[JENKINS-70101] Revive ability to snapshot() the CertificateCredentials so they can be used on remote agents

pom.xml

@@ -168,6 +168,32 @@
       <artifactId>workflow-basic-steps</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <!-- withCredentials() step for pipeline-oriented tests -->
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>credentials-binding</artifactId>
+      <scope>test</scope>
+    </dependency>
+<!--
+    <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>job-dsl</artifactId>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>command-launcher</artifactId>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.jenkins-ci.plugins</groupId>
+        <artifactId>http_request</artifactId>
+        <! - - Note: testCertHttpRequestOnNodeRemote() fails for 1.16
+             unless CertificateCredentialsSnapshotTaker is functional
+         - - >
+        <scope>test</scope>
+    </dependency>
+-->
   </dependencies>
 
   <build>

src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java

@@ -867,6 +867,7 @@ public static <C extends IdCredentials> C findCredentialById(@NonNull String id,
     /**
      * @deprecated Use {@link #findCredentialById(String, Class, Run, List)} instead.
      */
+    @Deprecated
     public static <C extends IdCredentials> C findCredentialById(@NonNull String id, @NonNull Class<C> type,
                                                                  @NonNull Run<?, ?> run,
                                                                  DomainRequirement... domainRequirements) {

src/main/java/com/cloudbees/plugins/credentials/SecretBytes.java

@@ -35,6 +35,7 @@
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Util;
+import hudson.remoting.Channel;
 import hudson.util.Secret;
 import java.io.Serializable;
 import java.security.GeneralSecurityException;
@@ -52,7 +53,9 @@
  * salt and padding so no two invocations of {@link #getEncryptedData()} will return the same result, but all will
  * decrypt to the same {@link #getPlainData()}. XStream serialization and Stapler form-binding will assume that
  * the {@link #toString()} representation is used (i.e. the Base64 encoded secret bytes wrapped with <code>{</code>
- * and <code>}</code>. If the string representation fails to decrypt (and is not wrapped
+ * and <code>}</code>). If the string representation fails to decrypt (and is not wrapped) the {@link #fromString}
+ * method returns a {@link SecretBytes} representation of an empty array, and {@link #isSecretBytes} method
+ * returns {@code false}.
  *
  * @since 2.1.5
  */
@@ -70,15 +73,18 @@
      */
     private static final long serialVersionUID = 1L;
     /**
-     * The key that encrypts the data on disk.
+     * The key that encrypts the data on disk.<br/>
+     *
+     * NOTE: Unique per JVM run-time, so different value on a
+     * Jenkins controller and remote agents or across restarts!
      */
     private static final CredentialsConfidentialKey KEY = new CredentialsConfidentialKey(SecretBytes.class, "KEY");
     /**
      * Our logger.
      */
     private static final Logger LOGGER = Logger.getLogger(SecretBytes.class.getName());
     /**
-     * The unencrypted bytes.
+     * The encrypted bytes.
      */
     @NonNull
     private final byte[] value;
@@ -138,7 +144,12 @@
             Cipher cipher = KEY.decrypt(salt);
             return cipher.doFinal(encryptedBytes);
         } catch (GeneralSecurityException e) {
-            throw new Error(e);
+            if (Channel.current() == null) {
+                // Local JVM of the Jenkins controller
+                throw new Error(e);
+            } else {
+                throw new Error("Failed to access secret data by remote agent", e);
+            }
         }
     }
 

src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java

@@ -23,6 +23,7 @@
  */
 package com.cloudbees.plugins.credentials.impl;
 
+import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SecretBytes;
 import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
@@ -35,6 +36,7 @@
 import hudson.model.AbstractDescribableImpl;
 import hudson.model.Descriptor;
 import hudson.model.Items;
+import hudson.remoting.Channel;
 import hudson.util.FormValidation;
 import hudson.util.Secret;
 import java.io.ByteArrayInputStream;
@@ -156,6 +158,21 @@
         return password.getPlainText().toCharArray();
     }
 
+    /**
+     * When serializing over a {@link Channel} ensure that we send a self-contained version.
+     *
+     * @return the object instance to write to the stream.
+     */
+    private Object writeReplace() {
+        if (/* XStream */ Channel.current() == null
+        ||  /* already safe to serialize */ keyStoreSource
+                .isSnapshotSource()
+        ) {
+            return this;
+        }
+        return CredentialsProvider.snapshot(this);
+    }
+
     /**
      * Returns the {@link KeyStore} containing the certificate.
      *
@@ -369,17 +386,18 @@
 
         /**
          * The old uploaded keystore.
+         * Still used for snapshot taking, with contents independent of Jenkins instance and JVM.
          */
         @CheckForNull
         @Deprecated
-        private transient Secret uploadedKeystore;
+        private Secret uploadedKeystore;
         /**
          * The uploaded keystore.
          *
          * @since 2.1.5
          */
         @CheckForNull
-        private final SecretBytes uploadedKeystoreBytes;
+        private SecretBytes uploadedKeystoreBytes;
 
         /**
          * Our constructor.
@@ -409,6 +427,19 @@
             this.uploadedKeystoreBytes = uploadedKeystore;
         }
 
+        /**
+         * Our constructor for serialization (e.g. to remote agents, whose SecretBytes
+         * in another JVM use a different static KEY); would re-encode.
+         *
+         * @param uploadedKeystore the keystore content.
+         * @deprecated
+         */
+        @SuppressWarnings("unused") // by stapler
+        @Deprecated
+        public UploadedKeyStoreSource(@CheckForNull Secret uploadedKeystore) {
+            this.uploadedKeystore = uploadedKeystore;
+        }
+
         /**
          * Constructor able to receive file directly
          * 
@@ -428,6 +459,18 @@
             this.uploadedKeystoreBytes = uploadedKeystore;
         }
 
+        /**
+         * Request that if the less-efficient but more-portable Secret
+         * is involved (e.g. to cross the remoting gap to another JVM),
+         * we use the more secure and efficient SecretBytes.
+         */
+        public void useSecretBytes() {
+            if (this.uploadedKeystore != null && this.uploadedKeystoreBytes == null) {
+                this.uploadedKeystoreBytes = SecretBytes.fromBytes(DescriptorImpl.toByteArray(this.uploadedKeystore));
+                this.uploadedKeystore = null;
+            }
+        }
+
         /**
          * Migrate to the new field.
          *
@@ -444,11 +487,14 @@
         }
 
         /**
-         * Returns the private key file name.
+         * Returns the private key + certificate file bytes.
          *
-         * @return the private key file name.
+         * @return the private key + certificate file bytes.
          */
         public SecretBytes getUploadedKeystore() {
+            if (uploadedKeystore != null && uploadedKeystoreBytes == null) {
+                return SecretBytes.fromBytes(DescriptorImpl.toByteArray(uploadedKeystore));
+            }
             return uploadedKeystoreBytes;
         }
 
@@ -458,6 +504,9 @@
         @NonNull
         @Override
         public byte[] getKeyStoreBytes() {
+            if (uploadedKeystore != null && uploadedKeystoreBytes == null) {
+                return DescriptorImpl.toByteArray(uploadedKeystore);
+            }
             return SecretBytes.getPlainData(uploadedKeystoreBytes);
         }
 
@@ -474,7 +523,11 @@
          */
         @Override
         public boolean isSnapshotSource() {
-            return true;
+            //return this.snapshotSecretBytes;
+            // If context is local, clone SecretBytes directly (only
+            // usable in same JVM). Otherwise use Secret for transport
+            // (see {@link CertificateCredentialsSnapshotTaker}.
+            return (/* XStream */ Channel.current() == null);
         }
 
         @Override
@@ -486,7 +539,7 @@
                 throw new IllegalStateException(className + " is not FIPS compliant and can not be used when Jenkins is in FIPS mode. " +
                                                 "An issue should be filed against the plugin " + pluginName + " to ensure it is adapted to be able to work in this mode");
             }
-            // legacy behaviour that assumed all KeyStoreSources where in the non compliant PKCS12 format
+            // legacy behaviour that assumed all KeyStoreSources were in the non FIPS compliant PKCS12 format
             KeyStore keyStore = KeyStore.getInstance("PKCS12");
             keyStore.load(new ByteArrayInputStream(getKeyStoreBytes()), password);
             return keyStore;

src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsSnapshotTaker.java

@@ -0,0 +1,97 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2011-2016, CloudBees, Inc., Stephen Connolly.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+
+package com.cloudbees.plugins.credentials.impl;
+
+import com.cloudbees.plugins.credentials.CredentialsSnapshotTaker;
+import com.cloudbees.plugins.credentials.SecretBytes;
+import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
+import hudson.Extension;
+import hudson.util.Secret;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Arrays;
+
+/**
+ * The {@link CredentialsSnapshotTaker} for {@link StandardCertificateCredentials}.
+ * Taking a snapshot of the credential ensures that all the details are captured
+ * within the credential.
+ *
+ * @since 1.14
+ *
+ * Historic note: This code was dropped from {@link CertificateCredentialsImpl}
+ * codebase along with most of FileOnMasterKeyStoreSource (deprecated and headed
+ * towards eventual deletion) due to SECURITY-1322, see more details at
+ * https://www.jenkins.io/security/advisory/2019-05-21/
+ * In hind-sight, this snapshot taker was needed to let the
+ * {@link CertificateCredentialsImpl.UploadedKeyStoreSource} be used
+ * on remote agents.
+ */
+@Extension
+public class CertificateCredentialsSnapshotTaker extends CredentialsSnapshotTaker<StandardCertificateCredentials> {
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Class<StandardCertificateCredentials> type() {
+        return StandardCertificateCredentials.class;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public StandardCertificateCredentials snapshot(StandardCertificateCredentials credentials) {
+        if (credentials instanceof CertificateCredentialsImpl) {
+            final CertificateCredentialsImpl.KeyStoreSource keyStoreSource = ((CertificateCredentialsImpl) credentials).getKeyStoreSource();
+            if (keyStoreSource.isSnapshotSource()) {
+                return credentials;
+            }
+            return new CertificateCredentialsImpl(credentials.getScope(), credentials.getId(),
+                    credentials.getDescription(), credentials.getPassword().getEncryptedValue(),
+                    new CertificateCredentialsImpl.UploadedKeyStoreSource(CertificateCredentialsImpl.UploadedKeyStoreSource.DescriptorImpl.toSecret(keyStoreSource.getKeyStoreBytes())));
+        }
+
+        ByteArrayOutputStream bos = new ByteArrayOutputStream();
+        final char[] password = credentials.getPassword().getPlainText().toCharArray();
+        try {
+            credentials.getKeyStore().store(bos, password);
+            bos.close();
+        } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException e) {
+            return credentials; // as-is
+        } finally {
+            Arrays.fill(password, (char) 0);
+        }
+
+        return new CertificateCredentialsImpl(credentials.getScope(), credentials.getId(),
+                credentials.getDescription(), credentials.getPassword().getEncryptedValue(),
+                new CertificateCredentialsImpl.UploadedKeyStoreSource(CertificateCredentialsImpl.UploadedKeyStoreSource.DescriptorImpl.toSecret(bos.toByteArray())));
+    }
+}