Add support for credentials of type certificate (#247)

ysmaoui · web-flow · commit cfe31c013dc7 · 2024-04-12T22:52:16.000+01:00
diff --git a/README.md b/README.md
@@ -259,6 +259,9 @@ To use a different type add a tag called `type` with one of the below values:
 - `sshUserPrivateKey` - SSH Private key
   - add a tag `username` for the username of the credential
   - (optional) add a tag `username-is-secret` and set it to true to hide the username in the build logs
+  - (optional) add a tag `passphrase-id` that points to the secret name in the vault that has the passphrase that should be used with the ssh keys
+- `certificate` - a certificate as secret
+  - (optional) add tag `password-id` that points to the secret name in the vault that has the password of the certificate.
 
 #### Secret String
 
@@ -401,6 +404,70 @@ az keyvault secret set --tags type=sshUserPrivateKey username=my-username passph
 
 If the passphrase can not be found in the vault, the secret will not load and a warning will be logged.
 
+#### Certificate
+
+It is possible to load certificates from the vault.
+The certificate needs to be stored in a vault-secret **base64-encoded** and **without whitespace**.
+In addition to the secret containing the keystore info (the certificate), another vault-secret is needed to store the password of the keystore.
+
+1. If the certificate is protected by a password, Create the password secret:
+
+```bash
+az keyvault secret set \
+  --vault-name my-vault \
+  --name secret-containing-keystore-password \
+  --value my-keystore-password
+```
+
+2. Store the (**base64-encoded** and **without whitespace**) keystore with the password tag:
+
+  if the certificate is protected by a password:
+
+```bash
+az keyvault secret set \
+  --tags type=certificate password-id=secret-containing-keystore-password \
+  --vault-name my-vault \
+  --name secret-containing-base64encoded-keystore \
+  --value {base64-encoded-keystore}
+```
+
+  if the certificate has no password ( a zero length password )
+
+```bash
+az keyvault secret set \
+  --tags type=certificate \
+  --vault-name my-vault \
+  --name secret-containing-base64encoded-keystore \
+  --value {base64-encoded-keystore}
+```
+
+If the tag `password-id` is set but the password can not be found in the vault, the secret will not load and a warning will be logged.
+If the keystore cannot be decoded, or cannot be loaded the pipeline using the certificate-credentialsId will throw an error.
+
+
+Scripted pipeline:
+
+```groovy
+node {
+    withCredentials([
+        certificate(
+            credentialsId: certificateCredentialsId,
+            keystoreVariable: 'PATH_TO_KEYSTORE',
+            passwordVariable: 'PASSWORD'
+        )
+    ]) {
+      sh(
+        script: """
+            curl -X POST \
+                --cert-type P12 \
+                --cert "\$PATH_TO_KEYSTORE":\$PASSWORD \
+                ${url}
+        """
+      )
+    }
+}
+```
+
 #### Secret Labels
 
 You can filter which secrets are visible to the credentials provider.
diff --git a/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureCredentialsProvider.java b/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureCredentialsProvider.java
@@ -38,6 +38,7 @@
 import jenkins.model.Jenkins;
 import org.acegisecurity.Authentication;
 import org.apache.commons.lang3.StringUtils;
+import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.certificate.AzureCertificateCredentials;
 import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.secretfile.AzureSecretFileCredentials;
 import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.sshuserprivatekey.AzureSSHUserPrivateKeyCredentials;
 import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.string.AzureSecretStringCredentials;
@@ -229,6 +230,27 @@ private static Collection<IdCredentials> fetchCredentials() {
                             credentials.add(cred);
                             break;
                         }
+                        case "certificate": {
+                            String passwordId = tags.get("password-id");
+                            Supplier<Secret> password = () -> Secret.fromString("");
+                            if (StringUtils.isNotBlank(passwordId)) {
+                                try {
+                                    password = new KeyVaultSecretRetriever(client, keyVaultURL + "secrets/" + passwordId);
+                                } catch (Exception e) {
+                                    LOG.log(Level.WARNING, "Could not find password with ID " + passwordId + " in KeyVault.");
+                                    continue;
+                                }
+                            }
+                            AzureCertificateCredentials cred = new AzureCertificateCredentials(
+                                scope,
+                                jenkinsID,
+                                description,
+                                password,
+                                new KeyVaultSecretRetriever(client, id)
+                            );
+                            credentials.add(cred);
+                            break;
+                        }
                         default: {
                             throw new IllegalStateException("Unknown type: " + type);
                         }
diff --git a/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/credentials/certificate/AzureCertificateCredentials.java b/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/credentials/certificate/AzureCertificateCredentials.java
@@ -0,0 +1,126 @@
+package org.jenkinsci.plugins.azurekeyvaultplugin.credentials.certificate;
+
+import com.cloudbees.plugins.credentials.CredentialsProvider;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
+import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
+import com.cloudbees.plugins.credentials.impl.Messages;
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.Util;
+import hudson.util.Secret;
+import java.io.ByteArrayInputStream;
+import java.security.KeyStore;
+import java.util.Base64;
+import java.util.Objects;
+import java.util.function.Supplier;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.jenkinsci.plugins.azurekeyvaultplugin.AzureCredentialsProvider;
+import org.jvnet.localizer.ResourceBundleHolder;
+
+public class AzureCertificateCredentials extends BaseStandardCredentials implements StandardCertificateCredentials {
+    private static final Logger LOG = Logger.getLogger(AzureCertificateCredentials.class.getName());
+
+    private final Supplier<Secret> keyStoreSource;
+    private final Supplier<Secret> password;
+
+    public AzureCertificateCredentials(
+        CredentialsScope scope,
+        String id,
+        String description,
+        Supplier<Secret> password,
+        Supplier<Secret> keyStoreSource
+    ) {
+        super(scope, id, description);
+
+        Objects.requireNonNull(keyStoreSource);
+        this.password = password;
+        this.keyStoreSource = keyStoreSource;
+    }
+
+    /**
+     * Helper to convert a {@link Secret} password into a {@code char[]}
+     *
+     * @param password the password.
+     * @return a {@code char[]} containing the password or {@code null}
+     */
+    @CheckForNull
+    private static char[] toCharArray(@NonNull Secret password) {
+        String plainText = Util.fixEmpty(password.getPlainText());
+        return plainText == null ? null : plainText.toCharArray();
+    }
+
+    @NonNull
+    @Override
+    public KeyStore getKeyStore()
+    {
+        KeyStore keyStore;
+
+        try {
+            keyStore = KeyStore.getInstance("PKCS12");
+        } catch (java.security.KeyStoreException e) {
+            throw new IllegalStateException("PKCS12 is a keystore type per the JLS spec", e);
+        }
+
+        ByteArrayInputStream keyStoreByteInputStream;
+
+        try{
+            keyStoreByteInputStream = new ByteArrayInputStream(
+                Base64.getDecoder().decode(
+                    Secret.toString(keyStoreSource.get())
+                )
+            );
+        } catch (java.lang.IllegalArgumentException e) {
+            LOG.log(Level.WARNING, "Error decoding Keystore. A base64 encoded certificate is expected. Secret ID:" + getId() + ". " + e.getMessage(), e);
+            throw new IllegalStateException("Cannot decode keystore", e);
+        }
+
+
+        try {
+            keyStore.load(keyStoreByteInputStream, toCharArray(getPassword()));
+        }
+        catch(
+            java.security.cert.CertificateException |
+            java.security.NoSuchAlgorithmException |
+            java.io.IOException e
+        ){
+            LOG.log(Level.WARNING, "Error loading Keystore . Secret ID:" + getId() + ". " + e.getMessage(), e);
+            throw new IllegalStateException("Error loading Keystore.", e);
+        }
+        return keyStore;
+    }
+
+    @NonNull
+    public Secret getKeyStoreSecret() {
+        return keyStoreSource.get();
+    }
+
+    @NonNull
+    @Override
+    public Secret getPassword() {
+        return password.get();
+    }
+
+
+    @Extension
+    @SuppressWarnings("unused")
+    public static class DescriptorImpl extends BaseStandardCredentialsDescriptor {
+        @Override
+        @NonNull
+        public String getDisplayName() {
+            return ResourceBundleHolder.get(Messages.class).format("CertificateCredentialsImpl.DisplayName");
+        }
+
+        @Override
+        public String getIconClassName() {
+            return "icon-application-certificate";
+        }
+
+        @Override
+        public boolean isApplicable(CredentialsProvider provider) {
+            return provider instanceof AzureCredentialsProvider;
+        }
+    }
+}
diff --git a/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/credentials/certificate/AzureCertificateCredentialsSnapshotTaker.java b/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/credentials/certificate/AzureCertificateCredentialsSnapshotTaker.java
@@ -0,0 +1,34 @@
+package org.jenkinsci.plugins.azurekeyvaultplugin.credentials.certificate;
+
+import com.cloudbees.plugins.credentials.CredentialsSnapshotTaker;
+import hudson.Extension;
+import hudson.util.Secret;
+import org.jenkinsci.plugins.azurekeyvaultplugin.credentials.Snapshot;
+
+@Extension
+@SuppressWarnings("unused")
+public class AzureCertificateCredentialsSnapshotTaker extends CredentialsSnapshotTaker<AzureCertificateCredentials> {
+    @Override
+    public Class<AzureCertificateCredentials> type() {
+        return AzureCertificateCredentials.class;
+    }
+
+    @Override
+    public AzureCertificateCredentials snapshot(AzureCertificateCredentials credential) {
+        SecretSnapshot keyStoreSnapshot = new SecretSnapshot(credential.getKeyStoreSecret());
+        SecretSnapshot passwordSnapshot = new SecretSnapshot(credential.getPassword());
+        return new AzureCertificateCredentials(
+            credential.getScope(),
+            credential.getId(),
+            credential.getDescription(),
+            passwordSnapshot,
+            keyStoreSnapshot
+        );
+    }
+
+    private static class SecretSnapshot extends Snapshot<Secret> {
+        SecretSnapshot(Secret value) {
+            super(value);
+        }
+    }
+}
