Add CredentialsUseListener to improve tracking of Credentials usage #295

Merged (7 commits) on Apr 19, 2022

meiswjn (Contributor) commented Mar 25, 2022

This change will make tracking Credentials usage much easier, independent of Fingerprints. So far it was necessary to use the SaveableListener provided by the Fingerprints to subscribe to Credentials usage. Because certain credential consumers do not create fingerprints, this approach is flawed.

Creating the listener gives a lightweight method of tracking Credentials usage, improving overall security.

Tests are not provided, as the logic of the abstract functions is to be implemented by plugins using this approach. Tests are included in the plugin mentioned below.

Use case: jenkinsci/audit-trail-plugin#68

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fixes the issue

jglick (Member) left a comment

Is there a downstream PR in some plugin showing what this would be used for?

meiswjn (Contributor, Author) commented Mar 28, 2022

Thanks for your review, @jglick! I implemented all suggestions.

> Is there a downstream PR in some plugin showing what this would be used for?

I am trying to track all objects that access credentials in an audit log (See downstream PR jenkinsci/audit-trail-plugin#68).

This works well for most cases, but not all. For example, the GitHub Branch Source plugin accesses credentials via CredentialMatchers as seen in the class GitHubSCMBuilder. If anyone has an idea how to track that kind of access, please let me know.

jglick (Member) commented Mar 28, 2022

> how to track that kind of access

Best to move track calls upstream into this plugin where possible. Recheck behavior after jenkinsci/github-branch-source-plugin#527, and see my comment in #293 (this PR would be a reasonable place to fix up any missing tracking).

@meiswjn meiswjn marked this pull request as ready for review March 30, 2022 11:07
@meiswjn meiswjn requested a review from jglick April 1, 2022 11:23
jglick (Member) left a comment

Looks fine to me. Did you successfully use this API revision in the downstream PR?

meiswjn (Contributor, Author) commented Apr 19, 2022

Yes, the new API revision works perfectly.

@jglick jglick merged commit e05618c into jenkinsci:master Apr 19, 2022
jglick (Member) commented Apr 19, 2022

If all goes well, a new release should appear shortly.
