Merge pull request #335 from bitwiseman/task/token-secret

bitwiseman · web-flow · commit bb557428034e · 2020-09-08T00:51:11.000-07:00
Store token as Secret instead of String
diff --git a/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java b/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java
@@ -115,6 +115,7 @@ public void setOwner(String owner) {
 
     @SuppressWarnings("deprecation") // preview features are required for GitHub app integration, GitHub api adds deprecated to all preview methods
     static AppInstallationToken generateAppInstallationToken(String appId, String appPrivateKey, String apiUrl, String owner) {
+        JenkinsJVM.checkJenkinsJVM();
         // We expect this to be fast but if anything hangs in here we do not want to block indefinitely
         try (Timeout timeout = Timeout.limit(30, TimeUnit.SECONDS)) {
             String jwtToken = createJWT(appId, appPrivateKey);
@@ -149,7 +150,8 @@ static AppInstallationToken generateAppInstallationToken(String appId, String ap
                 .create();
 
             long expiration = getExpirationSeconds(appInstallationToken);
-            AppInstallationToken token = new AppInstallationToken(appInstallationToken.getToken(),
+            AppInstallationToken token = new AppInstallationToken(
+                Secret.fromString(appInstallationToken.getToken()),
                 expiration);
             LOGGER.log(Level.FINER,
                 "Generated App Installation Token for app ID {0}",
@@ -185,7 +187,6 @@ private static long getExpirationSeconds(GHAppInstallationToken appInstallationT
     @NonNull
     @Override
     public Secret getPassword() {
-        String appInstallationToken;
         synchronized (this) {
             try {
                 if (cachedToken == null || cachedToken.isStale()) {
@@ -208,12 +209,11 @@ public Secret getPassword() {
                     throw e;
                 }
             }
-            appInstallationToken = cachedToken.getToken();
-        }
+            LOGGER.log(Level.FINEST, "Returned GitHub App Installation Token for app ID {0}", appID);
 
-        LOGGER.log(Level.FINEST, "Returned GitHub App Installation Token for app ID {0}", appID);
+            return cachedToken.getToken();
+        }
 
-        return Secret.fromString(appInstallationToken);
     }
 
     /**
@@ -265,7 +265,7 @@ static class AppInstallationToken implements Serializable {
          */
         static long NOT_STALE_MINIMUM_SECONDS = Duration.ofMinutes(1).getSeconds();
 
-        private final String token;
+        private final Secret token;
         private final long expirationEpochSeconds;
         private final long staleEpochSeconds;
 
@@ -281,7 +281,7 @@ static class AppInstallationToken implements Serializable {
          * @param token the token string
          * @param expirationEpochSeconds the time in epoch seconds that this token will expire
          */
-        public AppInstallationToken(String token, long expirationEpochSeconds) {
+        public AppInstallationToken(Secret token, long expirationEpochSeconds) {
             long now = Instant.now().getEpochSecond();
             long minimumAllowedAge = Math.max(1, NOT_STALE_MINIMUM_SECONDS);
             long maximumAllowedAge = Math.max(1, 1 + STALE_AFTER_SECONDS);
@@ -306,7 +306,7 @@ public AppInstallationToken(String token, long expirationEpochSeconds) {
             this.staleEpochSeconds = now + secondsUntilStale;
         }
 
-        public String getToken() {
+        public Secret getToken() {
             return token;
         }
 
@@ -405,7 +405,6 @@ public String getUsername() {
         public Secret getPassword() {
             JenkinsJVM.checkNotJenkinsJVM();
             try {
-                String appInstallationToken;
                 synchronized (this) {
                     try {
                         if (cachedToken == null || cachedToken.isStale()) {
@@ -427,12 +426,11 @@ public Secret getPassword() {
                             throw e;
                         }
                     }
-                    appInstallationToken = cachedToken.getToken();
-                }
+                    LOGGER.log(Level.FINEST, "Returned GitHub App Installation Token for app ID {0} on agent", appID);
 
-                LOGGER.log(Level.FINEST, "Returned GitHub App Installation Token for app ID {0} on agent", appID);
+                    return cachedToken.getToken();
+                }
 
-                return Secret.fromString(appInstallationToken);
             } catch (IOException | InterruptedException x) {
                 throw new RuntimeException(x);
             }
diff --git a/src/test/java/org/jenkinsci/plugins/github_branch_source/GithubAppCredentialsAppInstallationTokenTest.java b/src/test/java/org/jenkinsci/plugins/github_branch_source/GithubAppCredentialsAppInstallationTokenTest.java
@@ -1,5 +1,6 @@
 package org.jenkinsci.plugins.github_branch_source;
 
+import hudson.util.Secret;
 import org.junit.Test;
 
 import java.time.Duration;
@@ -17,24 +18,25 @@ public void testAppInstallationTokenStale() throws Exception {
         long now;
 
         now = Instant.now().getEpochSecond();
-        token = new GitHubAppCredentials.AppInstallationToken("", now);
+        Secret secret = Secret.fromString("secret-token");
+        token = new GitHubAppCredentials.AppInstallationToken(secret, now);
         assertThat(token.isStale(), is(false));
         assertThat(token.getTokenStaleEpochSeconds(), equalTo(now + GitHubAppCredentials.AppInstallationToken.NOT_STALE_MINIMUM_SECONDS));
 
         now = Instant.now().getEpochSecond();
-        token = new GitHubAppCredentials.AppInstallationToken("",
+        token = new GitHubAppCredentials.AppInstallationToken(secret,
             now + Duration.ofMinutes(15).getSeconds());
         assertThat(token.isStale(), is(false));
         assertThat(token.getTokenStaleEpochSeconds(), equalTo(now + GitHubAppCredentials.AppInstallationToken.NOT_STALE_MINIMUM_SECONDS));
 
         now = Instant.now().getEpochSecond();
-        token = new GitHubAppCredentials.AppInstallationToken("",
+        token = new GitHubAppCredentials.AppInstallationToken(secret,
             now + GitHubAppCredentials.AppInstallationToken.STALE_BEFORE_EXPIRATION_SECONDS + 2);
         assertThat(token.isStale(), is(false));
         assertThat(token.getTokenStaleEpochSeconds(), equalTo(now + GitHubAppCredentials.AppInstallationToken.NOT_STALE_MINIMUM_SECONDS));
 
         now = Instant.now().getEpochSecond();
-        token = new GitHubAppCredentials.AppInstallationToken("",
+        token = new GitHubAppCredentials.AppInstallationToken(secret,
             now + GitHubAppCredentials.AppInstallationToken.STALE_BEFORE_EXPIRATION_SECONDS + Duration
                 .ofMinutes(7)
                 .getSeconds());
@@ -43,7 +45,7 @@ public void testAppInstallationTokenStale() throws Exception {
             equalTo(now + Duration.ofMinutes(7).getSeconds()));
 
         now = Instant.now().getEpochSecond();
-        token = new GitHubAppCredentials.AppInstallationToken("",
+        token = new GitHubAppCredentials.AppInstallationToken(secret,
             now + Duration.ofMinutes(90).getSeconds());
         assertThat(token.isStale(), is(false));
         assertThat(token.getTokenStaleEpochSeconds(),
@@ -55,7 +57,7 @@ public void testAppInstallationTokenStale() throws Exception {
             GitHubAppCredentials.AppInstallationToken.NOT_STALE_MINIMUM_SECONDS = -10;
 
             now = Instant.now().getEpochSecond();
-            token = new GitHubAppCredentials.AppInstallationToken("", now);
+            token = new GitHubAppCredentials.AppInstallationToken(secret, now);
             assertThat(token.isStale(), is(false));
             assertThat(token.getTokenStaleEpochSeconds(), equalTo(now + 1));
 
