Fix folder credential usage #541
Conversation
|
|
||
| public StandardSlackService(String baseUrl, String teamDomain, String authTokenCredentialId, boolean botUser, String roomId) { | ||
| this(baseUrl, teamDomain, null, authTokenCredentialId, botUser, roomId, false); | ||
| public StandardSlackService(String baseUrl, String teamDomain, String authTokenCredentialId, boolean botUser, String roomId, Item item) { |
There was a problem hiding this comment.
- We can't modify existing constructors as this is part of the public API unless we are sure they aren't in use, normally you would deprecate first
- I don't think we should be passing the Item down to this level, I haven't looked closely enough at the API but I would like to see a new constructor that passes a token that is guaranteed to be not null.
The legacy constructors will still need to be able to find a credential but that will be deprecated and removed at a later date
There was a problem hiding this comment.
Hopefully I addressed the 2 issues. I deprecated the other constructors, but maybe it's too early for that?
| public class CredentialsObtainer { | ||
|
|
||
| public static StringCredentials lookupCredentials(String credentialId, Item item) { | ||
| List<StringCredentials> credentials = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(StringCredentials.class, item, ACL.SYSTEM, Collections.emptyList()); |
There was a problem hiding this comment.
Please import, 187 characters hurts readability 😄
| @@ -428,7 +430,14 @@ public SlackService newSlackService(AbstractBuild r, BuildListener listener) { | |||
| authToken = env.expand(authToken); | |||
| authTokenCredentialId = env.expand(authTokenCredentialId); | |||
| room = env.expand(room); | |||
| return new StandardSlackService(baseUrl, teamDomain, authToken, authTokenCredentialId, botUser, room, false, r.getProject()); | |||
| final String populatedToken = CredentialsObtainer.getTokenToUse(authTokenCredentialId, r.getProject(), authToken); | |||
There was a problem hiding this comment.
r.getParent() is more correct but alas this is an AbstractBuild why is this named r 😭
Would you mind renaming the variable?
| @@ -45,41 +45,70 @@ | |||
| private String host = "slack.com"; | |||
| private String baseUrl; | |||
| private String teamDomain; | |||
| private String token; | |||
| private String authTokenCredentialId; | |||
| private String token = null; | |||
There was a problem hiding this comment.
Removed all useless null initializations.
| if (credentials != null) { | ||
| response = credentials.getSecret().getPlainText(); | ||
| } else { | ||
| response = token; |
There was a problem hiding this comment.
can this throw an exception if token is null please?
We get lots of issues falling through to the bottom because token and credential are both null
same on line 29
There was a problem hiding this comment.
All code paths on StandardSlackService should now throw an IllegalArgumentException if token is null.
| if (populatedToken != null) { | ||
| return new StandardSlackService(baseUrl, teamDomain, botUser, room, false, populatedToken); | ||
| } else { | ||
| logger.log(Level.INFO, "No explicit token specified and could not obtain credentials for id: " + authTokenCredentialId); |
There was a problem hiding this comment.
this should throw an exception depending, or at least log a message to the build log as well
It shouldn't return a slack service as its not configured correctly
There was a problem hiding this comment.
Since now getTokenToUse throws an exception (as requested in another comment) this code is now unreachable so I'm removing it.
There was a problem hiding this comment.
... however, this will cause current misconfigured jobs to crash on notification calls, is that desirable? Should I surround the calls to slackFactory (which ends up calling this) with try catch blocks?
There was a problem hiding this comment.
Yes given that the existing code does this we should keep doing it for now.
|
|
||
| logger.fine("Using Integration Token."); |
There was a problem hiding this comment.
this doesn't throw an exception if its not found,
Could this be moved to the legacy constructors instead?
and add the throwing of the exception?
| final String populatedToken = CredentialsObtainer.getTokenToUse(tokenCredentialId, item, token); | ||
| if (populatedToken == null) { | ||
| listener.error(Messages | ||
| .NotificationFailedWithException(new IllegalArgumentException("the token with the provided ID could not be found and no token was specified"))); |
There was a problem hiding this comment.
| .NotificationFailedWithException(new IllegalArgumentException("the token with the provided ID could not be found and no token was specified"))); | |
| .NotificationFailedWithException(new IllegalArgumentException(String.format("The credential with ID %s could not be found and no token was specified", tokenCredentialId)))); |
| this.botUser = botUser; | ||
| this.roomIds = roomId.split("[,; ]+"); | ||
| this.replyBroadcast = replyBroadcast; | ||
| } | ||
|
|
||
|
|
| /** | ||
| * @deprecated use {@link #StandardSlackService(String, String, boolean, String, boolean, String)} instead} | ||
| */ | ||
| @Deprecated |
There was a problem hiding this comment.
I'll check this when I test the code out, but can you make sure that none of these constructors are called anymore internally to the codebase?
There was a problem hiding this comment.
just had a look, StandardSlackServiceTest are using the old constructors, could you update that please?
and any other places
There was a problem hiding this comment.
They're only used from tests. I'll adapt them.
Update IllegalArgumentException message Co-Authored-By: sirstrahd <sirstrahd@gmail.com>
| StringCredentials credentials = lookupCredentials(authTokenCredentialId); | ||
| private String getTokenToUse(String authTokenCredentialId, String token) { | ||
| if (!StringUtils.isEmpty(authTokenCredentialId)) { | ||
| StringCredentials credentials = CredentialsObtainer.lookupCredentials(authTokenCredentialId, null); |
There was a problem hiding this comment.
can this have an overloaded method please so we don't have to pass null around?
| StringCredentials credentials = CredentialsObtainer.lookupCredentials(authTokenCredentialId, null); | |
| StringCredentials credentials = CredentialsObtainer.lookupCredentials(authTokenCredentialId); |
| @@ -59,6 +64,7 @@ | |||
| private boolean replyBroadcast; | |||
|
|
|||
|
|
|||
|
|
|||
| else { | ||
| jsonString = JsonOutput.toJson(step.attachments); | ||
| } | ||
| final String jsonString; |
There was a problem hiding this comment.
what changed in this block? tabs to spaces or something? can't tell from github
There was a problem hiding this comment.
it seems something got merged into master that had a mix of tabs and spaces and my IDE "fixed" it...
|
Just done some testing, Pipeline syntax can't find credentials in a folder currently The project is null here: |
|
I've pushed a commit to fix it |
|
Fwiw, whatever you did here resulted in totally unhelpful debugging. The global config UI has a nice test button, and that apparently is happy w/ system scoped credentials, but the pipeline editor ui isn't happy w/ system scoped credentials. This, amongst other things, resulted in significant confusion and pain when debugging. |
|
Unfortunately that's how jenkins works =/ Edit: I guess you can probably check the scope in the validate function |
This allows for folder credentials to be used, additionally to the current global ones. Tested it with both freestyle and pipeline (workflow) jobs, as well as the freestyle configuration dialog.
Should address #500 .