Skip to content

Commit

Permalink
fix https://issues.jenkins-ci.org/browse/SECURITY-1625
Browse files Browse the repository at this point in the history
  • Loading branch information
@cashlalala
cashlalala committed May 25, 2020
1 parent 85fdcbf commit 2902ef5
Show file tree
Hide file tree
Showing 5 changed files with 19 additions and 12 deletions.
5 changes: 3 additions & 2 deletions src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/Auth.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import hudson.util.Secret;

/**
* We need to keep this for compatibility - old config deserialization!
Expand Down Expand Up @@ -161,7 +162,7 @@ public static Auth auth2ToAuth(Auth2 auth) {
return new Auth(Auth.NONE, null, null, null);
} else if (auth instanceof TokenAuth) {
TokenAuth tokenAuth = (TokenAuth) auth;
return new Auth(Auth.API_TOKEN, tokenAuth.getUserName(), tokenAuth.getApiToken(), null);
return new Auth(Auth.API_TOKEN, tokenAuth.getUserName(), tokenAuth.getApiToken().getPlainText(), null);
} else if (auth instanceof CredentialsAuth) {
CredentialsAuth credAuth = (CredentialsAuth) auth;
try {
Expand Down Expand Up @@ -189,7 +190,7 @@ public static Auth2 authToAuth2(Auth oldAuth) {
} else if (Auth.API_TOKEN.equals(authType)) {
TokenAuth newAuth = new TokenAuth();
newAuth.setUserName(oldAuth.getUsername());
newAuth.setApiToken(oldAuth.getApiToken());
newAuth.setApiToken(Secret.fromString(oldAuth.getApiToken()));
return newAuth;
} else if (Auth.CREDENTIALS_PLUGIN.equals(authType)) {
CredentialsAuth newAuth = new CredentialsAuth();
Expand Down
9 changes: 5 additions & 4 deletions src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/TokenAuth.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@

import hudson.Extension;
import hudson.model.Item;
import hudson.util.Secret;

public class TokenAuth extends Auth2 {

Expand All @@ -22,7 +23,7 @@ public class TokenAuth extends Auth2 {
public static final Auth2Descriptor DESCRIPTOR = new TokenAuthDescriptor();

private String userName;
private String apiToken;
private Secret apiToken;

@DataBoundConstructor
public TokenAuth() {
Expand All @@ -40,17 +41,17 @@ public String getUserName() {
}

@DataBoundSetter
public void setApiToken(String apiToken) {
public void setApiToken(Secret apiToken) {
this.apiToken = apiToken;
}

public String getApiToken() {
public Secret getApiToken() {
return this.apiToken;
}

@Override
public void setAuthorizationHeader(URLConnection connection, BuildContext context) throws IOException {
String authHeaderValue = Base64Utils.generateAuthorizationHeaderValue(AUTHTYPE_BASIC, getUserName(), getApiToken(), context, true);
String authHeaderValue = Base64Utils.generateAuthorizationHeaderValue(AUTHTYPE_BASIC, getUserName(), getApiToken().getPlainText(), context, true);
connection.setRequestProperty("Authorization", authHeaderValue);
}

Expand Down
3 changes: 2 additions & 1 deletion ...t/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteBuildConfigurationTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
import hudson.security.AuthorizationStrategy.Unsecured;
import hudson.security.csrf.DefaultCrumbIssuer;
import hudson.util.LogTaskListener;
import hudson.util.Secret;
import jenkins.model.Jenkins;

public class RemoteBuildConfigurationTest {
Expand Down Expand Up @@ -132,7 +133,7 @@ private void _testRemoteBuild(boolean authenticate, boolean withParam, FreeStyle
if(authenticate) {
TokenAuth tokenAuth = new TokenAuth();
tokenAuth.setUserName(testUser.getId());
tokenAuth.setApiToken(testUserToken);
tokenAuth.setApiToken(Secret.fromString(testUserToken));
configuration.setAuth2(tokenAuth);
}

Expand Down
8 changes: 5 additions & 3 deletions src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteJenkinsServerTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@
import org.jenkinsci.plugins.ParameterizedRemoteTrigger.auth2.TokenAuth;
import org.junit.Test;

import hudson.util.Secret;


public class RemoteJenkinsServerTest {

Expand All @@ -22,7 +24,7 @@ public class RemoteJenkinsServerTest {
@Test
public void testCloneBehaviour() throws Exception {
TokenAuth auth = new TokenAuth();
auth.setApiToken(TOKEN);
auth.setApiToken(Secret.fromString(TOKEN));
auth.setUserName(USER);

RemoteJenkinsServer server = new RemoteJenkinsServer();
Expand Down Expand Up @@ -55,11 +57,11 @@ public void testCloneBehaviour() throws Exception {
//Test if clone is deep-copy or if server fields can be modified
TokenAuth cloneAuth = (TokenAuth)clone.getAuth2();
assertNotNull(cloneAuth);
cloneAuth.setApiToken("changed");
cloneAuth.setApiToken(Secret.fromString("changed"));
cloneAuth.setUserName("changed");
TokenAuth serverAuth = (TokenAuth)server.getAuth2();
assertNotNull(serverAuth);
assertEquals("auth.apiToken", TOKEN, serverAuth.getApiToken());
assertEquals("auth.apiToken", TOKEN, serverAuth.getApiToken().getPlainText());
assertEquals("auth.userName", USER, serverAuth.getUserName());

//Test if clone.setAuth() affects original object
Expand Down
6 changes: 4 additions & 2 deletions src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/Auth2Test.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@

import org.junit.Test;

import hudson.util.Secret;

public class Auth2Test {

@Test
Expand Down Expand Up @@ -40,13 +42,13 @@ public void testCredentialsAuthCloneBehaviour() throws CloneNotSupportedExceptio
@Test
public void testTokenAuthCloneBehaviour() throws CloneNotSupportedException {
TokenAuth original = new TokenAuth();
original.setApiToken("original");
original.setApiToken(Secret.fromString("original"));
original.setUserName("original");
TokenAuth clone = (TokenAuth)original.clone();
verifyEqualsHashCode(original, clone);

//Test changing clone
clone.setApiToken("changed");
clone.setApiToken(Secret.fromString("changed"));
clone.setUserName("changed");
verifyEqualsHashCode(original, clone, false);
assertEquals("original", original.getApiToken());
Expand Down

0 comments on commit 2902ef5

Please # to comment.