[JENKINS-50216] - Make RemotableGoogleCredentials compatible with JEP-200 in Jenkins 2.102+ #15
Conversation
pom.xml
Outdated
| @@ -18,7 +18,7 @@ | |||
| <parent> | |||
| <groupId>org.jenkins-ci.plugins</groupId> | |||
| <artifactId>plugin</artifactId> | |||
| <version>2.5</version> | |||
| <version>3.5</version> | |||
pom.xml
Outdated
| @@ -112,7 +94,7 @@ | |||
| <plugin> | |||
| <groupId>org.codehaus.mojo</groupId> | |||
| <artifactId>findbugs-maven-plugin</artifactId> | |||
| <version>3.0.1</version> | |||
| <version>3.0.5</version> | |||
| <configuration> | |||
| <effort>Max</effort> | |||
| <threshold>Medium</threshold> | |||
pom.xml
Outdated
| @@ -200,7 +183,6 @@ | |||
| <dependency> | |||
| <groupId>junit</groupId> | |||
| <artifactId>junit</artifactId> | |||
|
Forgot to submit Jenkinsfile. Will do it tomorrow along with the comments cleanup |
|
Needs #16 to be merged before we can proceed |
oleg-nenashev
changed the title
oleg-nenashev
changed the title
Jenkinsfile
Outdated
| @@ -0,0 +1,2 @@ | |||
| // Build the plugin using https://github.com/jenkins-infra/pipeline-library | |||
| buildPlugin(jenkinsVersions: [null, '2.107.2'], failFast: false) | |||
| @@ -70,7 +79,7 @@ public RemotableGoogleCredentials( | |||
| throw new GeneralSecurityException( | |||
| Messages.RemotableGoogleCredentials_NoAccessToken(), e); | |||
| } | |||
| this.accessToken = checkNotNull(credential.getAccessToken()); | |||
| this.accessToken = mock ? "MOCKED" : checkNotNull(credential.getAccessToken()); | |||
| this.expiration = new DateTime().plusSeconds( | |||
There was a problem hiding this comment.
I would rather just see this field converted to a simple long (msec since epoch), in which case JodaDateTimeConverter would be purely for compatibility with old settings and its marshal could throw UnsupportedOperationException.
|
"src/test/java/com/google/jenkins/plugins/credentials/oauth/P12ServiceAccountConfigTestUtil.java:[39,36] package org.bouncycastle.cert.jcajce does not exist" this is the biggest issue for me. Since we are not using PCT (needs jenkins-infra/pipeline-library#35), something is going on with BouncyCastle APIs. Likely I will need to add dependency on https://github.com/jenkinsci/bouncycastle-api-plugin or modify tests a bit |
| @@ -0,0 +1,115 @@ | |||
| /* | |||
| * Copyright 2018 CloudBees, Inc. | |||
There was a problem hiding this comment.
@astroilov I would appreciate guidance regarding it. Your current checkstyle configuration requires Google to be a copyright owner. AFAICT it is no longer required after #16, right?
There was a problem hiding this comment.
I believe that to be correct, but I'll check with our opensource compliance team just in case.
There was a problem hiding this comment.
@astroilov 👍 Note that the current title in Google licenses may also need clarification with this team ("Copyright 2013 Google Inc. All Rights Reserved."). "All Rights Reserved" IMHO contradicts with Apache v.2 license which is used in the plugin, but IANAL
…ired in the plugin
Currently it converts to a 1-liner string: <expiration millis="1523953488567" timezone="Europe/Zurich"/>IMHO it's good enough. Of course I could convert the field to |
…n JEP-200 blacklist
…o need to tweak converter priorities
Besides the timezone being irrelevant (AFAICT), this continues to persist a Joda type to XML, which is what I would like to avoid. So I am -0 on this approach. Rather, |
| GoogleRobotCredentials credentials, | ||
| GoogleOAuth2ScopeRequirement requirement, | ||
| GoogleRobotCredentialsModule module, | ||
| boolean mock) throws GeneralSecurityException { |
There was a problem hiding this comment.
I don't like having explicit mock or testing options in the core code; the code should ideally be constructed in such a way as to make this unnecessary, and having mock options in security-related code in particular is concerning.
It appears that the only effect of this is to ignore the access token's expiration and the token string. It seems like that could be achieved by having test code construct its GoogleRobotCredentials object with appropriate expiration and string data. The tests are already using a FakeGoogleCredentials class, so they should be able to control that - is there a reason not to take that approach?
I have just did some facelifting work during the investigation of https://issues.jenkins-ci.org/browse/JENKINS-50216 . This patch enables PCT runs for the recent versions
I have not signed the Google CLA yet though: https://cla.developers.google.com/ , but #16 states that it's not required anymore. I assume that the copyright requirement in Checkstyle is also outdated then.
DateTimeclass, which replaces the format by a JEP-200-free layout and also adds support of old object deserialization@reviewbybees @jglick