Base class for JSON-format secret data

Author: pjdarton

src/main/java/io/jenkins/plugins/credentials/secretsmanager/factory/BaseAwsJsonCredentials.java

@@ -0,0 +1,70 @@
+package io.jenkins.plugins.credentials.secretsmanager.factory;
+
+import java.util.function.Supplier;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import com.cloudbees.plugins.credentials.CredentialsUnavailableException;
+import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
+
+import hudson.util.Secret;
+import io.jenkins.plugins.credentials.secretsmanager.Messages;
+import net.sf.json.JSON;
+import net.sf.json.JSONException;
+import net.sf.json.JSONObject;
+import net.sf.json.JSONSerializer;
+
+/**
+ * Base class for credentials where the AWS secret data is JSON format instead
+ * of raw data.
+ */
+@Restricted(NoExternalUse.class)
+public abstract class BaseAwsJsonCredentials extends BaseStandardCredentials {
+    /** How to access the JSON */
+    private final Supplier<Secret> supplierOfSecretData;
+
+    protected BaseAwsJsonCredentials(String id, String description, Supplier<Secret> secretJsonSupplier) {
+        super(id, description);
+        this.supplierOfSecretData = secretJsonSupplier;
+    }
+
+    /**
+     * Reads the secret JSON and returns the field requested.
+     * 
+     * @param fieldname The (top-level) field that we want (which must be a
+     *                  {@link String}).
+     * @return The contents of that JSON field.
+     * @throws CredentialsUnavailableException if there is no JSON, or it is not
+     *                                         valid JSON, or it is missing the
+     *                                         field, or the field is not a
+     *                                         {@link String}.
+     */
+    protected String getFieldFromSecretJson(String fieldname) {
+        // Note:
+        // We MUST NOT tell anyone what the JSON is, or give any hints as to its
+        // contents, as that could then leak sensitive data so we have to suppress the
+        // informative exception(s) and just tell the user that it didn't work.
+        final Secret secret = supplierOfSecretData.get();
+        final String rawSecretJson = secret == null ? "" : secret.getPlainText();
+        if (rawSecretJson.isEmpty()) {
+            throw new CredentialsUnavailableException("secret", Messages.noValidJsonError(getId()));
+        }
+        final JSON parsedJson;
+        try {
+            parsedJson = JSONSerializer.toJSON(rawSecretJson);
+        } catch (JSONException ex) {
+            throw new CredentialsUnavailableException("secret", Messages.noValidJsonError(getId()));
+        }
+        // if we got this far then we have some syntactically-valid JSON
+        // ... but it might not be a JSON object containing the field we wanted.
+        final String fieldValue;
+        try {
+            final JSONObject jsonObject = (JSONObject) parsedJson;
+            fieldValue = jsonObject.getString(fieldname);
+        } catch (JSONException | ClassCastException | NullPointerException ex) {
+            throw new CredentialsUnavailableException("secret", Messages.wrongJsonError(getId(), fieldname));
+        }
+        return fieldValue;
+    }
+}

src/main/resources/io/jenkins/plugins/credentials/secretsmanager/Messages.properties

@@ -19,6 +19,8 @@ couldNotRetrieveCredentialError = Could not retrieve the credential {0} from AWS
 noUsernameError = Credential did not have a username
 noPrivateKeyError = Credential did not contain a valid private key in PEM format
 noCertificateError = Credential did not contain a valid certificate bundle in PKCS#12 format
+noValidJsonError = Credential {0} did not contain valid JSON
+wrongJsonError = Credential {0} did not contain a JSON object containing a field called {1}
 emptySecretError = AWS Secrets Manager entry {0} contained neither a secretString nor a secretBinary value
 roles = Roles
 role = Role

src/test/java/io/jenkins/plugins/credentials/secretsmanager/factory/BaseAwsJsonCredentialsTest.java

@@ -0,0 +1,226 @@
+package io.jenkins.plugins.credentials.secretsmanager.factory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.lang.reflect.Method;
+import java.util.function.Supplier;
+
+import org.junit.Test;
+
+import com.cloudbees.plugins.credentials.CredentialsDescriptor;
+import com.cloudbees.plugins.credentials.CredentialsProvider;
+import com.cloudbees.plugins.credentials.CredentialsUnavailableException;
+import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
+
+import hudson.util.Secret;
+import io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider;
+import io.jenkins.plugins.credentials.secretsmanager.Messages;
+
+public class BaseAwsJsonCredentialsTest {
+    @Test
+    public void getFieldFromSecretJsonGivenValidJsonThenReturnsValue() {
+        // Given
+        final String expected = "myFieldValue";
+        final String fieldName = "myFieldName";
+        final String json = mkJson(fieldName, expected);
+        final Secret secretJson = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(secretJson);
+        final TestClass instance = new TestClass(stubSupplier);
+
+        // When
+        final String actual = instance.getFieldFromSecretJson(fieldName);
+
+        // Then
+        assertThat(actual).isEqualTo(expected);
+    }
+
+    @Test
+    public void getFieldFromSecretJsonGivenValidJsonWithUnwantedDataThenReturnsValue() {
+        // Given
+        final String expected = "myFieldValue";
+        final String fieldName = "myFieldName";
+        final String json = mkJson("someOtherField", "someOtherValue", fieldName, expected);
+        final Secret secretJson = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(secretJson);
+        final TestClass instance = new TestClass(stubSupplier);
+
+        // When
+        final String actual = instance.getFieldFromSecretJson(fieldName);
+
+        // Then
+        assertThat(actual).isEqualTo(expected);
+    }
+
+    @Test
+    public void getFieldFromSecretJsonGivenMissingJsonThenReturnsThrows() {
+        // Given
+        final Secret secretJson = null;
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(secretJson);
+        final TestClass instance = new TestClass(stubSupplier);
+        final String missingFieldName = "someFieldName";
+
+        // When
+        CredentialsUnavailableException actual = null;
+        try {
+            instance.getFieldFromSecretJson(missingFieldName);
+        } catch (CredentialsUnavailableException ex) {
+            actual = ex;
+        }
+
+        // Then
+        assertThat(actual).isNotNull();
+        assertThat(actual.getProperty()).isEqualTo("secret");
+        assertThat(actual.getMessage()).contains(Messages.noValidJsonError(instance.getId()));
+    }
+
+    @Test
+    public void getFieldFromSecretJsonGivenEmptyJsonThenReturnsThrows() {
+        // Given
+        final String json = "";
+        final Secret secretJson = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(secretJson);
+        final TestClass instance = new TestClass(stubSupplier);
+        final String missingFieldName = "someFieldName";
+
+        // When
+        CredentialsUnavailableException actual = null;
+        try {
+            instance.getFieldFromSecretJson(missingFieldName);
+        } catch (CredentialsUnavailableException ex) {
+            actual = ex;
+        }
+
+        // Then
+        assertThat(actual).isNotNull();
+        assertThat(actual.getProperty()).isEqualTo("secret");
+        assertThat(actual.getMessage()).contains(Messages.noValidJsonError(instance.getId()));
+    }
+
+    @Test
+    public void getFieldFromSecretJsonGivenInvalidJsonThenReturnsThrows() {
+        final String json = "1234 is not valid JSON";
+        final Secret secretJson = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(secretJson);
+        final TestClass instance = new TestClass(stubSupplier);
+        final String missingFieldName = "fieldName";
+
+        // When
+        CredentialsUnavailableException actual = null;
+        try {
+            instance.getFieldFromSecretJson(missingFieldName);
+        } catch (CredentialsUnavailableException ex) {
+            actual = ex;
+        }
+
+        // Then
+        assertThat(actual).isNotNull();
+        assertThat(actual.getProperty()).isEqualTo("secret");
+        assertThat(actual.getMessage()).contains(instance.getId());
+        assertThat(actual.getMessage()).contains(Messages.noValidJsonError(instance.getId()));
+        assertThat(actual.getMessage()).doesNotContain("1234");
+    }
+
+    @Test
+    public void getFieldFromSecretJsonGivenValidJsonMissingDesiredFieldThenReturnsThrows() {
+        // Given
+        final String unexpectedFieldName = "potentiallySecretFieldName";
+        final String unexpectedValue = "potentiallySecretValue";
+        final String json = mkJson(unexpectedFieldName, unexpectedValue, unexpectedFieldName + "2", unexpectedValue);
+        final Secret secretJson = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(secretJson);
+        final TestClass instance = new TestClass(stubSupplier);
+        final String missingFieldName = "someOtherFieldName";
+
+        // When
+        CredentialsUnavailableException actual = null;
+        try {
+            instance.getFieldFromSecretJson(missingFieldName);
+        } catch (CredentialsUnavailableException ex) {
+            actual = ex;
+        }
+
+        // Then
+        assertThat(actual).isNotNull();
+        assertThat(actual.getProperty()).isEqualTo("secret");
+        assertThat(actual.getMessage()).contains(instance.getId());
+        assertThat(actual.getMessage()).contains(missingFieldName);
+        assertThat(actual.getMessage()).contains(Messages.wrongJsonError(instance.getId(), missingFieldName));
+        assertThat(actual.getMessage()).doesNotContain(unexpectedFieldName);
+        assertThat(actual.getMessage()).doesNotContain(unexpectedValue);
+    }
+
+    public static void assertThatJsonCredentialsDescriptorIsTheSameAsTheDescriptorForNonJsonCredentials(
+            CredentialsDescriptor instanceUnderTest, CredentialsDescriptor nonJsonEquivalent) {
+        // Given
+        final CredentialsProvider awsCredProvider = new AwsCredentialsProvider();
+        final CredentialsProvider otherCredProvider = new SystemCredentialsProvider.ProviderImpl();
+        final String expectedDisplayName = nonJsonEquivalent.getDisplayName();
+        final String expectedIconClassName = nonJsonEquivalent.getIconClassName();
+        final boolean expectedApplicableToAws = nonJsonEquivalent.isApplicable(awsCredProvider);
+        final boolean expectedApplicableToOther = nonJsonEquivalent.isApplicable(otherCredProvider);
+        final String[] expectedDeclaredMethods = toClassAgnosticMethodDescription(
+                nonJsonEquivalent.getClass().getDeclaredMethods());
+
+        // When
+        final String actualDisplayName = instanceUnderTest.getDisplayName();
+        final String actualIconClassName = instanceUnderTest.getIconClassName();
+        final boolean actualApplicableToAws = instanceUnderTest.isApplicable(awsCredProvider);
+        final boolean actualApplicableToOther = instanceUnderTest.isApplicable(otherCredProvider);
+        final String[] actualDeclaredMethods = toClassAgnosticMethodDescription(
+                instanceUnderTest.getClass().getDeclaredMethods());
+
+        // Then
+        assertThat(actualDisplayName).isEqualTo(expectedDisplayName);
+        assertThat(actualIconClassName).isEqualTo(expectedIconClassName);
+        assertThat(actualApplicableToAws).isEqualTo(expectedApplicableToAws);
+        assertThat(actualApplicableToOther).isEqualTo(expectedApplicableToOther);
+        // Check no other unexpected behavior was added to one and not the other
+        assertThat(actualDeclaredMethods).containsExactly(expectedDeclaredMethods);
+    }
+
+    public static String mkJson(String fieldName1, String fieldValue1) {
+        return "{ " + fieldName1 + ": '" + fieldValue1 + "' }";
+    }
+
+    public static String mkJson(String fieldName1, String fieldValue1, String fieldName2, String fieldValue2) {
+        return "{ " + fieldName1 + ": '" + fieldValue1 + "', " + fieldName2 + ": '" + fieldValue2 + "' }";
+    }
+
+    private static String[] toClassAgnosticMethodDescription(Method[] m) {
+        final String[] results = new String[m.length];
+        for (int i = 0; i < m.length; i++) {
+            final Class<?> declaringClass = m[i].getDeclaringClass();
+            final String original = m[i].toGenericString();
+            final String definingClass = declaringClass.getName();
+            final String result = original.replace(definingClass + ".", "");
+            results[i] = result;
+        }
+        return results;
+    }
+
+    private static class TestClass extends BaseAwsJsonCredentials {
+        protected TestClass(Supplier<Secret> usernameAndPasswordJson) {
+            super("TestId", "TestDescription", usernameAndPasswordJson);
+        }
+
+        // expose so we can test it
+        public String getFieldFromSecretJson(String fieldname) {
+            return super.getFieldFromSecretJson(fieldname);
+        }
+    }
+
+    // if we had a mocking framework like Mockito on the classpath then we wouldn't
+    // need this.
+    public static class StubSupplier<T> implements Supplier<T> {
+        private final T supplied;
+
+        public StubSupplier(T supplied) {
+            this.supplied = supplied;
+        }
+
+        @Override
+        public T get() {
+            return supplied;
+        }
+    }
+}