  1. Jenkins
  2. JENKINS-26051

Workflow integration for Credentials Binding

Details

    Description

      A replacement for SecretBuildWrapper that is a Step (with invokeBodyLater) rather than a BuildWrapper, probably returning the binding(s) in a map.

      Means some API changes to Binding. bind must take a FilePath workspace (and maybe Run run) rather than AbstractBuild build. And Environment must be declared Serializable, since unbind may be called in another session.

          Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick added a comment -

            A SimpleBuildWrapper might be an easier implementation route.

            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue depends on JENKINS-24673 [ JENKINS-24673 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-23468 [ JENKINS-23468 ]
            jglick Jesse Glick added a comment -

            Not to be confused with credentials support in a Step or a compatible SCM or SimpleBuildStep implementation: this is about not just picking a credentialsId to pass on to another Step, but using the secrets held in the Credentials directly in some other way, such as in sh.

            Current workaround is to define a credentials parameter for the flow, giving it a default value. This means that Build Now is replaced with Build with Parameters, even though you do not need to actually do anything except confirm, which is unfortunate. (Scheduled builds should still run fine.)

            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-26299 [ JENKINS-26299 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-26099 [ JENKINS-26099 ]
            jglick Jesse Glick made changes -
            Status: Open [ 1 ] -> In Progress [ 3 ]
            jglick Jesse Glick added a comment -

            There are several possible designs here:

            1. Use SimpleBuildWrapper, in some future LTS. No workflow dep from credentials-binding, which is nice, but will be months before it is available. Syntax would be a bit clunky due to use of step. Values are exposed only as environment variables, which is fine if they are being interpreted from external processes, but requires env.VARIABLE syntax if needed from Groovy code.
              step([$class: 'SecretBuildWrapper', bindings: [[$class: 'StringBinding', variable: 'SECRET', credentialsId: 'mysecret']]]) {
                sh 'echo $SECRET'
                writeFile file: 'secret.txt', text: env.SECRET
              }
              
            2. Have a Step which takes a List<MultiBinding> and sets EnvVars overrides. Again potentially awkward if you need the secrets from Groovy code as opposed to being picked up directly by an external process.
              withCredentials([[$class: 'StringBinding', variable: 'SECRET', credentialsId: 'mysecret']]) {
                sh 'echo $SECRET'
                writeFile file: 'secret.txt', text: env.SECRET
              }
              
            3. Have a Step which takes a List<MultiBinding> and returns the resulting Map<String,String> bindings, for use as you like. Unclear how this would work, since the step return value is not available from its body, and the SPI does not support passing local variables to a body.
              withCredentials(localVar: 'secrets', bindings: [[$class: 'StringBinding', variable: 'secret', credentialsId: 'mysecret']]) {
                sh "echo ${secrets.secret}"
                writeFile file: 'secret.txt', text: secrets.secret
              }
              
            4. Have a Step which takes some other binding-like interface which has not yet been created, but which does not require the variable names to be specified. Again would require steps to be able to bind local variables. Unclear how to support multi-variable bindings like username/password.
              withCredentials(localVar: 'secret', binding: [$class: 'NoVarStringBinding', credentialsId: 'mysecret']) {
                sh "echo ${secret}"
                writeFile file: 'secret.txt', text: secret
              }
              

            Currently going with #2 as this seems most practical.

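Design #2 in use, as an added example that is not part of the original comment or the plugin's own code: a scripted Pipeline that binds a string secret and a username/password pair, consumes them from an external process and from Groovy, and shows that the overrides end with the block. The credentials id deploy-user, the host example.invalid and the file names are constructed for illustration; both credentials are assumed to exist in the Jenkins credentials store.

```groovy
node {
    withCredentials([
        // Single-variable binding, as in the comment above.
        [$class: 'StringBinding', variable: 'SECRET', credentialsId: 'mysecret'],
        // Multi-variable binding: one credentials id sets two environment variables.
        // 'deploy-user' is a constructed id.
        [$class: 'UsernamePasswordMultiBinding', credentialsId: 'deploy-user',
         usernameVariable: 'DEPLOY_USER', passwordVariable: 'DEPLOY_PASS']
    ]) {
        try {
            // External process: the Groovy string is single-quoted, so Groovy passes
            // the text through unchanged and the shell expands the variables from
            // the environment the step set up.
            sh '''
                umask 077
                test -n "$SECRET"
                printf 'machine example.invalid login %s password %s\\n' \
                    "$DEPLOY_USER" "$DEPLOY_PASS" > netrc.tmp
            '''

            // Groovy code: the value is reachable only through env.VARIABLE.
            writeFile file: 'secret.txt', text: env.SECRET

            // Contrast, left commented out: a double-quoted string is interpolated
            // by Groovy first, so the secret becomes part of the script text that
            // is handed to the shell instead of staying in the environment.
            // sh "echo ${env.SECRET}"
        } finally {
            // Remove the files that hold secret material even if a step failed.
            sh 'rm -f netrc.tmp secret.txt'
        }
    }

    // The environment overrides are scoped to the withCredentials block.
    echo "SECRET visible after the block: ${env.SECRET != null}"
}
```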

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/credentialsbinding/Binding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/MultiBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/SecretBuildWrapper.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/StringBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordMultiBinding.java
            src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/config.jelly
            src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help-bindings.html
            src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html
            http://jenkins-ci.org/commit/credentials-binding-plugin/f23dd15d1098d1d2873f6f8c1c97a9cee82c9c53
            Log:
            JENKINS-26051 First draft of withCredentials step.

            jglick Jesse Glick made changes -
            Remote Link This issue links to "PR 3 (Web Link)" [ 12010 ]
            jglick Jesse Glick made changes -
            Link This issue depends on JENKINS-26137 [ JENKINS-26137 ]

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/707c1d82c1efa0c42e8daff6d487196c2c6dacbd
            Log:
            Trying to test JENKINS-26051 across restarts but blocked by JENKINS-26137.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
            support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/serialization/RiverWriter.java
            http://jenkins-ci.org/commit/workflow-plugin/3d3fa348ed9c34e4492b2733802bc47416824e30
            Log:
            JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
            Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
            Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
            Also need to wait for the build to finish (JENKINS-26399).

            jglick Jesse Glick made changes -
            Summary: Workflow integration -> Workflow integration for Credentials Binding

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/credentialsbinding/Binding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/MultiBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/FileBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/SecretBuildWrapper.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/StringBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordBinding.java
            src/main/java/org/jenkinsci/plugins/credentialsbinding/impl/UsernamePasswordMultiBinding.java
            src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/config.jelly
            src/main/resources/org/jenkinsci/plugins/credentialsbinding/impl/BindingStep/help.html
            src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/BindingStepTest.java
            http://jenkins-ci.org/commit/credentials-binding-plugin/15908dbe49b8184ba327b3d480ac10ba2a09e6b4
            Log:
            Merge pull request #3 from jenkinsci/workflow-JENKINS-26051

            [FIXED JENKINS-26051] withCredentials step

            Compare: https://github.com/jenkinsci/credentials-binding-plugin/compare/91e5d8e1a9af...15908dbe49b8

            jglick Jesse Glick made changes -
            Resolution Fixed [ 1 ]
            Status: In Progress [ 3 ] -> Resolved [ 5 ]

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            COMPATIBILITY.md
            http://jenkins-ci.org/commit/workflow-plugin/5a9ae5b6704a95e548db86333ebccbbaceba56f3
            Log:
            JENKINS-26051 Noting.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            support/src/main/java/org/jenkinsci/plugins/workflow/support/pickles/serialization/RiverWriter.java
            http://jenkins-ci.org/commit/workflow-support-plugin/18ad074331b663f565633bf4fa8523ac68dc1a69
            Log:
            JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
            Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
            Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
            Also need to wait for the build to finish (JENKINS-26399).
            Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
            http://jenkins-ci.org/commit/workflow-basic-steps-plugin/85812e78a3ab6c837b59002082e30bdc16294688
            Log:
            JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
            Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
            Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
            Also need to wait for the build to finish (JENKINS-26399).
            Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
            http://jenkins-ci.org/commit/workflow-scm-step-plugin/7583bf18eda2968bebc10024b52aee00a3614149
            Log:
            JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
            Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
            Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
            Also need to wait for the build to finish (JENKINS-26399).
            Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
            http://jenkins-ci.org/commit/workflow-cps-plugin/89c28b4fca0eb81cf369ff699f7a4d801fc83e83
            Log:
            JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
            Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
            Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
            Also need to wait for the build to finish (JENKINS-26399).
            Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            aggregator/src/test/java/org/jenkinsci/plugins/workflow/steps/PushdStepTest.java
            http://jenkins-ci.org/commit/workflow-multibranch-plugin/fe863c4a5ba855d65cd68588a71e5293f0bdf641
            Log:
            JENKINS-26137 At least during restarting tests, serialization errors seem to be due to there being no PickleFactory’s installed.
            Merely calling PickleFactory.all() from the RiverWriter constructor, rather than later, seems to let PushdStepTest.restarting pass (JENKINS-26051).
            Additionally asserting that there are in fact some factories loaded, since there is sure to be trouble if there are not.
            Also need to wait for the build to finish (JENKINS-26399).
            Originally-Committed-As: 3d3fa348ed9c34e4492b2733802bc47416824e30

            rtyler R. Tyler Croy made changes -
            Workflow: JNJira [ 160041 ] -> JNJira + In-Review [ 196291 ]
            abayer Andrew Bayer made changes -
            Labels: api workflow -> api pipeline workflow
            abayer Andrew Bayer made changes -
            Labels: api pipeline workflow -> api pipeline

            People

              jglick Jesse Glick