piperExecuteBin: provide credentials directly without indirection into config (#2437)

`piperExecuteBin` is called with a credentials list. Each list entry is a map consisting of * the type of the credential (e.g. usernamePassword, token) * the identifier which is used for resolving the credential. * a list of environment variables which holds the resolved credentials. Inside `piperExecuteBin` the id was resolved against the config and the result was used for resolving the credentials against the jenkins-credentials-plugin. With this change here we introduce another key for the map mentioned above: * resolveCredentialsId When this key is provided with value `false` we do not resolve the credentials-id from the config. In that case the id is directly used for resolving the credential again the jenkins-credentials-plugin.
2025-02-11 13:53:53 +02:00 · 2020-12-07 08:54:49 +01:00 · 2020-12-07 08:54:49 +01:00 · 17bdbe2ef4
commit 17bdbe2ef4
parent fac4af231f
2 changed files with 54 additions and 16 deletions
--- a/test/groovy/PiperExecuteBinTest.groovy
+++ b/test/groovy/PiperExecuteBinTest.groovy
@ -152,6 +152,32 @@ class PiperExecuteBinTest extends BasePiperTest {
        assertThat(artifacts[0], allOf(hasEntry('artifacts', '1234.pdf'), hasEntry('allowEmptyArchive', false)))
    }

+    @Test
+    void testPiperExecuteBinDontResolveCredentialsAndNoCredId() {
+
+        // In case we have a credential entry without Id we drop that silenty.
+        // Maybe we should revisit that and fail in this case.
+
+        shellCallRule.setReturnValue('./piper getConfig --contextConfig --stepMetadata \'.pipeline/tmp/metadata/test.yaml\'', '{"dockerImage":"my.Registry/my/image:latest"}')
+
+        List stepCredentials = [
+            [type: 'token', env: ['PIPER_credTokenNoResolve'], resolveCredentialsId: false],
+        ]
+
+        stepRule.step.piperExecuteBin(
+            [
+                juStabUtils: utils,
+                jenkinsUtilsStub: jenkinsUtils,
+                testParam: "This is test content",
+                script: nullScript
+            ],
+            'testStep',
+            'metadata/test.yaml',
+            stepCredentials
+        )
+        assertThat(credentials.size(), is(0))
+    }
+
    @Test
    void testPiperExecuteBinSomeCredentials() {
        shellCallRule.setReturnValue('./piper getConfig --contextConfig --stepMetadata \'.pipeline/tmp/metadata/test.yaml\'', '{"fileCredentialsId":"credFile", "tokenCredentialsId":"credToken", "dockerImage":"my.Registry/my/image:latest"}')
@ -159,6 +185,9 @@ class PiperExecuteBinTest extends BasePiperTest {
        List stepCredentials = [
            [type: 'file', id: 'fileCredentialsId', env: ['PIPER_credFile']],
            [type: 'token', id: 'tokenCredentialsId', env: ['PIPER_credToken']],
+            // for the entry below we don't have a config lookup.
+            [type: 'token', id: 'tokenCredentialsIdNoResolve', env: ['PIPER_credTokenNoResolve'], resolveCredentialsId: false],
+            [type: 'token', id: 'tokenCredentialsIdNotContainedInConfig', env: ['PIPER_credToken_doesNotMatter']],
            [type: 'usernamePassword', id: 'credentialsId', env: ['PIPER_user', 'PIPER_password']],
        ]
        stepRule.step.piperExecuteBin(
@ -173,9 +202,10 @@ class PiperExecuteBinTest extends BasePiperTest {
            stepCredentials
        )
        // asserts
-        assertThat(credentials.size(), is(2))
+        assertThat(credentials.size(), is(3))
        assertThat(credentials[0], allOf(hasEntry('credentialsId', 'credFile'), hasEntry('variable', 'PIPER_credFile')))
        assertThat(credentials[1], allOf(hasEntry('credentialsId', 'credToken'), hasEntry('variable', 'PIPER_credToken')))
+        assertThat(credentials[2], allOf(hasEntry('credentialsId', 'tokenCredentialsIdNoResolve'), hasEntry('variable', 'PIPER_credTokenNoResolve')))
    }

    @Test
--- a/vars/piperExecuteBin.groovy
+++ b/vars/piperExecuteBin.groovy
@ -164,21 +164,29 @@ void credentialWrapper(config, List credentialInfo, body) {
        def creds = []
        def sshCreds = []
        credentialInfo.each { cred ->
-            switch(cred.type) {
-                case "file":
-                    if (config[cred.id]) creds.add(file(credentialsId: config[cred.id], variable: cred.env[0]))
-                    break
-                case "token":
-                    if (config[cred.id]) creds.add(string(credentialsId: config[cred.id], variable: cred.env[0]))
-                    break
-                case "usernamePassword":
-                    if (config[cred.id]) creds.add(usernamePassword(credentialsId: config[cred.id], usernameVariable: cred.env[0], passwordVariable: cred.env[1]))
-                    break
-                case "ssh":
-                    if (config[cred.id]) sshCreds.add(config[cred.id])
-                    break
-                default:
-                    error ("invalid credential type: ${cred.type}")
+            def credentialsId
+            if (cred.resolveCredentialsId == false) {
+                credentialsId = cred.id
+            } else {
+                credentialsId = config[cred.id]
+            }
+            if (credentialsId) {
+                switch(cred.type) {
+                    case "file":
+                        creds.add(file(credentialsId: credentialsId, variable: cred.env[0]))
+                        break
+                    case "token":
+                        creds.add(string(credentialsId: credentialsId, variable: cred.env[0]))
+                        break
+                    case "usernamePassword":
+                        creds.add(usernamePassword(credentialsId: credentialsId, usernameVariable: cred.env[0], passwordVariable: cred.env[1]))
+                        break
+                    case "ssh":
+                        sshCreds.add(credentialsId)
+                        break
+                    default:
+                        error ("invalid credential type: ${cred.type}")
+                }
            }
        }