Skip to content
Permalink
Browse files
[FIXED JENKINS-23033] don’t use String but Secret to store password
UI binding will use a cipher and avoid it to be exposed as plain text in HTML form.
  • Loading branch information
ndeloof committed Sep 9, 2014
1 parent 9298264 commit 5e391d94d936c5837048d63eb83b7a11a9ffdcdd
Show file tree
Hide file tree
Showing 4 changed files with 27 additions and 8 deletions.
@@ -3,7 +3,7 @@
<parent>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>plugin</artifactId>
<version>1.436</version>
<version>1.532</version>
</parent>

<artifactId>tfs</artifactId>
@@ -12,6 +12,7 @@
import java.util.logging.Logger;
import java.util.regex.Pattern;

import hudson.util.Secret;
import net.sf.json.JSONObject;

import org.apache.commons.lang.StringUtils;
@@ -75,7 +76,8 @@ public class TeamFoundationServerScm extends SCM {
private final String projectPath;
private final String localPath;
private final String workspaceName;
private final String userPassword;
private transient @Deprecated String userPassword;
private /* almost final */ Secret password;
private final String userName;
private final boolean useUpdate;

@@ -84,17 +86,29 @@ public class TeamFoundationServerScm extends SCM {
private transient String normalizedWorkspaceName;
private transient String workspaceChangesetVersion;

private static final Logger logger = Logger.getLogger(TeamFoundationServerScm.class.getName());
private static final Logger logger = Logger.getLogger(TeamFoundationServerScm.class.getName());

@Deprecated
public TeamFoundationServerScm(String serverUrl, String projectPath, String localPath, boolean useUpdate, String workspaceName, String userName, String password) {
this(serverUrl, projectPath, localPath, useUpdate, workspaceName, userName, Secret.fromString(password));
}

@DataBoundConstructor
public TeamFoundationServerScm(String serverUrl, String projectPath, String localPath, boolean useUpdate, String workspaceName, String userName, String userPassword) {
public TeamFoundationServerScm(String serverUrl, String projectPath, String localPath, boolean useUpdate, String workspaceName, String userName, Secret password) {
this.serverUrl = serverUrl;
this.projectPath = projectPath;
this.useUpdate = useUpdate;
this.localPath = (Util.fixEmptyAndTrim(localPath) == null ? "." : localPath);
this.workspaceName = (Util.fixEmptyAndTrim(workspaceName) == null ? "Hudson-${JOB_NAME}-${NODE_NAME}" : workspaceName);
this.userName = userName;
this.userPassword = Scrambler.scramble(userPassword);
this.password = password;
}

/* Migrate legacy data */
private Object readResolve() {
if (password == null && userPassword != null)
password = Secret.fromString(Scrambler.scramble(userPassword));
return this;
}

// Bean properties need for job configuration
@@ -119,7 +133,11 @@ public boolean isUseUpdate() {
}

public String getUserPassword() {
return Scrambler.descramble(userPassword);
return Secret.toString(password);
}

public Secret getPassword() {
return password;
}

public String getUserName() {
@@ -16,7 +16,7 @@
</f:entry>

<f:entry title="User password">
<input type="password" class="setting-input" name="tfs.userPassword" value="${scm.userPassword}"/>
<input type="password" class="setting-input" name="tfs.password" value="${scm.password}"/>
</f:entry>

<f:advanced>
@@ -11,6 +11,7 @@

import java.net.URL;

import hudson.util.Secret;
import org.junit.Test;
import org.jvnet.hudson.test.Bug;

@@ -49,7 +50,7 @@ public void assertChangeSetLinkWithOnlyServerUrlWithTrailingSlash() throws Excep
AbstractBuild build = mock(AbstractBuild.class);
AbstractProject<?,?> project = mock(AbstractProject.class);
when(build.getProject()).thenReturn(project);
when(project.getScm()).thenReturn(new TeamFoundationServerScm("http://server:80", null, null, false, null, null, null));
when(project.getScm()).thenReturn(new TeamFoundationServerScm("http://server:80", null, null, false, null, null, (Secret) null));

ChangeSet changeset = new ChangeSet("62643", null, "user", "comment");
new ChangeLogSet(build, new ChangeSet[]{ changeset});

0 comments on commit 5e391d9

Please sign in to comment.