fix(#532)!: Add dynamic credential handling for withCredentials

martinreck · martinreck · commit 36d40d02449d · 2025-08-25T15:07:46.000+02:00
Adjusted the BasePipelineTest to support dynamic credentials processing by type, including `usernamePassword` and `string`. Updated tests and job scripts to reflect these changes. This fix may cause test cases to fail when the output of the 'withCredentials' step is checked. This is because additional credential binding attributes are now output. Fixes #532
diff --git a/src/main/groovy/com/lesfurets/jenkins/unit/BasePipelineTest.groovy b/src/main/groovy/com/lesfurets/jenkins/unit/BasePipelineTest.groovy
@@ -25,20 +25,29 @@ abstract class BasePipelineTest {
         addParam(desc.name, desc.defaultValue, false)
     }
 
-    def stringInterceptor = { Map desc->
+    def stringInterceptor = { Map desc ->
         if (desc) {
             // we are in context of parameters { string(...)}
             if (desc.name) {
                 addParam(desc.name, desc.defaultValue, false)
             }
             // we are in context of withCredentials([string()..]) { }
-            if(desc.variable) {
-                return desc.variable
+            if(desc.credentialsId && desc.variable) {
+                return [
+                        credentialsType: 'string',
+                        credentialsId: desc.credentialsId,
+                        variable: desc.variable
+                ]
             }
         }
     }
 
-    def usernamePasswordInterceptor = { m -> [m.usernameVariable, m.passwordVariable] }
+    def usernamePasswordInterceptor = { m -> [
+            credentialsType: 'usernamePassword',
+            credentialsId: m.credentialsId,
+            usernameVariable: m.usernameVariable,
+            passwordVariable: m.passwordVariable
+    ]}
 
     def withCredentialsInterceptor = { list, closure ->
         def previousValues = [:]
@@ -67,6 +76,9 @@ abstract class BasePipelineTest {
                     previousValues[password] = null
                 }
                 binding.setVariable(password, password)
+            } else if (creds instanceof Map && creds.get("credentialsType")) {
+                // Delegate handling of known credential types
+                handleCredentialBinding(creds, previousValues)
             } else {
                 creds.each { var ->
                     try {
@@ -560,4 +572,60 @@ abstract class BasePipelineTest {
         Map credentials = binding.getVariable('credentials') as Map
         credentials[key] = val
     }
+
+    void addUsernamePasswordCredential(String credentialId, String username, String password) {
+        addCredential(credentialId, "${username}:${password}")
+    }
+
+    void addStringCredential(String credentialId, String val) {
+        addCredential(credentialId, val)
+    }
+
+    /**
+     * Handles the processing and binding for different types of credentials dynamically.
+     */
+    void handleCredentialBinding(Map creds, Map previousValues) {
+        def credentialsId = creds.get('credentialsId')
+        def credentials = binding.getVariable('credentials')
+        if (credentials == null || !credentials.containsKey(credentialsId)) {
+            throw new AssertionError("The configuration for the credentials ID '${credentialsId}' may be missing.", null)
+        }
+
+        switch (creds.get('credentialsType')) {
+            case 'usernamePassword':
+                def usernamePassword = credentials.get(credentialsId).split(':')
+                def usernameVariable = creds.get('usernameVariable')
+                def passwordVariable = creds.get('passwordVariable')
+
+                try {
+                    previousValues[usernameVariable] = binding.getVariable(usernameVariable)
+                } catch (MissingPropertyException ignored) {
+                    previousValues[usernameVariable] = null
+                }
+                binding.setVariable(usernameVariable, usernamePassword[0])
+
+                try {
+                    previousValues[passwordVariable] = binding.getVariable(passwordVariable)
+                } catch (MissingPropertyException ignored) {
+                    previousValues[passwordVariable] = null
+                }
+                binding.setVariable(passwordVariable, usernamePassword[1])
+                break
+
+            case 'string':
+                def variable = creds.get('variable')
+                def value = credentials.get(credentialsId)
+
+                try {
+                    previousValues[variable] = binding.getVariable(variable)
+                } catch (MissingPropertyException ignored) {
+                    previousValues[variable] = null
+                }
+                binding.setVariable(variable, value)
+                break
+
+            default:
+                throw new UnsupportedOperationException("Unsupported credentials type: ${creds.get('credentialsType')}")
+        }
+    }
 }
diff --git a/src/test/groovy/com/lesfurets/jenkins/TestWithCredentialsAndParametersJob.groovy b/src/test/groovy/com/lesfurets/jenkins/TestWithCredentialsAndParametersJob.groovy
@@ -15,6 +15,9 @@ class TestWithCredentialsAndParametersJob extends BaseRegressionTest {
 
   @Test
   void should_run_script_with_parameters() {
+      // given:
+      addStringCredential('my-gitlab-api-token', 'gitlab-api-token')
+
     // when:
     runScript("job/withCredentialsAndParameters.jenkins")
 
diff --git a/src/test/groovy/com/lesfurets/jenkins/TestWithCredentialsJob.groovy b/src/test/groovy/com/lesfurets/jenkins/TestWithCredentialsJob.groovy
@@ -17,6 +17,14 @@ class TestWithCredentialsJob extends BaseRegressionTest {
 
     @Test
     void should_run_script_with_credentials() {
+        // given:
+        addUsernamePasswordCredential('my_cred_id-1', 'test-user-1', 'test-password-1')
+        addUsernamePasswordCredential('my_cred_id-2', 'test-user-2', 'test-password-2')
+        addStringCredential('docker_cred-1', 'docker-pass-1')
+        addStringCredential('docker_cred-2', 'docker-pass-2')
+        addStringCredential('ssh_cred-1', 'ssh-pass-1')
+        addStringCredential('ssh_cred-2', 'ssh-pass-2')
+
         // when:
         runScript("job/withCredentials.jenkins")
 
diff --git a/src/test/groovy/com/lesfurets/jenkins/unit/declarative/TestDeclaraticeWithCredentials.groovy b/src/test/groovy/com/lesfurets/jenkins/unit/declarative/TestDeclaraticeWithCredentials.groovy
@@ -18,26 +18,32 @@ class TestDeclaraticeWithCredentials extends DeclarativePipelineTest {
 
     @Test
     void should_run_script_with_credentials() {
+        // given:
+        addUsernamePasswordCredential('my_cred_id-1', 'test-user-1', 'test-password-1')
+        addUsernamePasswordCredential('my_cred_id-2', 'test-user-2', 'test-password-2')
+        addStringCredential('docker_cred-1', 'docker-pass-1')
+        addStringCredential('docker_cred-2', 'docker-pass-2')
+        addStringCredential('ssh_cred-1', 'ssh-pass-1')
+        addStringCredential('ssh_cred-2', 'ssh-pass-2')
+
         // when:
         runScript("withCredentials_Jenkinsfile")
 
         // then:
         assertJobStatusSuccess()
-        assertCallStack().contains("echo(User/Pass = user/pass)")
-        assertCallStack().contains("echo(Nested User/Pass = user/pass)")
-        assertCallStack().contains("echo(Restored User/Pass = user/pass)")
+        assertCallStack().contains("echo(User/Pass = test-user-1/test-password-1)")
+        assertCallStack().contains("echo(Nested User/Pass = test-user-2/test-password-2)")
+        assertCallStack().contains("echo(Restored User/Pass = test-user-1/test-password-1)")
         assertCallStack().contains("echo(Cleared User/Pass = null/null)")
 
-        assertCallStack().contains("echo(Docker = docker_pass)")
-        assertCallStack().contains("echo(Nested Docker = docker_pass)")
-        assertCallStack().contains("echo(Restored Docker = docker_pass)")
+        assertCallStack().contains("echo(Docker = docker-pass-1)")
+        assertCallStack().contains("echo(Nested Docker = docker-pass-2)")
+        assertCallStack().contains("echo(Restored Docker = docker-pass-1)")
         assertCallStack().contains("echo(Cleared Docker = null)")
 
-        assertCallStack().contains("echo(SSH = ssh_pass)")
-        assertCallStack().contains("echo(Nested SSH = ssh_pass)")
-        assertCallStack().contains("echo(Restored SSH = ssh_pass)")
+        assertCallStack().contains("echo(SSH = ssh-pass-1)")
+        assertCallStack().contains("echo(Nested SSH = ssh-pass-2)")
+        assertCallStack().contains("echo(Restored SSH = ssh-pass-1)")
         assertCallStack().contains("echo(Cleared SSH = null)")
-
-
     }
 }
diff --git a/src/test/jenkins/jenkinsfiles/withCredentials_Jenkinsfile b/src/test/jenkins/jenkinsfiles/withCredentials_Jenkinsfile
@@ -4,19 +4,19 @@ pipeline {
     stages {
         stage("run") {
             withCredentials([
-                usernamePassword( credentialsId: 'my_cred_id', usernameVariable: 'user', passwordVariable: 'pass' ),
-                string( credentialsId: 'docker_cred', variable: 'docker_pass' ),
-                string( credentialsId: 'ssh_cred', variable: 'ssh_pass' )
+                usernamePassword( credentialsId: 'my_cred_id-1', usernameVariable: 'user', passwordVariable: 'pass' ),
+                string( credentialsId: 'docker_cred-1', variable: 'docker_pass' ),
+                string( credentialsId: 'ssh_cred-1', variable: 'ssh_pass' )
             ]) {
                 // Ensure values are set on entry
                 echo "User/Pass = $user/$pass"
                 echo "Docker = $docker_pass"
                 echo "SSH = $ssh_pass"
 
                 withCredentials([
-                    usernamePassword( credentialsId: 'my_cred_id', usernameVariable: 'user', passwordVariable: 'pass' ),
-                    string( credentialsId: 'docker_cred', variable: 'docker_pass' ),
-                    string( credentialsId: 'ssh_cred', variable: 'ssh_pass' )
+                    usernamePassword( credentialsId: 'my_cred_id-2', usernameVariable: 'user', passwordVariable: 'pass' ),
+                    string( credentialsId: 'docker_cred-2', variable: 'docker_pass' ),
+                    string( credentialsId: 'ssh_cred-2', variable: 'ssh_pass' )
                 ]) {
                     // Ensure nested values are in place
                     echo "Nested User/Pass = $user/$pass"
diff --git a/src/test/jenkins/job/withCredentials.jenkins b/src/test/jenkins/job/withCredentials.jenkins
@@ -1,18 +1,18 @@
 node {
     withCredentials([
-        usernamePassword( credentialsId: 'my_cred_id', usernameVariable: 'user', passwordVariable: 'pass' ),
-        string( credentialsId: 'docker_cred', variable: 'docker_pass' ),
-        string( credentialsId: 'ssh_cred', variable: 'ssh_pass' )
+        usernamePassword( credentialsId: 'my_cred_id-1', usernameVariable: 'user', passwordVariable: 'pass' ),
+        string( credentialsId: 'docker_cred-1', variable: 'docker_pass' ),
+        string( credentialsId: 'ssh_cred-1', variable: 'ssh_pass' )
     ]) {
         // Ensure values are set on entry
         echo "User/Pass = $user/$pass"
         echo "Docker = $docker_pass"
         echo "SSH = $ssh_pass"
 
         withCredentials([
-            usernamePassword( credentialsId: 'my_cred_id', usernameVariable: 'user', passwordVariable: 'pass' ),
-            string( credentialsId: 'docker_cred', variable: 'docker_pass' ),
-            string( credentialsId: 'ssh_cred', variable: 'ssh_pass' )
+            usernamePassword( credentialsId: 'my_cred_id-2', usernameVariable: 'user', passwordVariable: 'pass' ),
+            string( credentialsId: 'docker_cred-2', variable: 'docker_pass' ),
+            string( credentialsId: 'ssh_cred-2', variable: 'ssh_pass' )
         ]) {
             // Ensure nested values are in place
             echo "Nested User/Pass = $user/$pass"
diff --git a/src/test/resources/callstacks/TestWithCredentialsAndParametersJob_withCredentialsAndParameters.txt b/src/test/resources/callstacks/TestWithCredentialsAndParametersJob_withCredentialsAndParameters.txt
@@ -5,5 +5,5 @@
       withCredentialsAndParameters.properties([null])
       withCredentialsAndParameters.echo('myStringParam' value is default: my default value)
       withCredentialsAndParameters.string({credentialsId=my-gitlab-api-token, variable=GITLAB_API_TOKEN})
-      withCredentialsAndParameters.withCredentials([GITLAB_API_TOKEN], groovy.lang.Closure)
-         withCredentialsAndParameters.echo('my-gitlab-api-token' credential variable value: GITLAB_API_TOKEN)
+      withCredentialsAndParameters.withCredentials([{credentialsType=string, credentialsId=my-gitlab-api-token, variable=GITLAB_API_TOKEN}], groovy.lang.Closure)
+         withCredentialsAndParameters.echo('my-gitlab-api-token' credential variable value: gitlab-api-token)
diff --git a/src/test/resources/callstacks/TestWithCredentialsJob_withCredentials.txt b/src/test/resources/callstacks/TestWithCredentialsJob_withCredentials.txt
@@ -1,22 +1,22 @@
    withCredentials.run()
       withCredentials.node(groovy.lang.Closure)
-         withCredentials.usernamePassword({credentialsId=my_cred_id, usernameVariable=user, passwordVariable=pass})
-         withCredentials.string({credentialsId=docker_cred, variable=docker_pass})
-         withCredentials.string({credentialsId=ssh_cred, variable=ssh_pass})
-         withCredentials.withCredentials([[user, pass], docker_pass, ssh_pass], groovy.lang.Closure)
-            withCredentials.echo(User/Pass = user/pass)
-            withCredentials.echo(Docker = docker_pass)
-            withCredentials.echo(SSH = ssh_pass)
-            withCredentials.usernamePassword({credentialsId=my_cred_id, usernameVariable=user, passwordVariable=pass})
-            withCredentials.string({credentialsId=docker_cred, variable=docker_pass})
-            withCredentials.string({credentialsId=ssh_cred, variable=ssh_pass})
-            withCredentials.withCredentials([[user, pass], docker_pass, ssh_pass], groovy.lang.Closure)
-               withCredentials.echo(Nested User/Pass = user/pass)
-               withCredentials.echo(Nested Docker = docker_pass)
-               withCredentials.echo(Nested SSH = ssh_pass)
-            withCredentials.echo(Restored User/Pass = user/pass)
-            withCredentials.echo(Restored Docker = docker_pass)
-            withCredentials.echo(Restored SSH = ssh_pass)
+         withCredentials.usernamePassword({credentialsId=my_cred_id-1, usernameVariable=user, passwordVariable=pass})
+         withCredentials.string({credentialsId=docker_cred-1, variable=docker_pass})
+         withCredentials.string({credentialsId=ssh_cred-1, variable=ssh_pass})
+         withCredentials.withCredentials([{credentialsType=usernamePassword, credentialsId=my_cred_id-1, usernameVariable=user, passwordVariable=pass}, {credentialsType=string, credentialsId=docker_cred-1, variable=docker_pass}, {credentialsType=string, credentialsId=ssh_cred-1, variable=ssh_pass}], groovy.lang.Closure)
+            withCredentials.echo(User/Pass = test-user-1/test-password-1)
+            withCredentials.echo(Docker = docker-pass-1)
+            withCredentials.echo(SSH = ssh-pass-1)
+            withCredentials.usernamePassword({credentialsId=my_cred_id-2, usernameVariable=user, passwordVariable=pass})
+            withCredentials.string({credentialsId=docker_cred-2, variable=docker_pass})
+            withCredentials.string({credentialsId=ssh_cred-2, variable=ssh_pass})
+            withCredentials.withCredentials([{credentialsType=usernamePassword, credentialsId=my_cred_id-2, usernameVariable=user, passwordVariable=pass}, {credentialsType=string, credentialsId=docker_cred-2, variable=docker_pass}, {credentialsType=string, credentialsId=ssh_cred-2, variable=ssh_pass}], groovy.lang.Closure)
+               withCredentials.echo(Nested User/Pass = test-user-2/test-password-2)
+               withCredentials.echo(Nested Docker = docker-pass-2)
+               withCredentials.echo(Nested SSH = ssh-pass-2)
+            withCredentials.echo(Restored User/Pass = test-user-1/test-password-1)
+            withCredentials.echo(Restored Docker = docker-pass-1)
+            withCredentials.echo(Restored SSH = ssh-pass-1)
          withCredentials.echo(Cleared User/Pass = null/null)
          withCredentials.echo(Cleared Docker = null)
          withCredentials.echo(Cleared SSH = null)
