feat: add declarative pipeline support (#9)

* Declarative pipeline support

* fix: hide essential data from the jenkins output

* fix: change version and add newlines

version 1.1.0

Co-authored-by: tdillenbeck <tmdillenbeck@gmail.com>

pom.xml

@@ -9,11 +9,11 @@
     </parent>
     <groupId>io.jenkins.plugins</groupId>
     <artifactId>thycotic-devops-secrets-vault</artifactId>
-    <version>1.0.1</version>
+    <version>1.1.0</version>
     <packaging>hpi</packaging>
     <properties>
         <!-- Baseline Jenkins version you use to build the plugin. Users must have this version or newer to run. -->
-        <jenkins.version>2.176.4</jenkins.version>
+        <jenkins.version>2.235.5</jenkins.version>
         <java.level>8</java.level>
         <!-- Other properties you may want to use:
           ~ jenkins-test-harness.version: Jenkins Test Harness version you use to test the plugin. For Jenkins version >= 1.580.1 use JTH 2.0 or higher.
@@ -33,8 +33,8 @@
         <dependencies>
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
-                <artifactId>bom-2.176.x</artifactId>
-                <version>4</version>
+                <artifactId>bom-2.235.x</artifactId>
+                <version>887.vae9c8ac09ff7</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
@@ -45,6 +45,15 @@
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>credentials</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.jenkins-ci.plugins.workflow</groupId>
+            <artifactId>workflow-step-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.jenkins-ci.plugins</groupId>
+            <artifactId>credentials-binding</artifactId>
+            <version>1.27</version>
+        </dependency>
         <dependency>
             <groupId>org.jenkins-ci</groupId>
             <artifactId>symbol-annotation</artifactId>
@@ -57,22 +66,22 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-beans</artifactId>
-            <version>${spring.version}</version>
+            <version>5.3.20</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-context</artifactId>
-            <version>${spring.version}</version>
+            <version>5.3.20</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-core</artifactId>
-            <version>${spring.version}</version>
+            <version>5.3.20</version>
         </dependency>
         <dependency>
             <groupId>com.thycotic.secrets</groupId>
             <artifactId>dsv-sdk-java</artifactId>
-            <version>1.0</version>
+            <version>1.0.1</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.slf4j</groupId>

src/main/java/com/thycotic/secrets/jenkins/VaultBuildWrapper.java

@@ -1,6 +1,7 @@
 package com.thycotic.secrets.jenkins;
 
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -16,6 +17,7 @@
 import org.springframework.context.annotation.AnnotationConfigApplicationContext;
 import org.springframework.core.env.MapPropertySource;
 
+import hudson.console.ConsoleLogFilter;
 import hudson.EnvVars;
 import hudson.Extension;
 import hudson.ExtensionList;
@@ -34,6 +36,7 @@ public class VaultBuildWrapper extends SimpleBuildWrapper {
     private static final String TLD_PROPERTY = "secrets_vault.tld";
 
     private List<VaultSecret> secrets;
+    private List<String> valuesToMask = new ArrayList<>();
 
     @DataBoundConstructor
     public VaultBuildWrapper(final List<VaultSecret> secrets) {
@@ -49,6 +52,11 @@ public void setSecrets(final List<VaultSecret> secrets) {
         this.secrets = secrets;
     }
 
+    @Override
+    public ConsoleLogFilter createLoggerDecorator(final Run<?, ?> build) {
+        return new VaultConsoleLogFilter(build.getCharset().name(), valuesToMask);
+    }
+
     @Override
     public void setUp(final Context context, final Run<?, ?> build, final FilePath workspace, final Launcher launcher,
             final TaskListener listener, final EnvVars initialEnvironment) throws IOException, InterruptedException {
@@ -65,7 +73,6 @@ public void setUp(final Context context, final Run<?, ?> build, final FilePath w
                 clientSecret = ClientSecret.get(configuration.getCredentialId(), null);
             }
             assert (clientSecret != null); // see VaultSecret.DescriptorImpl.doCheckCredentialId
-
             final AnnotationConfigApplicationContext applicationContext = new AnnotationConfigApplicationContext();
             // create a new Spring ApplicationContext using a Map as the PropertySource
             properties.put(CLIENT_ID_PROPERTY, clientSecret.getClientId());
@@ -86,6 +93,7 @@ public void setUp(final Context context, final Run<?, ?> build, final FilePath w
                 context.env(StringUtils.trimToEmpty(
                         ExtensionList.lookupSingleton(VaultConfiguration.class).getEnvironmentVariablePrefix())
                         + mapping.getEnvironmentVariable(), secret.getData().get(mapping.getDataField()));
+                valuesToMask.add(secret.getData().get(mapping.getDataField()));
             });
             applicationContext.close();
         });

src/main/java/com/thycotic/secrets/jenkins/VaultConsoleLogFilter.java

@@ -0,0 +1,37 @@
+package com.thycotic.secrets.jenkins;
+
+import hudson.console.ConsoleLogFilter;
+import hudson.model.Run;
+
+import java.io.OutputStream;
+import java.io.Serializable;
+import java.io.IOException;
+import java.util.List;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+import org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns;
+
+// borrowed from https://github.com/jenkinsci/azure-keyvault-plugin/blob/master/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/MaskingConsoleLogFilter.java
+public class VaultConsoleLogFilter extends ConsoleLogFilter implements Serializable {
+    private static final long serialVersionUID = 1L;
+    private final String charsetName;
+    private final List<String> valuesToMask;
+
+    public VaultConsoleLogFilter(final String charsetName, final List<String> valuesToMask) {
+        this.charsetName = charsetName;
+        this.valuesToMask = valuesToMask;
+    }
+
+    @Override
+    public OutputStream decorateLogger(Run run, final OutputStream logger) throws IOException, InterruptedException {
+        return new SecretPatterns.MaskingOutputStream(logger, () -> {
+                List<String> values = valuesToMask.stream().filter(Objects::nonNull).collect(Collectors.toList());
+                if (!values.isEmpty()) {
+                    return SecretPatterns.getAggregateSecretPattern(values);
+                } else {
+                    return null;
+                }
+            },charsetName);
+    }
+}

src/main/java/com/thycotic/secrets/jenkins/VaultSecretStep.java

@@ -0,0 +1,206 @@
+package com.thycotic.secrets.jenkins;
+
+import com.thycotic.secrets.vault.spring.Secret;
+import com.thycotic.secrets.vault.spring.SecretsVault;
+import com.thycotic.secrets.vault.spring.SecretsVaultFactoryBean;
+
+import hudson.console.ConsoleLogFilter;
+import hudson.Extension;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+
+import org.apache.commons.lang.StringUtils;
+import org.jenkinsci.plugins.workflow.steps.AbstractStepExecutionImpl;
+import org.jenkinsci.plugins.workflow.steps.BodyExecutionCallback;
+import org.jenkinsci.plugins.workflow.steps.BodyInvoker;
+import org.jenkinsci.plugins.workflow.steps.Step;
+import org.jenkinsci.plugins.workflow.steps.StepContext;
+import org.jenkinsci.plugins.workflow.steps.StepDescriptor;
+import org.jenkinsci.plugins.workflow.steps.StepExecution;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.core.env.MapPropertySource;
+
+import javax.annotation.Nonnull;
+
+import java.io.Serializable;
+import java.io.ObjectOutputStream;
+import java.io.ObjectInputStream;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class VaultSecretStep extends Step implements Serializable {
+    private String tenant;
+    private String secretPath;
+    private String secretDataKey;
+    private String credentialsId;
+    private String tld;
+
+    @DataBoundConstructor
+    public VaultSecretStep(VaultSecretStepConfig config, String secretPath, String secretDataKey) {
+        this.tenant = config.getTenant();
+        this.secretPath = secretPath;
+        this.secretDataKey = secretDataKey;
+        this.credentialsId = config.getCredentialId();
+        this.tld = config.getTld();
+    }
+
+    @DataBoundSetter
+    public void setTenant(String tenant) {
+        this.tenant = tenant;
+    }
+
+    public String getTenant() {
+        return tenant;
+    }
+
+    @DataBoundSetter
+    public void setSecretPath(String secretPath) {
+        this.secretPath = secretPath;
+    }
+
+    public String getSecretPath() {
+        return secretPath;
+    }
+
+    @DataBoundSetter
+    public void setSecretDataKey(String secretDataKey) {
+        this.secretDataKey = secretDataKey;
+    }
+
+    public String getSecretDataKey() {
+        return secretDataKey;
+    }
+
+    @DataBoundSetter
+    public void setCredentialsId(String credentialsId) {
+        this.credentialsId = credentialsId;
+    }
+
+    public String getCredentialsId() {
+        return credentialsId;
+    }
+
+    @DataBoundSetter
+    public void setTld(String tld) {
+        this.tld = tld;
+    }
+
+    public String getTld() {
+        return tld;
+    }
+
+    @Override
+    public StepExecution start(StepContext stepContext) throws Exception {
+        return new VaultSecretStepExecution(this, stepContext);
+    }
+
+    private static final class VaultSecretStepExecution extends AbstractStepExecutionImpl {
+        private static final String CLIENT_ID_PROPERTY = "secrets_vault.client_id";
+        private static final String CLIENT_SECRET_PROPERTY = "secrets_vault.client_secret";
+        private static final String TENANT_PROPERTY = "secrets_vault.tenant";
+        private static final String TLD_PROPERTY = "secrets_vault.tld";
+
+        private static final long serialVersionUID = 1L;
+        private transient final VaultSecretStep step;
+
+        private VaultSecretStepExecution(VaultSecretStep step, StepContext context) {
+            super(context);
+            this.step = step;
+        }
+
+        @Override
+        public void onResume() {}
+
+        private void writeObject(ObjectOutputStream stream) throws Exception {
+            stream.defaultWriteObject();
+        }
+
+        private void readObject(ObjectInputStream stream) throws Exception, ClassNotFoundException {
+            stream.defaultReadObject();
+        }
+
+        @Override
+        public boolean start() throws Exception {
+            final ClientSecret clientSecret = ClientSecret.get(step.getCredentialsId(), null);
+            final VaultConfiguration configuration = VaultConfiguration.get();
+            final Map<String, Object> properties = new HashMap<>();
+            final List<String> valuesToMask = new ArrayList<>();
+
+            final AnnotationConfigApplicationContext applicationContext = new AnnotationConfigApplicationContext();
+            properties.put(CLIENT_ID_PROPERTY, clientSecret.getClientId());
+            properties.put(CLIENT_SECRET_PROPERTY, clientSecret.getSecret());
+            properties.put(TENANT_PROPERTY, StringUtils.defaultIfBlank(step.getTenant(), configuration.getTenant()));
+            properties.put(TLD_PROPERTY, StringUtils.defaultIfBlank(step.getTld(), configuration.getTld()));
+            applicationContext.getEnvironment().getPropertySources()
+                    .addLast(new MapPropertySource("properties", properties));
+
+            // Register the factoryBean from secrets-java-sdk
+            applicationContext.registerBean(SecretsVaultFactoryBean.class);
+            applicationContext.refresh();
+
+            StepContext context = getContext();
+
+            try {
+                // Fetch the secret
+                final Secret secret = applicationContext.getBean(SecretsVault.class).getSecret(step.getSecretPath());
+                valuesToMask.add(secret.getData().get(step.getSecretDataKey()));
+                context.onSuccess(secret.getData().get(step.getSecretDataKey()));
+            } catch (Exception e) {
+                context.onFailure(e);
+            }
+            applicationContext.close();
+
+            Run<?, ?> run = context.get(Run.class);
+            ConsoleLogFilter original = context.get(ConsoleLogFilter.class);
+            ConsoleLogFilter subsequent = new VaultConsoleLogFilter(run.getCharset().name(), valuesToMask);
+
+            context.newBodyInvoker().
+                withContext(BodyInvoker.mergeConsoleLogFilters(original, subsequent)).
+                withCallback(BodyExecutionCallback.wrap(context)).
+            	start();
+
+            return false;
+        }
+
+        @Override
+        public void stop(@Nonnull Throwable throwable) throws Exception {
+            getContext().onFailure(throwable);
+        }
+    }
+
+    @Extension
+    public static final class DescriptorImpl extends StepDescriptor implements Serializable {
+
+        @Override
+        public Set<? extends Class<?>> getRequiredContext() {
+            return new HashSet<Class<?>>() {{
+                add(Run.class);
+                add(TaskListener.class);
+            }};
+        }
+
+        @Override
+        public boolean takesImplicitBlockArgument() {
+            return true;
+        }
+
+        @Override
+        public String getFunctionName() {
+            return "dsvSecret";
+        }
+
+        private void writeObject(ObjectOutputStream stream) throws Exception {
+            stream.defaultWriteObject();
+        }
+
+        private void readObject(ObjectInputStream stream) throws Exception, ClassNotFoundException {
+            stream.defaultReadObject();
+        }
+    }
+}