
conjur-credentials-plugin

This repo is no longer maintained. See https://github.com/jenkinsci/conjur-credentials-plugin for the latest code!

This Conjur plugin securely provides credentials that are stored in Conjur to Jenkins jobs.

Reference

Usage

After installing the plugin and restarting Jenkins, you are ready to start.

Conjur Login Credential

The first step is to store the credential required for Jenkins to connect to Conjur. Click the Credentials tab.

Define the credential as a standard "Username with password" credential. In the example below, the credentials are a Conjur host and its API key:

  • Username is host/frontend/frontend-01. The host must already be defined as a host in Conjur policy.
  • Password is the API key for that host. The API key is the value returned by Conjur when the host is loaded in policy.

Conjur Login Credential

Global Configuration

A global configuration allows any job to use the configuration, unless a folder-level configuration overrides the global configuration. Click the Global Credentials tab.

Define the Conjur Account and Appliance URL to use.

Global Configuration

Folder Property Configuration

To set the Conjur appliance information at the folder level, click the FolderLevel tab.

If the checkbox "Inherit from parent?" is checked, the values set here are ignored and the values are taken from the parent folder. If every folder up the hierarchy is set to inherit from its parent, the global configuration is used.

Folder Property Configuration

Requests to Conjur will fail unless:

  • An SSL certificate is specified in the SSL certificate field. Note: The SSL Certificate can be linked to a certificate already stored in Jenkins (defined as credentials).
  • There is a certificate locally defined in the cacerts of the JVM sending the requests.
  • Conjur is not set up to use SSL.
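As an added example (not the plugin's own code), here is what the configuration above amounts to at the API level: a small Python client that authenticates to Conjur with the host login and API key stored in the login credential, uses the configured account and appliance URL, verifies TLS against a CA file instead of turning verification off, and reads one variable. The appliance URL, account, host login, variable id and CA path are constructed placeholders.

```python
# Added example (not the plugin's code): the calls behind the configuration above.
# Appliance URL, account, host login and variable id are constructed placeholders.
import base64
import ssl
import urllib.parse
import urllib.request


def authn_url(appliance_url: str, account: str, login: str) -> str:
    """API-key authentication endpoint. The login (e.g. host/frontend/frontend-01)
    contains slashes and must be percent-encoded or the path is misread."""
    return (f"{appliance_url.rstrip('/')}/authn/{account}/"
            f"{urllib.parse.quote(login, safe='')}/authenticate")


def secret_url(appliance_url: str, account: str, variable_id: str) -> str:
    """Variable retrieval endpoint; the variable id is percent-encoded too."""
    return (f"{appliance_url.rstrip('/')}/secrets/{account}/variable/"
            f"{urllib.parse.quote(variable_id, safe='')}")


def token_header(access_token: bytes) -> str:
    """Conjur access tokens (JSON) are sent base64-encoded in this header.
    A token written by an authn-k8s sidecar is used the same way."""
    return 'Token token="' + base64.b64encode(access_token).decode("ascii") + '"'


def tls_context(ca_cert_path: str) -> ssl.SSLContext:
    """Trust the Conjur CA file explicitly instead of disabling verification;
    this is the certificate the README says every request needs."""
    ctx = ssl.create_default_context(cafile=ca_cert_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_secret(appliance_url: str, account: str, login: str, api_key: str,
                 variable_id: str, ca_cert_path: str) -> bytes:
    """Authenticate with the host API key, then read one variable.
    Only this function touches the network; the helpers above are pure."""
    ctx = tls_context(ca_cert_path)
    req = urllib.request.Request(authn_url(appliance_url, account, login),
                                 data=api_key.encode(), method="POST",
                                 headers={"Content-Type": "text/plain"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        token = resp.read()  # short-lived token; never log it
    req = urllib.request.Request(secret_url(appliance_url, account, variable_id),
                                 headers={"Authorization": token_header(token)})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()
```

Call fetch_secret with the appliance URL, account and host credential from the plugin configuration and the path to the CA certificate; the returned bytes are the variable value.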

Conjur Secret Definition

The secrets that you want to obtain from Conjur must be defined explicitly. Use the ConjurSecret tab to define secrets. Define them as credentials of kind "Conjur Secret Credential".

Conjur Secret Definition

Usage from a Jenkins pipeline script

To reference Conjur secrets in a Jenkins script, use withCredentials and the symbol conjurSecretCredential.
Here is an example showing how to fetch the secret from a Jenkins job pipeline definition.

node {
   stage('Work') {
      // Binds the Conjur secret behind credential DB_PASSWORD to the environment
      // variable SECRET for the duration of this block only.
      withCredentials([conjurSecretCredential(credentialsId: 'DB_PASSWORD',
                                              variable: 'SECRET')]) {
         // Single quotes: Groovy does not interpolate $SECRET, so the value never
         // becomes part of the script text. The echo step prints the literal
         // text; a shell step (sh) would read the real value from its environment.
         echo 'Hello World $SECRET'
      }
   }
   stage('Results') {
      echo 'Finished!'
   }
}

Usage from a Jenkins Freestyle Project

To bind to Conjur secrets, use the option "Use secret text(s) or file(s)" in the "Build Environment" section of a Freestyle project.

Secret bindings on Freestyle Project

Secrets are injected as environment variables to the build steps of the project.

License

This repository is licensed under Apache License 2.0 - see LICENSE for more details.


conjur-credentials-plugin's Issues

Not able to install Conjur plugin due to Credentials Binding Plugin dependency/compatibility

Hi,

I am currently trying to install Conjur's plugin from https://github.com/cyberark/conjur-credentials-plugin/releases/download/v0.5/Conjur.hpi on a Jenkins ver. 2.150.2 on Openshift.

java.io.IOException: Conjur Secrets Plugin v0.5 failed to load.

  • Credentials Binding Plugin v1.15 is older than required. To fix, install v1.16 or later.
    at hudson.PluginWrapper.resolvePluginDependencies(PluginWrapper.java:652)

Tried also the repo clone and maven compilation, both sources do not work with the mentioned versions:

joalmaraz$ md5 Conjur.hpi
MD5 (Conjur.hpi) = 98461ba333421f4a9f3c859d89d7631c

joalmaraz$ md5 Conjur.hpi.1
MD5 (Conjur.hpi.1) = b71ab22c973b5ac8b4f953b1ed69cd80

Git plugin using Conjur Username Credential doesn't work on Jenkins slave

Summary

When trying to use the git plugin for Jenkins in a freestyle pipeline on a Jenkins slave the pipeline fails.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Install conjur plugin 1.0.0
  2. Configure a Conjur Secret Username Credential with username and password to access a git repo.
  3. Create a freestyle pipeline using the syntax:

git credentialsId: 'my_conjur_username_for_git', url: 'http://your_git_url', branch: 'master'

  4. Configure a Jenkins slave node and try to run the pipeline on it using node ('slave'){}
  5. You should get the error below.

Expected Results

Pipeline should successfully run on slave and the git plugin should fetch the credentials from Conjur and contact the git repo.

Actual Results (including error logs, if applicable)

The pipeline fails to run with the following error:

Started by user admin
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline
[Pipeline] node
Running on slave01 in /home/jenkins/workspace/docker-test
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Work)
[Pipeline] git
using credential github_ssh_key
Cloning the remote Git repository
Cloning repository http://gogs:3000/guyg/jenkins.git
/usr/bin/git init /home/jenkins/workspace/docker-test # timeout=10
Fetching upstream changes from http://gogs:3000/guyg/jenkins.git
/usr/bin/git --version # timeout=10
using GIT_ASKPASS to set credentials GitHub ssh-key from Conjur
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Also: hudson.remoting.Channel$CallSiteStackTrace: Remote call to slave01
at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1743)
at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
at hudson.remoting.Channel.call(Channel.java:957)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
at com.sun.proxy.$Proxy91.execute(Unknown Source)
at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1152)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1192)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:120)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:90)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:77)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.lang.IllegalStateException: Jenkins.instance is missing. Read the documentation of Jenkins.getInstanceOrNull to see what you are doing wrong.
at jenkins.model.Jenkins.get(Jenkins.java:769)
at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:409)
at org.conjur.jenkins.conjursecrets.ConjurSecretCredentials.credentialWithID(ConjurSecretCredentials.java:62)
at org.conjur.jenkins.conjursecrets.ConjurSecretCredentials.getSecretFromCredentialIDWithConfigAndContext(ConjurSecretCredentials.java:98)
at org.conjur.jenkins.conjursecrets.ConjurSecretUsernameCredentialsImpl.getPassword(ConjurSecretUsernameCredentialsImpl.java:115)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.createUnixStandardAskpass(CliGitAPIImpl.java:1853)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1721)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$400(CliGitAPIImpl.java:72)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:442)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:655)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
at hudson.remoting.UserRequest.perform(UserRequest.java:212)
at hudson.remoting.UserRequest.perform(UserRequest.java:54)
at hudson.remoting.Request$2.run(Request.java:369)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE

Additional Information

Bear in mind that if you are trying to run the same behaviour on the Jenkins master node it will succeed.
In addition, other plugins that use the Conjur Secret Username Credential, such as Artifactory, are able to work successfully on both master and slave.

ConjurSecretUsernameCredential doesn't work properly

Issue

In both v0.7 and branch JIT-Creds, if a ConjurSecretUsernameCredentials makes use of a ConjurSecretCredential not defined at the global domain, the latter is not retrieved (no API call to Conjur).

How to reproduce

  1. Create a folder and add a ConjurSecretCredential in it.
  2. Add a ConjurUsernameSecretCredential (in the same folder) that uses the previously defined ConjurSecretCredential.
  3. Create a freestyle job in the folder that uses the ConjurSecretUsernameCredentials either for a binding or a git SCM configuration.

Expected Results

In v0.7: A stacktrace due to NullPointerException.
In branch JIT-Creds: Nothing happens (no credential retrieved).

Additional notes

In v0.7, if the ConjurSecretCredential is defined at the global domain, Conjur logs the secret retrieval but Jenkins doesn't seem to use it properly.

automated tests exist and are run by a Jenkins build job

To demonstrate that the code functions as expected, and to prevent future regressions, there should be a suite of automated test for the plugin. src/test/java/org/conjur/jenkins/configuration/ConjurConfigurationTest.java exists, but the body of the test method is commented out.

As part of writing the test suite, a Jenkinsfile should be added that runs the suite and builds the .hpi when the tests all pass.

Jenkins authenticates with session token (authn-k8s support)

Currently Jenkins supports authentication via the conjur api key, however if jenkins is being run in k8s with the conjur side car container a session token is provided to the jenkins container.

We need the ability to authenticate using this session token rather than an api key.

The conjur configuration should contain a field for 'Session Token File' and if this field is populated then the jenkins plugin should use the session token to retrieve the credential.

This also means that the conjur-credential-plugin does not need to authenticate since it is already authenticated.

Include docs at plugins.jenkins.io

Plugin documentation for Jenkins plugins is displayed on https://plugins.jenkins.io.
For example, see https://plugins.jenkins.io/git for the documentation of the git plugin.

Plugin documentation for the Conjur credentials plugin is not displayed on https://plugins.jenkins.io/conjur-credentials-plugin .
It shows a link to a top level marketing page. It would be better for users if the plugin documentation were on that page.

Describe the solution you would like

Plugin documentation should be visible at https://plugins.jenkins.io/conjur-credentials/

Describe alternatives you have considered

Jenkins documentation as code as described at https://www.jenkins.io/doc/developer/publishing/documentation/#documenting-plugins will allow the plugins site to use the documentation from the GitHub repository.

Additional context

Discussed with Ben Rich

Fetching secret from CONJUR / DAP without defining the secret in the jenkins credential

Is your feature request related to a problem? Please describe.

The normal behavior to fetch a secret from DAP is to create a secret inside Jenkins Credential Manager, with that information the plugin is able to retrieve the secret.

Describe the solution you would like

We would have a way to do it programmatically by avoiding the creation of a Conjur secret inside the Jenkins credential manager.

Additional context

Why are we asking for this feature? In a complex context with thousands of credentials we cannot rely on the Jenkins credential manager; the only source of truth should be Conjur / DAP. We would also avoid manual sync between update / delete actions.

Git access tokens cannot be used to pull git repo for freestyle project

It assumes to use the SSH credentials for jenkins even though it should be using username and password (Where the password is the access token generated by github).

I am looking into this issue, but I do not know why the Jenkins git plugin is using it as an ssh key.
The secret is being retrieved successfully.

JCASC plugin not managing correctly ssl certificate set to " - none - "

Hello team
I shared details about the problem in the Jenkins Jira in the JCASC section as described here:

https://issues.jenkins.io/browse/JENKINS-64492

Steps to Reproduce

Steps to reproduce the behavior:

  1. Configure Jenkins using the cacerts instead of the .p12 file as described here https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Integrations/jenkins-configure.htm?tocpath=Integrations%7CJenkins%7C_____2#Preparethecertificate
  2. Make sure Jenkins has the JCASC plugin installed and your Conjur plugin is configured in this way:
    image
  3. restart jenkins and run a pipeline that is expected to work because certificate is managed at cacerts level
  4. The pipeline should not be able to fetch the secret from DAP / Conjur
    image

Expected Results

Conjur / Cyberark plugin should work correctly with JCASC and manage correctly empty values in the plugin

Actual Results (including error logs, if applicable)

This is the error I have in all the pipelines implementing the secret fetching:
image

Reproducible

  • [X] Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.0.2

Environment setup

jenkins 2.263.1
DAP 11.7
JCASC plugin
conjur plugin

Additional Information

A workaround we found is to reapply the configuration: setting the " - none -" value in the SSL Certificate field makes the plugin and the pipeline work as expected.

User scoped Credentials support

Is your feature request related to a problem? Please describe.

The Conjur plugin for Jenkins requires a credential of kind: "Username and password" to be configured.
User-scoped credentials of kind "Username and password" are not listed when configuring the plugin (system, folder or job)

Describe the solution you would like

User-scoped credentials of kind "Username and password" to be listed in the plugin configuration section.

Describe alternatives you have considered

Pipeline parameters

Additional context

https://docs.cloudbees.com/docs/admin-resources/latest/pipelines/user-scoped-creds

Conjur SecretUsernameCredential is using method password as default

When using Conjur SecretUsernameCredential with Jenkins master and slave and fetching the SSH key from Conjur, the Jenkins master refers to the SSH key as a password object instead of an SSH key.

Way to reproduce

  1. Configure a Linux machine to support both password and SSH authentication and try to use Conjur SecretUsernameCredential to fetch an SSH key and use it for the master/slave connection.
  2. The process will fail saying that the password is incorrect with the syntax "method:password"
  3. Disable password authentication on the slave linux machine and try again and the handshake will now work.

Proposed solution

Create a dedicated ssh key Conjur credential object that can be used as Jenkins credential.

standardised CHANGELOG exists, and is validated via pipeline

If the repo has a changelog that doesn't meet the standard, do try to change earlier entries to match the standard.
If the repo doesn't have a changelog use this as a starter:

# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]

Acceptance criteria
