From aca3745e2471afd7a1abe60ca1a33e5fac755b89 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 14 Jul 2021 15:24:01 +0200
Subject: [PATCH] ci: do not use Groovy string interpolation for credentials

Jenkins warns in the output of CI jobs about the following:
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure. Affected argument(s) used the following variable(s): [CREDS_PASSWD, CREDS_USER] See https://jenkins.io/redirect/groovy-string-interpolation for details.
Variable with 'single quotes' and without the {curly brackets} are expecred to not be affected. There is some indirection in the strings passed to the `sh` function, so this approach might not fix it?

Signed-off-by: Niels de Vos
---
 ci-job-validation.groovy | 27 +++++++++++++++++++++++----
 containerized-tests.groovy | 2 +-
 k8s-e2e-external-storage.groovy | 2 +-
 mini-e2e-helm.groovy | 2 +-
 mini-e2e.groovy | 2 +-
 upgrade-tests.groovy | 2 +-
 6 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/ci-job-validation.groovy b/ci-job-validation.groovy
index 17111e9be..f4ca0d8be 100644
--- a/ci-job-validation.groovy
+++ b/ci-job-validation.groovy
@@ -8,9 +8,27 @@ def git_since = 'ci/centos'
 def base = ''
 def doc_change = 0
 // private, internal container image repository
-def cached_image = 'registry-ceph-csi.apps.ocp.ci.centos.org/ceph-csi'
+def ci_registry = 'registry-ceph-csi.apps.ocp.ci.centos.org'
+def cached_image = 'ceph-csi'
 def use_pulled_image = 'USE_PULLED_IMAGE=yes'
+def ssh(cmd) {
+ sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} '${cmd}'"
+}
+
+def podman_login(registry, username, passwd) {
+ ssh "podman login --authfile=~/.podman-auth.json --username=${username} --password='${passwd}' ${registry}"
+}
+
+// podman_pull pulls image from the source (CI internal) registry, and tags it
+// as unqualified image name and into the destination registry. This prevents
+// pulling from the destination registry.
+//
+// Images need to be pre-pushed into the source registry, though.
+def podman_pull(source, destination, image) {
+ ssh "podman pull --authfile=~/.podman-auth.json ${source}/${image} && podman tag ${source}/${image} ${image} ${destination}/${image}"
+}
+
 node('cico-workspace') {
 stage('checkout ci repository') {
 if (params.ghprbPullId != null) {
@@ -67,7 +85,7 @@ node('cico-workspace') {
 base = "--base=${ghprbTargetBranch}"
 }
 sh 'scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ./prepare.sh root@${CICO_NODE}:'
- sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} ./prepare.sh --workdir=/opt/build/go/src/github.com/ceph/ceph-csi --gitrepo=${ci_git_repo} --ref=${ref} ${base}"
+ ssh "./prepare.sh --workdir=/opt/build/go/src/github.com/ceph/ceph-csi --gitrepo=${ci_git_repo} --ref=${ref} ${base}"
 }
 // - check if the PR modifies the container image files
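Review bot: The new `ssh` helper single-quotes the whole remote command, so `podman_login` sends `--username=$CREDS_USER` to the CI node unexpanded once callers pass the literal `'$CREDS_USER'`, and the remote shell resolves it there, where the `withCredentials` variables are not set. The password only behaves differently by accident: the inner `--password='${passwd}'` quotes terminate the outer single-quoted string, leaving `$CREDS_PASSWD` bare in the local shell, so it is expanded but unquoted (word-split on spaces) and lands in the remote command line, where it is visible in that node's process list. Expanding both names locally and feeding the password through stdin fixes both while still keeping the secret values out of the Groovy string: `sh "printf '%s' \"${passwd}\" | ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} podman login --authfile=~/.podman-auth.json --username \"${username}\" --password-stdin ${registry}"`. The `podman_login` call sites changed in containerized-tests.groovy, k8s-e2e-external-storage.groovy, mini-e2e-helm.groovy, mini-e2e.groovy and upgrade-tests.groovy pass the same literals to a `podman_login` defined outside this diff, so those definitions should be checked for the same quoting. The helper also centralizes the `StrictHostKeyChecking=no` inherited from the replaced lines, which now makes it the one place where the node's host key could later be pinned.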
@@ -84,11 +102,12 @@ node('cico-workspace') {
 }
 withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
- sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} 'podman pull --creds=${CREDS_USER}:${CREDS_PASSWD} ${cached_image}:test'"
+ podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
 }
+ podman_pull(ci_registry, ci_registry, "${cached_image}:test")
 }
 stage('test') {
- sh "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${CICO_NODE} 'cd /opt/build/go/src/github.com/ceph/ceph-csi && make ENV_CSI_IMAGE_NAME=${cached_image} ${use_pulled_image}'"
+ ssh "cd /opt/build/go/src/github.com/ceph/ceph-csi && make ENV_CSI_IMAGE_NAME=${cached_image} ${use_pulled_image}"
 }
 }
diff --git a/containerized-tests.groovy b/containerized-tests.groovy
index 4f1b7e81c..059bc5568 100644
--- a/containerized-tests.groovy
+++ b/containerized-tests.groovy
@@ -102,7 +102,7 @@ node('cico-workspace') {
 returnStatus: true)
 withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
- podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
+ podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
 }
 parallel test: {
diff --git a/k8s-e2e-external-storage.groovy b/k8s-e2e-external-storage.groovy
index 1ec57c2cb..b10ce4d54 100644
--- a/k8s-e2e-external-storage.groovy
+++ b/k8s-e2e-external-storage.groovy
@@ -120,7 +120,7 @@ node('cico-workspace') {
 def d_io_regex = ~"^docker.io/"
 withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
- podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
+ podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
 }
 // base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
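Review bot: `podman_pull` now runs after the `withCredentials` block closes and relies on the credentials that `podman_login` stored in `~/.podman-auth.json` on the CI node, and nothing in this hunk removes that file afterwards, so the registry credentials stay on disk for the rest of the job, including the `make` run in `stage('test')`, and beyond it if the node is reused (whether cico nodes are discarded is not visible here). A cleanup step such as `ssh "podman logout --authfile=~/.podman-auth.json ${ci_registry}"` once the pull has finished would bound their lifetime to the part of the job that needs them. Separately, `podman_pull(ci_registry, ci_registry, "${cached_image}:test")` passes the same registry as source and destination, so the retag the helper's comment describes as preventing pulls from the destination is a no-op here; a one-line comment stating that the identical destination is intentional, or passing the real destination, would save the next reader the question. The enclosing `node` block starts outside the hunk.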
diff --git a/mini-e2e-helm.groovy b/mini-e2e-helm.groovy
index 5b5d60623..0ae8a2acf 100644
--- a/mini-e2e-helm.groovy
+++ b/mini-e2e-helm.groovy
@@ -122,7 +122,7 @@ node('cico-workspace') {
 def d_io_regex = ~"^docker.io/"
 withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
- podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
+ podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
 }
 // base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
diff --git a/mini-e2e.groovy b/mini-e2e.groovy
index 8143fa578..8b6396689 100644
--- a/mini-e2e.groovy
+++ b/mini-e2e.groovy
@@ -119,7 +119,7 @@ node('cico-workspace') {
 def d_io_regex = ~"^docker.io/"
 withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
- podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
+ podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
 }
 // base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"
diff --git a/upgrade-tests.groovy b/upgrade-tests.groovy
index 322f9eb3d..c1dffab53 100644
--- a/upgrade-tests.groovy
+++ b/upgrade-tests.groovy
@@ -119,7 +119,7 @@ node('cico-workspace') {
 def d_io_regex = ~"^docker.io/"
 withCredentials([usernamePassword(credentialsId: 'container-registry-auth', usernameVariable: 'CREDS_USER', passwordVariable: 'CREDS_PASSWD')]) {
- podman_login(ci_registry, "${CREDS_USER}", "${CREDS_PASSWD}")
+ podman_login(ci_registry, '$CREDS_USER', '$CREDS_PASSWD')
 }
 // base_image is like ceph/ceph:v15 or docker.io/ceph/ceph:v15, strip "docker.io/"