From 80d962861d382e2da9536dbeab6b7ca39882f5e3 Mon Sep 17 00:00:00 2001 From: vhajk Date: Thu, 25 Jul 2024 01:24:20 +0200 Subject: [PATCH 1/3] Reworked secret update logic --- .../openshiftsync/CredentialsUtils.java | 159 +++++++++++------- 1 file changed, 96 insertions(+), 63 deletions(-) diff --git a/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java b/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java index 3e68d07ab..8f5fd1792 100644 --- a/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java +++ b/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java @@ -34,6 +34,7 @@ import org.acegisecurity.context.SecurityContext; import org.acegisecurity.context.SecurityContextHolder; import org.apache.commons.lang.StringUtils; +import org.codehaus.groovy.tools.StringHelper; import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl; import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl; 
@@ -183,73 +184,105 @@ public static String upsertCredential(Secret secret) throws IOException { } private static String insertOrUpdateCredentialsFromSecret(Secret secret) throws IOException { - if (secret != null) { - String customSecretName = getSecretCustomName(secret); - ObjectMeta metadata = secret.getMetadata(); - String namespace = metadata.getNamespace(); - String secretName = metadata.getName(); - Credentials creds = secretToCredentials(secret); - if (creds != null) { - // checking with updated secret name if custom name is not null - String id = generateCredentialsName(namespace, secretName, customSecretName); - Credentials existingCreds = lookupCredentials(id); - final SecurityContext previousContext = ACL.impersonate(ACL.SYSTEM); - try { - CredentialsStore creentialsStore = lookupStores(Jenkins.getActiveInstance()).iterator().next(); - String originalId = generateCredentialsName(namespace, secretName, null); - Credentials existingOriginalCreds = lookupCredentials(originalId); - NamespaceName secretNamespaceName = null; - - String secretUid = metadata.getUid(); - if (!originalId.equals(id)) { - boolean hasAddedCredential = creentialsStore.addCredentials(Domain.global(), creds); - if (!hasAddedCredential) { - logger.warning("Setting secret failed for secret with new Id " + id + " from Secret " - + secretNamespaceName + " with revision: " + metadata.getResourceVersion()); - logger.warning("Check if Id " + id + " is not already used."); - } else { - String oldId = UID_TO_SECRET_MAP.get(secretUid); - if (oldId != null) { - Credentials oldCredentials = lookupCredentials(oldId); - creentialsStore.removeCredentials(Domain.global(), oldCredentials); - } else if (existingOriginalCreds != null) { - creentialsStore.removeCredentials(Domain.global(), existingOriginalCreds); - } - UID_TO_SECRET_MAP.put(secretUid, id); - secretNamespaceName = NamespaceName.create(secret); - logger.info("Updated credential " + oldId + " with new Id " + id + " from Secret " - + 
secretNamespaceName + " with revision: " + metadata.getResourceVersion()); - } - } else { - if (existingCreds != null) { - creentialsStore.updateCredentials(Domain.global(), existingCreds, creds); - UID_TO_SECRET_MAP.put(secretUid, id); - secretNamespaceName = NamespaceName.create(secret); - logger.info("Updated credential " + id + " from Secret " + secretNamespaceName - + " with revision: " + metadata.getResourceVersion()); - } else { - boolean hasAddedCredential = creentialsStore.addCredentials(Domain.global(), creds); - if (!hasAddedCredential) { - logger.warning("Update failed for secret with new Id " + id + " from Secret " - + secretNamespaceName + " with revision: " + metadata.getResourceVersion()); - } else { - UID_TO_SECRET_MAP.put(secretUid, id); - secretNamespaceName = NamespaceName.create(secret); - logger.info("Created credential " + id + " from Secret " + secretNamespaceName - + " with revision: " + metadata.getResourceVersion()); - } - } + if (secret == null) return null; + + Credentials credsFromSecret = secretToCredentials(secret); + if (credsFromSecret == null) return null; + + Credentials annotatedCredentials = null; + Credentials defaultCredentials = null; + + final SecurityContext previousContext = ACL.impersonate(ACL.SYSTEM); + + ObjectMeta metadata = secret.getMetadata(); + String namespace = metadata.getNamespace(); + String secretName = metadata.getName(); + + String annotatedSecretName = null; + String defaultSecretName = generateCredentialsName(namespace, secretName, null); + String secretUid = metadata.getUid(); + String addOrUpdateCredentialName = null; + String removeCredentialName = null; + NamespaceName secretNamespaceName = null; + + Boolean updateUidMap = false; + + ConcurrentHashMap credentialMap = new ConcurrentHashMap(); + + CredentialsStore credentialStore = lookupStores(Jenkins.getActiveInstance()).iterator().next(); + + annotatedSecretName = getSecretCustomName(secret); + + if (annotatedSecretName != null) { + 
annotatedCredentials = lookupCredentials(annotatedSecretName); + if (annotatedCredentials != null) { + credentialMap.put(annotatedSecretName, annotatedCredentials); + } + } + + defaultCredentials = lookupCredentials(defaultSecretName); + if (defaultCredentials != null ) { + credentialMap.put(defaultSecretName, defaultCredentials); + } + + if (annotatedSecretName != null) { + addOrUpdateCredentialName = annotatedSecretName; + if (annotatedSecretName != defaultSecretName) {} + removeCredentialName = defaultSecretName; + } else { + addOrUpdateCredentialName = defaultSecretName; + } + + secretNamespaceName = NamespaceName.create(secret); + + Credentials existingCredentials = credentialMap.get(addOrUpdateCredentialName); + + if (existingCredentials == null) { + try { + if (credentialStore.addCredentials(Domain.global(), credsFromSecret)) { + logger.info("Added credential " + addOrUpdateCredentialName + " from Secret " + secretNamespaceName + + " with revision: " + metadata.getResourceVersion()); + updateUidMap = true; + } else { + logger.warning("Adding failed for secret with new Id " + addOrUpdateCredentialName + " from Secret " + + secretNamespaceName + " with revision: " + metadata.getResourceVersion()); } - creentialsStore.save(); - } finally { - SecurityContextHolder.setContext(previousContext); } - if (id != null && !id.isEmpty()) { - return id; + catch (Exception ex) { + logger.warning(ex.getMessage()); } + } else { + try { + credentialStore.updateCredentials(Domain.global(), existingCredentials, credsFromSecret); + logger.info("Updated credential " + addOrUpdateCredentialName + " from Secret " + secretNamespaceName + + " with revision: " + metadata.getResourceVersion()); + updateUidMap = true; + } catch (Exception ex) { + logger.warning(ex.getMessage()); } } - return null; + + if (removeCredentialName != null) { + Credentials removeMe = credentialMap.get(removeCredentialName); + if (removeMe != null) { + try { + credentialStore.removeCredentials(Domain.global(), 
removeMe); + logger.info("Deleted credential " + removeCredentialName); + } catch (Exception ex) { + logger.warning(ex.getMessage()); + } + } + } + + if (updateUidMap) { + UID_TO_SECRET_MAP.put(secretUid, addOrUpdateCredentialName); + } + + credentialStore.save(); + + SecurityContextHolder.setContext(previousContext); + + return addOrUpdateCredentialName; } private static void deleteCredential(String id, NamespaceName name, String resourceRevision) throws IOException { @@ -506,4 +539,4 @@ static String unlinkBCSecretToCrendential(String bc) { return SOURCE_SECRET_TO_CREDS_MAP.remove(bc); } -} +} \ No newline at end of file From ddadd5c967f549e93bac5bcb6228aa06fdb0318f Mon Sep 17 00:00:00 2001 From: vhajk Date: Thu, 25 Jul 2024 01:30:13 +0200 Subject: [PATCH 2/3] Removed obsolete ref --- .../java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java b/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java index 8f5fd1792..5a8abc975 100644 --- a/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java +++ b/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java @@ -34,7 +34,6 @@ import org.acegisecurity.context.SecurityContext; import org.acegisecurity.context.SecurityContextHolder; import org.apache.commons.lang.StringUtils; -import org.codehaus.groovy.tools.StringHelper; import org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl; import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl; From 200b3efc50bfcf4fa1397a7fcedb5daa3f1d2851 Mon Sep 17 00:00:00 2001 From: vhajk Date: Thu, 25 Jul 2024 23:57:45 +0200 Subject: [PATCH 3/3] Control flow fix --- .../io/fabric8/jenkins/openshiftsync/CredentialsUtils.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
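Review bot: The rewrite of insertOrUpdateCredentialsFromSecret drops the `try`/`finally` that the removed code kept around the impersonated section: `ACL.impersonate(ACL.SYSTEM)` now runs near the top, but `SecurityContextHolder.setContext(previousContext)` is only reached on the straight-line path at the very end, after `lookupStores(...).iterator().next()`, the `lookupCredentials` calls and `credentialStore.save()` (the method is declared `throws IOException`), so any exception from those leaves the calling thread — presumably a shared sync/watcher thread — running as SYSTEM for whatever it does next. The restore must go back into a `finally` that encloses everything from the `impersonate` call to `save()`. The rewrite also loses the `UID_TO_SECRET_MAP.get(secretUid)` lookup the removed code used to delete the credential created under a previous annotation; the new code only ever removes the default-named credential, so changing the annotation from one custom id to another leaves the old credential (and its secret material) in the Jenkins store while the map is silently repointed. The new `catch (Exception ex) { logger.warning(ex.getMessage()); }` blocks discard the stack trace and reduce a failed add/update/remove to a one-line warning; pass the throwable to the logger and consider whether a failed add should really still return the new id. The blank-body `if (annotatedSecretName != defaultSecretName) {}` is addressed by the third patch in this series, but note the comparison itself is a reference comparison.
```java
final SecurityContext previousContext = ACL.impersonate(ACL.SYSTEM);
try {
    // … unchanged: metadata, name resolution, credentialMap population …
    // … unchanged: add/update of addOrUpdateCredentialName, removal of removeCredentialName …
    String previousId = UID_TO_SECRET_MAP.get(secretUid);
    if (previousId != null && !previousId.equals(addOrUpdateCredentialName)
            && !previousId.equals(removeCredentialName)) {
        Credentials stale = lookupCredentials(previousId);
        if (stale != null) {
            credentialStore.removeCredentials(Domain.global(), stale);
            logger.info("Deleted stale credential " + previousId + " for Secret " + secretNamespaceName);
        }
    }
    // … unchanged: UID_TO_SECRET_MAP update …
    credentialStore.save();
} finally {
    SecurityContextHolder.setContext(previousContext);
}
return addOrUpdateCredentialName;
```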
diff --git a/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java b/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java index 5a8abc975..8f62134e6 100644 --- a/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java +++ b/src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java @@ -226,8 +226,9 @@ private static String insertOrUpdateCredentialsFromSecret(Secret secret) throws if (annotatedSecretName != null) { addOrUpdateCredentialName = annotatedSecretName; - if (annotatedSecretName != defaultSecretName) {} - removeCredentialName = defaultSecretName; + if (annotatedSecretName != defaultSecretName) { + removeCredentialName = defaultSecretName; + } } else { addOrUpdateCredentialName = defaultSecretName; }
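Review bot: The guard this patch wraps around `removeCredentialName = defaultSecretName;` still uses `annotatedSecretName != defaultSecretName`, which compares String references, not contents; the two values come from separate calls (`getSecretCustomName(secret)` and `generateCredentialsName(...)`), so the condition is effectively always true and the "control flow fix" does not change behaviour when the annotation happens to equal the default name. In that case the code goes on to schedule removal of the very credential it has just added or updated — whether `removeCredentials` then actually deletes it depends on the credential class's `equals`, but the intent is clearly to skip. Use `if (!annotatedSecretName.equals(defaultSecretName)) {`. The enclosing method insertOrUpdateCredentialsFromSecret starts and ends outside this hunk.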