fix: reimplement http authentification (#1098)

* fix: reimplement http authentification

* fix: typo

* Apply suggestions from code review

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

Author: kuisathaverat

src/main/java/io/jenkins/plugins/opentelemetry/backend/elastic/ElasticLogsBackendWithJenkinsVisualization.java

@@ -13,17 +13,16 @@
 import java.util.logging.Logger;
 
 import org.apache.commons.lang.StringUtils;
-import org.apache.hc.client5.http.auth.Credentials;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.DataBoundSetter;
 import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
 import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.google.errorprone.annotations.MustBeClosed;
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import groovy.text.Template;
 import hudson.Extension;
 import hudson.Util;
@@ -34,7 +33,7 @@
 import io.jenkins.plugins.opentelemetry.TemplateBindingsProvider;
 import io.jenkins.plugins.opentelemetry.backend.ObservabilityBackend;
 import io.jenkins.plugins.opentelemetry.jenkins.CredentialsNotFoundException;
-import io.jenkins.plugins.opentelemetry.jenkins.JenkinsCredentialsToApacheHttpCredentialsAdapter;
+import io.jenkins.plugins.opentelemetry.jenkins.HttpAuthHeaderFactory;
 import io.jenkins.plugins.opentelemetry.job.log.LogStorageRetriever;
 import jenkins.model.Jenkins;
 
@@ -60,9 +59,8 @@ public LogStorageRetriever newLogStorageRetriever(TemplateBindingsProvider templ
             logger.warning(MSG_ELASTICSEARCH_URL_IS_BLANK);
             throw new IllegalStateException(MSG_ELASTICSEARCH_URL_IS_BLANK);
         } else {
-            Credentials credentials = new JenkinsCredentialsToApacheHttpCredentialsAdapter(elasticsearchCredentialsId);
             return new ElasticsearchLogStorageRetriever(
-                    this.elasticsearchUrl, disableSslVerifications, credentials,
+                    this.elasticsearchUrl, disableSslVerifications, elasticsearchCredentialsId,
                     buildLogsVisualizationUrlTemplate, templateBindingsProvider);
         }
     }
@@ -129,6 +127,7 @@ public String getDisplayName() {
             return "Store pipeline logs In Elastic and visualize logs both in Elastic and through Jenkins";
         }
 
+        @RequirePOST
         public FormValidation doCheckElasticsearchUrl(@QueryParameter("elasticsearchUrl") String url) {
             if (StringUtils.isEmpty(url)) {
                 return FormValidation.ok();
@@ -141,6 +140,7 @@ public FormValidation doCheckElasticsearchUrl(@QueryParameter("elasticsearchUrl"
             return FormValidation.ok();
         }
 
+        @RequirePOST
         public ListBoxModel doFillElasticsearchCredentialsIdItems(Item context,
                 @QueryParameter String elasticsearchCredentialsId) {
             if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
@@ -153,8 +153,7 @@ public ListBoxModel doFillElasticsearchCredentialsIdItems(Item context,
                     .includeCurrentValue(elasticsearchCredentialsId);
         }
 
-        @SuppressFBWarnings(value="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT",
-            justification="We don't care about the return value, we just want to check that the credentials are valid")
+        @RequirePOST
         public FormValidation doCheckElasticsearchCredentialsId(Item context,
                 @QueryParameter String elasticsearchCredentialsId) {
             if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
@@ -166,25 +165,24 @@ public FormValidation doCheckElasticsearchCredentialsId(Item context,
                 return FormValidation.error("Elasticsearch credentials are missing");
             }
             try {
-                new JenkinsCredentialsToApacheHttpCredentialsAdapter(elasticsearchCredentialsId)
-                        .getUserPrincipal().getName();
+                new HttpAuthHeaderFactory(elasticsearchCredentialsId).createAuthHeader();
             } catch (CredentialsNotFoundException e) {
                 return FormValidation.error("Elasticsearch credentials are not valid");
             }
             return FormValidation.ok();
         }
 
+        @RequirePOST
         public FormValidation doValidate(@QueryParameter String elasticsearchUrl,
                 @QueryParameter boolean disableSslVerifications, @QueryParameter String elasticsearchCredentialsId) {
             FormValidation elasticsearchUrlValidation = doCheckElasticsearchUrl(elasticsearchUrl);
             if (elasticsearchUrlValidation.kind != FormValidation.Kind.OK) {
                 return elasticsearchUrlValidation;
             }
-            Credentials credentials = new JenkinsCredentialsToApacheHttpCredentialsAdapter(elasticsearchCredentialsId);
             try (ElasticsearchLogStorageRetriever elasticsearchLogStorageRetriever = new ElasticsearchLogStorageRetriever(
                     elasticsearchUrl,
                     disableSslVerifications,
-                    credentials,
+                    elasticsearchCredentialsId,
                     ObservabilityBackend.ERROR_TEMPLATE,
                     TemplateBindingsProvider.empty())) {
 

src/main/java/io/jenkins/plugins/opentelemetry/backend/elastic/ElasticsearchLogStorageRetriever.java

@@ -43,6 +43,7 @@
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.client5.http.ssl.TrustAllStrategy;
+import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 import org.apache.hc.core5.reactor.IOReactorConfig;
@@ -74,6 +75,7 @@
 import io.jenkins.plugins.opentelemetry.backend.ElasticBackend;
 import io.jenkins.plugins.opentelemetry.backend.ObservabilityBackend;
 import io.jenkins.plugins.opentelemetry.jenkins.CredentialsNotFoundException;
+import io.jenkins.plugins.opentelemetry.jenkins.HttpAuthHeaderFactory;
 import io.jenkins.plugins.opentelemetry.job.log.LogStorageRetriever;
 import io.jenkins.plugins.opentelemetry.job.log.LogsQueryResult;
 import io.jenkins.plugins.opentelemetry.job.log.LogsViewHeader;
@@ -109,7 +111,7 @@ public class ElasticsearchLogStorageRetriever implements LogStorageRetriever, Cl
     private final TemplateBindingsProvider templateBindingsProvider;
 
     @NonNull
-    final Credentials elasticsearchCredentials;
+    final String elasticsearchCredentialsId;
     @NonNull
     final String elasticsearchUrl;
     @NonNull
@@ -127,24 +129,21 @@ public class ElasticsearchLogStorageRetriever implements LogStorageRetriever, Cl
     @MustBeClosed
     public ElasticsearchLogStorageRetriever(
         @NonNull String elasticsearchUrl, boolean disableSslVerifications,
-        @NonNull Credentials elasticsearchCredentials,
+        @NonNull String elasticsearchCredentialsId,
         @NonNull Template buildLogsVisualizationUrlTemplate, @NonNull TemplateBindingsProvider templateBindingsProvider) {
 
         if (StringUtils.isBlank(elasticsearchUrl)) {
             throw new IllegalArgumentException("Elasticsearch url cannot be blank");
         }
 
         this.elasticsearchUrl = elasticsearchUrl;
-        this.elasticsearchCredentials = elasticsearchCredentials;
-        BasicCredentialsProvider credentialsProvider = getCredentialsProvider(elasticsearchUrl,
-                elasticsearchCredentials);
+        this.elasticsearchCredentialsId = elasticsearchCredentialsId;
 
         RequestConfig requestConfig = RequestConfig.custom()
             .setConnectionKeepAlive(TimeValue.ofMilliseconds(KEEPALIVE_INTERVAL))
             .build();
         CloseableHttpAsyncClient httpclient = HttpAsyncClients.custom()
             .setDefaultRequestConfig(requestConfig)
-            .setDefaultCredentialsProvider(credentialsProvider)
             .build();
 
         if (disableSslVerifications) {
@@ -165,12 +164,14 @@ public ElasticsearchLogStorageRetriever(
             httpclient = HttpAsyncClients.custom()
                 .setDefaultRequestConfig(requestConfig)
                 .setConnectionManager(cm)
-                .setDefaultCredentialsProvider(credentialsProvider)
                 .build();
         }
 
+        HttpAuthHeaderFactory httpAuthHeaderFactory = new HttpAuthHeaderFactory(elasticsearchCredentialsId);
+        Header[] headers = {httpAuthHeaderFactory.createAuthHeader()};
         this.restClient = Rest5Client.builder(URI.create(elasticsearchUrl))
             .setHttpClient(httpclient)
+            .setDefaultHeaders(headers)
             .build();
 
         this.elasticsearchTransport = new Rest5ClientTransport(restClient, new JacksonJsonpMapper());
@@ -180,23 +181,6 @@ public ElasticsearchLogStorageRetriever(
         this.templateBindingsProvider = templateBindingsProvider;
     }
 
-    /**
-     * Get the credentials provider for the Elasticsearch client.
-     * @param elasticsearchUrl
-     * @param elasticsearchCredentials
-     * @return
-     */
-    private BasicCredentialsProvider getCredentialsProvider(String elasticsearchUrl,
-            Credentials elasticsearchCredentials) {
-        BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
-        try{
-            credentialsProvider.setCredentials(new AuthScope(HttpHost.create(elasticsearchUrl)), elasticsearchCredentials);
-        } catch(URISyntaxException e) {
-            throw new IllegalArgumentException(e);
-        }
-        return credentialsProvider;
-    }
-
     @NonNull
     @Override
     public LogsQueryResult overallLog(
@@ -287,14 +271,6 @@ public LogsQueryResult stepLog(@NonNull String jobFullName, int runNumber, @NonN
     public List<FormValidation> checkElasticsearchSetup() {
         List<FormValidation> validations = new ArrayList<>();
         ElasticsearchIndicesClient indicesClient = this.esClient.indices();
-        String elasticsearchUsername;
-        try {
-            elasticsearchUsername = Optional.ofNullable(elasticsearchCredentials.getUserPrincipal()).map(Principal::getName).orElse("No username for credentials type " + elasticsearchCredentials.getClass().getSimpleName());
-        } catch (CredentialsNotFoundException e) {
-            validations.add(FormValidation.error("No credentials defined"));
-            return validations;
-        }
-
         try {
             final GetIndexResponse response = indicesClient.get(b -> b.index(ElasticsearchFields.INDEX_TEMPLATE_PATTERNS));
             if (response == null || response.indices() == null || response.indices().isEmpty()) {
@@ -304,14 +280,14 @@ public List<FormValidation> checkElasticsearchSetup() {
             }
         } catch (ElasticsearchException e) {
             logger.fine(e.getLocalizedMessage());
-            validations.addAll(findEsErrorCause(elasticsearchUsername, e));
+            validations.addAll(findEsErrorCause(e));
             return validations;
         } catch (IOException e) {
             logger.fine(e.getLocalizedMessage());
-            validations.add(FormValidation.warning("Exception accessing Elasticsearch " + elasticsearchUrl + " with user '" + elasticsearchUsername + "'.", e));
+            validations.add(FormValidation.warning("Exception accessing Elasticsearch " + elasticsearchUrl + " with credentials '" + elasticsearchCredentialsId + "'.", e));
             return validations;
         }
-        validations.add(FormValidation.ok("Connected to Elasticsearch " + elasticsearchUrl + " with user '" + elasticsearchUsername + "'."));
+        validations.add(FormValidation.ok("Connected to Elasticsearch " + elasticsearchUrl + " with credentials '" + elasticsearchCredentialsId + "'."));
         return validations;
     }
 
@@ -322,25 +298,25 @@ public List<FormValidation> checkElasticsearchSetup() {
      * @return a list of FormValidation objects representing the error cause
      */
     @NonNull
-    private List<FormValidation>  findEsErrorCause(@NonNull String elasticsearchUsername, @NonNull ElasticsearchException e) {
+    private List<FormValidation>  findEsErrorCause(@NonNull ElasticsearchException e) {
         List<FormValidation> validations = new ArrayList<>();
         ErrorCause errorCause = e.error();
         int status = e.status();
         if (ElasticsearchFields.ERROR_CAUSE_TYPE_SECURITY_EXCEPTION.equals(errorCause.type())) {
             if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
-                validations.add(FormValidation.error("Authentication failure " + "/" + status + " accessing Elasticsearch " + elasticsearchUrl + " with user '" + elasticsearchUsername + "'.", e));
+                validations.add(FormValidation.error("Authentication failure " + "/" + status + " accessing Elasticsearch " + elasticsearchUrl + " with user '" + elasticsearchCredentialsId + "'.", e));
             } else if (status == HttpURLConnection.HTTP_FORBIDDEN) {
-                validations.add(FormValidation.ok("Connected to Elasticsearch " + elasticsearchUrl + " with user '" + elasticsearchUsername + "'."));
+                validations.add(FormValidation.ok("Connected to Elasticsearch " + elasticsearchUrl + " with credentials '" + elasticsearchCredentialsId + "'."));
                 validations.add(FormValidation.warning(errorCause.type() + "/" + status + " accessing index template '" + ElasticsearchFields.INDEX_TEMPLATE_PATTERNS + "' on '" + elasticsearchUrl + "'. " +
-                    "Elasticsearch user '" + elasticsearchUsername + "' doesn't have read permission to the index template metadata - " + errorCause.reason() + "."));
+                    "Elasticsearch credentials '" + elasticsearchCredentialsId + "' doesn't have read permission to the index template metadata - " + errorCause.reason() + "."));
             } else {
-                validations.add(FormValidation.ok("Connected to Elasticsearch " + elasticsearchUrl + " with user '" + elasticsearchUsername + "'."));
+                validations.add(FormValidation.ok("Connected to Elasticsearch " + elasticsearchUrl + " with credentials '" + elasticsearchCredentialsId + "'."));
                 validations.add(FormValidation.warning(errorCause.type() + "/" + status + " accessing index template '" + ElasticsearchFields.INDEX_TEMPLATE_PATTERNS + "' on '" + elasticsearchUrl + "' with " +
-                    "Elasticsearch user '" + elasticsearchUsername + "' - " + errorCause.reason() + "."));
+                    "Elasticsearch credentials '" + elasticsearchCredentialsId + "' - " + errorCause.reason() + "."));
             }
         } else {
             validations.add(FormValidation.warning(errorCause.type() + "/" + status + " accessing index template '" + ElasticsearchFields.INDEX_TEMPLATE_PATTERNS + "' on '" + elasticsearchUrl + "' with " +
-                "Elasticsearch user '" + elasticsearchUsername + "' - " + errorCause.reason() + "."));
+                "Elasticsearch credentials '" + elasticsearchCredentialsId + "' - " + errorCause.reason() + "."));
         }
         return validations;
     }