.global.cred; import java.io.IOException; +import java.util.Collections; +import javax.annotation.Nullable; import javax.servlet.ServletException; +import org.acegisecurity.context.SecurityContext; +import org.acegisecurity.context.SecurityContextHolder; import org.apache.commons.lang.StringUtils; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.Stapler; import org.kohsuke.stapler.verb.POST; +import com.cloudbees.plugins.credentials.CredentialsProvider; import com.cloudbees.plugins.credentials.CredentialsScope; import com.cloudbees.plugins.credentials.common.StandardCredentials; import com.cloudbees.plugins.credentials.common.StandardListBoxModel; @@ -72,7 +78,7 @@ public String getSecretId() { */ @Override public String getUsername() { - return getVaultCredential().getUsername(); + return getVaultCredential(getContextItem()).getUsername(); } /** @@ -83,7 +89,20 @@ public String getUsername() { */ @Override public Secret getPassword() { - return Secret.fromString(getVaultCredential().getPassword()); + return Secret.fromString(getVaultCredential(getContextItem()).getPassword()); + } + + @Nullable + private Item getContextItem() { + // Retrieve the nearest item in the current request context + if (Stapler.getCurrentRequest() != null) { + Item contextItem = Stapler.getCurrentRequest().findAncestorObject(Item.class); + if (contextItem != null) { + return contextItem; + } + } + // Return null to signify global scope as fallback + return null; } /** @@ -94,10 +113,14 @@ public Secret getPassword() { * @throws RuntimeException if the credentials cannot be fetched from the Secret * Server. */ - private UsernamePassword getVaultCredential() { - if (vaultCredential == null) { // Fetch only if not already cached + private UsernamePassword getVaultCredential(@Nullable Item contextItem) { + if (vaultCredential == null) { try { - UserCredentials credential = UserCredentials.get(credentialId, null); + UserCredentials credential = UserCredentials.get(credentialId, contextItem); + if (credential == null) { + throw new RuntimeException( + "UserCredentials with the specified credentialId not found in the folder context."); + } vaultCredential = new VaultClient().fetchCredentials(vaultUrl, secretId, credential.getUsername(), credential.getPassword().getPlainText()); } catch (Exception e) { @@ -123,26 +146,35 @@ public String getDisplayName() { * @return A ListBoxModel containing the available Credential IDs. */ @POST - public ListBoxModel doFillCredentialIdItems(@AncestorInPath final Item item) { - if (item == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) - || item != null && !item.hasPermission(Item.CONFIGURE)) { - return new StandardListBoxModel(); - } - return new StandardListBoxModel().includeAs(ACL.SYSTEM, item, UserCredentials.class).includeEmptyValue(); + public ListBoxModel doFillCredentialIdItems(@AncestorInPath final Item owner) { + // Check permissions for the current user + if ((owner == null && !Jenkins.get().hasPermission(CredentialsProvider.CREATE)) + || (owner != null && !owner.hasPermission(CredentialsProvider.CREATE))) { + return new StandardListBoxModel(); // Return an empty model if permissions are missing + } + return new StandardListBoxModel() + .includeEmptyValue() + .includeAs(ACL.SYSTEM, owner, UserCredentials.class); // Only include UserCredentials type } /** * Validates the Credential ID input by the user. */ @POST - public FormValidation doCheckCredentialId(@QueryParameter final String value) + public FormValidation doCheckCredentialId(@AncestorInPath Item item, @QueryParameter final String value) throws IOException, ServletException { - if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { - return FormValidation.error("You do not have permission to perform this action"); - } + if ((item == null && !Jenkins.get().hasPermission(CredentialsProvider.CREATE)) + || (item != null && !item.hasPermission(CredentialsProvider.CREATE))) { + return FormValidation.error("You do not have permission to perform this action."); + } if (StringUtils.isBlank(value)) { return FormValidation.error("Credential ID is required."); } + // Check if the Credential ID exists within the specified item context + if (CredentialsProvider.lookupCredentials(UserCredentials.class, item, ACL.SYSTEM, Collections.emptyList()) + .stream().noneMatch(cred -> cred.getId().equals(value))) { + return FormValidation.error("Credential ID not found. Please provide a valid ID."); + } return FormValidation.ok(); } @@ -150,10 +182,12 @@ public FormValidation doCheckCredentialId(@QueryParameter final String value) * Validates the Secret ID input by the user. */ @POST - public FormValidation doCheckSecretId(@QueryParameter final String value) throws IOException, ServletException { - if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { - return FormValidation.error("You do not have permission to perform this action"); - } + public FormValidation doCheckSecretId(@AncestorInPath final Item item, @QueryParameter final String value) + throws IOException, ServletException { + if ((item == null && !Jenkins.get().hasPermission(CredentialsProvider.CREATE)) + || (item != null && !item.hasPermission(CredentialsProvider.CREATE))) { + return FormValidation.error("You do not have permission to perform this action."); + } if (StringUtils.isBlank(value)) { return FormValidation.error("Secret ID is required."); } @@ -180,15 +214,11 @@ public FormValidation doTestConnection(@AncestorInPath Item owner, @QueryParameter("vaultUrl") final String vaultUrl, @QueryParameter("credentialId") final String credentialId, @QueryParameter("secretId") final String secretId) { + if ((owner == null && !Jenkins.get().hasPermission(CredentialsProvider.CREATE)) + || (owner != null && !owner.hasPermission(CredentialsProvider.CREATE))) { + return FormValidation.error("You do not have permission to perform this action."); + } - // Check for necessary permissions - if (owner == null) { - Jenkins.get().checkPermission(Jenkins.ADMINISTER); - } else { - owner.checkPermission(Item.CONFIGURE); - } - - // Validate inputs if (StringUtils.isBlank(credentialId)) { return FormValidation.error("Credential ID is required to test the connection."); } @@ -196,10 +226,9 @@ public FormValidation doTestConnection(@AncestorInPath Item owner, if (StringUtils.isBlank(vaultUrl)) { return FormValidation.error("Vault URL cannot be blank."); } - + try { - // Attempt to fetch credentials from Secret Server - UserCredentials credential = UserCredentials.get(credentialId, null); + UserCredentials credential = UserCredentials.get(credentialId, owner); new VaultClient().fetchCredentials(vaultUrl, secretId, credential.getUsername(), credential.getPassword().getPlainText()); return FormValidation.ok("Connection successful."); From f94cad7a1fbd9eda9091dfd0e0591aa5d6d88498 Mon Sep 17 00:00:00 2001 From: "rajani.salunkhe" Date: Fri, 22 Nov 2024 02:24:23 -0500 Subject: [PATCH 2/2] Enhance plugin to support creating credentials in specific Jenkins folders. --- .changes/1.1.1.md | 4 ++ CHANGELOG.md | 4 ++ Taskfile.yml | 2 +- pom.xml | 2 +- .../global/cred/SecretServerCredentials.java | 30 +++++++-------- .../jenkins/wrapper/cred/UserCredentials.java | 37 ++++++++++++------- 6 files changed, 46 insertions(+), 33 deletions(-) create mode 100644 .changes/1.1.1.md diff --git a/.changes/1.1.1.md b/.changes/1.1.1.md new file mode 100644 index 0000000..e98be83 --- /dev/null +++ b/.changes/1.1.1.md @@ -0,0 +1,4 @@ +## 1.1.1 - 2024-11-22 +### 🐛 Bug Fix + +- Enhanced plugin to support creating credentials in specific Jenkins folders. \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index b3319cb..972eee8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html), and is generated by [Changie](https://github.com/miniscruff/changie). +## 1.1.1 - 2024-11-22 +### 🐛 Bug Fix + +- Enhanced plugin to support creating credentials in specific Jenkins folders. ## 1.1.0 - 2024-10-07 ### 🐛 Bug Fix diff --git a/Taskfile.yml b/Taskfile.yml index 2711cea..476a61c 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -18,7 +18,7 @@ tasks: bump: desc: bump the version using changie cmds: - - changie batch 1.1.0 + - changie batch 1.1.1 - changie merge - git add .changes/* - git add CHANGELOG.md diff --git a/pom.xml b/pom.xml index 026ce30..11d2db8 100644 --- a/pom.xml +++ b/pom.xml @@ -9,7 +9,7 @@ io.jenkins.plugins thycotic-secret-server - 1.1.0 + 1.1.1 hpi diff --git a/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java b/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java index bb76f14..f6b1028 100644 --- a/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java +++ b/src/main/java/com/delinea/secrets/jenkins/global/cred/SecretServerCredentials.java @@ -6,8 +6,6 @@ import javax.annotation.Nullable; import javax.servlet.ServletException; -import org.acegisecurity.context.SecurityContext; -import org.acegisecurity.context.SecurityContextHolder; import org.apache.commons.lang.StringUtils; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; @@ -50,7 +48,7 @@ public class SecretServerCredentials extends UsernamePasswordCredentialsImpl imp * @param secretId - The ID of the secret stored in the Secret Server. */ @DataBoundConstructor - public SecretServerCredentials(CredentialsScope scope, String id, String description, String vaultUrl, + public SecretServerCredentials(final CredentialsScope scope, final String id, final String description, String vaultUrl, String credentialId, String secretId) { super(scope, id, description, null, null); this.vaultUrl = vaultUrl; @@ -93,17 +91,16 @@ public Secret getPassword() { } @Nullable - private Item getContextItem() { - // Retrieve the nearest item in the current request context - if (Stapler.getCurrentRequest() != null) { - Item contextItem = Stapler.getCurrentRequest().findAncestorObject(Item.class); - if (contextItem != null) { - return contextItem; - } - } - // Return null to signify global scope as fallback - return null; - } + private Item getContextItem() { + // Retrieve the nearest item in the current request context + if (Stapler.getCurrentRequest() != null) { + Item contextItem = Stapler.getCurrentRequest().findAncestorObject(Item.class); + if (contextItem != null) { + return contextItem; + } + } + return null; + } /** * Fetches the credentials (username and password) from the Secret Server only @@ -147,14 +144,13 @@ public String getDisplayName() { */ @POST public ListBoxModel doFillCredentialIdItems(@AncestorInPath final Item owner) { - // Check permissions for the current user if ((owner == null && !Jenkins.get().hasPermission(CredentialsProvider.CREATE)) || (owner != null && !owner.hasPermission(CredentialsProvider.CREATE))) { - return new StandardListBoxModel(); // Return an empty model if permissions are missing + return new StandardListBoxModel(); } return new StandardListBoxModel() .includeEmptyValue() - .includeAs(ACL.SYSTEM, owner, UserCredentials.class); // Only include UserCredentials type + .includeAs(ACL.SYSTEM, owner, UserCredentials.class); } /** diff --git a/src/main/java/com/delinea/secrets/jenkins/wrapper/cred/UserCredentials.java b/src/main/java/com/delinea/secrets/jenkins/wrapper/cred/UserCredentials.java index 24b9af7..21f867f 100644 --- a/src/main/java/com/delinea/secrets/jenkins/wrapper/cred/UserCredentials.java +++ b/src/main/java/com/delinea/secrets/jenkins/wrapper/cred/UserCredentials.java @@ -5,6 +5,8 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; +import org.kohsuke.stapler.DataBoundConstructor; + import com.cloudbees.plugins.credentials.CredentialsMatchers; import com.cloudbees.plugins.credentials.CredentialsProvider; import com.cloudbees.plugins.credentials.CredentialsScope; @@ -12,10 +14,9 @@ import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl; import com.cloudbees.plugins.credentials.matchers.IdMatcher; -import org.kohsuke.stapler.DataBoundConstructor; - import hudson.Extension; import hudson.model.Item; +import hudson.model.ItemGroup; import hudson.security.ACL; import jenkins.model.Jenkins; @@ -29,18 +30,26 @@ public class UserCredentials extends UsernamePasswordCredentialsImpl implements * @param item the optional item (context) * @return the credentials or {@code null} if no matching credentials exist */ - public static UserCredentials get(@Nonnull final String credentialId, @Nullable final Item item) { - if(Jenkins.get().hasPermission(CredentialsProvider.VIEW)) - { - return CredentialsMatchers.firstOrNull( - CredentialsProvider.lookupCredentials(UserCredentials.class, item, ACL.SYSTEM, Collections.emptyList()), - new IdMatcher(credentialId)); - } - else - { - return null; - } - } + public static UserCredentials get(@Nonnull final String credentialId, @Nullable final Item item) { + if (item != null) { + // If we're inside a folder (item is non-null), check for the read permission at + // the folder level. + if (item.hasPermission(Item.READ)) { + return CredentialsProvider + .lookupCredentials(UserCredentials.class, item, ACL.SYSTEM, Collections.emptyList()).stream() + .filter(cred -> cred.getId().equals(credentialId)).findFirst().orElse(null); + } + } else { + // If there's no item (global context), check for global permission to view + // credentials. + if (Jenkins.get().hasPermission(CredentialsProvider.VIEW)) { + return CredentialsMatchers.firstOrNull(CredentialsProvider.lookupCredentials(UserCredentials.class, + (ItemGroup) null, ACL.SYSTEM, Collections.emptyList()), new IdMatcher(credentialId)); + } + } + + return null; + } @DataBoundConstructor public UserCredentials(final CredentialsScope scope, final String id, final String description,