Commit a572450f
Authored on December 21, 2016 by Jesse Glick
[SECURITY-376] Remove backup directory for RekeySecretAdminMonitor.
Parent: 767a919b
Showing 3 changed files with 20 additions and 27 deletions (+20 −27):
core/src/main/java/hudson/util/SecretRewriter.java (+15 −23)
core/src/main/java/jenkins/security/RekeySecretAdminMonitor.java (+4 −1)
core/src/test/groovy/hudson/util/SecretRewriterTest.groovy (+1 −3)
core/src/main/java/hudson/util/SecretRewriter.java
...
...
@@ -2,7 +2,6 @@ package hudson.util;
import
com.trilead.ssh2.crypto.Base64
;
import
hudson.model.TaskListener
;
import
org.apache.commons.io.FileUtils
;
import
javax.crypto.Cipher
;
import
javax.crypto.SecretKey
;
...
...
@@ -33,21 +32,21 @@ public class SecretRewriter {
*/
private
int
count
;
/**
* If non-null the original file before rewrite gets in here.
*/
private
final
File
backupDirectory
;
/**
* Canonical paths of the directories we are recursing to protect
* against symlink induced cycles.
*/
private
Set
<
String
>
callstack
=
new
HashSet
<
String
>();
public
SecretRewriter
(
File
backupDirectory
)
throws
GeneralSecurityException
{
public
SecretRewriter
()
throws
GeneralSecurityException
{
cipher
=
Secret
.
getCipher
(
"AES"
);
key
=
Secret
.
getLegacyKey
();
this
.
backupDirectory
=
backupDirectory
;
}
/** @deprecated SECURITY-376: {@code backupDirectory} is ignored */
@Deprecated
public
SecretRewriter
(
File
backupDirectory
)
throws
GeneralSecurityException
{
this
();
}
private
String
tryRewrite
(
String
s
)
throws
IOException
,
InvalidKeyException
{
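Review bot: the deprecated `SecretRewriter(File backupDirectory)` constructor now silently discards its argument by delegating to `this()`, so a plugin that passed a directory expecting pre-rewrite copies gets none without any signal; consider logging at WARNING when a non-null `backupDirectory` is supplied, and have the `@deprecated` Javadoc name `{@link #SecretRewriter()}` as the replacement so the deprecation warning is actionable. Removing the `backupDirectory` field itself is the right fix: the copies it produced were the original files before rewrite, i.e. secrets under the legacy key that the rewrite is retiring, kept on disk beside the rewritten ones.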
...
...
@@ -70,12 +69,14 @@ public class SecretRewriter {
return
s
;
}
/**
* @param backup
* if non-null, the original file will be copied here before rewriting.
* if the rewrite doesn't happen, no copying.
*/
/** @deprecated SECURITY-376: {@code backup} is ignored */
@Deprecated
public
boolean
rewrite
(
File
f
,
File
backup
)
throws
InvalidKeyException
,
IOException
{
return
rewrite
(
f
);
}
public
boolean
rewrite
(
File
f
)
throws
InvalidKeyException
,
IOException
{
AtomicFileWriter
w
=
new
AtomicFileWriter
(
f
,
"UTF-8"
);
try
{
PrintWriter
out
=
new
PrintWriter
(
new
BufferedWriter
(
w
));
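Review bot: the `@deprecated` Javadoc on `rewrite(File f, File backup)` should point at `{@link #rewrite(File)}` as the replacement; the old `@param backup` text is rightly dropped now that the parameter is ignored. Delegating to `rewrite(f)` preserves the return value and the `InvalidKeyException, IOException` contract, so existing callers compile and behave the same apart from no longer receiving a copy.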
...
...
@@ -117,10 +118,6 @@ public class SecretRewriter {
}
if
(
modified
)
{
if
(
backup
!=
null
)
{
backup
.
getParentFile
().
mkdirs
();
FileUtils
.
copyFile
(
f
,
backup
);
}
w
.
commit
();
}
return
modified
;
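Review bot: with the `backup != null` branch removed, `rewrite(File)` no longer writes the pre-rewrite file to a second location before `w.commit()`; this is the core of the fix, since `FileUtils.copyFile(f, backup)` ran before the commit and therefore preserved the legacy-key ciphertext next to the re-encrypted file. Worth confirming that `modified` remains the sole guard on `w.commit()` so unchanged files are never rewritten, and that the `AtomicFileWriter` is abandoned on the non-modified path (outside this hunk).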
...
...
@@ -165,11 +162,7 @@ public class SecretRewriter {
if
((
count
++)%
100
==
0
)
listener
.
getLogger
().
println
(
"Scanning "
+
child
);
try
{
File
backup
=
null
;
if
(
backupDirectory
!=
null
)
backup
=
new
File
(
backupDirectory
,
relative
+
'/'
+
cn
);
if
(
rewrite
(
child
,
backup
))
{
if
(
backup
!=
null
)
listener
.
getLogger
().
println
(
"Copied "
+
child
+
" to "
+
backup
+
" as a backup"
);
if
(
rewrite
(
child
))
{
listener
.
getLogger
().
println
(
"Rewritten "
+
child
);
rewritten
++;
}
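Review bot: after deleting the `backup` computation, check whether `relative` is still used elsewhere in this method; if its only consumer was the removed `new File(backupDirectory, relative + '/' + cn)`, it is now dead code and should go too. Dropping the "Copied ... as a backup" log line is consistent with the fix, since the rekey log will no longer advertise where copies of the old files were placed.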
...
...
@@ -199,7 +192,6 @@ public class SecretRewriter {
String
n
=
dir
.
getName
();
return
n
.
equals
(
"workspace"
)
||
n
.
equals
(
"artifacts"
)
||
n
.
equals
(
"plugins"
)
// no mutable data here
||
n
.
equals
(
"jenkins.security.RekeySecretAdminMonitor"
)
// we don't want to rewrite backups
||
n
.
equals
(
"."
)
||
n
.
equals
(
".."
);
}
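Review bot: removing the `jenkins.security.RekeySecretAdminMonitor` exclusion means a leftover `backups` tree under that directory would now be scanned and rewritten rather than skipped; that is only safe because the monitor's constructor deletes the directory before `fix()` runs, so the two changes must ship together. A short comment referencing SECURITY-376 next to the remaining `workspace`/`artifacts`/`plugins` entries would stop a future reader from reinstating the skip.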
...
...
core/src/main/java/jenkins/security/RekeySecretAdminMonitor.java
package
jenkins.security
;
import
hudson.Extension
;
import
hudson.Util
;
import
hudson.init.InitMilestone
;
import
hudson.init.Initializer
;
import
hudson.model.TaskListener
;
...
...
@@ -50,6 +51,7 @@ public class RekeySecretAdminMonitor extends AsynchronousAdministrativeMonitor {
*/
private
final
FileBoolean
scanOnBoot
=
state
(
"scanOnBoot"
);
@SuppressWarnings
(
"OverridableMethodCallInConstructor"
)
// should have been final
public
RekeySecretAdminMonitor
()
throws
IOException
{
// if JENKINS_HOME existed <1.497, we need to offer rewrite
// this computation needs to be done and the value be captured,
...
...
@@ -59,6 +61,7 @@ public class RekeySecretAdminMonitor extends AsynchronousAdministrativeMonitor {
if
(
j
.
isUpgradedFromBefore
(
new
VersionNumber
(
"1.496.*"
))
&&
new
FileBoolean
(
new
File
(
j
.
getRootDir
(),
"secret.key.not-so-secret"
)).
isOff
())
needed
.
on
();
Util
.
deleteRecursive
(
new
File
(
getBaseDir
(),
"backups"
));
// SECURITY-376: no longer used
}
@Override
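Review bot: `Util.deleteRecursive(new File(getBaseDir(), "backups"))` runs inside the constructor, which already declares `throws IOException`; if a single file in a stale `backups` tree cannot be removed (permissions, a locked file on Windows), the whole administrative monitor fails to instantiate and the rekey offer disappears with it. Catching the exception, logging it, and continuing would keep the monitor available while still retrying the cleanup on every boot. Note also that the deletion only happens at startup, so an upgraded instance retains the legacy-key copies until Jenkins is restarted with this change.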
...
...
@@ -133,7 +136,7 @@ public class RekeySecretAdminMonitor extends AsynchronousAdministrativeMonitor {
protected
void
fix
(
TaskListener
listener
)
throws
Exception
{
LOGGER
.
info
(
"Initiating a re-keying of secrets. See "
+
getLogFile
());
SecretRewriter
rewriter
=
new
SecretRewriter
(
new
File
(
getBaseDir
(),
"backups"
)
);
SecretRewriter
rewriter
=
new
SecretRewriter
();
try
{
PrintStream
log
=
listener
.
getLogger
();
...
...
core/src/test/groovy/hudson/util/SecretRewriterTest.groovy
...
...
@@ -70,8 +70,7 @@ class SecretRewriterTest {
*/
@Test
void
recursionDetection
()
{
def
backup
=
tmp
.
newFolder
(
"backup"
)
def
sw
=
new
SecretRewriter
(
backup
);
def
sw
=
new
SecretRewriter
();
def
st
=
StreamTaskListener
.
fromStdout
()
def
o
=
encryptOld
(
"Hello world"
)
...
...
@@ -101,7 +100,6 @@ class SecretRewriterTest {
dirs
.
each
{
p
->
assert
new
File
(
t
,
"$p/foo.xml"
).
text
.
trim
()==
answer
assert
new
File
(
backup
,
"$p/foo.xml"
).
text
.
trim
()==
payload
}
// t2 is only reachable by following a symlink. this should be covered, too
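Review bot: the removed assertion on `new File(backup, "$p/foo.xml").text.trim() == payload` was the only check that touched backups, so after this change the test verifies the rewritten content (`answer`) but nothing about the SECURITY-376 property itself. Consider asserting that no file containing `payload` (the legacy-key ciphertext) remains anywhere under `t` after the rewrite, so a regression that reintroduces backup copies fails this test rather than going unnoticed.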
...
...