[JENKINS-18211] Encrypt db password and API key using Secret class

ljader · ljader · commit e7a8b4a1053b · 2016-10-22T17:38:33.000+02:00
Secret class is recommended way to store sensitive data in Jenkins.
Previously, the values was stored in plain text.
diff --git a/src/main/java/hudson/plugins/redmine/RedmineMetricsPublisher.java b/src/main/java/hudson/plugins/redmine/RedmineMetricsPublisher.java
@@ -2,6 +2,7 @@
 
 import hudson.Extension;
 import hudson.Launcher;
+import hudson.Util;
 import hudson.model.Action;
 import hudson.model.BuildListener;
 import hudson.model.AbstractBuild;
@@ -10,6 +11,7 @@
 import hudson.tasks.BuildStepMonitor;
 import hudson.tasks.Publisher;
 import hudson.util.FormValidation;
+import hudson.util.Secret;
 
 import java.io.IOException;
 import java.io.PrintStream;
@@ -22,7 +24,7 @@
 
 public class RedmineMetricsPublisher extends Publisher {
 
-	private String apiKey;
+	private Secret apiKey;
 	private String targetVersion;
 	private String ignoreTicketTracker;
 	private String ignoreTicketStatus;
@@ -31,7 +33,7 @@ public class RedmineMetricsPublisher extends Publisher {
 	@DataBoundConstructor
 	public RedmineMetricsPublisher(String apiKey, String targetVersion, String ignoreTicketTracker,
 			String ignoreTicketStatus) {
-		this.apiKey = apiKey;
+		this.apiKey = Secret.fromString(Util.fixEmptyAndTrim(apiKey));
 		this.targetVersion = targetVersion;
 		this.ignoreTicketTracker = ignoreTicketTracker;
 		this.ignoreTicketStatus = ignoreTicketStatus;
@@ -48,7 +50,7 @@ public boolean perform(AbstractBuild<?, ?> build, Launcher launcher,
         PrintStream logger = listener.getLogger();
 		
 		RedmineMetricsCalculator calculator = new RedmineMetricsCalculator(rpp.getRedmineWebsite().baseUrl,
-				apiKey, rpp.projectName, targetVersion, ignoreTicketTracker,
+				apiKey.getPlainText(), rpp.projectName, targetVersion, ignoreTicketTracker,
 				ignoreTicketStatus);
 		try {
 			List<MetricsResult> metricsList = calculator.calc();
@@ -66,7 +68,7 @@ public BuildStepMonitor getRequiredMonitorService() {
 		return BuildStepMonitor.NONE;
 	}
 
-	public String getApiKey() {
+	public Secret getApiKey() {
 		return apiKey;
 	}
 
diff --git a/src/main/java/hudson/plugins/redmine/RedmineSecurityRealm.java b/src/main/java/hudson/plugins/redmine/RedmineSecurityRealm.java
@@ -1,13 +1,15 @@
 package hudson.plugins.redmine;
 
 import hudson.Extension;
+import hudson.Util;
 import hudson.model.Descriptor;
 import hudson.plugins.redmine.dao.*;
 import hudson.plugins.redmine.util.CipherUtil;
 import hudson.plugins.redmine.util.Constants;
 import hudson.security.AbstractPasswordBasedSecurityRealm;
 import hudson.security.GroupDetails;
 import hudson.security.SecurityRealm;
+import hudson.util.Secret;
 
 import java.util.HashSet;
 import java.util.Set;
@@ -47,7 +49,7 @@ public class RedmineSecurityRealm extends AbstractPasswordBasedSecurityRealm {
     private final String dbUserName;
 
     /** Database Password */
-    private final String dbPassword;
+    private final Secret dbPassword;
 
     /** Redmine Version */
     private final String version;
@@ -92,7 +94,7 @@ public RedmineSecurityRealm(String dbms, String dbServer, String databaseName, S
             this.port = port;
 
         this.dbUserName   = dbUserName;
-        this.dbPassword   = dbPassword;
+        this.dbPassword   = Secret.fromString(Util.fixEmptyAndTrim(dbPassword));
         this.version      = StringUtils.isBlank(version)      ? Constants.VERSION_1_2_0           : version;
 
         this.loginTable   = StringUtils.isBlank(loginTable)   ? Constants.DEFAULT_LOGIN_TABLE     : loginTable;
@@ -152,7 +154,7 @@ protected UserDetails authenticate(String username, String password) throws Auth
             LOGGER.info("DB Port           : " + this.port);
             LOGGER.info("Database Name     : " + this.databaseName);
 
-            dao.open(this.dbServer, this.port, this.databaseName, this.dbUserName, this.dbPassword);
+            dao.open(this.dbServer, this.port, this.databaseName, this.dbUserName, this.dbPassword.getPlainText());
 
             if (!dao.isTable(this.loginTable))
                 throw new RedmineAuthenticationException("RedmineSecurity: Invalid Login Table");
@@ -200,7 +202,7 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
         try {
             dao = createAuthDao(this.dbms);
 
-            dao.open(this.dbServer, this.port, this.databaseName, this.dbUserName, this.dbPassword);
+            dao.open(this.dbServer, this.port, this.databaseName, this.dbUserName, this.dbPassword.getPlainText());
 
             if (!dao.isTable(this.loginTable))
                 throw new RedmineAuthenticationException("RedmineSecurity: Invalid Login Table");
@@ -301,7 +303,7 @@ public String getDbUserName() {
      *
      * @return
      */
-    public String getDbPassword() {
+    public Secret getDbPassword() {
         return dbPassword;
     }
 
