Merge branch 'SECURITY-1625' into master

Author: cashlalala

src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/Auth.java

@@ -26,6 +26,7 @@
 import hudson.model.Item;
 import hudson.security.ACL;
 import hudson.util.ListBoxModel;
+import hudson.util.Secret;
 
 /**
  * We need to keep this for compatibility - old config deserialization!
@@ -161,7 +162,7 @@ public static Auth auth2ToAuth(Auth2 auth) {
             return new Auth(Auth.NONE, null, null, null);
         } else if (auth instanceof TokenAuth) {
             TokenAuth tokenAuth = (TokenAuth) auth;
-            return new Auth(Auth.API_TOKEN, tokenAuth.getUserName(), tokenAuth.getApiToken(), null);
+            return new Auth(Auth.API_TOKEN, tokenAuth.getUserName(), tokenAuth.getApiToken().getPlainText(), null);
         } else if (auth instanceof CredentialsAuth) {
             CredentialsAuth credAuth = (CredentialsAuth) auth;
             try {
@@ -189,7 +190,7 @@ public static Auth2 authToAuth2(Auth oldAuth) {
         } else if (Auth.API_TOKEN.equals(authType)) {
             TokenAuth newAuth = new TokenAuth();
             newAuth.setUserName(oldAuth.getUsername());
-            newAuth.setApiToken(oldAuth.getApiToken());
+            newAuth.setApiToken(Secret.fromString(oldAuth.getApiToken()));
             return newAuth;
         } else if (Auth.CREDENTIALS_PLUGIN.equals(authType)) {
             CredentialsAuth newAuth = new CredentialsAuth();

src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/BearerTokenAuth.java

@@ -4,13 +4,13 @@
 import java.net.URLConnection;
 
 import org.jenkinsci.Symbol;
-
 import org.jenkinsci.plugins.ParameterizedRemoteTrigger.BuildContext;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 
 import hudson.Extension;
 import hudson.model.Item;
+import hudson.util.Secret;
 
 
 public class BearerTokenAuth extends Auth2 {
@@ -20,25 +20,25 @@ public class BearerTokenAuth extends Auth2 {
     @Extension
     public static final Auth2Descriptor DESCRIPTOR = new BearerTokenAuthDescriptor();
 
-    private String token;
+    private Secret token;
 
     @DataBoundConstructor
     public BearerTokenAuth() {
         this.token = null;
     }
 
     @DataBoundSetter
-    public void setToken(String token) {
+    public void setToken(Secret token) {
         this.token = token;
     }
 
-    public String getToken() {
+    public Secret getToken() {
         return this.token;
     }
 
     @Override
     public void setAuthorizationHeader(URLConnection connection, BuildContext context) throws IOException {
-        connection.setRequestProperty("Authorization", "Bearer: " + getToken());
+        connection.setRequestProperty("Authorization", "Bearer: " + getToken().getPlainText());
     }
 
     @Override

src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/TokenAuth.java

@@ -13,6 +13,7 @@
 
 import hudson.Extension;
 import hudson.model.Item;
+import hudson.util.Secret;
 
 public class TokenAuth extends Auth2 {
 
@@ -22,7 +23,7 @@ public class TokenAuth extends Auth2 {
     public static final Auth2Descriptor DESCRIPTOR = new TokenAuthDescriptor();
 
     private String userName;
-    private String apiToken;
+    private Secret apiToken;
 
     @DataBoundConstructor
     public TokenAuth() {
@@ -40,17 +41,17 @@ public String getUserName() {
     }
 
     @DataBoundSetter
-    public void setApiToken(String apiToken) {
+    public void setApiToken(Secret apiToken) {
         this.apiToken = apiToken;
     }
 
-    public String getApiToken() {
+    public Secret getApiToken() {
         return this.apiToken;
     }
 
     @Override
     public void setAuthorizationHeader(URLConnection connection, BuildContext context) throws IOException {
-        String authHeaderValue = Base64Utils.generateAuthorizationHeaderValue(AUTHTYPE_BASIC, getUserName(), getApiToken(), context, true);
+        String authHeaderValue = Base64Utils.generateAuthorizationHeaderValue(AUTHTYPE_BASIC, getUserName(), getApiToken().getPlainText(), context, true);
         connection.setRequestProperty("Authorization", authHeaderValue);
     }
 

src/main/resources/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteBuildConfiguration/help-auth2.html

@@ -13,6 +13,9 @@
   <li><b>No Authentication</b><br/>
     No Authorization header will be sent, independent of the global 'remote host' settings.
   </li>
+  <li><b>Bearer Authentication</b><br/>
+    The bearer token is used.
+  </li>
 </ul>
 
 <b>Note:</b> <i>Jenkins API Tokens</i> are recommended since, if stolen, they allow access only to a specific Jenkins

src/main/resources/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteJenkinsServer/help-auth2.html

@@ -10,6 +10,9 @@
   <li><b>Credentials Authentication</b><br/>
     The specified Jenkins Credentials are used. This can be either user/password or user/API Token.
   </li>
+  <li><b>Bearer Authentication</b><br/>
+    The bearer token is used.
+  </li>
 </ul>
 
 <b>Note:</b> <i>Jenkins API Tokens</i> are recommended since, if stolen, they allow access only to a specific Jenkins

src/main/resources/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/BearerTokenAuth/config.jelly

@@ -0,0 +1,9 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" 
+	xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:p="/lib/hudson/project">
+
+    <f:entry title="Bearer Token">
+        <f:password field="token"/>
+    </f:entry>
+
+</j:jelly>

src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteBuildConfigurationTest.java

@@ -44,6 +44,7 @@
 import hudson.security.AuthorizationStrategy.Unsecured;
 import hudson.security.csrf.DefaultCrumbIssuer;
 import hudson.util.LogTaskListener;
+import hudson.util.Secret;
 import jenkins.model.Jenkins;
 
 public class RemoteBuildConfigurationTest {
@@ -132,7 +133,7 @@ private void _testRemoteBuild(boolean authenticate, boolean withParam, FreeStyle
         if(authenticate) {
             TokenAuth tokenAuth = new TokenAuth();
             tokenAuth.setUserName(testUser.getId());
-            tokenAuth.setApiToken(testUserToken);
+            tokenAuth.setApiToken(Secret.fromString(testUserToken));
             configuration.setAuth2(tokenAuth);
         }
 

src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/RemoteJenkinsServerTest.java

@@ -8,7 +8,11 @@
 
 import org.jenkinsci.plugins.ParameterizedRemoteTrigger.auth2.CredentialsAuth;
 import org.jenkinsci.plugins.ParameterizedRemoteTrigger.auth2.TokenAuth;
+import org.junit.Rule;
 import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+
+import hudson.util.Secret;
 
 
 public class RemoteJenkinsServerTest {
@@ -18,11 +22,14 @@ public class RemoteJenkinsServerTest {
     private final static String ADDRESS = "http://www.example.org:8443";
     private final static String DISPLAY_NAME = "My example server.";
     private final static boolean HAS_BUILD_TOKEN_ROOT_SUPPORT = true;
+    
+    @Rule
+    public JenkinsRule jenkinsRule = new JenkinsRule();
 
     @Test
     public void testCloneBehaviour() throws Exception {
         TokenAuth auth = new TokenAuth();
-        auth.setApiToken(TOKEN);
+        auth.setApiToken(Secret.fromString(TOKEN));
         auth.setUserName(USER);
 
         RemoteJenkinsServer server = new RemoteJenkinsServer();
@@ -55,11 +62,11 @@ public void testCloneBehaviour() throws Exception {
         //Test if clone is deep-copy or if server fields can be modified
         TokenAuth cloneAuth = (TokenAuth)clone.getAuth2();
         assertNotNull(cloneAuth);
-        cloneAuth.setApiToken("changed");
+        cloneAuth.setApiToken(Secret.fromString("changed"));
         cloneAuth.setUserName("changed");
         TokenAuth serverAuth = (TokenAuth)server.getAuth2();
         assertNotNull(serverAuth);
-        assertEquals("auth.apiToken", TOKEN, serverAuth.getApiToken());
+        assertEquals("auth.apiToken", TOKEN, serverAuth.getApiToken().getPlainText());
         assertEquals("auth.userName", USER, serverAuth.getUserName());
 
         //Test if clone.setAuth() affects original object

src/test/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/auth2/Auth2Test.java

@@ -5,22 +5,29 @@
 import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertTrue;
 
+import org.junit.Rule;
 import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+
+import hudson.util.Secret;
 
 public class Auth2Test {
+	
+    @Rule
+    public JenkinsRule jenkinsRule = new JenkinsRule();
 
     @Test
     public void testBearerTokenAuthCloneBehaviour() throws CloneNotSupportedException {
         BearerTokenAuth original = new BearerTokenAuth();
-        original.setToken("original");
+        original.setToken(Secret.fromString("original"));
         BearerTokenAuth clone = (BearerTokenAuth)original.clone();
         verifyEqualsHashCode(original, clone);
 
         //Test changing clone
-        clone.setToken("changed");
+        clone.setToken(Secret.fromString("changed"));
         verifyEqualsHashCode(original, clone, false);
-        assertEquals("original", original.getToken());
-        assertEquals("changed", clone.getToken());
+        assertEquals("original", original.getToken().getPlainText());
+        assertEquals("changed", clone.getToken().getPlainText());
     }
 
     @Test
@@ -40,18 +47,18 @@ public void testCredentialsAuthCloneBehaviour() throws CloneNotSupportedExceptio
     @Test
     public void testTokenAuthCloneBehaviour() throws CloneNotSupportedException {
         TokenAuth original = new TokenAuth();
-        original.setApiToken("original");
+        original.setApiToken(Secret.fromString("original"));
         original.setUserName("original");
         TokenAuth clone = (TokenAuth)original.clone();
         verifyEqualsHashCode(original, clone);
 
         //Test changing clone
-        clone.setApiToken("changed");
+        clone.setApiToken(Secret.fromString("changed"));
         clone.setUserName("changed");
         verifyEqualsHashCode(original, clone, false);
-        assertEquals("original", original.getApiToken());
+        assertEquals("original", original.getApiToken().getPlainText());
         assertEquals("original", original.getUserName());
-        assertEquals("changed", clone.getApiToken());
+        assertEquals("changed", clone.getApiToken().getPlainText());
         assertEquals("changed", clone.getUserName());
     }