JENKINS-41348# BlueOcean specific CredentialsProvider

[vivek]

Provides User store/scoped credentials by using appropriate properties
on OrganizationFolder.

Description

BlueOcean credentials provider is a proxy to credentials stored in user store.

This is how it works:

• When an OrganizationFolder is created, we attach authenticated user's user Id and credential Id of the credential in authenticated user's store with USER scope.
• Later, when job runs, it asks BlueOceanCredentialsProvider to give credentialId for the OrganizationFolder created in previous step, it looks for these properties and returns right Credentials object by looking in to user's store.
• A github OrganizationFolder configuration page on classic lists the BlueOcean Provider credential

Changes to credential creation for git pipeline flow (for @cliffmeyers)

curl -v -XPOST -u admin:admin -H ‘content-type: application/json’ http://localhost:8080/jenkins/blue/rest/organizations/jenkins/credentials/user/

{
  "credentials" : {
    "privateKeySource" : {
      "privateKey" : "abcabc1212",
      "stapler-class" : "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource"
    },
    "passphrase" : "ssh2",
    "scope" : "USER",
    "domain" : "blueocean-git-domain",
    "description" : "ssh2 desc",
    "$class" : "com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey",
    "username" : "ssh2"
  }
}

There are three changes:

• POST URL is changed to /jenkins/blue/rest/organizations/jenkins/credentials/user/
• domain element in request body: for git use case its recommended UI passes domain name, for example 'blueocean-git-domain'. If its not supplied this credential will be created in default domain 'blueocean-domain'.
  See JENKINS-41348.
• scope element in request body should be set to USER.

Submitter checklist

• Link to JIRA ticket in description, if appropriate.
• Change is code complete and matches issue description
• Appropriate unit or acceptance tests or explanation to why this change has no tests
• Reviewer's manual test instructions provided in PR description. See Reviewer's first task below.
• Ran Acceptance Test Harness against PR changes.

Reviewer checklist

• Run the changes and verified the change matches the issue description
• Reviewed the code
• Verified that the appropriate tests have been written or valid explanation given

@reviewbybees

[i386]

Gosh you're fast :)

[vivek]

@stephenc PTAL, specially at BlueOceanCredentialsProvider.java

[vivek]

@i386 its been bothering me, better to get it out of the way sooner than later:) We also need similar approach for git ssh keys - these are stored in system store. Will chat with @cliffmeyers tomorrow to get it wrapped with this PR.

[stephenc]

Mostly OK as is, but i'd prefer if there were some changes.

[stephenc]

Not an optional extension.

[stephenc]

You may need to specify an ordinal to ensure your priority is ahead of the standard stores

[vivek]

ack.

[stephenc]

🐜 I18N this in a Messages resource bundle

[vivek]

yeah APIs have i18N missing, maybe good time to get started on it.

[stephenc]

🐜 please use a Blue Ocean specific icon

[vivek]

Hmm, I thought this is stock folder credential one and can be used for other CredentialsProvider extension. This is anyway read-only credential provider and is a proxy really. Not sure we really need an icon created for it. @i386?

[stephenc]

The stock icon is for the "stock" FolderCredentialsProvider from the folders plugin. You need your own so that a user/admin sees that the credentials are coming from this proxy/gateway provider

[vivek]

Or if there is way to display name of 'store' in that table, strangely it shows name of the folder? In the image below, top item is added by blueocean and the next is by folder credential provider.
cc:@i386

[stephenc]

Collections.singletonList(Domain.global())

[vivek]

@stephenc Why global? The credentials it exposes are in user scope.

[stephenc]

actually what I see now is that you want something different, you want

Collections.singletonList(/*domain for "blueocean-github-domain"*/)

The domain is about matching the URL the credentials are requested for against the URLs that the credentials are allowed to be used against.

Scope is a different cross-cutting requirement

[vivek]

I see. So it's more for routing to this proxy. I will give it a try.

[stephenc]

may need to tweak this, but ok for now

[stephenc]

Do need to tweak this, as this is a read only domain we want to always return false for the Credentials/CREATE, Credentials/DELETE, Credentials/MANAGE_DOMAIN and Credentials/UPDATE permissions

[vivek]

Agreed.

[stephenc]

Actually you are CredentailsScope.GLOBAL if we are to be strictly correct... this may require changes in the credentials API to allow you to "clone" a credential while changing it's scope

[vivek]

This provider is proxy exposing credentials from USER scope, for this reason I exposed it with USER scope. Exposing them with GLOBAL scope sounds incorrect to me.

[stephenc]

Because you are not using the authorise project plugin, the authentication will be ACL.SYSTEM so you want the scope GLOBAL as that allows the credential to be used by jobs running as SYSTEM or jobs running as an authentication with the USE_ITEM permission (limited to jobs in the org folder)

[vivek]

@stephenc It seems to be working how it is, but I will change it to GLOBAL. All I am making sure is that its not less secure and these credentials do not get outside of the scope of the org folder they are attached to. Which I think is not the case.

[stephenc]

I am now wondering if perhaps we shouldn't be more explicit and just target the credential stores scoped to the user and bypass the general lookupCredentials, e.g.

for (CredentialStore store: CredentialsProvider.lookupStores(user)) {
  // if store has credentials with id, return credential
}
// return empty list;

as matching based on scope here is ringing some alarm bells

[vivek]

I can give it try, but I saw other places your concern about using USER scope as not a good idea. I guess I need to understand why this is not a good idea - this provider is really a locked down provider very specific to keys generated by blueocean in user store with USER scope.

[stephenc]

Missing a test that the credential gets resolved, see this for inspiration but I do not thing you need to go quite so far as to actually trigger a build. I think you could get away with seeing if the credential can be looked up as SYSTEM using the standard credentials API when you add your property and if you remove the property the credential goes missing again, even though the credential is in "bob"'s user store

[vivek]

Ok, will add a test.

[stephenc]

This is a bad smell, should not need to match based on scope

[vivek]

Why is that? I want to keep it strict and if there is GitHub access key based credentials it better come from USER scope or we reject it.

[stephenc]

Still think this is a bad smell. Given that this credentials provider has very specific needs, I suspect we actually want to be directly checking the credential stores for the User and not bothering with the scope check at all

[vivek]

@stephenc Given I am going to be scanning in context of domain in user store, that is blueocean generated credentials are going to be created in user store in specific domain and searched accordingly, dropping USER scope is fine.

[stephenc]

@vivek said:

We also need similar approach for git ssh keys - these are stored in system store. Will chat with @cliffmeyers tomorrow to get it wrapped with this PR.

If you need to handle ssh keys also then actually the BlueOceanCredentialsProvider will have to expose up to two credential ids rather than the single id I initially pseudo-coded

[stephenc]

Sounds like you now need this to be a Collection<String> (probably a Set) rather than a single value

[vivek]

@stephenc jenkins organization folder is either going to be setup by blueocean either using ssh credential(BasicSSHUserPrivateKey) or GitHub accesskey based credential (StandardUsernamePassword), not both. So why a collection?

[stephenc]

Well if doing checkout with ssh keys you will need both the api credentials for scan/index and the ssh key for checkout

[vivek]

You don't necessarily need both. I can do MBP job creation only using my ssh key. https://gist.github.com/vivek/7a200b9cd6d645a78402b0ce5b1e56a8.

Our UI flow,

• For Git case, we let user create either api key or ssh keys. In case of git, its ssh, or access key (username/password) but not both.
• For GitHub, no ssh key, only GitHub accessKey.

[stephenc]

It's looking good and definitely a better approach than stuffing the credentials into the global store, just some polish recommended before merging

[vivek]

@stephenc applied your suggested changes, tests, i18n etc. except the one related to avoiding USER scope as I think this provider should continue doing it - more strict version of checks. If its a bad idea I want to know why.

The other one was keeping an array of credential id - the thing is it's always going to be one credential attached to the org folder (GitHub/BitBucket) or multi-branch pipeline(git).

[vivek]

@cliffmeyers git specific credential creation in user store and git pipeline creation with user store keys implementation is completed. PTAL. In general for this ticket, all cases have been covered.

[stephenc]

Looking a lot better, but I think there are some things you will want to improve before merging

[stephenc]

You probably will need some additional checks here, such as:

• Did the system admin disable the per-user credentials store?

• Did the system admin disable this Blue Ocean User Credentials Proxy/Gateway credential store

• Did the system admin block storage of the credential type we need to store in the user credentials store

Probably not a blocker for merging this, but rather something you will need to be aware of and decide what you want to do about it and how to behave if the system admin has made configuration choices about credentials storage that prevent the blue ocean pipeline functionality from working

[vivek]

Good point. I will open another ticket to get it addressed properly as it may need some UX change.

[stephenc]

Safer to use StringUtils.isNotBlank(scmConfig.getCredentialId())

[stephenc]

Or String credentialId = StringUtils.defaultString(scmConfig.getCredentialId())

[stephenc]

repeat of my comment w.r.t. the GitPipelineCreateRequest authorization check

[stephenc]

Will the getUri() return the GitHub Enterprise URL if the user is creating a pipeline against GHE?

[vivek]

Yes.

[stephenc]

actually what I see now is that you want something different, you want

Collections.singletonList(/*domain for "blueocean-github-domain"*/)

The domain is about matching the URL the credentials are requested for against the URLs that the credentials are allowed to be used against.

Scope is a different cross-cutting requirement

[stephenc]

Do need to tweak this, as this is a read only domain we want to always return false for the Credentials/CREATE, Credentials/DELETE, Credentials/MANAGE_DOMAIN and Credentials/UPDATE permissions

[stephenc]

if (domain == /*domain for "blueocean-github-domain"*/) {
    return BlueOceanCredentialsProvider.getCredentials(Credentials.class, abstractFolder);
}
return Collections.emptyList();

[vivek]

@stephenc blueocean allowes credentials to be stored in different domain. For example GitHub credentials could be stored in different domain than git credentials.

[stephenc]

this is a different domain name from that used elsewhere

[vivek]

@stephenc thats right, the way its is currently, GitHub credentials are stored in 'github-domain' got for git keys, UI/client can create credentials in domain of their choice. 'blueocean-domain' is default domain where they get saved. Is this problem?

[stephenc]

• Need a field to store the domain name(s) that this / these credentials are exposed through
• Need a field to store either the DomainSpecification or the URI (and instantiate the domain specification on demand)... my preference is to store the DomainSpecification

You also need to solve for the case of GitHub / BitBucket where there is the possibility of both scan credentials and checkout credentials... where you need the two different credentials, to further complicate matters the domain specifications for these will be different, e.g. the SSH key will need to match both the ssh and git protocols while the API token used for scanning will need to match http and https

[vivek]

@stephenc

(I think you meant DomainRequirement not DomainSpecification)

On further thought, this is not going to really work as the domain created is only once per user and its treated as storage of different credentials. I am going to skip enforcing domain specification checks. As long as domain in the user's store matches, we use it to access SCM.

[vivek]

@stephenc I think I have got everything landed here. Last items DomainRequirement/DomainSpecification has been added. It also goes over user credential store with correct impersonation. PTAL so that we can proceed further.

BlueOcean store specific icon is another item but it should not block this PR.

[stephenc]

BlueOcean store specific icon is another item but it should not block this PR.

That's why I gave it an 🐜 (which is more a niggle than a bug) :-D

Will take a look later today

[stephenc]

I really need to write the credentials plugin user / implementer and consumer guides

[stephenc]

ugh... methods start with lowercase character

[stephenc]

unnecessary boolean

[stephenc]

Missing a test where there is a credential with the same ID in the system store, verifying that your proxy store is a higher ordinal and hence will get asked first

[stephenc]

you ACKed but did nothing in this method

[stephenc]

and in fact you kind of got the idea backwards where you applied it in getCredentials ....

The DomainSpecification should be in the property so that you can only return the credential for usage against the GitHub server.

1. User enters https://github.com/jenkinsci/blueocean-plugin as SCM URL
2. doFillScanCredentialsItems creates a domain requirements from that URL and asks for all appropriate credentials
3. Your provider gets asked for credentials... you need to apply your property's DomainSpecification to see if this matches the domain that you are exposing the user's credentials as
4. Ok, so that matches, now we go and check the user store for credentials with ID (from property) and in a domain matching the DomainRequirement of the BlueOceanProxyDomainRequirement

You have done 4, you still need 3 or the users credentials will leak further than intended

[stephenc]

+1

[stephenc]

FYI by returning NEGATIVE we prevent the credential from being visible to the user until they are searching with the BlueOceanDomainRequirement. In other words, BlueOceanDomainRequirement is MUST HAVE.

If you want the user to be able to use the credential in other contexts without the context being aware of your requirement then you may want to return UNKNOWN.

[stephenc]

Redundant test IIUC

[stephenc]

Probably should be PARTIAL

[stephenc]

You are aware of https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/URIRequirementBuilder.java

[vivek]

@stephenc I think I have all in place. Give a bee if it all looks good, once its in place I can ask Cliff to give it a try before calling it done:)

• proxy specific domain (with DomainSepcification creating using uri) attached to folder property.
• test case added to pick correct BO specific key and not from system. some other test enhancements.

[stephenc]

is this needed any more? AFAIK you can just store everything in a domain called blue-ocean-proxy

[vivek]

better to keep these id's in their own domain, for example GitHub enterprise is in it's own domain so is consistent that way.

[stephenc]

I cannot see from the diff, but are you mixing the github enterprise hostname with the id in case the user has more than one GHE server (e.g. a test and prod server)

[vivek]

Missed, that let me add that one.

[stephenc]

I think this is a bug, you should be testing against your BlueOceanDomainRequirement not DomainRequirement

[vivek]

yes it is, good catch.

[stephenc]

does addProperty handle duplicates correctly?

[vivek]

good point, will add validation of this.

[vivek]

No duplicate test needed, this code creates a new org folder and is add property right after creation.

[stephenc]

If there are any other issues they can be handled as bugs after merging

[vivek]

@stephenc the one issue we should open is handling case where admin turns off access to user credential provider or disables storing credentials in these providers. and another one is BO provider icon.

[cliffmeyers]

@vivek testing this on my end looks good. Proper access tokens appear to be used during both org scanning and branch scanning, and I've avoided any rate limit exceptions at least for the modest orgs I've been testing with. :) 🐝