JENKINS-63401 Harden looking up credentials (#350)

Author: timja

src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketOAuthCredentialMatcher.java

@@ -4,12 +4,15 @@
 import com.cloudbees.plugins.credentials.CredentialsMatcher;
 import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
 import hudson.util.Secret;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 public class BitbucketOAuthCredentialMatcher implements CredentialsMatcher, CredentialsMatcher.CQL {
-    private static int keyLenght = 18;
-    private static int secretLenght = 32;
+    private static int keyLength = 18;
+    private static int secretLength = 32;
 
     private static final long serialVersionUID = 6458784517693211197L;
+    private static final Logger LOGGER = Logger.getLogger(BitbucketOAuthCredentialMatcher.class.getName());
 
     /**
      * {@inheritDoc}
@@ -19,13 +22,18 @@ public boolean matches(Credentials item) {
         if (!(item instanceof UsernamePasswordCredentials))
             return false;
 
-        UsernamePasswordCredentials usernamePasswordCredential = ((UsernamePasswordCredentials) item);
-        String username = usernamePasswordCredential.getUsername();
-        boolean isEMail = username.contains(".") && username.contains("@");
-        boolean validSecretLenght = Secret.toString(usernamePasswordCredential.getPassword()).length() == secretLenght;
-        boolean validKeyLenght = username.length() == keyLenght;
+        try {
+            UsernamePasswordCredentials usernamePasswordCredential = ((UsernamePasswordCredentials) item);
+            String username = usernamePasswordCredential.getUsername();
+            boolean isEMail = username.contains(".") && username.contains("@");
+            boolean validSecretLength = Secret.toString(usernamePasswordCredential.getPassword()).length() == secretLength;
+            boolean validKeyLength = username.length() == keyLength;
 
-        return !isEMail && validKeyLenght && validSecretLenght;
+            return !isEMail && validKeyLength && validSecretLength;
+        } catch (RuntimeException e) {
+            LOGGER.log(Level.FINE, "Caught exception validating credential", e);
+            return false;
+        }
     }
 
     /**
@@ -35,7 +43,7 @@ public boolean matches(Credentials item) {
     public String describe() {
         return String.format(
                 "(username.lenght == %d && password.lenght == %d && !(username CONTAINS \".\" && username CONTAINS \"@\")",
-                keyLenght, secretLenght);
+                keyLength, secretLength);
     }
 
 

src/test/java/com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketOAuthCredentialMatcherTest.java

@@ -0,0 +1,50 @@
+package com.cloudbees.jenkins.plugins.bitbucket.api.credentials;
+
+import com.cloudbees.plugins.credentials.CredentialsDescriptor;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.UsernamePasswordCredentials;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.util.Secret;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+
+import static org.junit.Assert.assertFalse;
+
+public class BitbucketOAuthCredentialMatcherTest {
+
+    /**
+     * Some plugins do remote work when getPassword is called and aren't expecting to just be randomly looked up
+     * One example is GitHubAppCredentials
+     */
+    @Test
+    @Issue("JENKINS-63401")
+    public void matches_returns_false_when_exception_getting_password() {
+        assertFalse(new BitbucketOAuthCredentialMatcher().matches(new ExceptionalCredentials()));
+    }
+
+    private static class ExceptionalCredentials implements UsernamePasswordCredentials {
+
+        @NonNull
+        @Override
+        public Secret getPassword() {
+            throw new IllegalArgumentException("Failed authentication");
+        }
+
+        @NonNull
+        @Override
+        public String getUsername() {
+            return "dummy-username";
+        }
+
+        @Override
+        public CredentialsScope getScope() {
+            return null;
+        }
+
+        @NonNull
+        @Override
+        public CredentialsDescriptor getDescriptor() {
+            return null;
+        }
+    }
+}