[SECURITY-49] Backing off from @Extension-based discovery.

This is because we discovered some plugins that use Secret early on in the initialization.

[SECURITY-49] Backing off from @Extension-based discovery.
This is because we discovered some plugins that use Secret early on in the initialization.
c3d8e05a · Kohsuke Kawaguchi · 4895eaaf · c3d8e05a · c3d8e05a
2 changed file
--- a/core/src/main/java/jenkins/security/ConfidentialStore.java
+++ b/core/src/main/java/jenkins/security/ConfidentialStore.java
 package jenkins.security;

 import hudson.Extension;
+import hudson.Lookup;
+import hudson.init.InitMilestone;
+import hudson.util.Secret;
+import hudson.util.Service;
 import jenkins.model.Jenkins;
+import org.kohsuke.MetaInfServices;

 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import java.io.IOException;
 import java.security.SecureRandom;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;

 /**
 * The actual storage for the data held by {@link ConfidentialKey}s, and the holder
@@ -18,8 +26,11 @@ import java.security.SecureRandom;
 *
 * <p>
 * OEM distributions of Jenkins can provide a custom {@link ConfidentialStore} implementation
- * by writing a subclass, mark it with {@link Extension} annotation, package it as a Jenkins module,
- * and bundling it with the war file.
+ * by writing a subclass, mark it with {@link MetaInfServices} annotation, package it as a Jenkins module,
+ * and bundling it with the war file. This doesn't use {@link Extension} because some plugins
+ * have been found to use {@link Secret} before we get to {@link InitMilestone#PLUGINS_PREPARED}, and
+ * therefore {@link Extension}s aren't loaded yet. (Similarly, it's conceivable that some future
+ * core code might need this early on during the boot sequence.)
 *
 * @author Kohsuke Kawaguchi
 * @since 1.498
@@ -51,11 +62,36 @@ public abstract class ConfidentialStore {
     */
    public static @Nonnull ConfidentialStore get() {
        if (TEST!=null) return TEST.get();
-        return Jenkins.getInstance().getExtensionList(ConfidentialStore.class).get(0);
+
+        Lookup lookup = Jenkins.getInstance().lookup;
+        ConfidentialStore cs = lookup.get(ConfidentialStore.class);
+        if (cs==null) {
+            try {
+                List<ConfidentialStore> r = (List) Service.loadInstances(ConfidentialStore.class.getClassLoader(), ConfidentialStore.class);
+                if (!r.isEmpty())
+                    cs = r.get(0);
+            } catch (IOException e) {
+                LOGGER.log(Level.WARNING, "Failed to list up ConfidentialStore implementations",e);
+                // fall through
+            }
+
+            if (cs==null)
+                try {
+                    cs = new DefaultConfidentialStore();
+                } catch (Exception e) {
+                    // if it's still null, bail out
+                    throw new Error(e);
+                }
+
+            cs = lookup.setIfNull(ConfidentialStore.class,cs);
+        }
+        return cs;
    }

    /**
     * Testing only. Used for testing {@link ConfidentialKey} without {@link Jenkins}
     */
    /*package*/ static ThreadLocal<ConfidentialStore> TEST = null;
+
+    private static final Logger LOGGER = Logger.getLogger(ConfidentialStore.class.getName());
 }
--- a/core/src/main/java/jenkins/security/DefaultConfidentialStore.java
+++ b/core/src/main/java/jenkins/security/DefaultConfidentialStore.java
 package jenkins.security;

-import hudson.Extension;
 import hudson.FilePath;
 import hudson.Util;
 import hudson.util.IOException2;
@@ -28,7 +27,7 @@ import java.security.SecureRandom;
 *
 * @author Kohsuke Kawaguchi
 */
-@Extension(ordinal=-99999) // small ordinal value to allow other higher ones to take over
+// @MetaInfServices --- not annotated because this is the fallback implementation
 public class DefaultConfidentialStore extends ConfidentialStore {
    private final SecureRandom sr = new SecureRandom();