[JENKINS-57570] - Add support for JCasC using SecretBytes #48
Conversation
There was a problem hiding this comment.
Sorry but I couldn’t do a good review as I’m not a maintainer of this plugin and don’t know much about JCaaC.
I added some comments about general Jenkins issues and coding styles.
This is hard to review as I can’t see changes from #19 . I highly recommend you to create another review to see changes from #19.
| @@ -110,6 +110,7 @@ | |||
| <format>html</format> | |||
| <format>xml</format> | |||
| </formats> | |||
| <check/> | |||
There was a problem hiding this comment.
looks an inconsistent indentation.
There was a problem hiding this comment.
I wouldn't worry too much about formatting nits in this PR. We're about to make the code formatting automatic across all GCP supported plugins.
pom.xml
Outdated
| <dependency> | ||
| <groupId>org.jenkins-ci.plugins</groupId> | ||
| <artifactId>plain-credentials</artifactId> | ||
| <version>1.5</version> |
There was a problem hiding this comment.
Yes, this is required to be able to configure the credentials, at least during the CasC tests. I will see if I can restrict the scope to tests as well without breaking manual configuration with the Google Robot Private Key credentials
There was a problem hiding this comment.
It sounds like a bug of JCasC.
It’s strange that plugins require dependencies that aren’t necessary for plugin features.
Please consider to file a Jira ticket for JCasC.
There was a problem hiding this comment.
These dependencies are needed because JCasC does not do plugin installation.
You should scope these dependencies as either optional or test.
That should be handled by Jenkins Core or inside the POM.
See https://issues.jenkins-ci.org/browse/JENKINS-53767
JCasC uses GitHub issues.
There was a problem hiding this comment.
Should not be needed if the credential plugin had direct JCasC support
There was a problem hiding this comment.
I discovered that I was able to scope to tests by also marking optional as true. This is so that hpi does not include it, like this example from the parent plugin pom here.
The reason is that the hpi plugin includes test dependencies by default: https://jenkinsci.github.io/maven-hpi-plugin/run-mojo.html#dependencyResolution
pom.xml
Outdated
| <dependency> | ||
| <groupId>org.jenkins-ci.plugins</groupId> | ||
| <artifactId>ssh-credentials</artifactId> | ||
| <version>1.13</version> |
There was a problem hiding this comment.
This is not strictly necessary but when I run mvn hpi:run without this the configuration as code support plugin fails to load and leaves an error in the terminal. I don't know why that happens as everything CasC specific should remain scoped to testing. I'll see what I can do to suppress that warning without including this.
There was a problem hiding this comment.
These dependencies are needed because JCasC does not do plugin installation.
You should scope these dependencies as either optional or test.
That should be handled by Jenkins Core or inside the POM.
See https://issues.jenkins-ci.org/browse/JENKINS-53767
There was a problem hiding this comment.
this shouldn't be needed anymore on latest JCasc
| if (jsonKeyFile != null && jsonKeyFile.getSize() > 0) { | ||
| try { | ||
| JsonKey jsonKey = JsonKey.load(new JacksonFactory(), | ||
| jsonKeyFile.getInputStream()); | ||
| jsonKeyFile.getInputStream()); |
There was a problem hiding this comment.
I recommend you to use indentations in the same way as original codes.
src/main/java/com/google/jenkins/plugins/credentials/oauth/JsonServiceAccountConfig.java
Outdated
Show resolved
Hide resolved
src/main/java/com/google/jenkins/plugins/credentials/oauth/JsonServiceAccountConfig.java
Outdated
Show resolved
Hide resolved
src/main/java/com/google/jenkins/plugins/credentials/oauth/P12ServiceAccountConfig.java
Outdated
Show resolved
Hide resolved
|
If you look at the changes tab you should be able to select only the commits I added for review. |
| "type": "service_account", | ||
| "project_id": "jenkins-g-oauth-plugin", | ||
| "private_key_id": "b5bde820c66ffc456deeeca6c7a36b70f937f053", | ||
| "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCkQqPYbTVxB8Hw\nNSpfIJ5k+8B5Y5Ly5jW+hirOXwSOjJ38Baw1qQPADWc2U6GkKhZmyQscAJgIvFVW\nvfNrDDQgKolVr4GGf09m9vYlusnCPqFksL8L/qd92wi0sYMs5dNtm/OfW2zat1fD\nIXtCm9zglkwZKhln3p01E3HB3x1IDtZoZsIqxm+ImXsvFwADMt8uTB1Hq1n4YuFm\nFu2Um8CPHr59eV7REAEQc948AciYXGeIJTxUrWLXLJqk5zZgktZmWoShMW3UKl/k\nP8vNoQOsuR6sJ/gcld7EHScQtU22+FNrFEuE6RHO8nwjN+QqNjh0MR7DQxZoHMAw\n1IE83usxAgMBAAECggEAA2TA9pGibrDbHRocfRDJeo5E2dhe+SlDKT0waqk5IoC0\nEPiLiCP5paJvp4ZNcu/8XKUdt2qDBmQtf0bA0SbhHhyCEAAZuC4BzyxkcoXA3kqo\n6JgDtgaNwcDp/A5L5qkWLjl2rF9JMpDiek/Jfuge/wQjGctLCtOx/wTLsmNCCAkf\nTVJh9JjFH59stPJG8j4yjx0L+EKdwQyTKTahXrRm4rccjDwhvA7T7RSqmbjhDu2+\nX9ljP0Uch/udLYGEt+SnpcVJuJTJ+ivmG8zvKX5YPndC6hfY13eMXxtRMYuYQOuf\nA0rnnhDLMQPh5fg2eaXRNI7N4sNLmgYsp/mGWsftmQKBgQDn7rnlEBncJHJWRJB/\nlUZ5toGDE4nO+N9kkje2K2Zlyn5gwOmnakaFyVTbCjzSwyatOTxWyAsqVLLb8dXQ\n59m+A3YZ3QYNYggN8WgkHnt1EWB56EbEUFX0XaWccYBC+4G37V44FXeblVzLQIfF\n+uiJMqp2hsYEmgsn35jzyWVXWQKBgQC1TjSfUa4ZQs0AuTy0A55Mpmk1l4ZK4Ddx\n/vfQMbTnrReVZ7C/nSvoDy48hMzEmMbuMiivk7jnkFvx7M6LiNPhEqqoJ5Y5mBca\nNvnnN4TckuJdAtknygBogGGs13ypt1KaA4FetMT4IWqsoFI+g6Z7a+7pxnHHdmjb\nGk5J8juPmQKBgDd3Tvup2xVbngBli00HrQAElnp7XLSjrgEGOs6VGHr1bz3CRN6l\nutHZ8TIlA6C/zOsWSgjS9GCeOtwAvMql99vKRh8vTXg73oM/HVGt/IZlrnXZB7uB\nHt0+3BFKz4q1TTNoT+UHtT/++18cQpwlQiE1fbC00HxfPpW9kn2Sx2qZAoGAVays\nDzEw3P0FFLdz6PjgwAXPJ6T/r7g+Wx8KCZbDjsrrnw1Np25lBhbOWYjDno83Se3n\n7fgXY02DNVIa1DMHNI92l1mFkpe9KwUZmFpS7Ux3rU4gQb4h7T/laCC35xca8G6B\nnrg7b6mS2Bo2YxYhAKejUVMWBxR8PjUzE5xk6tkCgYB9ZqRD0cyCIphOdzAM9l1P\nDIZtesjraXDKZEiWJJq0yOE5qCnqF0pAVFSZF3pVJ0gnurzjm5tPx6xRS8qjbu1X\n2dux06e7uBQ1qVddP9buf3LmDDTDcVcBYs4dATAy+D8bpdNgnQgx0koo0bKNQSr6\npSpvb/7PiYTR7Lqmjn3RxA==\n-----END PRIVATE KEY-----\n", |
There was a problem hiding this comment.
Note: this key file and the p12 key are well formed but not usable for authentication
There was a problem hiding this comment.
However, after seeing your comment on the compute engine plugin I'll switch to using mocks here
| @@ -53,36 +63,109 @@ | |||
| private static final long serialVersionUID = 6818111194672325387L; | |||
| private static final Logger LOGGER = | |||
| Logger.getLogger(JsonServiceAccountConfig.class.getSimpleName()); | |||
| private String jsonKeyFile; | |||
| @CheckForNull | |||
There was a problem hiding this comment.
We'll want to migrate away from using FindBugs as it's no longer maintained. I've created a new issue for this, could you please add a TODO here referencing it: #49
There was a problem hiding this comment.
Additionally, this class duplicates much of the data/logic contained in this class: https://github.com/googleapis/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
I've created a new issue tracking de-duplication work with google-auth-library-java project, could you please add a TODO here referencing it: #50
There was a problem hiding this comment.
You can update the parent pom to get SpotBugs for free 😄
No need to switch annotation since SpotBugs have un-deprecated the FindBugs once
There was a problem hiding this comment.
src/main/java/com/google/jenkins/plugins/credentials/oauth/JsonServiceAccountConfig.java
Outdated
Show resolved
Hide resolved
| } | ||
| } | ||
|
|
||
| /**@param jsonKeyFileUpload uploaded json key file */ |
There was a problem hiding this comment.
This Javadoc header is improperly formatted and is missing a method description. Additionally capitalization and punctuation need correcting.
There was a problem hiding this comment.
I think for the most part getters and setters are self documenting and the parameter description clears up what is being set. I'm struggling to come up with a description to add here that is both not redundant and not exposing unnecessary details about the implementation. What are your thoughts?
| if (filename == null && prevJsonKeyFile != null) { | ||
| this.filename = extractFilename(prevJsonKeyFile); | ||
| this.secretJsonKey = getSecretBytesFromFile(prevJsonKeyFile); | ||
| } |
There was a problem hiding this comment.
What is the behavior if filename and secretJsonKey are still null at this point? Is it worth logging this case and/or throwing an exception for this case?
There was a problem hiding this comment.
If both are still null, then they would first see a log message from the call to setUploadJsonKeyFile. With both null, the credentials created wouldn't be usable so I think at the very least adding a log message here makes sense. I've purposefully avoided using exceptions in the databound setters to avoid the demon jenkins page, but for this constructor it may make sense to throw an exception instead because it is not called directly in the UI.
src/main/java/com/google/jenkins/plugins/credentials/oauth/JsonServiceAccountConfig.java
Outdated
Show resolved
Hide resolved
src/test/resources/com/google/jenkins/plugins/credentials/oauth/test-key.json
Outdated
Show resolved
Hide resolved
| File jsonKeyFile = KeyUtils.createKeyFile("key", ".json"); | ||
| KeyUtils.writeKeyToFileEncoded(jsonKey.toPrettyString(), jsonKeyFile); | ||
| return jsonKeyFile.getAbsolutePath(); | ||
| /** @param filename The json key file name. */ |
There was a problem hiding this comment.
s/json/JSON here and throughout.
| } catch (IOException ignored) { | ||
| } | ||
| } | ||
| return jsonKey; | ||
| } | ||
|
|
||
| /** | ||
| * descriptor for .json service account authentication | ||
| * Descriptor for .json service account authentication. |
| * provides authentication mechanism for a service account by setting a service | ||
| * account email address and .p12 private key file | ||
| * Provides authentication mechanism for a service account by setting a service | ||
| * account email address and .p12 private key file. |
… this is based on master and not develop.
…C tests as optional so that they are not included when using hpi to package or run.
…witching to the version that uses spotbugs instead of findbugs is required to use CasC.
…zation and punctuation in javadoc.
stephenashank
force-pushed
the
feature/jenkinscasc
branch
from
8af72c1 to
db6e79f
Compare
stephenashank
changed the title
* Use DataboundSetter throughout except for final field emailAddress for p12 keys. * Update dependencies required for using JCasC plugin in tests. * Remove unneeded imports. * Add test to verify Configuration as Code behavior, along with associated resources. * Temporarily use old format for license header for checkStyle, because this is based on master and not develop. * Preserve backwards compatibility of json keys. * Preverse compatibility of P12 keys. * Avoid using real keys in any form during JCasC tests. * Address checkstyle failures. * Fix indentation misalignment. Mark dependencies only required for CasC tests as optional so that they are not included when using hpi to package or run. * Remove findbugs dependency. Uses spotbugs from the parent pom since switching to the version that uses spotbugs instead of findbugs is required to use CasC. * Add eof new line to test-key.json * Add missing javadoc on JsonServiceAccountConfig. Use correct capitalization and punctuation in javadoc. * Add TODO tracking issue jenkinsci#50 for deduplication. * Fix secret bytes to account for newline in file. * Incorporate PR feedback. * Fix typos in yml comments.
* Use DataboundSetter throughout except for final field emailAddress for p12 keys. * Update dependencies required for using JCasC plugin in tests. * Remove unneeded imports. * Add test to verify Configuration as Code behavior, along with associated resources. * Temporarily use old format for license header for checkStyle, because this is based on master and not develop. * Preserve backwards compatibility of json keys. * Preverse compatibility of P12 keys. * Avoid using real keys in any form during JCasC tests. * Address checkstyle failures. * Fix indentation misalignment. Mark dependencies only required for CasC tests as optional so that they are not included when using hpi to package or run. * Remove findbugs dependency. Uses spotbugs from the parent pom since switching to the version that uses spotbugs instead of findbugs is required to use CasC. * Add eof new line to test-key.json * Add missing javadoc on JsonServiceAccountConfig. Use correct capitalization and punctuation in javadoc. * Add TODO tracking issue #50 for deduplication. * Fix secret bytes to account for newline in file. * Incorporate PR feedback. * Fix typos in yml comments.
| </dependency> | ||
| <dependency> | ||
| <groupId>io.jenkins.configuration-as-code</groupId> | ||
| <artifactId>configuration-as-code-support</artifactId> |
There was a problem hiding this comment.
Hopefully, you can get rid of this one soon:
jenkinsci/configuration-as-code-plugin#862
jenkinsci/configuration-as-code-plugin#863
oleg-nenashev
changed the title
|
Created https://issues.jenkins-ci.org/browse/JENKINS-57570 so that it gets displayed properly on the dashboard |
I am pulling this out separately before putting my changes on top of #19, this is a separate branch. The reason that the commits from the earlier PR include me is because I first rebased onto master, but I plan to merge the changes there first before merging my additional changes.
I've converted most fields to be set through @DataboundSetters, with the exception of emailAddress from the P12 config because it is final.
I had to rename jsonKeyFile/p12KeyFile (the String field) to prevJsonKeyFile/prevP12KeyFile, and use getters and setters for jsonKeyFile (the FileItem that is used in the UI). Stapler will only call the @DataboundSetter if there is a corresponding accessor with the correct type.
Given the amount that needed to be updated in terms of dependencies, I think this might warrant a major version increase, interesed in feedback on that.