From 2902ef5ea6eb077f43fd25c880e4920faea4e828 Mon Sep 17 00:00:00 2001 From: cashlalala Date: Mon, 25 May 2020 22:56:42 +0800 Subject: [PATCH] fix https://issues.jenkins-ci.org/browse/SECURITY-1625 --- .../plugins/ParameterizedRemoteTrigger/Auth.java | 5 +++-- .../ParameterizedRemoteTrigger/auth2/TokenAuth.java | 9 +++++---- .../RemoteBuildConfigurationTest.java | 3 ++- .../RemoteJenkinsServerTest.java | 8 +++++--- .../ParameterizedRemoteTrigger/auth2/Auth2Test.java | 6 ++++-- 5 files changed, 19 insertions(+), 12 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/Auth.java b/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/Auth.java index d7ae9ce3..c497ec2e 100644 --- a/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/Auth.java +++ b/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/Auth.java @@ -26,6 +26,7 @@ import hudson.model.Item; import hudson.security.ACL; import hudson.util.ListBoxModel; +import hudson.util.Secret; /** * We need to keep this for compatibility - old config deserialization! @@ -161,7 +162,7 @@ public static Auth auth2ToAuth(Auth2 auth) { return new Auth(Auth.NONE, null, null, null); } else if (auth instanceof TokenAuth) { TokenAuth tokenAuth = (TokenAuth) auth; - return new Auth(Auth.API_TOKEN, tokenAuth.getUserName(), tokenAuth.getApiToken(), null); + return new Auth(Auth.API_TOKEN, tokenAuth.getUserName(), tokenAuth.getApiToken().getPlainText(), null); } else if (auth instanceof CredentialsAuth) { CredentialsAuth credAuth = (CredentialsAuth) auth; try { 
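Review bot: `tokenAuth.getApiToken().getPlainText()` in auth2ToAuth throws a NullPointerException when the TokenAuth carries no token (the no-arg @DataBoundConstructor leaves the field null until setApiToken runs), whereas the old line passed the null through; the null-safe form is `return new Auth(Auth.API_TOKEN, tokenAuth.getUserName(), Secret.toString(tokenAuth.getApiToken()), null);`, which yields an empty string for an unset token. The legacy Auth still receives the decrypted String, which is fine for the compatibility conversion this method exists for, but it means any path that persists an Auth rather than an Auth2 would keep writing the token unencrypted — worth confirming none does. auth2ToAuth continues past the end of the hunk.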
@@ -189,7 +190,7 @@ public static Auth2 authToAuth2(Auth oldAuth) { } else if (Auth.API_TOKEN.equals(authType)) { TokenAuth newAuth = new TokenAuth(); newAuth.setUserName(oldAuth.getUsername()); - newAuth.setApiToken(oldAuth.getApiToken()); + newAuth.setApiToken(Secret.fromString(oldAuth.getApiToken())); return newAuth; } else if (Auth.CREDENTIALS_PLUGIN.equals(authType)) { CredentialsAuth newAuth = new CredentialsAuth(); diff --git a/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/TokenAuth.java b/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/TokenAuth.java index d3d25bf7..1b265af3 100644 --- a/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/TokenAuth.java +++ b/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/TokenAuth.java @@ -13,6 +13,7 @@ import hudson.Extension; import hudson.model.Item; +import hudson.util.Secret; public class TokenAuth extends Auth2 { @@ -22,7 +23,7 @@ public class TokenAuth extends Auth2 { public static final Auth2Descriptor DESCRIPTOR = new TokenAuthDescriptor(); private String userName; - private String apiToken; + private Secret apiToken; @DataBoundConstructor public TokenAuth() { @@ -40,17 +41,17 @@ public String getUserName() { } @DataBoundSetter - public void setApiToken(String apiToken) { + public void setApiToken(Secret apiToken) { this.apiToken = apiToken; } - public String getApiToken() { + public Secret getApiToken() { return this.apiToken; } @Override public void setAuthorizationHeader(URLConnection connection, BuildContext context) throws IOException { - String authHeaderValue = Base64Utils.generateAuthorizationHeaderValue(AUTHTYPE_BASIC, getUserName(), getApiToken(), context, true); + String authHeaderValue = Base64Utils.generateAuthorizationHeaderValue(AUTHTYPE_BASIC, getUserName(), getApiToken().getPlainText(), context, true); connection.setRequestProperty("Authorization", authHeaderValue); } 
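Review bot: `getApiToken().getPlainText()` in setAuthorizationHeader dereferences a null apiToken for a TokenAuth whose token was never set (the no-arg @DataBoundConstructor above leaves the field null), so a missing credential now becomes an NPE at request time; `Secret.toString(getApiToken())` avoids that and keeps the rest of the line unchanged. The diffstat lists no Jelly view, so if config.jelly still binds apiToken with f:textbox the form would render the decrypted value (Secret.toString() returns the plain text) — it should bind through f:password so only the encrypted form reaches the browser; I cannot see the view here. As far as I can tell an existing config.xml holding a plaintext token still loads (Secret.fromString accepts plain text) but stays plaintext on disk until the job is re-saved, which deserves a release note for SECURITY-1625. A short Javadoc on the getter, `/** Encrypted API token; use getPlainText() only at the point of use. */`, would steer future callers away from decrypting early.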
diff --git a/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteBuildConfigurationTest.java b/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteBuildConfigurationTest.java index 9450879f..b4a58975 100644 --- a/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteBuildConfigurationTest.java +++ b/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteBuildConfigurationTest.java @@ -44,6 +44,7 @@ import hudson.security.AuthorizationStrategy.Unsecured; import hudson.security.csrf.DefaultCrumbIssuer; import hudson.util.LogTaskListener; +import hudson.util.Secret; import jenkins.model.Jenkins; public class RemoteBuildConfigurationTest { @@ -132,7 +133,7 @@ private void _testRemoteBuild(boolean authenticate, boolean withParam, FreeStyle if(authenticate) { TokenAuth tokenAuth = new TokenAuth(); tokenAuth.setUserName(testUser.getId()); - tokenAuth.setApiToken(testUserToken); + tokenAuth.setApiToken(Secret.fromString(testUserToken)); configuration.setAuth2(tokenAuth); } diff --git a/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteJenkinsServerTest.java b/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteJenkinsServerTest.java index 9a741577..20d8a0ea 100644 --- a/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteJenkinsServerTest.java +++ b/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteJenkinsServerTest.java @@ -10,6 +10,8 @@ import org.jenkinsci.plugins.ParameterizedRemoteTrigger.auth2.TokenAuth; import org.junit.Test; +import hudson.util.Secret; + public class RemoteJenkinsServerTest { @@ -22,7 +24,7 @@ public class RemoteJenkinsServerTest { @Test public void testCloneBehaviour() throws Exception { TokenAuth auth = new TokenAuth(); - auth.setApiToken(TOKEN); + auth.setApiToken(Secret.fromString(TOKEN)); auth.setUserName(USER); RemoteJenkinsServer server = new RemoteJenkinsServer(); 
@@ -55,11 +57,11 @@ public void testCloneBehaviour() throws Exception { //Test if clone is deep-copy or if server fields can be modified TokenAuth cloneAuth = (TokenAuth)clone.getAuth2(); assertNotNull(cloneAuth); - cloneAuth.setApiToken("changed"); + cloneAuth.setApiToken(Secret.fromString("changed")); cloneAuth.setUserName("changed"); TokenAuth serverAuth = (TokenAuth)server.getAuth2(); assertNotNull(serverAuth); - assertEquals("auth.apiToken", TOKEN, serverAuth.getApiToken()); + assertEquals("auth.apiToken", TOKEN, serverAuth.getApiToken().getPlainText()); assertEquals("auth.userName", USER, serverAuth.getUserName()); //Test if clone.setAuth() affects original object diff --git a/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/Auth2Test.java b/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/Auth2Test.java index 917f5074..c512b444 100644 --- a/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/Auth2Test.java +++ b/src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/Auth2Test.java @@ -7,6 +7,8 @@ import org.junit.Test; +import hudson.util.Secret; + public class Auth2Test { @Test @@ -40,13 +42,13 @@ public void testCredentialsAuthCloneBehaviour() throws CloneNotSupportedExceptio @Test public void testTokenAuthCloneBehaviour() throws CloneNotSupportedException { TokenAuth original = new TokenAuth(); - original.setApiToken("original"); + original.setApiToken(Secret.fromString("original")); original.setUserName("original"); TokenAuth clone = (TokenAuth)original.clone(); verifyEqualsHashCode(original, clone); //Test changing clone - clone.setApiToken("changed"); + clone.setApiToken(Secret.fromString("changed")); clone.setUserName("changed"); verifyEqualsHashCode(original, clone, false); assertEquals("original", original.getApiToken());
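Review bot: `assertEquals("original", original.getApiToken());` on the last line of the Auth2Test hunk is now a String-versus-Secret comparison and will fail, because the getter returns Secret after this change and String.equals never matches a Secret; the sibling assertion in RemoteJenkinsServerTest was updated to use `.getPlainText()`, so this one should read `assertEquals("original", original.getApiToken().getPlainText());`. The diffstat shows only four added lines for Auth2Test, so this does not appear to be fixed elsewhere in the patch. testTokenAuthCloneBehaviour may continue past the end of the hunk.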