Merge pull request #890 from jeromepochat/BEE-62243-update-migration-path

[BEE-62243] Use `AccessSpecifiedRepositories` as default access strategy for GitHub App credentials

Author: jeromepochat

docs/github-app.adoc

@@ -187,12 +187,15 @@ For now, in this case, you either need to use a less restrictive strategy for th
 
 ==== Backwards compatibility
 
-[IMPORTANT]
-The new configuration options are not fully backwards compatible.
+The existing credentials is migrated to the “Specify accessible repositories” mode described in the documentation:
+
+* the owner is set with the original credentials owner
+* the list of repository is set with empty list
 
-For existing GitHub App credentials which do not have the owner field set, the migration to the new format is not fully compatible. These credentials migrate to the “Infer owner and allow access to all owned repositories” mode described in the documentation, which means that they will only work in contexts where the owner can be inferred, such as Organization Folders and Multibranch Pipelines.
+In case of empty owner and when the credentials are used in a context where inference is supported, such as Organization Folders and Multibranch Pipelines, the inferred owner is used to compute permissions.
 
-If you are using the credentials in a context where inference is not supported, you will need to reconfigure these credentials to use the “Specify accessible repositories” mode instead, specifying the appropriate owner (or leaving it blank if the app is installed in a single GitHub organization).
+[IMPORTANT]
+If you are using the credentials in a context where inference is not supported, you will need to reconfigure these credentials to specify the appropriate owner (or leaving it blank if the app is installed in a single GitHub organization).
 
 === Help?
 

src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java

@@ -39,7 +39,6 @@
 import jenkins.util.JenkinsJVM;
 import net.sf.json.JSONObject;
 import org.apache.commons.lang3.StringUtils;
-import org.jenkinsci.plugins.github_branch_source.app_credentials.AccessInferredOwner;
 import org.jenkinsci.plugins.github_branch_source.app_credentials.AccessSpecifiedRepositories;
 import org.jenkinsci.plugins.github_branch_source.app_credentials.AccessibleRepositories;
 import org.jenkinsci.plugins.github_branch_source.app_credentials.DefaultPermissionsStrategy;
@@ -165,19 +164,18 @@ public String getOwner() {
     /** Do not call this method, use {@link #setRepositoryAccessStrategy} instead. */
     public void setOwner(String owner) {
         owner = Util.fixEmptyAndTrim(owner);
-        if (owner != null) {
-            setRepositoryAccessStrategy(new AccessSpecifiedRepositories(owner, List.of()));
-        } else {
-            setRepositoryAccessStrategy(new AccessInferredOwner());
-        }
+        LOGGER.log(Level.FINE, null, new Exception("setOwner method called with owner: " + owner));
+        setRepositoryAccessStrategy(new AccessSpecifiedRepositories(owner, List.of()));
         // We only expect this to be called by CasC and by a few plugins which implement variants of this class based on
         // external credential providers, so we still count it as a migration.
         MigrationAdminMonitor.addMigratedCredentialId(getId());
     }
 
     @NonNull
     public RepositoryAccessStrategy getRepositoryAccessStrategy() {
-        return repositoryAccessStrategy == null ? new AccessInferredOwner() : repositoryAccessStrategy;
+        return repositoryAccessStrategy == null
+                ? new AccessSpecifiedRepositories(owner, List.of())
+                : repositoryAccessStrategy;
     }
 
     @DataBoundSetter
@@ -206,6 +204,10 @@ Map<String, GHPermissionType> getPermissions() {
         return getDefaultPermissionsStrategy().getPermissions();
     }
 
+    private GitHubAppUsageContext getContext() {
+        return context;
+    }
+
     @SuppressWarnings("deprecation")
     AuthorizationProvider getAuthorizationProvider() {
         return new CredentialsTokenProvider(this);
@@ -273,7 +275,8 @@ static AppInstallationToken generateAppInstallationToken(
             String apiUrl,
             String owner,
             List<String> repositories,
-            Map<String, GHPermissionType> permissions) {
+            Map<String, GHPermissionType> permissions,
+            String inferredOwner) {
         JenkinsJVM.checkJenkinsJVM();
         // We expect this to be fast but if anything hangs in here we do not want to block indefinitely
 
@@ -293,12 +296,15 @@ static AppInstallationToken generateAppInstallationToken(
             if (appInstallations.isEmpty()) {
                 throw new IllegalArgumentException(String.format(ERROR_NOT_INSTALLED, appId));
             }
-            GHAppInstallation appInstallation;
-            if (StringUtils.isEmpty(owner) && appInstallations.size() == 1) {
+            final String ownerOrNull = Util.fixEmpty(owner);
+            final GHAppInstallation appInstallation;
+            if (ownerOrNull == null && appInstallations.size() == 1) {
                 // This case is only used when AccessSpecifiedRepositories.getOwner is empty.
                 appInstallation = appInstallations.get(0);
             } else {
-                final String ownerOrEmpty = owner != null ? owner : "";
+                // Use the possibly inferred owner from the context
+                final String ownerOrEmpty =
+                        Util.fixNull(Optional.ofNullable(ownerOrNull).orElse(inferredOwner));
                 Optional<GHAppInstallation> appInstallationOptional = appInstallations.stream()
                         .filter(installation -> installation
                                 .getAccount()
@@ -390,7 +396,8 @@ private AppInstallationToken getToken(GitHub gitHub) {
                             actualApiUri(),
                             accessibleRepositories.getOwner(),
                             accessibleRepositories.getRepositories(),
-                            getPermissions());
+                            getPermissions(),
+                            getContext().getInferredOwner());
                     LOGGER.log(Level.FINER, "Retrieved GitHub App Installation Token for app ID {0}", getAppID());
                 }
             } catch (Exception e) {
@@ -592,19 +599,7 @@ long getTokenStaleEpochSeconds() {
     private Object readResolve() {
         cachedCredentials = new ConcurrentHashMap<>();
         if (repositoryAccessStrategy == null || defaultPermissionsStrategy == null) {
-            if (owner != null) {
-                // In this case, the migration should result in identical behavior.
-                setRepositoryAccessStrategy(new AccessSpecifiedRepositories(owner, List.of()));
-            } else {
-                // There is a choice here: We can either preserve compatibility for users who have
-                // the app installed in multiple orgs and only use the credentials in contexts
-                // where owner inference is supported by using AccessInferredOwner, _or_ we can
-                // preserve compatibility for users who have the app installed in a single org and
-                // use it in contexts where inference is not supported by using
-                // AccessSpecifiedRepositories with a null owner.
-                // None of the new strategies support these two use cases simultaneously.
-                setRepositoryAccessStrategy(new AccessInferredOwner());
-            }
+            setRepositoryAccessStrategy(new AccessSpecifiedRepositories(owner, List.of()));
             setDefaultPermissionsStrategy(DefaultPermissionsStrategy.INHERIT_ALL);
             MigrationAdminMonitor.addMigratedCredentialId(getId());
         }
@@ -662,6 +657,7 @@ private static final class DelegatingGitHubAppCredentials extends BaseStandardCr
             j.put("owner", accessibleRepositories.getOwner());
             j.put("repositories", accessibleRepositories.getRepositories());
             j.put("permissions", onMaster.getPermissions());
+            j.put("inferredOwner", onMaster.getContext().getInferredOwner());
             tokenRefreshData = Secret.fromString(j.toString()).getEncryptedValue();
 
             // Check token is valid before sending it to the agent.
@@ -772,7 +768,8 @@ public AppInstallationToken call() throws RuntimeException {
                         (String) fields.get("apiUri"),
                         (String) fields.get("owner"),
                         (List<String>) fields.get("repositories"),
-                        (Map<String, GHPermissionType>) fields.get("permissions"));
+                        (Map<String, GHPermissionType>) fields.get("permissions"),
+                        (String) fields.get("inferredOwner"));
                 LOGGER.log(
                         Level.FINER,
                         "Retrieved GitHub App Installation Token for app ID {0} for agent",
@@ -814,6 +811,10 @@ public ListBoxModel doFillApiUriItems() {
             return getPossibleApiUriItems();
         }
 
+        public static RepositoryAccessStrategy getDefaultRepositoryAccessStrategy() {
+            return new AccessSpecifiedRepositories(null, List.of());
+        }
+
         public FormValidation doCheckAppID(@QueryParameter String appID) {
             if (!appID.isEmpty()) {
                 try {

src/main/resources/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials/config.jelly

@@ -22,7 +22,7 @@
   </f:entry>
 
   <f:advanced>
-    <f:dropdownDescriptorSelector title="${%Repository access strategy}" field="repositoryAccessStrategy" />
+    <f:dropdownDescriptorSelector title="${%Repository access strategy}" field="repositoryAccessStrategy" default="${descriptor.defaultRepositoryAccessStrategy}" />
     <f:entry title="${%Default permissions strategy}" field="defaultPermissionsStrategy">
       <f:enum default="INHERIT_ALL">
         ${it.displayName}

src/main/resources/org/jenkinsci/plugins/github_branch_source/app_credentials/AccessSpecifiedRepositories/help-owner.html

@@ -1,5 +1,8 @@
 <p>
     The organization or user that this credential is to be used for.
-    If left blank, and the GitHub App is only installed in a single organization, then these
-    credentials will be able to access that organization in any context in Jenkins.
+    If left blank:
+    <ul>
+      <li>If the GitHub App is installed in a single organization, then these credentials will be able to access that organization in any context in Jenkins.</li>
+      <li>If the GitHub App is installed in multiple organizations, then the owner will be inferred from the context where inference is supported.</li>
+    </ul>
 </p>

src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentialsContextualizationTest.java

@@ -36,7 +36,7 @@ public void setUpWireMock() throws Exception {
         githubApi.stubFor(get(urlEqualTo("/app/installations"))
                 .willReturn(aResponse()
                         .withHeader("Content-Type", "application/json; charset=utf-8")
-                        .withBodyFile("../AppCredentials/files/body-mapping-githubapp-installations.json")));
+                        .withBodyFile("../AppCredentials/files/body-mapping-githubapp-installations-multiple.json")));
         githubApi.stubFor(post(urlEqualTo("/app/installations/654321/access_tokens"))
                 .withRequestBody(equalToJson(
                         "{\"permissions\":{\"pull_requests\":\"write\",\"metadata\":\"read\",\"checks\":\"write\",\"contents\":\"read\"}}",

src/test/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentialsJCasCCompatibilityTest.java

@@ -51,7 +51,8 @@ public void should_support_configuration_as_code() throws Exception {
         List<Credentials> credentials = domainCredentials.get(0).getCredentials();
         assertThat(credentials.size(), is(7));
 
-        assertGitHubAppCredential(credentials.get(0), "github-app", "GitHub app 1111");
+        assertGitHubAppCredential(
+                credentials.get(0), "github-app", "GitHub app 1111", new AccessSpecifiedRepositories(null, List.of()));
         assertGitHubAppCredential(
                 credentials.get(1), "old-owner", "", new AccessSpecifiedRepositories("test", List.of()));
         assertGitHubAppCredential(
@@ -106,10 +107,6 @@ private CNode getCredentials() throws Exception {
         return configNode;
     }
 
-    private static void assertGitHubAppCredential(Credentials credentials, String id, String description) {
-        assertGitHubAppCredential(credentials, id, description, new AccessInferredOwner());
-    }
-
     private static void assertGitHubAppCredential(
             Credentials credentials, String id, String description, RepositoryAccessStrategy repoStrategy) {
         assertGitHubAppCredential(credentials, id, description, repoStrategy, DefaultPermissionsStrategy.INHERIT_ALL);

src/test/java/org/jenkinsci/plugins/github_branch_source/GithubAppCredentialsTest.java

@@ -113,7 +113,7 @@ public void setUpWireMock() throws Exception {
         githubApi.stubFor(get(urlEqualTo("/app/installations"))
                 .willReturn(aResponse()
                         .withHeader("Content-Type", "application/json; charset=utf-8")
-                        .withBodyFile("../AppCredentials/files/body-mapping-githubapp-installations.json")));
+                        .withBodyFile("../AppCredentials/files/body-mapping-githubapp-installations-multiple.json")));
 
         final String scenarioName = "credentials-accesstoken";
 

src/test/java/org/jenkinsci/plugins/github_branch_source/app_credentials/MigrationAdminMonitorTest.java

@@ -41,16 +41,19 @@ public void smokes() throws Throwable {
                 CredentialsProvider.lookupCredentialsInItemGroup(GitHubAppCredentials.class, r.jenkins, ACL.SYSTEM2),
                 CredentialsMatchers.withId("old-credentials-with-owner"));
         assertThat(credentialsWithOwner.getOwner(), nullValue());
-        var strategy = (AccessSpecifiedRepositories) credentialsWithOwner.getRepositoryAccessStrategy();
-        assertThat(strategy.getOwner(), is("cloudBeers"));
-        assertThat(strategy.getRepositories(), empty());
+        var strategyWithOwner = (AccessSpecifiedRepositories) credentialsWithOwner.getRepositoryAccessStrategy();
+        assertThat(strategyWithOwner.getOwner(), is("cloudBeers"));
+        assertThat(strategyWithOwner.getRepositories(), empty());
         assertThat(credentialsWithOwner.getDefaultPermissionsStrategy(), is(DefaultPermissionsStrategy.INHERIT_ALL));
 
         var credentialsNoOwner = CredentialsMatchers.firstOrNull(
                 CredentialsProvider.lookupCredentialsInItemGroup(GitHubAppCredentials.class, r.jenkins, ACL.SYSTEM2),
                 CredentialsMatchers.withId("old-credentials-no-owner"));
         assertThat(credentialsNoOwner.getOwner(), nullValue());
-        assertThat(credentialsNoOwner.getRepositoryAccessStrategy(), instanceOf(AccessInferredOwner.class));
+        assertThat(credentialsNoOwner.getRepositoryAccessStrategy(), instanceOf(AccessSpecifiedRepositories.class));
+        var strategyWithNoOwner = (AccessSpecifiedRepositories) credentialsNoOwner.getRepositoryAccessStrategy();
+        assertThat(strategyWithNoOwner.getOwner(), nullValue());
+        assertThat(strategyWithNoOwner.getRepositories(), empty());
         assertThat(credentialsNoOwner.getDefaultPermissionsStrategy(), is(DefaultPermissionsStrategy.INHERIT_ALL));
 
         var monitor = ExtensionList.lookupSingleton(MigrationAdminMonitor.class);

src/test/java/org/jenkinsci/plugins/github_branch_source/app_credentials/RunWithCredentialsTest.java

@@ -127,12 +127,6 @@ public void setup() throws IOException, FormException, InterruptedException, Exe
                         .withHeaders(HEADERS)
                         .withBodyFile("../AppCredentials/files/body-mapping-githubapp-app.json")));
 
-        // Stub app installation
-        githubApi.stubFor(get(urlEqualTo("/app/installations"))
-                .willReturn(aResponse()
-                        .withHeaders(HEADERS)
-                        .withBodyFile("../AppCredentials/files/body-mapping-githubapp-installations.json")));
-
         // Stub app installation access token
         githubApi.stubFor(post(urlEqualTo("/app/installations/654321/access_tokens"))
                 .withRequestBody(equalToJson(
@@ -206,6 +200,22 @@ public void setup() throws IOException, FormException, InterruptedException, Exe
                                                 "{\"repositories\":[{\"id\":1,\"name\":\"repository-a\",\"full_name\":\"cloudbeers/repository-a\"},{\"id\":2,\"name\":\"repository-b\",\"full_name\":\"cloudbeers/repository-b\"}]}")));
     }
 
+    private void simpleInstallations() {
+        // Stub app installation
+        githubApi.stubFor(get(urlEqualTo("/app/installations"))
+                .willReturn(aResponse()
+                        .withHeaders(HEADERS)
+                        .withBodyFile("../AppCredentials/files/body-mapping-githubapp-installations-single.json")));
+    }
+
+    private void multipleInstallations() {
+        // Stub app installation
+        githubApi.stubFor(get(urlEqualTo("/app/installations"))
+                .willReturn(aResponse()
+                        .withHeaders(HEADERS)
+                        .withBodyFile("../AppCredentials/files/body-mapping-githubapp-installations-multiple.json")));
+    }
+
     @After
     public void cleanup() throws IOException, InterruptedException {
         if (project != null) {
@@ -218,6 +228,8 @@ public void cleanup() throws IOException, InterruptedException {
 
     @Test
     public void inferredRepository() throws Exception {
+        multipleInstallations();
+
         credentials.setRepositoryAccessStrategy(new AccessInferredRepository());
 
         final var build = r.buildAndAssertSuccess(project);
@@ -228,6 +240,8 @@ public void inferredRepository() throws Exception {
 
     @Test
     public void inferredOwner() throws Exception {
+        multipleInstallations();
+
         credentials.setRepositoryAccessStrategy(new AccessInferredOwner());
 
         final var build = r.buildAndAssertSuccess(project);
@@ -238,6 +252,8 @@ public void inferredOwner() throws Exception {
 
     @Test
     public void specifiedRepositoriesA() throws Exception {
+        multipleInstallations();
+
         credentials.setRepositoryAccessStrategy(
                 new AccessSpecifiedRepositories("cloudbeers", Arrays.asList("repository-a")));
 
@@ -249,6 +265,8 @@ public void specifiedRepositoriesA() throws Exception {
 
     @Test
     public void specifiedRepositoriesB() throws Exception {
+        multipleInstallations();
+
         credentials.setRepositoryAccessStrategy(
                 new AccessSpecifiedRepositories("cloudbeers", Arrays.asList("repository-b")));
 
@@ -260,6 +278,8 @@ public void specifiedRepositoriesB() throws Exception {
 
     @Test
     public void specifiedRepositoriesAB() throws Exception {
+        multipleInstallations();
+
         credentials.setRepositoryAccessStrategy(
                 new AccessSpecifiedRepositories("cloudbeers", Arrays.asList("repository-a", "repository-b")));
 
@@ -271,6 +291,8 @@ public void specifiedRepositoriesAB() throws Exception {
 
     @Test
     public void specifiedRepositoriesABC() throws Exception {
+        multipleInstallations();
+
         credentials.setRepositoryAccessStrategy(new AccessSpecifiedRepositories(
                 "cloudbeers", Arrays.asList("repository-a", "repository-b", "repository-c")));
 
@@ -282,13 +304,40 @@ public void specifiedRepositoriesABC() throws Exception {
                 build);
     }
 
+    @Test
+    public void specifiedRepositoryWithOwner() throws Exception {
+        simpleInstallations();
+
+        credentials.setRepositoryAccessStrategy(new AccessSpecifiedRepositories("cloudbeers", List.of()));
+
+        final var build = r.buildAndAssertSuccess(project);
+
+        // Only specified repositories should be accessible from the contextualized credentials (TOKEN_AB)
+        assertAccessibleRepositories(build, "cloudbeers/repository-a", "cloudbeers/repository-b");
+    }
+
+    @Test
+    public void specifiedRepositoryWithoutOwner() throws Exception {
+        simpleInstallations();
+
+        // Owner is inferred from the context in this case
+        credentials.setRepositoryAccessStrategy(new AccessSpecifiedRepositories(null, List.of()));
+
+        final var build = r.buildAndAssertSuccess(project);
+
+        // Only specified repositories should be accessible from the contextualized credentials (TOKEN_AB)
+        assertAccessibleRepositories(build, "cloudbeers/repository-a", "cloudbeers/repository-b");
+    }
+
     /**
      * Demonstrates how a user who only has access to edit a Jenkinsfile can abuse GithubProjectProperty in combination
      * with the properties step to access any repository accessible to the app installation, as long as the Pipeline is
      * not part of a MultiBranchProject.
      */
     @Test
     public void propertiesStepAllowsAccessBypass() throws Exception {
+        multipleInstallations();
+
         credentials.setRepositoryAccessStrategy(new AccessInferredRepository());
 
         project.setDefinition(new CpsFlowDefinition(