Jenkins 65712/secret name annotation fix #127

Open
wants to merge 3 commits into
base: master
from
Open
159 changes: 96 additions & 63 deletions src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java
Expand Up @@ -183,73 +183,106 @@
}

private static String insertOrUpdateCredentialsFromSecret(Secret secret) throws IOException {
if (secret != null) {
String customSecretName = getSecretCustomName(secret);
ObjectMeta metadata = secret.getMetadata();
String namespace = metadata.getNamespace();
String secretName = metadata.getName();
Credentials creds = secretToCredentials(secret);
if (creds != null) {
// checking with updated secret name if custom name is not null
String id = generateCredentialsName(namespace, secretName, customSecretName);
Credentials existingCreds = lookupCredentials(id);
final SecurityContext previousContext = ACL.impersonate(ACL.SYSTEM);
try {
CredentialsStore creentialsStore = lookupStores(Jenkins.getActiveInstance()).iterator().next();
String originalId = generateCredentialsName(namespace, secretName, null);
Credentials existingOriginalCreds = lookupCredentials(originalId);
NamespaceName secretNamespaceName = null;

String secretUid = metadata.getUid();
if (!originalId.equals(id)) {
boolean hasAddedCredential = creentialsStore.addCredentials(Domain.global(), creds);
if (!hasAddedCredential) {
logger.warning("Setting secret failed for secret with new Id " + id + " from Secret "
+ secretNamespaceName + " with revision: " + metadata.getResourceVersion());
logger.warning("Check if Id " + id + " is not already used.");
} else {
String oldId = UID_TO_SECRET_MAP.get(secretUid);
if (oldId != null) {
Credentials oldCredentials = lookupCredentials(oldId);
creentialsStore.removeCredentials(Domain.global(), oldCredentials);
} else if (existingOriginalCreds != null) {
creentialsStore.removeCredentials(Domain.global(), existingOriginalCreds);
}
UID_TO_SECRET_MAP.put(secretUid, id);
secretNamespaceName = NamespaceName.create(secret);
logger.info("Updated credential " + oldId + " with new Id " + id + " from Secret "
+ secretNamespaceName + " with revision: " + metadata.getResourceVersion());
}
} else {
if (existingCreds != null) {
creentialsStore.updateCredentials(Domain.global(), existingCreds, creds);
UID_TO_SECRET_MAP.put(secretUid, id);
secretNamespaceName = NamespaceName.create(secret);
logger.info("Updated credential " + id + " from Secret " + secretNamespaceName
+ " with revision: " + metadata.getResourceVersion());
} else {
boolean hasAddedCredential = creentialsStore.addCredentials(Domain.global(), creds);
if (!hasAddedCredential) {
logger.warning("Update failed for secret with new Id " + id + " from Secret "
+ secretNamespaceName + " with revision: " + metadata.getResourceVersion());
} else {
UID_TO_SECRET_MAP.put(secretUid, id);
secretNamespaceName = NamespaceName.create(secret);
logger.info("Created credential " + id + " from Secret " + secretNamespaceName
+ " with revision: " + metadata.getResourceVersion());
}
}
if (secret == null) return null;

Credentials credsFromSecret = secretToCredentials(secret);
if (credsFromSecret == null) return null;

Credentials annotatedCredentials = null;
Credentials defaultCredentials = null;

final SecurityContext previousContext = ACL.impersonate(ACL.SYSTEM);

ObjectMeta metadata = secret.getMetadata();
String namespace = metadata.getNamespace();
String secretName = metadata.getName();

String annotatedSecretName = null;
String defaultSecretName = generateCredentialsName(namespace, secretName, null);
String secretUid = metadata.getUid();
String addOrUpdateCredentialName = null;
String removeCredentialName = null;
NamespaceName secretNamespaceName = null;

Boolean updateUidMap = false;

ConcurrentHashMap<String, Credentials> credentialMap = new ConcurrentHashMap<String, Credentials>();

CredentialsStore credentialStore = lookupStores(Jenkins.getActiveInstance()).iterator().next();

annotatedSecretName = getSecretCustomName(secret);

if (annotatedSecretName != null) {
annotatedCredentials = lookupCredentials(annotatedSecretName);
if (annotatedCredentials != null) {
credentialMap.put(annotatedSecretName, annotatedCredentials);
}
}

defaultCredentials = lookupCredentials(defaultSecretName);
if (defaultCredentials != null ) {
credentialMap.put(defaultSecretName, defaultCredentials);
}

if (annotatedSecretName != null) {
addOrUpdateCredentialName = annotatedSecretName;
if (annotatedSecretName != defaultSecretName) {

Check warning on line 229 in src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java

ci.jenkins.io / SpotBugs

ES_COMPARING_STRINGS_WITH_EQ

NORMAL: Comparison of String objects using == or != in io.fabric8.jenkins.openshiftsync.CredentialsUtils.insertOrUpdateCredentialsFromSecret(Secret)
Raw output
<p>This code compares <code>java.lang.String</code> objects for reference equality using the == or != operators. Unless both strings are either constants in a source file, or have been interned using the <code>String.intern()</code> method, the same string value may be represented by two different String objects. Consider using the <code>equals(Object)</code> method instead.</p>
removeCredentialName = defaultSecretName;
}
} else {
addOrUpdateCredentialName = defaultSecretName;
}

secretNamespaceName = NamespaceName.create(secret);

Credentials existingCredentials = credentialMap.get(addOrUpdateCredentialName);

if (existingCredentials == null) {
try {
if (credentialStore.addCredentials(Domain.global(), credsFromSecret)) {
logger.info("Added credential " + addOrUpdateCredentialName + " from Secret " + secretNamespaceName
+ " with revision: " + metadata.getResourceVersion());
updateUidMap = true;
} else {
logger.warning("Adding failed for secret with new Id " + addOrUpdateCredentialName + " from Secret "
+ secretNamespaceName + " with revision: " + metadata.getResourceVersion());
}
creentialsStore.save();
} finally {
SecurityContextHolder.setContext(previousContext);
}
if (id != null && !id.isEmpty()) {
return id;
catch (Exception ex) {
logger.warning(ex.getMessage());
}
} else {
try {
credentialStore.updateCredentials(Domain.global(), existingCredentials, credsFromSecret);
logger.info("Updated credential " + addOrUpdateCredentialName + " from Secret " + secretNamespaceName
+ " with revision: " + metadata.getResourceVersion());
updateUidMap = true;
} catch (Exception ex) {
logger.warning(ex.getMessage());
}
}
return null;

if (removeCredentialName != null) {
Credentials removeMe = credentialMap.get(removeCredentialName);
if (removeMe != null) {
try {
credentialStore.removeCredentials(Domain.global(), removeMe);
logger.info("Deleted credential " + removeCredentialName);
} catch (Exception ex) {
logger.warning(ex.getMessage());
}
}
}

if (updateUidMap) {
UID_TO_SECRET_MAP.put(secretUid, addOrUpdateCredentialName);
}

credentialStore.save();

SecurityContextHolder.setContext(previousContext);

return addOrUpdateCredentialName;

Check warning on line 285 in src/main/java/io/fabric8/jenkins/openshiftsync/CredentialsUtils.java

ci.jenkins.io / Code Coverage

Not covered lines

Lines 186-285 are not covered by tests
}

private static void deleteCredential(String id, NamespaceName name, String resourceRevision) throws IOException {
Expand Down Expand Up @@ -506,4 +539,4 @@
return SOURCE_SECRET_TO_CREDS_MAP.remove(bc);
}

}
}
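Review bot: The rewritten `insertOrUpdateCredentialsFromSecret` calls `ACL.impersonate(ACL.SYSTEM)` near the top and restores the previous context only on the line before `return addOrUpdateCredentialName;`, with no `finally`. Any exception that escapes in between (for example `iterator().next()` on an empty store list, `NamespaceName.create(secret)`, or an `IOException` from `credentialStore.save()` passing through the method's `throws` clause) therefore leaves the calling thread running as SYSTEM. The lines that appear to be the removed side restored the context in a `finally`; keep that by opening `try {` directly after the impersonate call and closing the body with `} finally { SecurityContextHolder.setContext(previousContext); }`. Separately, the new code looks up an existing credential by the raw annotation value and calls `updateCredentials` on it, where the earlier code attempted `addCredentials` for a custom name and warned when the Id was already used. It looks as if a Secret annotation can now overwrite a credential that did not originate from that Secret, so consider confirming through `UID_TO_SECRET_MAP` that the existing entry belongs to this Secret's uid before updating; the page does not mark added and removed lines, so the old/new attribution here is inferred.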