Add support for GroupAccessToken credentials, fix credential integration (#479)

Author: mzellho

README.md

@@ -343,6 +343,10 @@ credentials:
               scope: SYSTEM
               id: "i<3GitLab"
               token: "glpat-XfsqZvVtAx5YCph5bq3r" # gitlab personal access token
+          - gitlabGroupAccessToken:
+              scope: SYSTEM
+              id: "i<3GitLab"
+              token: "glgat-XfsqZvVtAx5YCph5bq3r" # gitlab group access token
 
 unclassified:
   gitLabServers:

src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabSCMFileSystem.java

@@ -84,7 +84,8 @@ public SCMFileSystem build(@NonNull Item owner, @NonNull SCM scm, @CheckForNull
         public SCMFileSystem build(@NonNull SCMSource source, @NonNull SCMHead head, @CheckForNull SCMRevision rev)
                 throws IOException, InterruptedException {
             GitLabSCMSource gitlabScmSource = (GitLabSCMSource) source;
-            GitLabApi gitLabApi = apiBuilder(source.getOwner(), gitlabScmSource.getServerName());
+            GitLabApi gitLabApi =
+                    apiBuilder(source.getOwner(), gitlabScmSource.getServerName(), gitlabScmSource.getCredentialsId());
             String projectPath = gitlabScmSource.getProjectPath();
             return build(head, rev, gitLabApi, projectPath);
         }

src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabSCMNavigator.java

@@ -14,7 +14,6 @@
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
-import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
@@ -198,7 +197,7 @@ public void setTraits(@CheckForNull SCMTrait[] traits) {
 
     private GitLabOwner getGitlabOwner(SCMNavigatorOwner owner) {
         if (gitlabOwner == null) {
-            getGitlabOwner(apiBuilder(owner, serverName));
+            getGitlabOwner(apiBuilder(owner, serverName, credentialsId));
         }
         return gitlabOwner;
     }
@@ -235,7 +234,7 @@ protected String id() {
     public void visitSources(@NonNull final SCMSourceObserver observer) throws IOException, InterruptedException {
         GitLabSCMNavigatorContext context = new GitLabSCMNavigatorContext().withTraits(traits);
         try (GitLabSCMNavigatorRequest request = context.newRequest(this, observer)) {
-            GitLabApi gitLabApi = apiBuilder(observer.getContext(), serverName);
+            GitLabApi gitLabApi = apiBuilder(observer.getContext(), serverName, credentialsId);
             getGitlabOwner(gitLabApi);
             List<Project> projects;
             if (gitlabOwner instanceof GitLabUser) {
@@ -459,14 +458,15 @@ public static class DescriptorImpl extends SCMNavigatorDescriptor implements Ico
 
         public static FormValidation doCheckProjectOwner(
                 @AncestorInPath SCMSourceOwner context,
+                @QueryParameter String credentialsId,
                 @QueryParameter String projectOwner,
                 @QueryParameter String serverName) {
             if (projectOwner.equals("")) {
                 return FormValidation.ok();
             }
             GitLabApi gitLabApi = null;
             try {
-                gitLabApi = apiBuilder(context, serverName);
+                gitLabApi = apiBuilder(context, serverName, credentialsId);
                 GitLabOwner gitLabOwner = GitLabOwner.fetchOwner(gitLabApi, projectOwner);
                 return FormValidation.ok(projectOwner + " is a valid " + gitLabOwner.getWord());
             } catch (IllegalStateException e) {
@@ -552,9 +552,9 @@ public ListBoxModel doFillCredentialsIdItems(
             result.includeMatchingAs(
                     context instanceof Queue.Task ? ((Queue.Task) context).getDefaultAuthentication() : ACL.SYSTEM,
                     context,
-                    StandardUsernameCredentials.class,
+                    StandardCredentials.class,
                     fromUri(getServerUrlFromName(serverName)).build(),
-                    GitClient.CREDENTIALS_MATCHER);
+                    CredentialsMatchers.anyOf(GitClient.CREDENTIALS_MATCHER, GitLabServer.CREDENTIALS_MATCHER));
             return result;
         }
 

src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabSCMSource.java

@@ -13,6 +13,7 @@
 
 import com.cloudbees.plugins.credentials.CredentialsMatchers;
 import com.cloudbees.plugins.credentials.CredentialsProvider;
+import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
 import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import edu.umd.cs.findbugs.annotations.NonNull;
@@ -32,6 +33,7 @@
 import io.jenkins.plugins.gitlabbranchsource.helpers.GitLabAvatar;
 import io.jenkins.plugins.gitlabbranchsource.helpers.GitLabLink;
 import io.jenkins.plugins.gitlabbranchsource.helpers.Sleeper;
+import io.jenkins.plugins.gitlabserverconfig.credentials.GroupAccessToken;
 import io.jenkins.plugins.gitlabserverconfig.credentials.PersonalAccessToken;
 import io.jenkins.plugins.gitlabserverconfig.servers.GitLabServer;
 import io.jenkins.plugins.gitlabserverconfig.servers.GitLabServers;
@@ -208,7 +210,7 @@ public String getRemote() {
 
     protected Project getGitlabProject() {
         if (gitlabProject == null) {
-            getGitlabProject(apiBuilder(this.getOwner(), serverName));
+            getGitlabProject(apiBuilder(this.getOwner(), serverName, credentialsId));
         }
         return gitlabProject;
     }
@@ -247,7 +249,7 @@ private List<Member> getMembersWithRetries() throws GitLabApiException, Interrup
         int delay = INITIAL_DELAY_MS;
         int attemptNb = 0;
         final Sleeper sleeper = new Sleeper();
-        GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName);
+        GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName, credentialsId);
         while (true) {
             try {
                 return gitLabApi.getProjectApi().getAllMembers(projectPath);
@@ -300,7 +302,7 @@ public void setTraits(List<SCMSourceTrait> traits) {
     protected SCMRevision retrieve(@NonNull SCMHead head, @NonNull TaskListener listener)
             throws IOException, InterruptedException {
         try {
-            GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName);
+            GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName, credentialsId);
             getGitlabProject(gitLabApi);
             if (head instanceof BranchSCMHead) {
                 listener.getLogger().format("Querying the current revision of branch %s...%n", head.getName());
@@ -362,7 +364,7 @@ protected void retrieve(
             @NonNull TaskListener listener)
             throws IOException, InterruptedException {
         try {
-            GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName);
+            GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName, credentialsId);
             getGitlabProject(gitLabApi);
             GitLabSCMSourceContext ctx = new GitLabSCMSourceContext(criteria, observer).withTraits(getTraits());
             try (GitLabSCMSourceRequest request = ctx.newRequest(this, listener)) {
@@ -774,7 +776,7 @@ protected SCMProbe createProbe(@NonNull final SCMHead head, SCMRevision revision
             if (builder == null) {
                 throw new AssertionError();
             }
-            GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName);
+            GitLabApi gitLabApi = apiBuilder(this.getOwner(), serverName, credentialsId);
             getGitlabProject(gitLabApi);
             final SCMFileSystem fs = builder.build(head, revision, gitLabApi, projectPath);
             return new SCMProbe() {
@@ -832,14 +834,19 @@ public void afterSave() {
         }
     }
 
-    public PersonalAccessToken credentials() {
-        return CredentialsMatchers.firstOrNull(
-                lookupCredentials(
-                        PersonalAccessToken.class,
-                        getOwner(),
-                        Jenkins.getAuthentication(),
-                        fromUri(getServerUrlFromName(serverName)).build()),
-                GitLabServer.CREDENTIALS_MATCHER);
+    public StandardCredentials credentials() {
+        List<StandardCredentials> list = new ArrayList<>();
+        list.addAll(lookupCredentials(
+                PersonalAccessToken.class,
+                getOwner(),
+                Jenkins.getAuthentication(),
+                fromUri(getServerUrlFromName(serverName)).build()));
+        list.addAll(lookupCredentials(
+                GroupAccessToken.class,
+                getOwner(),
+                Jenkins.getAuthentication(),
+                fromUri(getServerUrlFromName(serverName)).build()));
+        return CredentialsMatchers.firstOrNull(list, GitLabServer.CREDENTIALS_MATCHER);
     }
 
     @Symbol("gitlab")
@@ -911,13 +918,14 @@ public ListBoxModel doFillCredentialsIdItems(
                     context,
                     StandardUsernameCredentials.class,
                     fromUri(getServerUrlFromName(serverName)).build(),
-                    GitClient.CREDENTIALS_MATCHER);
+                    CredentialsMatchers.anyOf(GitClient.CREDENTIALS_MATCHER, GitLabServer.CREDENTIALS_MATCHER));
             return result;
         }
 
         public long getProjectId(
                 @AncestorInPath SCMSourceOwner context,
                 @QueryParameter String projectPath,
+                @QueryParameter String credentialsId,
                 @QueryParameter String serverName) {
             List<GitLabServer> gitLabServers = GitLabServers.get().getServers();
             if (gitLabServers.size() == 0) {
@@ -926,9 +934,9 @@ public long getProjectId(
             try {
                 GitLabApi gitLabApi;
                 if (StringUtils.isBlank(serverName)) {
-                    gitLabApi = apiBuilder(context, gitLabServers.get(0).getName());
+                    gitLabApi = apiBuilder(context, gitLabServers.get(0).getName(), credentialsId);
                 } else {
-                    gitLabApi = apiBuilder(context, serverName);
+                    gitLabApi = apiBuilder(context, serverName, credentialsId);
                 }
                 if (StringUtils.isNotBlank(projectPath)) {
                     return gitLabApi.getProjectApi().getProject(projectPath).getId();
@@ -941,6 +949,7 @@ public long getProjectId(
 
         public ListBoxModel doFillProjectPathItems(
                 @AncestorInPath SCMSourceOwner context,
+                @QueryParameter String credentialsId,
                 @QueryParameter String serverName,
                 @QueryParameter String projectOwner) {
             List<GitLabServer> gitLabServers = GitLabServers.get().getServers();
@@ -951,9 +960,9 @@ public ListBoxModel doFillProjectPathItems(
             try {
                 GitLabApi gitLabApi;
                 if (serverName.equals("")) {
-                    gitLabApi = apiBuilder(context, gitLabServers.get(0).getName());
+                    gitLabApi = apiBuilder(context, gitLabServers.get(0).getName(), credentialsId);
                 } else {
-                    gitLabApi = apiBuilder(context, serverName);
+                    gitLabApi = apiBuilder(context, serverName, credentialsId);
                 }
 
                 if (projectOwner.equals("")) {

src/main/java/io/jenkins/plugins/gitlabbranchsource/helpers/GitLabHelper.java

@@ -1,11 +1,20 @@
 package io.jenkins.plugins.gitlabbranchsource.helpers;
 
+import static com.cloudbees.plugins.credentials.CredentialsMatchers.withId;
+import static com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials;
+import static com.cloudbees.plugins.credentials.domains.URIRequirementBuilder.fromUri;
+
+import com.cloudbees.plugins.credentials.CredentialsMatchers;
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
 import com.damnhandy.uri.template.UriTemplate;
 import com.damnhandy.uri.template.UriTemplateBuilder;
 import com.damnhandy.uri.template.impl.Operator;
 import hudson.ProxyConfiguration;
+import hudson.model.Item;
+import hudson.model.ItemGroup;
+import hudson.security.ACL;
 import hudson.security.AccessControlled;
+import io.jenkins.plugins.gitlabserverconfig.credentials.GroupAccessToken;
 import io.jenkins.plugins.gitlabserverconfig.credentials.PersonalAccessToken;
 import io.jenkins.plugins.gitlabserverconfig.servers.GitLabServer;
 import io.jenkins.plugins.gitlabserverconfig.servers.GitLabServers;
@@ -15,17 +24,22 @@
 import java.util.Map;
 import java.util.regex.Pattern;
 import jenkins.model.Jenkins;
+import org.apache.commons.lang3.StringUtils;
 import org.eclipse.jgit.annotations.NonNull;
 import org.gitlab4j.api.GitLabApi;
 import org.gitlab4j.api.ProxyClientConfig;
 import org.jenkinsci.plugins.plaincredentials.StringCredentials;
 
 public class GitLabHelper {
 
-    public static GitLabApi apiBuilder(AccessControlled context, String serverName) {
+    public static GitLabApi apiBuilder(AccessControlled context, String serverName, String credentialsId) {
+        return apiBuilder(context, serverName, getCredential(credentialsId, serverName, context));
+    }
+
+    public static GitLabApi apiBuilder(AccessControlled context, String serverName, StandardCredentials credential) {
         GitLabServer server = GitLabServers.get().findServer(serverName);
         if (server != null) {
-            StandardCredentials credentials = server.getCredentials(context);
+            StandardCredentials credentials = credential != null ? credential : server.getCredentials(context);
             String serverUrl = server.getServerUrl();
             String privateToken = getPrivateTokenAsPlainText(credentials);
             if (privateToken.equals(GitLabServer.EMPTY_TOKEN)) {
@@ -106,6 +120,9 @@ public static String getPrivateTokenAsPlainText(StandardCredentials credentials)
             if (credentials instanceof PersonalAccessToken) {
                 privateToken = ((PersonalAccessToken) credentials).getToken().getPlainText();
             }
+            if (credentials instanceof GroupAccessToken) {
+                privateToken = ((GroupAccessToken) credentials).getToken().getPlainText();
+            }
             if (credentials instanceof StringCredentials) {
                 privateToken = ((StringCredentials) credentials).getSecret().getPlainText();
             }
@@ -148,4 +165,32 @@ public static UriTemplate commitUriTemplate(String serverNameOrUrl) {
     public static String[] splitPath(String path) {
         return path.split(Operator.PATH.getSeparator());
     }
+
+    public static StandardCredentials getCredential(String credentialsId, String serverName, AccessControlled context) {
+        if (StringUtils.isNotBlank(credentialsId)) {
+            if (context instanceof ItemGroup) {
+                return CredentialsMatchers.firstOrNull(
+                        lookupCredentials(
+                                StandardCredentials.class,
+                                (ItemGroup) context,
+                                ACL.SYSTEM,
+                                fromUri(StringUtils.defaultIfBlank(
+                                                getServerUrlFromName(serverName), GitLabServer.GITLAB_SERVER_URL))
+                                        .build()),
+                        withId(credentialsId));
+            } else {
+                return CredentialsMatchers.firstOrNull(
+                        lookupCredentials(
+                                StandardCredentials.class,
+                                (Item) context,
+                                ACL.SYSTEM,
+                                fromUri(StringUtils.defaultIfBlank(
+                                                getServerUrlFromName(serverName), GitLabServer.GITLAB_SERVER_URL))
+                                        .build()),
+                        withId(credentialsId));
+            }
+        }
+
+        return null;
+    }
 }

src/main/java/io/jenkins/plugins/gitlabbranchsource/helpers/GitLabPipelineStatusNotifier.java

@@ -207,7 +207,8 @@ private static void logComment(Run<?, ?> build, TaskListener listener) {
         String suffix = " - [Details](" + url + ")";
         SCMRevision revision = SCMRevisionAction.getRevision(source, build);
         try {
-            GitLabApi gitLabApi = GitLabHelper.apiBuilder(build.getParent(), source.getServerName());
+            GitLabApi gitLabApi =
+                    GitLabHelper.apiBuilder(build.getParent(), source.getServerName(), source.getCredentialsId());
             String sudoUsername = sourceContext.getSudoUser();
             if (!sudoUsername.isEmpty()) {
                 gitLabApi.sudo(sudoUsername);
@@ -375,7 +376,8 @@ private static void sendNotifications(Run<?, ?> build, TaskListener listener, Bo
                 }
             }
             try {
-                GitLabApi gitLabApi = GitLabHelper.apiBuilder(build.getParent(), source.getServerName());
+                GitLabApi gitLabApi =
+                        GitLabHelper.apiBuilder(build.getParent(), source.getServerName(), source.getCredentialsId());
                 LOGGER.log(Level.FINE, String.format("Notifiying commit: %s", hash));
 
                 if (revision instanceof MergeRequestSCMRevision) {
@@ -476,7 +478,8 @@ public void onEnterWaiting(final Queue.WaitingItem wi) {
 
                     Constants.CommitBuildState state = Constants.CommitBuildState.PENDING;
                     try {
-                        GitLabApi gitLabApi = GitLabHelper.apiBuilder(job, source.getServerName());
+                        GitLabApi gitLabApi =
+                                GitLabHelper.apiBuilder(job, source.getServerName(), source.getCredentialsId());
                         // check are we still the task to set pending
                         synchronized (resolving) {
                             if (!nonce.equals(resolving.get(job))) {

src/main/java/io/jenkins/plugins/gitlabserverconfig/action/GitlabAction.java

@@ -51,7 +51,10 @@ public HttpResponse doServerList() {
 
     @RequirePOST
     public HttpResponse doProjectList(
-            @AncestorInPath SCMSourceOwner context, @QueryParameter String server, @QueryParameter String owner) {
+            @AncestorInPath SCMSourceOwner context,
+            @QueryParameter String server,
+            @QueryParameter String credentialsId,
+            @QueryParameter String owner) {
         if (!Jenkins.get().hasPermission(Jenkins.MANAGE)) {
             return HttpResponses.errorJSON("no permission to get Gitlab server list");
         }
@@ -62,7 +65,7 @@ public HttpResponse doProjectList(
 
         JSONArray servers = new JSONArray();
 
-        GitLabApi gitLabApi = GitLabHelper.apiBuilder(context, server);
+        GitLabApi gitLabApi = GitLabHelper.apiBuilder(context, server, credentialsId);
         try {
             for (Project project :
                     gitLabApi.getProjectApi().getUserProjects(owner, new ProjectFilter().withOwned(true))) {

src/main/java/io/jenkins/plugins/gitlabserverconfig/credentials/GroupAccessToken.java

@@ -0,0 +1,16 @@
+package io.jenkins.plugins.gitlabserverconfig.credentials;
+
+import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.util.Secret;
+
+public interface GroupAccessToken extends StandardUsernamePasswordCredentials {
+
+    /**
+     * Returns the token.
+     *
+     * @return the token.
+     */
+    @NonNull
+    Secret getToken();
+}