
Store token as Secret instead of String #335


Merged: 1 commit merged into jenkinsci:master from task/token-secret, Sep 8, 2020

Conversation

bitwiseman (Contributor)

Description

Follow on to #326. We shouldn't keep the app installation token as a bare String.
I don't think this is a huge deal given how Secret is actually stored and serialized, but this is more correct regardless.

Submitter checklist

  • Link to JIRA ticket in description, if appropriate.
  • Change is code complete and matches issue description
  • Automated tests have been added to exercise the changes
  • Reviewer's manual test instructions provided in PR description. See Reviewer's first task below.

Reviewer checklist

  • Run the changes and verify that the change matches the issue description
  • Reviewed the code
  • Verified that the appropriate tests have been written or valid explanation given

Documentation changes

  • Link to jenkins.io PR, or an explanation for why no doc changes are needed

Users/aliases to notify

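Added illustration, not code from this PR, from the plugin, or from Jenkins core: a minimal secret-holder type in the spirit of hudson.util.Secret, shown beside the bare-String holder it replaces. Everything in it is an assumption made for the example: the class names, the per-process AES-GCM key standing in for the controller's key, the base64 wire format, and the redacting toString (the redaction is this example's choice, not a claim about hudson.util.Secret's own toString). The point it makes is the one the description calls "more correct": with a bare String the token lands in any toString, log line or exception message that mentions the holder, whereas with the wrapper the plaintext has to be asked for explicitly and the persisted form is ciphertext.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Example only. Not hudson.util.Secret and not the plugin's AppInstallationToken;
 *  names, key handling and wire format are assumptions made for this illustration. */
public final class SecretHolderDemo {

    /** Process-wide key standing in for the controller's secret key (assumption). */
    private static final SecretKey KEY = newKey();

    private static SecretKey newKey() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            return kg.generateKey();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Wrapper whose default string form never contains the plaintext. */
    public static final class Secret {
        private final String plainText;
        private Secret(String plainText) { this.plainText = plainText; }
        public static Secret fromString(String s) { return new Secret(s); }
        /** The only way to reach the raw value: callers must ask for it by name. */
        public String getPlainText() { return plainText; }
        /** Persisted form: fresh 12-byte nonce || AES-GCM ciphertext, base64 encoded. */
        public String getEncryptedValue() {
            try {
                byte[] nonce = new byte[12];
                new SecureRandom().nextBytes(nonce);
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, nonce));
                byte[] ct = c.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
                byte[] out = new byte[nonce.length + ct.length];
                System.arraycopy(nonce, 0, out, 0, nonce.length);
                System.arraycopy(ct, 0, out, nonce.length, ct.length);
                return Base64.getEncoder().encodeToString(out);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
        /** Inverse of getEncryptedValue; tampered or truncated input fails the GCM tag check. */
        public static Secret decrypt(String encoded) {
            try {
                byte[] in = Base64.getDecoder().decode(encoded);
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, in, 0, 12));
                byte[] pt = c.doFinal(in, 12, in.length - 12);
                return new Secret(new String(pt, StandardCharsets.UTF_8));
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                throw new IllegalStateException("not a valid encrypted secret", e);
            }
        }
        /** Redacted on purpose: concatenating or logging the holder cannot leak the token. */
        @Override public String toString() { return "****"; }
    }

    /** "Before": a bare-String field leaks through the most ordinary code paths. */
    static final class TokenAsString {
        final String token; final long expiration;
        TokenAsString(String token, long expiration) { this.token = token; this.expiration = expiration; }
        @Override public String toString() { return "Token{" + token + ", exp=" + expiration + "}"; }
    }

    /** "After": the same holder with the token wrapped, mirroring the shape of the PR's change. */
    static final class TokenAsSecret {
        final Secret token; final long expiration;
        TokenAsSecret(Secret token, long expiration) { this.token = token; this.expiration = expiration; }
        @Override public String toString() { return "Token{" + token + ", exp=" + expiration + "}"; }
    }

    public static void main(String[] args) {
        String raw = "ghs_exampleInstallationToken"; // constructed sample value, not a real token
        TokenAsString before = new TokenAsString(raw, 3600);
        TokenAsSecret after = new TokenAsSecret(Secret.fromString(raw), 3600);

        // The kind of debug line or exception message that mentions the holder object:
        System.out.println("before: " + before);   // the raw token is part of this string
        System.out.println("after:  " + after);    // the token is redacted here

        // The persisted form is ciphertext, differs per call (fresh nonce) and round-trips:
        String stored = after.token.getEncryptedValue();
        System.out.println("stored: " + stored);
        if (!Secret.decrypt(stored).getPlainText().equals(raw)) throw new AssertionError("round trip failed");
        if (before.toString().contains(raw) == after.toString().contains(raw)) throw new AssertionError("redaction failed");
    }
}
```

Run it as a single-file program with `java SecretHolderDemo.java` (JDK 11 or newer). The design choice worth copying is that the only accessor returning plaintext is named for what it does, so a grep for `getPlainText` finds every place the raw token is handled.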
@bitwiseman bitwiseman requested a review from dwnusbaum September 4, 2020 16:48
@@ -115,6 +115,7 @@ public void setOwner(String owner) {

@SuppressWarnings("deprecation") // preview features are required for GitHub app integration, GitHub api adds deprecated to all preview methods
static AppInstallationToken generateAppInstallationToken(String appId, String appPrivateKey, String apiUrl, String owner) {
JenkinsJVM.checkJenkinsJVM();
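Review bot: the runtime check is the only thing that documents the controller-only constraint, so add a one-line Javadoc on `generateAppInstallationToken` stating that it must be called on the controller and why (the private key is used there). While on this signature: `appPrivateKey` is still received as a bare `String` although the PR's goal is to stop holding app credentials as `String`; if callers hold the key as a `Secret`, consider accepting `Secret` here, or say in the description why the key is out of scope.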
bitwiseman (Contributor, Author)

This method now only runs on a controller; let's enforce that.

@@ -149,7 +150,8 @@ static AppInstallationToken generateAppInstallationToken(String appId, String ap
.create();

long expiration = getExpirationSeconds(appInstallationToken);
AppInstallationToken token = new AppInstallationToken(appInstallationToken.getToken(),
AppInstallationToken token = new AppInstallationToken(
Secret.fromString(appInstallationToken.getToken()),
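Review bot: the `Secret` type and its import are not visible in either hunk, and neither is the `AppInstallationToken` constructor; confirm the same commit changes that constructor's parameter to `Secret` (the hunk shows only the call site) and adds the `hudson.util.Secret` import. Also note that wrapping via `Secret.fromString(appInstallationToken.getToken())` does not remove the plaintext from the `appInstallationToken` object that stays in scope for `getExpirationSeconds(appInstallationToken)`, so the "only exists as a bare string inside this method" statement is about this method's lifetime, not about the wrapper scrubbing anything.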
bitwiseman (Contributor, Author)

The app installation token only exists as a bare string inside this method.

dwnusbaum (Member)

I don't think this is a huge deal given how Secret is actually stored and serialized

Yeah, I don't think this affects the security of the implementation, but if it makes things simpler/less error prone then it seems fine to me.

@bitwiseman bitwiseman requested a review from jglick September 4, 2020 17:57
jglick (Member) left a comment

Sure.

@bitwiseman bitwiseman merged commit bb55742 into jenkinsci:master Sep 8, 2020
@bitwiseman bitwiseman deleted the task/token-secret branch September 8, 2020 07:51
3 participants