Add telemetry for password field masking (jenkinsci#26195)

Kevin-CB · web-flow · commit 6c50589ae917 · 2026-01-31T18:00:45.000+01:00
* Add telemetry for password field masking

* Collect actionable info

* Always send data and clear collection
diff --git a/core/src/main/java/hudson/Functions.java b/core/src/main/java/hudson/Functions.java
@@ -170,6 +170,7 @@
 import jenkins.model.details.Detail;
 import jenkins.model.details.DetailFactory;
 import jenkins.model.details.DetailGroup;
+import jenkins.telemetry.impl.PasswordMasking;
 import jenkins.util.SystemProperties;
 import org.apache.commons.jelly.JellyContext;
 import org.apache.commons.jelly.JellyTagException;
@@ -2256,32 +2257,64 @@ public String getPasswordValue(Object o) {
         if (o instanceof Secret || Secret.BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE) {
             if (req != null) {
                 if (NON_RECURSIVE_PASSWORD_MASKING_PERMISSION_CHECK) {
+                    List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     Item item = req.findAncestorObject(Item.class);
                     if (item != null && !item.hasPermission(Item.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            item.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                     Computer computer = req.findAncestorObject(Computer.class);
                     if (computer != null && !computer.hasPermission(Computer.CONFIGURE)) {
+                        PasswordMasking.recordMasking(
+                            computer.getClass().getName(),
+                            closestAncestor,
+                            getJellyViewsInformationForCurrentRequest()
+                        );
                         return "********";
                     }
                 } else {
                     List<Ancestor> ancestors = req.getAncestors();
+                    String closestAncestor = ancestors.isEmpty() ? "unknown" :
+                        ancestors.getLast().getObject().getClass().getName();
+
                     for (Ancestor ancestor : Iterators.reverse(ancestors)) {
                         Object type = ancestor.getObject();
                         if (type instanceof Item item) {
                             if (!item.hasPermission(Item.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    item.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof Computer computer) {
                             if (!computer.hasPermission(Computer.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    computer.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
                         }
                         if (type instanceof View view) {
                             if (!view.hasPermission(View.CONFIGURE)) {
+                                PasswordMasking.recordMasking(
+                                    view.getClass().getName(),
+                                    closestAncestor,
+                                    getJellyViewsInformationForCurrentRequest()
+                                );
                                 return "********";
                             }
                             break;
diff --git a/core/src/main/java/jenkins/telemetry/impl/PasswordMasking.java b/core/src/main/java/jenkins/telemetry/impl/PasswordMasking.java
@@ -0,0 +1,110 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2026, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.telemetry.impl;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import java.time.LocalDate;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicLong;
+import jenkins.telemetry.Telemetry;
+import net.sf.json.JSONArray;
+import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Telemetry implementation gathering information about password field masking.
+ */
+@Extension
+@Restricted(NoExternalUse.class)
+public class PasswordMasking extends Telemetry {
+
+    private static final Map<String, AtomicLong> maskingCounts = new ConcurrentHashMap<>();
+
+    /**
+     * Records when password masking occurs.
+     *
+     * @param className the class name of the object
+     * @param closestAncestor the closest ancestor class name
+     * @param jellyView the Jelly view where masking occurred
+     */
+    public static void recordMasking(String className, String closestAncestor, String jellyView) {
+        if (Telemetry.isDisabled()) {
+            return;
+        }
+
+        String key = className + "|" + closestAncestor + "|" + jellyView;
+        maskingCounts.computeIfAbsent(key, k -> new AtomicLong(0)).incrementAndGet();
+    }
+
+    @NonNull
+    @Override
+    public String getDisplayName() {
+        return "Password field masking";
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getStart() {
+        return LocalDate.of(2026, 1, 26);
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getEnd() {
+        return LocalDate.of(2026, 7, 26);
+    }
+
+    @Override
+    public JSONObject createContent() {
+        JSONArray events = new JSONArray();
+        for (Map.Entry<String, AtomicLong> entry : maskingCounts.entrySet()) {
+            String[] parts = entry.getKey().split("\\|", 3);
+            if (parts.length == 3) {
+                String className = parts[0];
+                String closestAncestor = parts[1];
+                String jellyView = parts[2];
+                long count = entry.getValue().longValue();
+
+                JSONObject event = new JSONObject();
+                event.put("className", className);
+                event.put("closestAncestor", closestAncestor);
+                event.put("jellyView", jellyView);
+                event.put("count", count);
+                events.add(event);
+            }
+        }
+
+        maskingCounts.clear();
+
+        JSONObject payload = new JSONObject();
+        payload.put("components", buildComponentInformation());
+        payload.put("masking", events);
+
+        return payload;
+    }
+}
diff --git a/core/src/main/resources/jenkins/telemetry/impl/PasswordMasking/description.jelly b/core/src/main/resources/jenkins/telemetry/impl/PasswordMasking/description.jelly
@@ -0,0 +1,16 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core">
+    This trial collects detailed information about password field masking when users lack Configure permission on Items, Computers, or Views:
+    <ul>
+        <li>The class name</li>
+        <li>The closest ancestor class name</li>
+        <li>The Jelly view hierarchy where masking occurred</li>
+        <li>The frequency of each combination</li>
+    </ul>
+    <p>
+        This masking behavior is a fallback that should normally be rare, as views rendering content for users without Configure permission should use read-only mode instead.
+    </p>
+    <p>
+        Additionally, this trial collects the list of installed plugins, their version, and the version of Jenkins.
+    </p>
+</j:jelly>
