SONARJNKNS-301 Store tokens as Secret

src/main/java/hudson/plugins/sonar/MsBuildSQRunnerBegin.java

@@ -38,6 +38,8 @@
 import java.util.LinkedHashMap;
 import java.util.Map;
 import javax.annotation.Nullable;
+
+import hudson.util.Secret;
 import jenkins.model.Jenkins;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
@@ -108,9 +110,11 @@ private static Map<String, String> getSonarProps(SonarInstallation inst) {
     Map<String, String> map = new LinkedHashMap<>();
 
     map.put("sonar.host.url", inst.getServerUrl());
-
-    if (!StringUtils.isBlank(inst.getServerAuthenticationToken())) {
-      map.put("sonar.login", inst.getServerAuthenticationToken());
+
+    Secret token = inst.getServerAuthenticationToken();
+    String tokenPlainText = token.getPlainText();
+    if (!StringUtils.isBlank(tokenPlainText)) {
+      map.put("sonar.login", tokenPlainText);
     }
 
     return map;

src/main/java/hudson/plugins/sonar/MsBuildSQRunnerEnd.java

@@ -37,6 +37,8 @@
 import java.io.IOException;
 import java.util.LinkedHashMap;
 import java.util.Map;
+
+import hudson.util.Secret;
 import jenkins.model.Jenkins;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
@@ -102,8 +104,10 @@ private static void addArgs(ArgumentListBuilder args, EnvVars env, SonarInstalla
   private static Map<String, String> getSonarProps(SonarInstallation inst) {
     Map<String, String> map = new LinkedHashMap<>();
 
-    if (!StringUtils.isBlank(inst.getServerAuthenticationToken())) {
-      map.put("sonar.login", inst.getServerAuthenticationToken());
+    Secret token = inst.getServerAuthenticationToken();
+    String tokenPlainText = token.getPlainText();
+    if (!StringUtils.isBlank(tokenPlainText)) {
+      map.put("sonar.login", tokenPlainText);
     }
 
     return map;

src/main/java/hudson/plugins/sonar/SonarBuildWrapper.java

@@ -43,6 +43,8 @@
 import java.util.List;
 import java.util.Map;
 import javax.annotation.Nullable;
+
+import hudson.util.Secret;
 import jenkins.tasks.SimpleBuildWrapper;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.Symbol;
@@ -83,7 +85,7 @@ static Map<String, String> createVars(SonarInstallation inst, EnvVars initialEnv
     map.put("SONAR_CONFIG_NAME", inst.getName());
     String hostUrl = getOrDefault(initialEnvironment.expand(inst.getServerUrl()), "http://localhost:9000");
     map.put("SONAR_HOST_URL", hostUrl);
-    String token = getOrDefault(initialEnvironment.expand(inst.getServerAuthenticationToken()), "");
+    String token = getOrDefault(initialEnvironment.expand(inst.getServerAuthenticationToken().getPlainText()), "");
     map.put("SONAR_AUTH_TOKEN", token);
 
     String mojoVersion = inst.getMojoVersion();
@@ -143,8 +145,10 @@ public ConsoleLogFilter createLoggerDecorator(Run<?, ?> build) {
 
     List<String> passwords = new ArrayList<>();
 
-    if (!StringUtils.isBlank(inst.getServerAuthenticationToken())) {
-      passwords.add(inst.getServerAuthenticationToken());
+    Secret token = inst.getServerAuthenticationToken();
+    String tokenPlainText = token.getPlainText();
+    if (!StringUtils.isBlank(tokenPlainText)) {
+      passwords.add(tokenPlainText);
     }
 
     return new SonarQubePasswordLogFilter(passwords, build.getCharset().name());

src/main/java/hudson/plugins/sonar/SonarInstallation.java

@@ -24,6 +24,8 @@
 import hudson.plugins.sonar.model.TriggersConfig;
 import java.io.Serializable;
 import javax.annotation.CheckForNull;
+
+import hudson.util.Secret;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 
@@ -39,7 +41,7 @@ public class SonarInstallation implements Serializable {
   /**
    * @since 2.4
    */
-  private String serverAuthenticationToken;
+  private Secret serverAuthenticationToken;
 
   /**
    * @since 1.5
@@ -62,7 +64,7 @@ public SonarInstallation(String name,
     String additionalAnalysisProperties) {
     this.name = name;
     this.serverUrl = serverUrl;
-    this.serverAuthenticationToken = serverAuthenticationToken;
+    this.serverAuthenticationToken = Secret.fromString(StringUtils.trimToNull(serverAuthenticationToken));
     this.additionalAnalysisProperties = additionalAnalysisProperties;
     this.mojoVersion = mojoVersion;
     this.additionalProperties = additionalProperties;
@@ -137,8 +139,8 @@ public String getServerUrl() {
   /**
    * @since 2.4
    */
-  public String getServerAuthenticationToken() {
-    return StringUtils.trimToNull(serverAuthenticationToken);
+  public Secret getServerAuthenticationToken() {
+    return serverAuthenticationToken;
   }
 
   /**

src/main/java/hudson/plugins/sonar/SonarRunnerBuilder.java

@@ -49,6 +49,8 @@
 import java.util.Properties;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
+
+import hudson.util.Secret;
 import jenkins.model.Jenkins;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
@@ -361,8 +363,10 @@ void populateConfiguration(ExtendedArgumentListBuilder args, Run<?, ?> build, Fi
     TaskListener listener, EnvVars env, @Nullable SonarInstallation si) throws IOException, InterruptedException {
     if (si != null) {
       args.append("sonar.host.url", si.getServerUrl());
-      if (StringUtils.isNotBlank(si.getServerAuthenticationToken())) {
-        args.appendMasked("sonar.login", si.getServerAuthenticationToken());
+      Secret token = si.getServerAuthenticationToken();
+      String tokenPlainText = token.getPlainText();
+      if (StringUtils.isNotBlank(tokenPlainText)) {
+        args.appendMasked("sonar.login", tokenPlainText);
       }
     }
 

src/main/java/hudson/plugins/sonar/client/SQProjectResolver.java

@@ -23,6 +23,8 @@
 import hudson.plugins.sonar.client.WsClient.CETask;
 import hudson.plugins.sonar.utils.Logger;
 import hudson.plugins.sonar.utils.Version;
+import org.apache.commons.lang.StringUtils;
+
 import java.util.logging.Level;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nullable;
@@ -52,8 +54,9 @@ public ProjectInformation resolve(@Nullable String serverUrl, @Nullable String p
     }
 
     try {
-
-      WsClient wsClient = new WsClient(client, serverUrl, inst.getServerAuthenticationToken());
+      String tokenPlainText = inst.getServerAuthenticationToken().getPlainText();
+      String tokenToPass = StringUtils.isBlank(tokenPlainText) ? null : tokenPlainText;
+      WsClient wsClient = new WsClient(client, serverUrl, tokenToPass);
       Version version = new Version(wsClient.getServerVersion());
 
       if (version.compareTo(new Version("5.6")) < 0) {

src/main/java/hudson/plugins/sonar/utils/SonarMaven.java

@@ -36,6 +36,8 @@
 import hudson.tasks.Maven;
 import hudson.util.ArgumentListBuilder;
 import java.io.IOException;
+
+import hudson.util.Secret;
 import jenkins.model.Jenkins;
 import jenkins.mvn.GlobalSettingsProvider;
 import jenkins.mvn.SettingsProvider;
@@ -95,8 +97,10 @@ protected void wrapUpArguments(ArgumentListBuilder args, String normalizedTarget
 
     argsBuilder.append("sonar.branch", publisher.getBranch());
 
-    if (StringUtils.isNotBlank(getInstallation().getServerAuthenticationToken())) {
-      argsBuilder.appendMasked("sonar.login", getInstallation().getServerAuthenticationToken());
+    Secret token = getInstallation().getServerAuthenticationToken();
+    String tokenPlainText = token.getPlainText();
+    if (StringUtils.isNotBlank(tokenPlainText)) {
+      argsBuilder.appendMasked("sonar.login", tokenPlainText);
     }
 
     if (build instanceof MavenModuleSetBuild) {

src/main/java/org/sonarsource/scanner/jenkins/pipeline/WaitForQualityGateStep.java

@@ -37,6 +37,8 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nullable;
+
+import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.Whitelisted;
 import org.jenkinsci.plugins.workflow.graph.FlowNode;
 import org.jenkinsci.plugins.workflow.steps.Step;
@@ -178,8 +180,10 @@ private boolean checkTaskCompleted() throws IOException, InterruptedException {
       }
 
       log("Checking status of SonarQube task '%s' on server '%s'", step.taskId, step.getInstallationName());
-
-      WsClient wsClient = new WsClient(new HttpClient(), step.getServerUrl(), inst.getServerAuthenticationToken());
+
+      String tokenPlainText = inst.getServerAuthenticationToken().getPlainText();
+      String tokenToPass = StringUtils.isBlank(tokenPlainText) ? null : tokenPlainText;
+      WsClient wsClient = new WsClient(new HttpClient(), step.getServerUrl(), tokenToPass);
       WsClient.CETask ceTask = wsClient.getCETask(step.getTaskId());
       log("SonarQube task '%s' status is '%s'", step.taskId, ceTask.getStatus());
       switch (ceTask.getStatus()) {

src/test/java/hudson/plugins/sonar/MsBuildSQRunnerBeginTest.java

@@ -26,6 +26,8 @@
 import hudson.plugins.sonar.AbstractMsBuildSQRunner.SonarQubeScannerMsBuildParams;
 import hudson.slaves.EnvironmentVariablesNodeProperty;
 import javax.annotation.Nullable;
+
+import hudson.util.Secret;
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
 

src/test/java/hudson/plugins/sonar/SonarInstallationTest.java

@@ -23,6 +23,8 @@
 import hudson.plugins.sonar.model.TriggersConfig;
 import java.io.File;
 import java.io.IOException;
+
+import hudson.util.Secret;
 import jenkins.model.Jenkins;
 import org.junit.Test;
 
@@ -40,7 +42,7 @@ public void testRoundtrip() throws IOException {
     d.setInstallations(new SonarInstallation(
       "Name",
       "server.url",
-      " tokenWithSpace ",
+      "token",
       "mojoVersion",
       "props",
       triggers,
@@ -52,7 +54,7 @@ public void testRoundtrip() throws IOException {
 
     assertThat(i.getName()).isEqualTo("Name");
     assertThat(i.getServerUrl()).isEqualTo("server.url");
-    assertThat(i.getServerAuthenticationToken()).isEqualTo("tokenWithSpace");
+    assertThat(i.getServerAuthenticationToken().getPlainText()).isEqualTo("token");
     assertThat(i.getMojoVersion()).isEqualTo("mojoVersion");
     assertThat(i.getAdditionalProperties()).isEqualTo("props");
     assertThat(i.getAdditionalAnalysisProperties()).isEqualTo("key=value");

src/test/java/hudson/plugins/sonar/SonarRunnerBuilderTest.java

@@ -31,6 +31,8 @@
 import hudson.util.ArgumentListBuilder;
 import java.io.File;
 import java.io.IOException;
+
+import hudson.util.Secret;
 import org.apache.commons.io.FileUtils;
 import org.junit.After;
 import org.junit.Before;
@@ -130,7 +132,7 @@ public void shouldPopulateProjectSettingsParameter() throws IOException, Interru
   public void shouldPopulateSonarToken() throws IOException, InterruptedException {
     SonarInstallation installation = mock(SonarInstallation.class);
     when(installation.getServerUrl()).thenReturn("hostUrl");
-    when(installation.getServerAuthenticationToken()).thenReturn("token");
+    when(installation.getServerAuthenticationToken()).thenReturn(Secret.fromString("token"));
 
     SonarRunnerBuilder builder = new SonarRunnerBuilder(null, null, null, null, null, null, null, null);
     builder.populateConfiguration(argsBuilder, build, build.getWorkspace(), listener, env, installation);

src/test/java/hudson/plugins/sonar/client/WsClientTest.java

@@ -27,6 +27,8 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+
+import hudson.util.Secret;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;

src/test/java/hudson/plugins/sonar/utils/SonarMavenTest.java

@@ -27,6 +27,8 @@
 import hudson.plugins.sonar.SonarPublisher;
 import hudson.util.ArgumentListBuilder;
 import java.util.List;
+
+import hudson.util.Secret;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
@@ -45,7 +47,7 @@ public void shouldWrapUpArguments() throws Exception {
     SonarPublisher publisher = mock(SonarPublisher.class);
     SonarInstallation installation = mock(SonarInstallation.class);
     when(installation.getServerUrl()).thenReturn("hostUrl");
-    when(installation.getServerAuthenticationToken()).thenReturn("xyz");
+    when(installation.getServerAuthenticationToken()).thenReturn(Secret.fromString("xyz"));
     when(publisher.getInstallation()).thenReturn(installation);
     when(publisher.getBranch()).thenReturn("branch");