Feature: Add the possibility to define SP Credential scope via env/system properties (#331)

Author: vivienfricadelamadeus

README.md

@@ -57,6 +57,7 @@ User or System Assigned Managed Identity:
 
 ```bash
 -Djenkins.azure-keyvault.uami.enabled=true
+-Djenkins.azure-keyvault.sp.scope=(GLOBAL|SYSTEM) # defaults to global
 ```
 
 Service principal:
@@ -66,6 +67,7 @@ Service principal:
 -Djenkins.azure-keyvault.sp.client_secret=...
 -Djenkins.azure-keyvault.sp.subscription_id=...
 -Djenkins.azure-keyvault.sp.tenant_id=...
+-Djenkins.azure-keyvault.sp.scope=(GLOBAL|SYSTEM) # defaults to global
 ```
 
 ### Via environment variables
@@ -80,6 +82,7 @@ User or System Assigned Managed Identity:
 
 ```bash
 AZURE_KEYVAULT_UAMI_ENABLED=true
+AZURE_KEYVAULT_SP_SCOPE=(GLOBAL|SYSTEM) # defaults to global
 ```
 
 Service principal:
@@ -89,6 +92,7 @@ AZURE_KEYVAULT_SP_CLIENT_ID=...
 AZURE_KEYVAULT_SP_CLIENT_SECRET=...
 AZURE_KEYVAULT_SP_SUBSCRIPTION_ID=...
 AZURE_KEYVAULT_SP_TENANT_ID=...
+AZURE_KEYVAULT_SP_SCOPE=(GLOBAL|SYSTEM) # defaults to global
 ```
 
 ## Passing a Secret File
@@ -99,13 +103,15 @@ It's possible to pass the secret from a file instead of passing the client secre
 -Djenkins.azure-keyvault.sp.client_secret_file=/path/to/secret/secretFile
 -Djenkins.azure-keyvault.sp.subscription_id=...
 -Djenkins.azure-keyvault.sp.tenant_id=...
+-Djenkins.azure-keyvault.sp.scope=(GLOBAL|SYSTEM) # defaults to global
 ```
 
 ```bash
 AZURE_KEYVAULT_SP_CLIENT_ID=...
 AZURE_KEYVAULT_SP_CLIENT_SECRET_FILE=/path/to/secret/secretFile
 AZURE_KEYVAULT_SP_SUBSCRIPTION_ID=...
 AZURE_KEYVAULT_SP_TENANT_ID=...
+AZURE_KEYVAULT_SP_SCOPE=(GLOBAL|SYSTEM) # defaults to global
 ```
 
 The plugin will parse the contents of the file as is.  The file should only contain the client_secret value.

src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfiguration.java

@@ -24,6 +24,7 @@
 import java.util.logging.Logger;
 import jenkins.model.GlobalConfiguration;
 import jenkins.model.Jenkins;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.jenkinsci.Symbol;
 import org.kohsuke.stapler.AncestorInPath;
@@ -97,18 +98,23 @@ private Optional<String> resolveCredentialIdFromEnvironment() {
                 .filter(credentials -> (credentials instanceof AzureCredentials || credentials instanceof AzureImdsCredentials) && ((IdCredentials) credentials).getId().equals(GENERATED_ID))
                 .findAny();
 
-        String uami = getPropertyByEnvOrSystemProperty("AZURE_KEYVAULT_UAMI_ENABLED", "jenkins.azure-keyvault.uami.enabled")
-                .orElse("false");
+        boolean isUami = getPropertyByEnvOrSystemProperty("AZURE_KEYVAULT_UAMI_ENABLED", "jenkins.azure-keyvault.uami.enabled")
+                .map(u -> "true".equals(u))
+                .orElse(false);
+
+        CredentialsScope scope = getPropertyByEnvOrSystemProperty("AZURE_KEYVAULT_SP_SCOPE", "jenkins.azure-keyvault.sp.scope")
+                .map(s -> "SYSTEM".equalsIgnoreCase(s) ? CredentialsScope.SYSTEM : CredentialsScope.GLOBAL)
+                .orElse(CredentialsScope.GLOBAL);
 
         AzureBaseCredentials credentials;
-        if (uami.equals("true")) {
-            if (optionalCredentials.isPresent() && optionalCredentials.get() instanceof AzureImdsCredentials) {
+        if (isUami) {
+            if (optionalCredentials.filter(c -> c instanceof AzureImdsCredentials && scope.equals(c.getScope())).isPresent()) {
                 // don't overwrite the credential if it matches what we currently have so as we don't save to disk all the time
                 return Optional.empty();
             }
 
             credentials = new AzureImdsCredentials(
-                    CredentialsScope.GLOBAL, GENERATED_ID, GENERATED_DESCRIPTION
+                    scope, GENERATED_ID, GENERATED_DESCRIPTION
             );
             storeCredential(credentials);
             return Optional.of(credentials.getId());
@@ -134,24 +140,26 @@ private Optional<String> resolveCredentialIdFromEnvironment() {
                         clientId,
                         clientSecret,
                         subscriptionId,
-                        tenantId)
+                        tenantId,
+                        scope)
         ) {
             // don't overwrite the credential if it matches what we currently have so as we don't save to disk all the time
             return Optional.empty();
         }
 
-        AzureCredentials azureCredentials = new AzureCredentials(CredentialsScope.GLOBAL, GENERATED_ID, GENERATED_DESCRIPTION, subscriptionId, clientId, clientSecret);
+        AzureCredentials azureCredentials = new AzureCredentials(scope, GENERATED_ID, GENERATED_DESCRIPTION, subscriptionId, clientId, clientSecret);
         azureCredentials.setTenant(tenantId);
 
         storeCredential(azureCredentials);
         return Optional.of(azureCredentials.getId());
     }
 
-    private boolean azureCredentialIsEqual(AzureCredentials creds, String clientId, String clientSecret, String subscriptionId, String tenantId) {
+    private boolean azureCredentialIsEqual(AzureCredentials creds, String clientId, String clientSecret, String subscriptionId, String tenantId, CredentialsScope scope) {
         return StringUtils.equals(creds.getClientId(), clientId) &&
                 StringUtils.equals(creds.getPlainClientSecret(), clientSecret) &&
                 StringUtils.equals(creds.getSubscriptionId(), subscriptionId) &&
-                StringUtils.equals(creds.getTenant(), tenantId);
+                StringUtils.equals(creds.getTenant(), tenantId) &&
+                ObjectUtils.equals(creds.getScope(), scope);
     }
 
     private Optional<String> getPropertyByEnvOrSystemProperty(String envVariable, String systemProperty) {

src/test/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfigurationEnvVarSPSecretFileTest.java

@@ -1,6 +1,7 @@
 package org.jenkinsci.plugins.azurekeyvaultplugin;
 
 import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.microsoft.azure.util.AzureCredentials;
 import org.junit.jupiter.api.Test;
@@ -37,5 +38,23 @@ void testValuesSet(JenkinsRule j) {
         assertThat(azureCredentials.getPlainClientSecret(), is("1255534"));
         assertThat(azureCredentials.getSubscriptionId(), is("5678"));
         assertThat(azureCredentials.getTenant(), is("tenant_id"));
+        assertThat(azureCredentials.getScope(), is(CredentialsScope.GLOBAL));
+    }
+
+    @Test
+    @SetEnvironmentVariable(key = "AZURE_KEYVAULT_SP_SCOPE", value = "SYSTEM")
+    void testValuesSetWithScope(JenkinsRule j) {
+        AzureKeyVaultGlobalConfiguration configuration = AzureKeyVaultGlobalConfiguration.get();
+
+        assertThat(configuration.getCredentialID(), is(AzureKeyVaultGlobalConfiguration.GENERATED_ID));
+        assertThat(configuration.getCredentialID(), is(AzureKeyVaultGlobalConfiguration.GENERATED_ID));
+        assertThat(configuration.getKeyVaultURL(), is("https://mine.vault.azure.net"));
+
+        Credentials credentials = SystemCredentialsProvider.getInstance().getCredentials().get(0);
+
+        assertThat(credentials, instanceOf(AzureCredentials.class));
+        AzureCredentials azureCredentials = (AzureCredentials) credentials;
+
+        assertThat(azureCredentials.getScope(), is(CredentialsScope.SYSTEM));
     }
 }

src/test/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfigurationEnvVarSPTest.java

@@ -1,6 +1,7 @@
 package org.jenkinsci.plugins.azurekeyvaultplugin;
 
 import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.microsoft.azure.util.AzureCredentials;
 import org.junit.jupiter.api.Test;
@@ -37,5 +38,27 @@ void testValuesSet(JenkinsRule j) {
         assertThat(azureCredentials.getPlainClientSecret(), is("1255534"));
         assertThat(azureCredentials.getSubscriptionId(), is("5678"));
         assertThat(azureCredentials.getTenant(), is("tenant_id"));
+        assertThat(azureCredentials.getScope(), is(CredentialsScope.GLOBAL));
+    }
+
+    @Test
+    @SetEnvironmentVariable(key = "AZURE_KEYVAULT_SP_SCOPE", value = "SYSTEM")
+    void testValuesSetWithScope(JenkinsRule j) {
+        AzureKeyVaultGlobalConfiguration configuration = AzureKeyVaultGlobalConfiguration.get();
+
+        assertThat(configuration.getCredentialID(), is(AzureKeyVaultGlobalConfiguration.GENERATED_ID));
+        assertThat(configuration.getCredentialID(), is(AzureKeyVaultGlobalConfiguration.GENERATED_ID));
+        assertThat(configuration.getKeyVaultURL(), is("https://mine.vault.azure.net"));
+
+        Credentials credentials = SystemCredentialsProvider.getInstance().getCredentials().get(0);
+
+        assertThat(credentials, instanceOf(AzureCredentials.class));
+        AzureCredentials azureCredentials = (AzureCredentials) credentials;
+
+        assertThat(azureCredentials.getClientId(), is("1234"));
+        assertThat(azureCredentials.getPlainClientSecret(), is("1255534"));
+        assertThat(azureCredentials.getSubscriptionId(), is("5678"));
+        assertThat(azureCredentials.getTenant(), is("tenant_id"));
+        assertThat(azureCredentials.getScope(), is(CredentialsScope.SYSTEM));
     }
 }

src/test/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfigurationEnvVarUamiTest.java

@@ -1,6 +1,7 @@
 package org.jenkinsci.plugins.azurekeyvaultplugin;
 
 import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.microsoft.azure.util.AzureImdsCredentials;
 import org.junit.jupiter.api.Test;
@@ -27,5 +28,20 @@ void testValuesSet(JenkinsRule j) {
         Credentials credentials = SystemCredentialsProvider.getInstance().getCredentials().get(0);
 
         assertThat(credentials, instanceOf(AzureImdsCredentials.class));
+        assertThat(credentials.getScope(), is(CredentialsScope.GLOBAL));
+    }
+
+    @Test
+    @SetEnvironmentVariable(key = "AZURE_KEYVAULT_SP_SCOPE", value = "SYSTEM")
+    void testValuesSetWithScope(JenkinsRule j) {
+        AzureKeyVaultGlobalConfiguration configuration = AzureKeyVaultGlobalConfiguration.get();
+
+        assertThat(configuration.getCredentialID(), is(AzureKeyVaultGlobalConfiguration.GENERATED_ID));
+        assertThat(configuration.getKeyVaultURL(), is("https://mine.vault.azure.net"));
+
+        Credentials credentials = SystemCredentialsProvider.getInstance().getCredentials().get(0);
+
+        assertThat(credentials, instanceOf(AzureImdsCredentials.class));
+        assertThat(credentials.getScope(), is(CredentialsScope.SYSTEM));
     }
 }

src/test/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfigurationSystemPropertySPSecretFileTest.java

@@ -1,6 +1,7 @@
 package org.jenkinsci.plugins.azurekeyvaultplugin;
 
 import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.microsoft.azure.util.AzureCredentials;
 import java.util.List;
@@ -34,6 +35,7 @@ void after() {
         System.clearProperty("jenkins.azure-keyvault.sp.subscription_id");
         System.clearProperty("jenkins.azure-keyvault.sp.tenant_id");
         System.clearProperty("jenkins.azure-keyvault.uami.enabled");
+        System.clearProperty("jenkins.azure-keyvault.sp.scope");
     }
 
     @Test
@@ -52,13 +54,15 @@ void testValuesSet(JenkinsRule j) {
         assertThat(azureCredentials.getPlainClientSecret(), is("1255534"));
         assertThat(azureCredentials.getSubscriptionId(), is("5678"));
         assertThat(azureCredentials.getTenant(), is("tenant_id"));
+        assertThat(azureCredentials.getScope(), is(CredentialsScope.GLOBAL));
 
         // Test updating value
         System.setProperty("jenkins.azure-keyvault.url", "https://mine2.vault.azure.net");
         System.setProperty("jenkins.azure-keyvault.sp.client_id", "5678");
         System.setProperty("jenkins.azure-keyvault.sp.client_secret_file", "src/test/resources/org/jenkinsci/plugins/azurekeyvaultplugin/secretfile2");
         System.setProperty("jenkins.azure-keyvault.sp.subscription_id", "9999");
         System.setProperty("jenkins.azure-keyvault.sp.tenant_id", "11111");
+        System.setProperty("jenkins.azure-keyvault.sp.scope", "system");
 
         configuration = AzureKeyVaultGlobalConfiguration.get();
 
@@ -74,5 +78,6 @@ void testValuesSet(JenkinsRule j) {
         assertThat(azureCredentialsUpdated.getPlainClientSecret(), is("99999"));
         assertThat(azureCredentialsUpdated.getSubscriptionId(), is("9999"));
         assertThat(azureCredentialsUpdated.getTenant(), is("11111"));
+        assertThat(azureCredentialsUpdated.getScope(), is(CredentialsScope.SYSTEM));
     }
 }

src/test/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfigurationSystemPropertySPTest.java

@@ -1,6 +1,7 @@
 package org.jenkinsci.plugins.azurekeyvaultplugin;
 
 import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.microsoft.azure.util.AzureCredentials;
 import com.microsoft.azure.util.AzureImdsCredentials;
@@ -35,6 +36,7 @@ void after() {
         System.clearProperty("jenkins.azure-keyvault.sp.subscription_id");
         System.clearProperty("jenkins.azure-keyvault.sp.tenant_id");
         System.clearProperty("jenkins.azure-keyvault.uami.enabled");
+        System.clearProperty("jenkins.azure-keyvault.sp.scope");
     }
 
     @Test
@@ -53,13 +55,15 @@ void testValuesSet(JenkinsRule j) {
         assertThat(azureCredentials.getPlainClientSecret(), is("1255534"));
         assertThat(azureCredentials.getSubscriptionId(), is("5678"));
         assertThat(azureCredentials.getTenant(), is("tenant_id"));
+        assertThat(azureCredentials.getScope(), is(CredentialsScope.GLOBAL));
 
         // Test updating value
         System.setProperty("jenkins.azure-keyvault.url", "https://mine2.vault.azure.net");
         System.setProperty("jenkins.azure-keyvault.sp.client_id", "5678");
         System.setProperty("jenkins.azure-keyvault.sp.client_secret", "99999");
         System.setProperty("jenkins.azure-keyvault.sp.subscription_id", "9999");
         System.setProperty("jenkins.azure-keyvault.sp.tenant_id", "11111");
+        System.setProperty("jenkins.azure-keyvault.sp.scope", "system");
 
         configuration = AzureKeyVaultGlobalConfiguration.get();
 
@@ -75,6 +79,7 @@ void testValuesSet(JenkinsRule j) {
         assertThat(azureCredentialsUpdated.getPlainClientSecret(), is("99999"));
         assertThat(azureCredentialsUpdated.getSubscriptionId(), is("9999"));
         assertThat(azureCredentialsUpdated.getTenant(), is("11111"));
+        assertThat(azureCredentialsUpdated.getScope(), is(CredentialsScope.SYSTEM));
     }
 
     @Test
@@ -93,12 +98,15 @@ void testChangingFromSptoUami(JenkinsRule j) {
         assertThat(azureCredentials.getPlainClientSecret(), is("1255534"));
         assertThat(azureCredentials.getSubscriptionId(), is("5678"));
         assertThat(azureCredentials.getTenant(), is("tenant_id"));
+        assertThat(azureCredentials.getScope(), is(CredentialsScope.GLOBAL));
 
         System.setProperty("jenkins.azure-keyvault.uami.enabled", "true");
+        System.setProperty("jenkins.azure-keyvault.sp.scope", "system");
 
         assertThat(configuration.getCredentialID(), is(AzureKeyVaultGlobalConfiguration.GENERATED_ID));
 
         credentials = SystemCredentialsProvider.getInstance().getCredentials().get(0);
         assertThat(credentials, instanceOf(AzureImdsCredentials.class));
+        assertThat(credentials.getScope(), is(CredentialsScope.SYSTEM));
     }
 }

src/test/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfigurationSystemPropertyUamiTest.java

@@ -1,6 +1,7 @@
 package org.jenkinsci.plugins.azurekeyvaultplugin;
 
 import com.cloudbees.plugins.credentials.Credentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.microsoft.azure.util.AzureImdsCredentials;
 import org.junit.jupiter.api.AfterEach;
@@ -26,6 +27,7 @@ void before() {
     void after() {
         System.clearProperty("jenkins.azure-keyvault.url");
         System.clearProperty("jenkins.azure-keyvault.uami.enabled");
+        System.clearProperty("jenkins.azure-keyvault.sp.scope");
     }
 
     @Test
@@ -38,5 +40,21 @@ void testValuesSet(JenkinsRule j) {
         Credentials credentials = SystemCredentialsProvider.getInstance().getCredentials().get(0);
 
         assertThat(credentials, instanceOf(AzureImdsCredentials.class));
+        assertThat(credentials.getScope(), is(CredentialsScope.GLOBAL));
+
+    }
+    @Test
+    void testValuesSetWithScope(JenkinsRule j) {
+        System.setProperty("jenkins.azure-keyvault.sp.scope", "system");
+
+        AzureKeyVaultGlobalConfiguration configuration = AzureKeyVaultGlobalConfiguration.get();
+
+        assertThat(configuration.getCredentialID(), is(AzureKeyVaultGlobalConfiguration.GENERATED_ID));
+        assertThat(configuration.getKeyVaultURL(), is("https://mine.vault.azure.net"));
+
+        Credentials credentials = SystemCredentialsProvider.getInstance().getCredentials().get(0);
+
+        assertThat(credentials, instanceOf(AzureImdsCredentials.class));
+        assertThat(credentials.getScope(), is(CredentialsScope.SYSTEM));
     }
 }