Merge pull request #12 from atistler/revoke-lease-vault-disposer

Revoke lease vault disposer

src/main/java/com/datapipe/jenkins/vault/VaultAccessor.java

@@ -1,17 +1,20 @@
 package com.datapipe.jenkins.vault;
 
-import java.util.Map;
-
+import java.io.Serializable;
 import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultConfig;
 import com.bettercloud.vault.VaultException;
+import com.bettercloud.vault.response.LogicalResponse;
+import com.bettercloud.vault.response.VaultResponse;
 import com.datapipe.jenkins.vault.credentials.VaultCredential;
 import com.datapipe.jenkins.vault.exception.VaultPluginException;
 
-public class VaultAccessor {
-    private Vault vault;
+public class VaultAccessor implements Serializable {
+	private static final long serialVersionUID = 1L;
+
+	private transient Vault vault;
 
-    private VaultConfig config;
+    private transient VaultConfig config;
 
     public void init(String url) {
         try {
@@ -26,11 +29,19 @@ public void auth(VaultCredential vaultCredential) {
         vault = vaultCredential.authorizeWithVault(vault, config);
     }
 
-    public Map<String, String> read(String path) {
+    public LogicalResponse read(String path) {
         try {
-            return vault.logical().read(path).getData();
+            return vault.logical().read(path);
         } catch (VaultException e) {
             throw new VaultPluginException("could not read from vault: " + e.getMessage() + " at path: " + path, e);
         }
     }
+
+    public VaultResponse revoke(String leaseId) {
+        try {
+            return vault.leases().revoke(leaseId);
+        } catch (VaultException e) {
+            throw new VaultPluginException("could not revoke vault lease (" + leaseId + "):" + e.getMessage());
+        }
+    }
 }

src/main/java/com/datapipe/jenkins/vault/VaultBuildWrapper.java

@@ -34,6 +34,7 @@
 import javax.annotation.Nonnull;
 
 import hudson.tasks.BuildWrapperDescriptor;
+import com.bettercloud.vault.response.LogicalResponse;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
@@ -87,7 +88,8 @@ public void setUp(Context context, Run<?, ?> build, FilePath workspace,
         // JENKINS-44163 - Build fails with a NullPointerException when no secrets are given for a job
         if (null != vaultSecrets && !vaultSecrets.isEmpty()) {
             try {
-                provideEnvironmentVariablesFromVault(context, build);
+                List<LogicalResponse> responses = provideEnvironmentVariablesFromVault(context, build);
+                context.setDisposer(new VaultDisposer(getConfiguration(), retrieveVaultCredentials(build), retrieveLeaseIds(responses)));
             } catch (VaultException e) {
                 e.printStackTrace(logger);
                 throw new AbortException(e.getMessage());
@@ -114,8 +116,18 @@ public void setVaultAccessor(VaultAccessor vaultAccessor) {
         this.vaultAccessor = vaultAccessor;
     }
 
+    private List<String> retrieveLeaseIds(List<LogicalResponse> logicalResponses) {
+        List<String> leaseIds = new ArrayList<>();
+        for (LogicalResponse response : logicalResponses) {
+            String leaseId = response.getLeaseId();
+            if (leaseId != null && !leaseId.isEmpty()) {
+                leaseIds.add(leaseId);
+            }
+        }
+        return leaseIds;
+    }
 
-    private void provideEnvironmentVariablesFromVault(Context context, Run build) throws VaultException {
+    private List<LogicalResponse> provideEnvironmentVariablesFromVault(Context context, Run build) throws VaultException {
         String url = getConfiguration().getVaultUrl();
 
         if (StringUtils.isBlank(url)) {
@@ -125,15 +137,18 @@ private void provideEnvironmentVariablesFromVault(Context context, Run build) th
         VaultCredential credential = retrieveVaultCredentials(build);
 
         vaultAccessor.init(url);
+        ArrayList<LogicalResponse> responses = new ArrayList<>();
         for (VaultSecret vaultSecret : vaultSecrets) {
             vaultAccessor.auth(credential);
-            Map<String, String> values = vaultAccessor.read(vaultSecret.getPath());
-
+            LogicalResponse response = vaultAccessor.read(vaultSecret.getPath());
+            responses.add(response);
+            Map<String, String> values = response.getData();
             for (VaultSecretValue value : vaultSecret.getSecretValues()) {
                 valuesToMask.add(values.get(value.getVaultKey()));
                 context.env(value.getEnvVar(), values.get(value.getVaultKey()));
             }
         }
+        return responses;
     }
 
     private VaultCredential retrieveVaultCredentials(Run build) {
@@ -159,7 +174,7 @@ private void pullAndMergeConfiguration(Run<?, ?> build) {
                 configuration = resolver.forJob(build.getParent());
             }
         }
-        if (configuration == null){
+        if (configuration == null) {
             throw new VaultPluginException("No configuration found - please configure the VaultPlugin.");
         }
     }

src/main/java/com/datapipe/jenkins/vault/VaultDisposer.java

@@ -0,0 +1,40 @@
+package com.datapipe.jenkins.vault;
+
+import com.bettercloud.vault.response.LogicalResponse;
+import com.datapipe.jenkins.vault.configuration.VaultConfiguration;
+import com.datapipe.jenkins.vault.credentials.VaultCredential;
+import hudson.FilePath;
+import hudson.Launcher;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+import jenkins.tasks.SimpleBuildWrapper;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * Created by adamtistler on 8/29/17.
+ */
+public class VaultDisposer extends SimpleBuildWrapper.Disposer {
+    private final List<String> leaseIds;
+    private final VaultConfiguration vaultConfiguration;
+    private final VaultCredential vaultCredential;
+
+    public VaultDisposer(final VaultConfiguration vaultConfiguration, final VaultCredential vaultCredential, final List<String> leaseIds) {
+        this.vaultConfiguration = vaultConfiguration;
+        this.vaultCredential = vaultCredential;
+        this.leaseIds = leaseIds;
+    }
+
+    @Override
+    public void tearDown(final Run<?, ?> build, final FilePath workspace, final Launcher launcher, final TaskListener listener) throws IOException, InterruptedException {
+        VaultAccessor vaultAccessor = new VaultAccessor();
+        vaultAccessor.init(vaultConfiguration.getVaultUrl());
+        vaultAccessor.auth(vaultCredential);
+        for (String leaseId : leaseIds) {
+            if (leaseId != null && !leaseId.isEmpty()) {
+                vaultAccessor.revoke(leaseId);
+            }
+        }
+    }
+}

src/main/java/com/datapipe/jenkins/vault/configuration/VaultConfiguration.java

@@ -1,5 +1,6 @@
 package com.datapipe.jenkins.vault.configuration;
 
+import java.io.Serializable;
 import java.util.List;
 
 import org.apache.commons.lang.StringUtils;
@@ -20,7 +21,7 @@
 import hudson.security.ACL;
 import hudson.util.ListBoxModel;
 
-public class VaultConfiguration extends AbstractDescribableImpl<VaultConfiguration> {
+public class VaultConfiguration extends AbstractDescribableImpl<VaultConfiguration> implements Serializable {
     private String vaultUrl;
 
     private String vaultCredentialId;

src/main/java/com/datapipe/jenkins/vault/credentials/VaultCredential.java

@@ -8,8 +8,10 @@
 import com.cloudbees.plugins.credentials.NameWith;
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
 
+import java.io.Serializable;
+
 @NameWith(VaultCredential.NameProvider.class)
-public interface VaultCredential extends StandardCredentials {
+public interface VaultCredential extends StandardCredentials, Serializable {
     Vault authorizeWithVault(Vault vault, VaultConfig config);
 
     class NameProvider extends CredentialsNameProvider<VaultCredential> {

src/test/java/com/datapipe/jenkins/vault/VaultBuildWrapperWithMockAccessor.java

@@ -1,5 +1,8 @@
 package com.datapipe.jenkins.vault;
 
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -8,6 +11,7 @@
 
 import org.kohsuke.stapler.DataBoundConstructor;
 
+import com.bettercloud.vault.response.LogicalResponse;
 import com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential;
 import com.datapipe.jenkins.vault.credentials.VaultCredential;
 import com.datapipe.jenkins.vault.model.VaultSecret;
@@ -44,13 +48,15 @@ public void auth(VaultCredential vaultCredential) {
             }
 
             @Override
-            public Map<String, String> read(String path) {
+            public LogicalResponse read(String path) {
                 if (!path.equals("secret/path1")) {
                     throw new AssertionError("path " + path + " does not match expected: secret/path1");
                 }
                 Map<String, String> returnValue = new HashMap<>();
                 returnValue.put("key1", "some-secret");
-                return returnValue;
+                LogicalResponse resp = mock(LogicalResponse.class);
+                when(resp.getData()).thenReturn(returnValue);
+                return resp;
             }
         });
     }

src/test/java/com/datapipe/jenkins/vault/it/VaultConfigurationIT.java

@@ -8,6 +8,7 @@
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.withSettings;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -25,6 +26,9 @@
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
 
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.response.LogicalResponse;
 import com.cloudbees.plugins.credentials.Credentials;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
@@ -81,7 +85,9 @@ private VaultAccessor mockVaultAccessor() {
       VaultAccessor vaultAccessor = mock(VaultAccessor.class);
       Map<String, String> returnValue = new HashMap<>();
       returnValue.put("key1", "some-secret");
-      when(vaultAccessor.read("secret/path1")).thenReturn(returnValue);
+      LogicalResponse resp = mock(LogicalResponse.class);
+      when(resp.getData()).thenReturn(returnValue);
+      when(vaultAccessor.read("secret/path1")).thenReturn(resp);
       return vaultAccessor;
    }
 
@@ -289,7 +295,15 @@ public void shouldFailIfCredentialsDoNotExist() throws Exception {
       jenkins.assertLogContains("CredentialsUnavailableException", build);
    }
 
-   public static Credentials createTokenCredential(final String credentialId) {
-      return new VaultAppRoleCredential(CredentialsScope.GLOBAL, credentialId, "description", "role-id-"+credentialId, Secret.fromString("secret-id-"+credentialId));
+   public static VaultAppRoleCredential createTokenCredential(final String credentialId) {
+       Vault vault = mock(Vault.class, withSettings().serializable());
+       VaultAppRoleCredential cred = mock(VaultAppRoleCredential.class, withSettings().serializable());
+       when(cred.getId()).thenReturn(credentialId);
+       when(cred.getDescription()).thenReturn("description");
+       when(cred.getRoleId()).thenReturn("role-id-" + credentialId);
+       when(cred.getSecretId()).thenReturn(Secret.fromString("secret-id-" + credentialId));
+       when(cred.authorizeWithVault((Vault)any(), (VaultConfig)any())).thenReturn(vault);
+       return cred;
+
    }
-}
+}

src/test/java/com/datapipe/jenkins/vault/it/folder/FolderIT.java

@@ -6,7 +6,7 @@
 import static com.datapipe.jenkins.vault.it.VaultConfigurationIT.createTokenCredential;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.core.Is.is;
-import static org.mockito.Mockito.any;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.anyString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
@@ -29,6 +29,7 @@
 import org.junit.Test;
 import org.jvnet.hudson.test.JenkinsRule;
 
+import com.bettercloud.vault.response.LogicalResponse;
 import com.cloudbees.hudson.plugins.folder.Folder;
 import com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider;
 import com.cloudbees.plugins.credentials.Credentials;
@@ -105,9 +106,11 @@ public void setupJenkins() throws IOException {
 
     private VaultAccessor mockVaultAccessor() {
         VaultAccessor vaultAccessor = mock(VaultAccessor.class);
+        LogicalResponse resp = mock(LogicalResponse.class);
         Map<String, String> returnValue = new HashMap<>();
         returnValue.put("key1", "some-secret");
-        when(vaultAccessor.read("secret/path1")).thenReturn(returnValue);
+        when(resp.getData()).thenReturn(returnValue);
+        when(vaultAccessor.read("secret/path1")).thenReturn(resp);
         return vaultAccessor;
     }