[JENKINS-46103] Properly restrict which expressions can be passed to credentials(...) in Declarative - Jenkins Jira

XML

Word

Printable

Details

Type: Improvement
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Component/s: pipeline-model-definition-plugin
Labels:
- declarative-variable-and-method-resolution

Similar Issues:

Show
Epic Link:
Variables
Sprint:
Declarative - 1.2

Description

Right now, we allow ConstantExpression or GStringExpression as the parameters to an internal function call (i.e., to credentials(...), but that's a little wonky, because you can actually sneak anything you want into the GStringExpression, i.e., "${someMethodCall(...)}" is legal. Now, locking down the GStringExpression contents is a different matter that I'll deal with some day. Probably. But for now, the question is what else should be allowed as a parameter to credentials(...) - there's probably a valid argument for non-block-scoped steps or functions and variables, so perhaps we should add VariableExpression and method calls with the same rules limiting their parameters as credentials(...) itself.

Needs more thinking. But soon.

Attachments

Issue Links

relates to

JENKINS-42753 Generate runtime model directly from AST model

Closed

Activity

Ascending order - Click to sort in descending order

R. Tyler Croy added a comment - 2017-08-09 19:51

Here is an example in Scripted Pipeline which I think should be supported in Declarative for a custom credential type.

R. Tyler Croy added a comment - 2017-08-09 19:51 Here is an example in Scripted Pipeline which I think should be supported in Declarative for a custom credential type.

R. Tyler Croy added a comment - 2017-08-09 20:05

Here's a bit more thorough of an example:

pipeline {
    agent any
    stages {
        stage('Derp') {
            environment {
                AZ = azureServicePrincipal('service-principle')
            }
            steps {
                echo "principal is: ${AZ} (type: ${AZ.class.toString()})"
                echo "AZURE_CLIENT_ID should be in the env, but is: ${env.AZURE_CLIENT_ID}"
            }
        }
    }
}

Which, when run, emits:

Started by user admin
[Pipeline] node
Running on master in /var/jenkins_home/workspace/az
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Derp)
[Pipeline] withEnv
[Pipeline] {
[Pipeline] echo
principal is: @azureServicePrincipal(<anonymous>=service-principle) (type: class java.lang.String)
[Pipeline] echo
AZURE_CLIENT_ID should be in the env, but is: null
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

R. Tyler Croy added a comment - 2017-08-09 20:05 Here's a bit more thorough of an example: pipeline { agent any stages { stage( 'Derp' ) { environment { AZ = azureServicePrincipal( 'service-principle' ) } steps { echo "principal is: ${AZ} (type: ${AZ. class. toString()})" echo "AZURE_CLIENT_ID should be in the env, but is: ${env.AZURE_CLIENT_ID}" } } } } Which, when run, emits: Started by user admin [Pipeline] node Running on master in / var /jenkins_home/workspace/az [Pipeline] { [Pipeline] stage [Pipeline] { (Derp) [Pipeline] withEnv [Pipeline] { [Pipeline] echo principal is: @azureServicePrincipal(<anonymous>=service-principle) (type: class java.lang. String ) [Pipeline] echo AZURE_CLIENT_ID should be in the env, but is: null [Pipeline] } [Pipeline] // withEnv [Pipeline] } [Pipeline] // stage [Pipeline] } [Pipeline] // node [Pipeline] End of Pipeline Finished: SUCCESS

Andrew Bayer added a comment - 2017-08-09 20:29

Did you mean credentials(azureServicePrincipal('service-principle'))?

Andrew Bayer added a comment - 2017-08-09 20:29 Did you mean credentials(azureServicePrincipal('service-principle')) ?

R. Tyler Croy added a comment - 2017-08-09 20:39

abayer, I don't think so

WorkflowScript: 6: Internal function call parameters must be strings. @ line 6, column 26.
                   UNUSED = credentials(azureServicePrincipal('service-principle'))

R. Tyler Croy added a comment - 2017-08-09 20:39 abayer , I don't think so WorkflowScript: 6: Internal function call parameters must be strings. @ line 6, column 26. UNUSED = credentials(azureServicePrincipal( 'service-principle' ))

Andrew Bayer added a comment - 2017-08-09 20:59

Ooookay. Then I have no idea what azureServicePrincipal('service-principle') is supposed to be doing?

Andrew Bayer added a comment - 2017-08-09 20:59 Ooookay. Then I have no idea what azureServicePrincipal('service-principle') is supposed to be doing?

Andrew Bayer added a comment - 2017-08-09 21:03

ah, it's https://github.com/jenkinsci/azure-credentials-plugin/blob/dev/src/main/java/com/microsoft/azure/util/AzureCredentialsBinding.java? Support for MultiBinding subclasses is in https://github.com/jenkinsci/pipeline-model-definition-plugin/blob/master/pipeline-model-definition/src/main/java/org/jenkinsci/plugins/pipeline/modeldefinition/model/CredentialsBindingHandler.java - I think they'd have to add an extension of org.jenkinsci.plugins.pipeline.modeldefinition.model.CredentialsBindingHandler to their plugin for it to work here.

Andrew Bayer added a comment - 2017-08-09 21:03 ah, it's https://github.com/jenkinsci/azure-credentials-plugin/blob/dev/src/main/java/com/microsoft/azure/util/AzureCredentialsBinding.java? Support for MultiBinding subclasses is in https://github.com/jenkinsci/pipeline-model-definition-plugin/blob/master/pipeline-model-definition/src/main/java/org/jenkinsci/plugins/pipeline/modeldefinition/model/CredentialsBindingHandler.java - I think they'd have to add an extension of org.jenkinsci.plugins.pipeline.modeldefinition.model.CredentialsBindingHandler to their plugin for it to work here.

Andrew Bayer added a comment - 2017-08-09 21:03

cc rsandell, who wrote the CredentialsBindingHandler stuff and understands it better than I do.

Andrew Bayer added a comment - 2017-08-09 21:03 cc rsandell , who wrote the CredentialsBindingHandler stuff and understands it better than I do.

People

Assignee:: Unassigned

Reporter:: Andrew Bayer

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2017-08-09 19:48

Updated:: 2020-04-07 15:12