[SECURITY-2053] Prevent plain text credentials of Basic/Digest authen…

…tication (#105)

pom.xml

@@ -52,7 +52,7 @@ THE SOFTWARE.
 		<changelist>-SNAPSHOT</changelist>
 		<gitHubRepo>jenkinsci/http-request-plugin</gitHubRepo>
 		<jenkins.version>2.249.1</jenkins.version>
-		<hpi.compatibleSinceVersion>1.8.17</hpi.compatibleSinceVersion>
+		<hpi.compatibleSinceVersion>1.16</hpi.compatibleSinceVersion>
 	</properties>
 
 	<repositories>

src/main/java/jenkins/plugins/http_request/HttpRequest.java

@@ -42,7 +42,6 @@
 import hudson.util.ListBoxModel;
 import hudson.util.ListBoxModel.Option;
 
-import jenkins.plugins.http_request.auth.BasicDigestAuthentication;
 import jenkins.plugins.http_request.auth.FormAuthentication;
 import jenkins.plugins.http_request.util.HttpClientUtil;
 import jenkins.plugins.http_request.util.HttpRequestFormDataPart;
@@ -536,10 +535,6 @@ public static ListBoxModel fillAuthenticationItems(Item project, String url) {
 			}
 
 			List<Option> options = new ArrayList<>();
-			for (BasicDigestAuthentication basic : HttpRequestGlobalConfig.get().getBasicDigestAuthentications()) {
-				options.add(new Option("(deprecated - use Jenkins Credentials) " +
-						basic.getKeyName(), basic.getKeyName()));
-            }
 
             for (FormAuthentication formAuthentication : HttpRequestGlobalConfig.get().getFormAuthentications()) {
 				options.add(new Option(formAuthentication.getKeyName()));

src/main/java/jenkins/plugins/http_request/HttpRequestGlobalConfig.java

@@ -28,7 +28,11 @@
 @Extension
 public class HttpRequestGlobalConfig extends GlobalConfiguration {
 
-    private List<BasicDigestAuthentication> basicDigestAuthentications = new ArrayList<>();
+    /**
+     * @deprecated removed without replacement
+     */
+    @Deprecated
+    private transient List<BasicDigestAuthentication> basicDigestAuthentications = new ArrayList<>();
     private List<FormAuthentication> formAuthentications = new ArrayList<>();
 
     private static final XStream2 XSTREAM2 = new XStream2();
@@ -78,10 +82,18 @@ public static HttpRequestGlobalConfig get() {
         return GlobalConfiguration.all().get(HttpRequestGlobalConfig.class);
     }
 
+    /**
+     * @deprecated removed without replacement
+     */
+    @Deprecated
     public List<BasicDigestAuthentication> getBasicDigestAuthentications() {
         return basicDigestAuthentications;
     }
 
+    /**
+     * @deprecated removed without replacement
+     */
+    @Deprecated
     public void setBasicDigestAuthentications(
             List<BasicDigestAuthentication> basicDigestAuthentications) {
         this.basicDigestAuthentications = basicDigestAuthentications;
@@ -97,10 +109,7 @@ public void setFormAuthentications(
     }
 
     public List<Authenticator> getAuthentications() {
-        List<Authenticator> list = new ArrayList<>();
-        list.addAll(basicDigestAuthentications);
-        list.addAll(formAuthentications);
-        return list;
+        return new ArrayList<>(formAuthentications);
     }
 
     public Authenticator getAuthentication(String keyName) {
@@ -111,4 +120,11 @@ public Authenticator getAuthentication(String keyName) {
         }
         return null;
     }
+
+    protected Object readResolve() {
+        if (this.basicDigestAuthentications != null) {
+            this.basicDigestAuthentications = new ArrayList<>();
+        }
+        return this;
+    }
 }

src/main/resources/jenkins/plugins/http_request/HttpRequestGlobalConfig/config.jelly

@@ -18,27 +18,6 @@
 		</d:tag>
 	</d:taglib>
     <f:section title="HTTP Request">
-    	<f:entry title="DEPRECATED (use Jenkins credentials) Basic/Digest Authentication">
-            <f:repeatable field="basicDigestAuthentications">
-				<local:blockWrapper>
-                    <f:entry title="Key Name" field="keyName" help="/plugin/http_request/help-keyName.html">
-                        <f:textbox />
-                    </f:entry>
-                    <f:entry title="Username" field="userName" help="/plugin/http_request/help-userName.html">
-                        <f:textbox />
-                    </f:entry>
-                    <f:entry title="Password" field="password" help="/plugin/http_request/help-password.html">
-                        <f:password />
-                    </f:entry>
-                    <f:entry title="">
-                        <div align="right">
-                            <f:repeatableDeleteButton />
-                        </div>
-                    </f:entry>
-				</local:blockWrapper>
-            </f:repeatable>
-        </f:entry>
-
         <f:entry title="Form Authentication">
             <f:repeatable field="formAuthentications">
                 <local:blockWrapper>

src/test/java/jenkins/plugins/http_request/HttpRequestBackwardCompatibilityTest.java

@@ -15,7 +15,6 @@
 import hudson.model.FreeStyleProject;
 import hudson.tasks.Builder;
 
-import jenkins.plugins.http_request.auth.BasicDigestAuthentication;
 import jenkins.plugins.http_request.auth.FormAuthentication;
 import jenkins.plugins.http_request.util.HttpRequestNameValuePair;
 import jenkins.plugins.http_request.util.RequestAction;
@@ -33,7 +32,6 @@ public class HttpRequestBackwardCompatibilityTest {
     public void defaultGlobalConfig() {
         // Test that config from 1.8.6 can be loaded
         HttpRequestGlobalConfig cfg = HttpRequestGlobalConfig.get();
-        assertEquals(Collections.emptyList(), cfg.getBasicDigestAuthentications());
         assertEquals(Collections.emptyList(), cfg.getFormAuthentications());
         assertEquals("jenkins.plugins.http_request.HttpRequest.xml", cfg.getConfigFile().getFile().getName());
     }
@@ -46,18 +44,6 @@ public void populatedGlobalConfig() {
         // and the HttpRequestGlobalConfig.getConfigFile() method
         HttpRequestGlobalConfig cfg = HttpRequestGlobalConfig.get();
 
-        List<BasicDigestAuthentication> bdas = cfg.getBasicDigestAuthentications();
-        assertEquals(2,bdas.size());
-		Iterator<BasicDigestAuthentication> itr = bdas.iterator();
-		BasicDigestAuthentication bda = itr.next();
-		assertEquals("k1",bda.getKeyName());
-        assertEquals("u1",bda.getUserName());
-        assertEquals("p1",bda.getPassword());
-		bda = itr.next();
-		assertEquals("k2",bda.getKeyName());
-        assertEquals("u2",bda.getUserName());
-        assertEquals("p2",bda.getPassword());
-
         List<FormAuthentication> fas = cfg.getFormAuthentications();
         assertEquals(1,fas.size());
 

src/test/java/jenkins/plugins/http_request/HttpRequestRoundTripTest.java

@@ -10,7 +10,6 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import jenkins.plugins.http_request.auth.BasicDigestAuthentication;
 import jenkins.plugins.http_request.auth.FormAuthentication;
 import jenkins.plugins.http_request.util.HttpRequestNameValuePair;
 import jenkins.plugins.http_request.util.RequestAction;
@@ -62,10 +61,6 @@ public void configRoundtripGroup2() throws Exception {
 
     @Test
     public void configRoundtripGroup3() throws Exception {
-        List<BasicDigestAuthentication> bda = new ArrayList<>();
-        bda.add(new BasicDigestAuthentication("keyname1","username1","password1"));
-        bda.add(new BasicDigestAuthentication("keyname2","username2","password2"));
-        HttpRequestGlobalConfig.get().setBasicDigestAuthentications(bda);
         configRoundTrip(before);
 
         List<HttpRequestNameValuePair> params = new ArrayList<>();
@@ -117,18 +112,6 @@ private void configRoundTrip(HttpRequest before) throws Exception {
           assertEquals(bnvp.getValue(),anvp.getValue());
         }
 
-        // Basic authentication check
-        List<BasicDigestAuthentication> beforeBdas = HttpRequestGlobalConfig.get().getBasicDigestAuthentications();
-        List<BasicDigestAuthentication> afterBdas  = HttpRequestGlobalConfig.get().getBasicDigestAuthentications();
-        assertEquals(beforeBdas.size(), afterBdas.size());
-        for (int idx = 0; idx < beforeBdas.size(); idx++) {
-            BasicDigestAuthentication beforeBda = beforeBdas.get(idx);
-            BasicDigestAuthentication afterBda = afterBdas.get(idx);
-            assertEquals(beforeBda.getKeyName(), afterBda.getKeyName());
-            assertEquals(beforeBda.getUserName(),afterBda.getUserName());
-            assertEquals(beforeBda.getPassword(),afterBda.getPassword());
-        }
-
         // Form authentication check
         List<FormAuthentication> beforeFas = HttpRequestGlobalConfig.get().getFormAuthentications();
         List<FormAuthentication> afterFas  = HttpRequestGlobalConfig.get().getFormAuthentications();

src/test/java/jenkins/plugins/http_request/HttpRequestStepRoundTripTest.java

@@ -4,7 +4,6 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import jenkins.plugins.http_request.auth.BasicDigestAuthentication;
 import jenkins.plugins.http_request.auth.FormAuthentication;
 import jenkins.plugins.http_request.util.HttpRequestNameValuePair;
 import jenkins.plugins.http_request.util.RequestAction;
@@ -54,10 +53,6 @@ public void configRoundtripGroup2() throws Exception {
 
     @Test
     public void configRoundtripGroup3() throws Exception {
-        List<BasicDigestAuthentication> bda = new ArrayList<>();
-        bda.add(new BasicDigestAuthentication("keyname1","username1","password1"));
-        bda.add(new BasicDigestAuthentication("keyname2","username2","password2"));
-        HttpRequestGlobalConfig.get().setBasicDigestAuthentications(bda);
         configRoundTrip(before);
 
         List<HttpRequestNameValuePair> params = new ArrayList<>();
@@ -112,18 +107,6 @@ private void configRoundTrip(HttpRequestStep before) throws Exception {
           assertEquals(bnvp.getValue(),anvp.getValue());
         }
 
-        // Basic authentication check
-        List<BasicDigestAuthentication> beforeBdas = HttpRequestGlobalConfig.get().getBasicDigestAuthentications();
-        List<BasicDigestAuthentication> afterBdas  = HttpRequestGlobalConfig.get().getBasicDigestAuthentications();
-        assertEquals(beforeBdas.size(), afterBdas.size());
-        for (int idx = 0; idx < beforeBdas.size(); idx++) {
-            BasicDigestAuthentication beforeBda = beforeBdas.get(idx);
-            BasicDigestAuthentication afterBda = afterBdas.get(idx);
-            assertEquals(beforeBda.getKeyName(), afterBda.getKeyName());
-            assertEquals(beforeBda.getUserName(),afterBda.getUserName());
-            assertEquals(beforeBda.getPassword(),afterBda.getPassword());
-        }
-
         // Form authentication check
         List<FormAuthentication> beforeFas = HttpRequestGlobalConfig.get().getFormAuthentications();
         List<FormAuthentication> afterFas  = HttpRequestGlobalConfig.get().getFormAuthentications();