-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support scoping of credentials to lists of ItemGroups #93
Conversation
@@ -62,6 +66,8 @@ public abstract class SecretUtils { | |||
|
|||
static final String JENKINS_IO_CREDENTIALS_SCOPE_LABEL = "jenkins.io/credentials-scope"; | |||
|
|||
/** Optional annotation containing a list of job folders this credential is available to */ | |||
static final String JENKINS_IO_CREDENTIALS_ITEM_GROUP_ANNOTATION = "jenkins.io/credentials-item-group"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
open for discussion on a better annotation name
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
naming is hard :)
jenkins.io/credentials-store-location
(s
) ?
FYI: @jtnord @danielwegener |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about the UI/UX? Would this not show credentials as avaialble at the root which are not actually available (as they are only available in a specific folder)?
Additionally the docs should describe how to use the feature.
.../cloudbees/jenkins/plugins/kubernetes_credentials_provider/KubernetesCredentialProvider.java
Outdated
Show resolved
Hide resolved
.../cloudbees/jenkins/plugins/kubernetes_credentials_provider/KubernetesCredentialProvider.java
Outdated
Show resolved
Hide resolved
...om/cloudbees/jenkins/plugins/kubernetes_credentials_provider/KubernetesCredentialsStore.java
Show resolved
Hide resolved
// Only the global domain is supported | ||
if (Domain.global().equals(domain) && Jenkins.getInstance().hasPermission(CredentialsProvider.VIEW)) | ||
return provider.getCredentials(Credentials.class, Jenkins.getInstance(), ACL.SYSTEM); | ||
if(Jenkins.getInstance().hasPermission(CredentialsProvider.VIEW)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the Access check should be scoped to the context. if you have CredentialsProvider.View on a folder (but not Jenkins itself) you should be able to view credentials assigned to that folder
Additionally I beleive we still only support a global domain?
if(Jenkins.getInstance().hasPermission(CredentialsProvider.VIEW)) { | |
// Only the global domain is supported | |
if (Domain.global().equals(domain)) { | |
// walk the parent until we get the AccessControlled object | |
AccessControlled ac = null; | |
ItemGroup ig = context; | |
while (ac == null) { | |
if (ig instanceOf AccessControlled) { | |
ac = (AccessControlled)ig; | |
} else { | |
ig = ((Item) ig).getParent(); | |
} | |
} | |
if (ac.hasPermission(CredentialsProvider.VIEW) { | |
return provider.getCredentials(Credentials.class, context, ACL.SYSTEM); | |
} | |
return Collections.emptyList(); | |
} |
src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/SecretUtils.java
Outdated
Show resolved
Hide resolved
src/main/java/com/cloudbees/jenkins/plugins/kubernetes_credentials_provider/SecretUtils.java
Outdated
Show resolved
Hide resolved
.../cloudbees/jenkins/plugins/kubernetes_credentials_provider/KubernetesCredentialProvider.java
Outdated
Show resolved
Hide resolved
6fe7df8
to
28fb140
Compare
3191b6e
to
3a776a5
Compare
@jtnord any more feedback? |
I think it looks ok, but I want to find some time to fully check for any security related implications, I may not be able to get around to that until next week. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lines 43 to 47 in 3a776a5
@Override | |
public boolean hasPermission(@NonNull Authentication authentication, @NonNull Permission permission) { | |
return CredentialsProvider.VIEW.equals(permission) && | |
Jenkins.getInstance().getACL().hasPermission(authentication, permission); | |
} |
Lines 57 to 70 in 3a776a5
AccessControlled ac = null; | |
ItemGroup<?> ig = context; | |
while (ac == null) { | |
if (ig instanceof AccessControlled) { | |
ac = (AccessControlled)ig; | |
} else if(ig instanceof Item){ | |
ig = ((Item) ig).getParent(); | |
} else { | |
break; | |
} | |
} | |
if (ac == null || ac.hasPermission(CredentialsProvider.VIEW)) { | |
return provider.getCredentials(Credentials.class, context, ACL.SYSTEM); | |
} |
AccessControlled
be null
c2f8dc3
to
7de9f66
Compare
many thanks @schiasileon |
This comment was marked as off-topic.
This comment was marked as off-topic.
please use https://www.jenkins.io/participate/connect/#join-our-chats-and-forums |
It looks like this PR is produces credential leakage of Previous version 1.258.v95949f923a_a_e of the plugin is not affected. |
This supersedes #40.
Linked issues:
https://issues.jenkins.io/browse/JENKINS-63416
https://issues.jenkins.io/browse/JENKINS-53105
This PR introduces folder-scoping of credentials by adding the
jenkins.io/credentials-item-group
annotation. Credentials will then only be available to the specified ItemGroup/Folder/Job + children.Improvements to #40 :
["/job/thisIsJobA/", "/job/thisIsJobB/job/nestedJob/"]
allowing for all paths to be parsed to list