[JENKINS-62375] Fix/secret token #91
Conversation
| private void generateSecretToken() { | ||
| byte[] random = new byte[16]; // 16x8=128bit worth of randomness, since we use md5 digest as the API token | ||
| RANDOM.nextBytes(random); | ||
| this.secretToken = Util.toHexString(random); | ||
| } | ||
|
|
There was a problem hiding this comment.
Yes, will be used by some UI element to trigger this method, thats a TODO on me.
src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer.java
Outdated
Show resolved
Hide resolved
| private boolean isValidToken(String secretToken) { | ||
| List<GitLabServer> servers = GitLabServers.get().getServers(); | ||
| for(GitLabServer server: servers) { | ||
| if(server.getSecretToken().equals(secretToken)) { | ||
| return true; | ||
| } | ||
| } | ||
| return false; | ||
| } |
| String secretToken = request.getHeader("X-Gitlab-Token"); | ||
| if(!isValidToken(secretToken)) { | ||
| return HttpResponses.error(HttpServletResponse.SC_UNAUTHORIZED, | ||
| "Expecting a valid secret token"); | ||
| } |
There was a problem hiding this comment.
Not sure what you mean by that?
src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabHookCreator.java
Outdated
Show resolved
Hide resolved
src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer.java
Outdated
Show resolved
Hide resolved
src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer.java
Outdated
Show resolved
Hide resolved
src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer.java
Outdated
Show resolved
Hide resolved
src/main/resources/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer/config.groovy
Outdated
Show resolved
Hide resolved
| private boolean isValidToken(String secretToken) { | ||
| List<GitLabServer> servers = GitLabServers.get().getServers(); | ||
| for(GitLabServer server: servers) { | ||
| if(server.getSecretToken().equals(secretToken)) { |
There was a problem hiding this comment.
Might not be the correct way as there are potential null pointers lurking.
| if(server.getSecretToken().equals(secretToken)) { | |
| if(server.getSecretToken().getPlainValue().equals(secretToken)) { |
There was a problem hiding this comment.
Adding a try catch should solve this?
|
|
|
if manage hooks are enabled they do not need to know the secret token. if manage hooks are disabled they can manually add a secret token and than they would have to go to gitlab and manually input that token. |
|
@jetersen I attempted to create a generateSecretToken button that sets the secret token field but since we are using JS to add value to the field, the token value is null. Can we revert back to String field instead of Secret? Is there a Java way to populate TextField on button click? |
|
This change forces secret token to be set. This definitely seems like a breaking change. |
| @@ -84,14 +84,15 @@ public static void register(GitLabSCMSource source, | |||
| return; | |||
| } | |||
| String hookUrl = getHookUrl(server, true); | |||
| String secretToken = server.getSecretToken().getPlainText(); | |||
There was a problem hiding this comment.
If secretToken is null it leads to Exception https://pastebin.com/ptxv5DLz
There was a problem hiding this comment.
I created a PR against this. #105
Please feel free to help me to review it.
https://issues.jenkins-ci.org/browse/JENKINS-62375