Properly restrict which expressions can be passed to credentials(...) in Declarative

    • Declarative - 1.2

      Right now, we allow ConstantExpression or GStringExpression as the parameters to an internal function call (i.e., to credentials(...)), but that's a little wonky, because you can actually sneak anything you want into the GStringExpression, i.e., "${someMethodCall(...)}" is legal. Now, locking down the GStringExpression contents is a different matter that I'll deal with some day. Probably. But for now, the question is what else should be allowed as a parameter to credentials(...) - there's probably a valid argument for non-block-scoped steps or functions and variables, so perhaps we should add VariableExpression and method calls with the same rules limiting their parameters as credentials(...) itself.

      Needs more thinking. But soon.
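      An added example (an editor's illustration, not code from the pipeline-model-definition plugin or from anyone on this issue) of the distinction the description draws: a check that only asks "is it a ConstantExpression or a GStringExpression?" versus one that walks the Groovy syntax tree and allow-lists node types, so that a "${...}" can no longer carry an arbitrary call. It uses Groovy's own AstBuilder at the CONVERSION phase to parse sample right-hand sides. The method names, the sample strings, and the specific policy (env./params. property lookups and unqualified calls with allow-listed arguments are accepted, everything else is rejected) are assumptions made for this example, not the plugin's actual rules.

```groovy
// Added example: contrast the instanceof check described in the issue with a structural
// allow-list over the Groovy AST. Names, policy and samples are constructed for illustration;
// this is not the pipeline-model-definition plugin's own validation code.
import org.codehaus.groovy.ast.ASTNode
import org.codehaus.groovy.ast.builder.AstBuilder
import org.codehaus.groovy.ast.expr.ArgumentListExpression
import org.codehaus.groovy.ast.expr.ConstantExpression
import org.codehaus.groovy.ast.expr.Expression
import org.codehaus.groovy.ast.expr.GStringExpression
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.PropertyExpression
import org.codehaus.groovy.ast.expr.VariableExpression
import org.codehaus.groovy.ast.stmt.BlockStatement
import org.codehaus.groovy.ast.stmt.ExpressionStatement
import org.codehaus.groovy.control.CompilePhase

// Parse a single expression (a right-hand side such as `credentials('x')`) at the
// CONVERSION phase, i.e. the raw syntax tree before any transforms or class resolution.
Expression parseExpression(String source) {
    List<ASTNode> nodes = new AstBuilder().buildFromString(CompilePhase.CONVERSION, true, source)
    BlockStatement block = (BlockStatement) nodes[0]
    return ((ExpressionStatement) block.statements[0]).expression
}

// The rule the description says is in place today: a constant or any GString is accepted.
// It never looks inside the GString, so "${anything()}" gets through.
boolean naiveArgAllowed(Expression e) {
    return e instanceof ConstantExpression || e instanceof GStringExpression
}

// Structural allow-list (assumed policy for this example):
//  - string constants and plain variable references are fine;
//  - a GString is fine only if every embedded ${...} value is itself fine;
//  - property lookups are limited to env.X / params.X, because any other property
//    access (Jenkins.instance, foo.text, ...) is a getter call that can run code;
//  - method calls must be unqualified (implicit `this`, i.e. a step-like call such as
//    azureServicePrincipal(...)) and their own arguments must pass the same test.
boolean strictArgAllowed(Expression e) {
    if (e instanceof ConstantExpression || e instanceof VariableExpression) return true
    if (e instanceof GStringExpression) {
        return e.values.every { Expression v -> strictArgAllowed(v) }
    }
    if (e instanceof PropertyExpression) {
        return e.objectExpression instanceof VariableExpression &&
               e.objectExpression.name in ['env', 'params'] &&
               e.propertyAsString != null
    }
    if (e instanceof MethodCallExpression) {
        Expression args = e.arguments
        return e.implicitThis &&
               args instanceof ArgumentListExpression &&
               args.expressions.every { Expression a -> strictArgAllowed(a) }
    }
    return false   // closures, constructor calls, binary expressions, etc.
}

// Pull the first argument out of a credentials(...) call and run both checks on it.
Map checkCredentialsCall(String source) {
    MethodCallExpression call = (MethodCallExpression) parseExpression(source)
    assert call.methodAsString == 'credentials'
    Expression arg = ((ArgumentListExpression) call.arguments).expressions[0]
    return [source: source, node: arg.class.simpleName,
            naive: naiveArgAllowed(arg), strict: strictArgAllowed(arg)]
}

// Constructed sample right-hand sides as they might appear in an environment { } block.
def samples = [
    "credentials('my-secret')",                                 // constant id
    'credentials("${env.BRANCH_NAME}-deploy-key")',             // GString with an env lookup
    'credentials("${\'id\'.execute().text}")',                  // GString smuggling a process exec
    "credentials(azureServicePrincipal('service-principle'))"   // nested unqualified call
]

samples.each { String src ->
    Map r = checkCredentialsCall(src)
    println "${r.node.padRight(22)} naive=${r.naive}  strict=${r.strict}  ${r.source}"
}
```

      Run it with a plain `groovy` invocation. The instanceof check accepts the third sample because its outer node is a GStringExpression, even though the embedded value executes a process, and rejects the fourth because a MethodCallExpression is neither a constant nor a GString (which is the "Internal function call parameters must be strings" error quoted later in this thread). The structural check does the opposite for both: it descends into the GString and refuses the `.execute()` chain, and it accepts the nested unqualified call because its only argument is a constant. Nothing is evaluated at any point; the decision is made on the syntax tree alone.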

          R. Tyler Croy added a comment -

          Here is an example in Scripted Pipeline which I think should be supported in Declarative for a custom credential type.

          R. Tyler Croy added a comment -

          Here's a bit more thorough of an example:

          pipeline {
              agent any
              stages {
                  stage('Derp') {
                      environment {
                          AZ = azureServicePrincipal('service-principle')
                      }
                      steps {
                          echo "principal is: ${AZ} (type: ${AZ.class.toString()})"
                          echo "AZURE_CLIENT_ID should be in the env, but is: ${env.AZURE_CLIENT_ID}"
                      }
                  }
              }
          }
          

          Which, when run, emits:

          Started by user admin
          [Pipeline] node
          Running on master in /var/jenkins_home/workspace/az
          [Pipeline] {
          [Pipeline] stage
          [Pipeline] { (Derp)
          [Pipeline] withEnv
          [Pipeline] {
          [Pipeline] echo
          principal is: @azureServicePrincipal(<anonymous>=service-principle) (type: class java.lang.String)
          [Pipeline] echo
          AZURE_CLIENT_ID should be in the env, but is: null
          [Pipeline] }
          [Pipeline] // withEnv
          [Pipeline] }
          [Pipeline] // stage
          [Pipeline] }
          [Pipeline] // node
          [Pipeline] End of Pipeline
          Finished: SUCCESS
          

          Andrew Bayer added a comment -

          Did you mean credentials(azureServicePrincipal('service-principle'))?

          R. Tyler Croy added a comment -

          abayer, I don't think so

          WorkflowScript: 6: Internal function call parameters must be strings. @ line 6, column 26.
                             UNUSED = credentials(azureServicePrincipal('service-principle'))
          

          Andrew Bayer added a comment -

          Ooookay. Then I have no idea what azureServicePrincipal('service-principle') is supposed to be doing?

          Andrew Bayer added a comment -

          ah, it's https://github.com/jenkinsci/azure-credentials-plugin/blob/dev/src/main/java/com/microsoft/azure/util/AzureCredentialsBinding.java? Support for MultiBinding subclasses is in https://github.com/jenkinsci/pipeline-model-definition-plugin/blob/master/pipeline-model-definition/src/main/java/org/jenkinsci/plugins/pipeline/modeldefinition/model/CredentialsBindingHandler.java - I think they'd have to add an extension of org.jenkinsci.plugins.pipeline.modeldefinition.model.CredentialsBindingHandler to their plugin for it to work here.

          Andrew Bayer added a comment -

          cc rsandell, who wrote the CredentialsBindingHandler stuff and understands it better than I do.

            Assignee: Unassigned
            Reporter: Andrew Bayer (abayer)
            Votes: 1
            Watchers: 5