Hide potentially sensitive values (system properties and environment variables) by default (#6843)

Co-authored-by: NAlexander Brandes <brandes.alexander@web.de>
Co-authored-by: NDaniel Beck <daniel-beck@users.noreply.github.com>
Co-authored-by: NTim Jacomb <timjacomb1+github@gmail.com>
Co-authored-by: NTim Jacomb <timjacomb1@gmail.com>
Co-authored-by: NAlexander Brandes <mc.cache@web.de>

core/src/main/resources/jenkins/model/Jenkins/systemInfo.jelly

@@ -35,13 +35,13 @@ THE SOFTWARE.
 
       <l:hasPermission permission="${app.SYSTEM_READ}">
         <l:tabPane title="${%System Properties}">
-          <t:propertyTable items="${h.systemProperties}" />
+          <t:propertyTable items="${h.systemProperties}" sensitive="true" />
         </l:tabPane>
       </l:hasPermission>
 
       <l:hasPermission permission="${app.SYSTEM_READ}">
         <l:tabPane title="${%Environment Variables}">
-          <t:propertyTable items="${h.envVars}" />
+          <t:propertyTable items="${h.envVars}" sensitive="true" />
         </l:tabPane>
       </l:hasPermission>
 

core/src/main/resources/jenkins/slaves/systemInfo/EnvVarsSlaveInfo/systemInfo.jelly

@@ -29,5 +29,5 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <t:propertyTable items="${it.envVarsFull}" />
-</j:jelly>
\ No newline at end of file
+  <t:propertyTable items="${it.envVarsFull}" sensitive="true" />
+</j:jelly>

core/src/main/resources/jenkins/slaves/systemInfo/SystemPropertySlaveInfo/systemInfo.jelly

@@ -29,5 +29,5 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <t:propertyTable items="${it.systemProperties}" />
-</j:jelly>
\ No newline at end of file
+  <t:propertyTable items="${it.systemProperties}" sensitive="true" />
+</j:jelly>

core/src/main/resources/lib/hudson/property-table.css

+.app-table-full-width-column {
+  width: 100%;
+}
+
+.app-hidden-info-hide > button {
+  text-align: left;
+}
+
+span.jenkins-\!-color-blue > svg {
+  vertical-align: text-top;
+}

core/src/main/resources/lib/hudson/property-table.js

+(function () {
+  document.addEventListener("DOMContentLoaded", function () {
+    document
+      .querySelectorAll(".app-hidden-info-reveal .jenkins-button")
+      .forEach(function (elem) {
+        elem.addEventListener("click", function () {
+          elem.parentElement.classList.add("jenkins-hidden");
+          elem.parentElement.nextSibling.classList.remove("jenkins-hidden");
+        });
+      });
+    document
+      .querySelectorAll(".app-hidden-info-hide .jenkins-button")
+      .forEach(function (elem) {
+        elem.addEventListener("click", function () {
+          elem.parentElement.classList.add("jenkins-hidden");
+          elem.parentElement.previousSibling.classList.remove("jenkins-hidden");
+        });
+      });
+
+    document
+      .querySelectorAll(".app-all-hidden-reveal-all")
+      .forEach(function (elem) {
+        elem.addEventListener("click", function () {
+          elem.classList.add("jenkins-hidden");
+          elem.nextSibling.classList.remove("jenkins-hidden");
+          let tableId = elem.getAttribute("data-table-id");
+          document
+            .getElementById(tableId)
+            .querySelectorAll(".app-hidden-info-reveal .jenkins-button")
+            .forEach(function (elem) {
+              elem.parentElement.classList.add("jenkins-hidden");
+              elem.parentElement.nextSibling.classList.remove("jenkins-hidden");
+            });
+        });
+      });
+
+    document
+      .querySelectorAll(".app-all-hidden-hide-all")
+      .forEach(function (elem) {
+        elem.addEventListener("click", function () {
+          elem.classList.add("jenkins-hidden");
+          elem.previousSibling.classList.remove("jenkins-hidden");
+          let tableId = elem.getAttribute("data-table-id");
+          document
+            .getElementById(tableId)
+            .querySelectorAll(".app-hidden-info-reveal .jenkins-button")
+            .forEach(function (elem) {
+              elem.parentElement.classList.remove("jenkins-hidden");
+              elem.parentElement.nextSibling.classList.add("jenkins-hidden");
+            });
+        });
+      });
+  });
+})();

core/src/main/resources/lib/hudson/propertyTable.jelly

@@ -30,12 +30,31 @@ THE SOFTWARE.
     <st:attribute name="items" use="required">
       A Map object that gets rendered as a table.
     </st:attribute>
+    <st:attribute name="sensitive" use="optional">
+      Set to true if the information shown in the table is sensitive and should be hidden by default. Since TODO.
+    </st:attribute>
   </st:documentation>
-  <table class="jenkins-table sortable">
+  <j:if test="${attrs.sensitive}">
+    <st:adjunct includes="lib.hudson.property-table"/>
+  </j:if>
+  <j:set var="tableId" value="${h.generateId()}"/>
+  <j:if test="${attrs.sensitive}">
+    <div class="jenkins-!-margin-bottom-2">
+      <button class="app-all-hidden-reveal-all jenkins-button jenkins-button--transparent jenkins-!-color-blue" data-table-id="${tableId}">
+        <l:icon src="symbol-view"/>
+        ${%revealAll}
+      </button>
+      <button class="app-all-hidden-hide-all jenkins-hidden jenkins-button jenkins-button--transparent jenkins-!-color-blue" data-table-id="${tableId}">
+        <l:icon src="symbol-view"/>
+        ${%hideAll}
+      </button>
+    </div>
+  </j:if>
+  <table class="jenkins-table sortable" id="${tableId}">
     <thead>
       <tr>
         <th initialSortDir="down">${%Name}</th>
-        <th>${%Value}</th>
+        <th class="app-table-full-width-column">${%Value}</th>
       </tr>
     </thead>
     <tbody>
@@ -44,8 +63,28 @@ THE SOFTWARE.
           <td>
             <st:out value="${e.key}"/>
           </td>
-          <td style="white-space: normal">
-            <l:breakable value="${e.value}"/>
+          <td style="white-space: normal" class="property-table__value">
+            <j:choose>
+              <j:when test="${attrs.sensitive}">
+                <div class="app-hidden-info-reveal">
+                  <button class="jenkins-button jenkins-button--transparent jenkins-!-color-blue">
+                    <l:icon src="symbol-view"/> ${%reveal}
+                  </button>
+                </div>
+                <div class="app-hidden-info-hide jenkins-hidden">
+                  <button class="jenkins-button jenkins-button--transparent">
+                    <span class="jenkins-!-color-blue">
+                      <l:icon src="symbol-eye-off-outline"/><j:out value=" "/><l:breakable value="${e.value}"/>
+                    </span>
+                  </button>
+                </div>
+              </j:when>
+              <j:otherwise>
+                <div>
+                  <l:breakable value="${e.value}"/>
+                </div>
+              </j:otherwise>
+            </j:choose>
           </td>
         </tr>
       </j:forEach>

core/src/main/resources/lib/hudson/propertyTable.properties

+# The MIT License
+#
+# Copyright (c) 2022, Daniel Beck
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+revealAll = Show values
+reveal = Hidden value, click to show this value
+hideAll = Hide values

war/src/main/resources/images/symbols/eye-off-outline.svg

+<svg xmlns="http://www.w3.org/2000/svg" class="ionicon" viewBox="0 0 512 512"><title>Eye Off</title><path d="M432 448a15.92 15.92 0 01-11.31-4.69l-352-352a16 16 0 0122.62-22.62l352 352A16 16 0 01432 448zM255.66 384c-41.49 0-81.5-12.28-118.92-36.5-34.07-22-64.74-53.51-88.7-91v-.08c19.94-28.57 41.78-52.73 65.24-72.21a2 2 0 00.14-2.94L93.5 161.38a2 2 0 00-2.71-.12c-24.92 21-48.05 46.76-69.08 76.92a31.92 31.92 0 00-.64 35.54c26.41 41.33 60.4 76.14 98.28 100.65C162 402 207.9 416 255.66 416a239.13 239.13 0 0075.8-12.58 2 2 0 00.77-3.31l-21.58-21.58a4 4 0 00-3.83-1 204.8 204.8 0 01-51.16 6.47zM490.84 238.6c-26.46-40.92-60.79-75.68-99.27-100.53C349 110.55 302 96 255.66 96a227.34 227.34 0 00-74.89 12.83 2 2 0 00-.75 3.31l21.55 21.55a4 4 0 003.88 1 192.82 192.82 0 0150.21-6.69c40.69 0 80.58 12.43 118.55 37 34.71 22.4 65.74 53.88 89.76 91a.13.13 0 010 .16 310.72 310.72 0 01-64.12 72.73 2 2 0 00-.15 2.95l19.9 19.89a2 2 0 002.7.13 343.49 343.49 0 0068.64-78.48 32.2 32.2 0 00-.1-34.78z" fill="currentColor" /><path d="M256 160a95.88 95.88 0 00-21.37 2.4 2 2 0 00-1 3.38l112.59 112.56a2 2 0 003.38-1A96 96 0 00256 160zM165.78 233.66a2 2 0 00-3.38 1 96 96 0 00115 115 2 2 0 001-3.38z" fill="currentColor" /></svg>
\ No newline at end of file