File Credentials Support

This commit implements the in-toto metadata siging with Jenkins File Credentials

README.md

@@ -20,11 +20,14 @@ implementation is reached.
 This plugin exposes a "post build" entry in the task menu. When selecting it
 you will be prompted to fill the following information in:
 
-- step name: the name of the step for this Jenkins pipeline (more on that later)
-- key path: the path to the signing key used to sign the link metadata.
+- stepName: the name of the step for this Jenkins pipeline (more on that later)
+- credentialId: Id of File Credential as the signing key used to sign the link metada. *
+- keyPath: the path to the signing key used to sign the link metadata. *
 - transport: a URI to where to post the metadata upon
   completion.
 
+* You should either fill the credentialId or keyPath to assgin a key for signing the link metadata.
+
 Once this is done, the plugin will take care of generating and tracking
 information of the build process.
 
@@ -41,11 +44,11 @@ pipeline {
 
   stages {
     stage('Build') {
-      agent { label 'worker 1' }
+      agent { label 'worker01' }
 
       steps {
         in_toto_wrap(['stepName': 'Build',
-            'keyPath': '/worker-key1',
+            'credentialId': 'keyId01',
             'transport': 'redis://redis']){
           echo 'Building..'
         }
@@ -59,9 +62,9 @@ This will produce a piece of link metadata and post it to a redis server.
 Currently, we have transport handlers for redis, etcd and an unauthenticated
 POST request with the link metadata.
 
-The keypath must be located on the remote worker. The plugin uses a
+If using the keypath parameter, the path must be located on the remote worker. The plugin uses a
 `MasterToSlave` handler to serialize in-toto code to capture the in-toto
-metadata natively in any worker. This both serves to not expose the key
+metadata natively in any worker. This both serves to not expose the slave's key
 unecessarilly in the Master's filesystem and to authenticate any worker that
 performed the pipeline step.
 
@@ -82,6 +85,7 @@ As of now, the current limitations exist:
 
 - There hasn't been much thorough testing with the pipeline plugin. Although it
   *should* work, there may be some rough edges to fix up.
+- If using the credentialId, the metadata will be signed in master.
 - There should be other interesting settings to add (e.g., ignore patterns,
   etc.). Right now, and due to the way the workspaces are created in Jenknis,
   the whole of the .git folder is tracked upon execution (which increases the

pom.xml

@@ -1,79 +1,90 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <parent>
-        <groupId>org.jenkins-ci.plugins</groupId>
-        <artifactId>plugin</artifactId>
-        <version>3.4</version>
-        <relativePath />
-    </parent>
-    <groupId>io.jenkins.plugins</groupId>
-    <artifactId>in-toto</artifactId>
-    <version>0.1</version>
-    <packaging>hpi</packaging>
-    <properties>
-        <jenkins.version>2.7.3</jenkins.version>
-        <java.level>8</java.level>
-    </properties>
-    <name>in-toto provenance agent</name>
-        <description>
-            This agent automatically tracks steps in a Jenkins pipeline and produces link metadata that corresponds to it.
-        </description>
-    <licenses>
-        <license>
-            <name>MIT License</name>
-            <url>https://opensource.org/licenses/MIT</url>
-        </license>
-    </licenses>
-    <!-- Assuming you want to host on @jenkinsci:
-    <url>https://wiki.jenkins.io/display/JENKINS/TODO+Plugin</url>
-    <scm>
-        <connection>scm:git:git://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
-        <developerConnection>scm:git:[email protected]:jenkinsci/${project.artifactId}-plugin.git</developerConnection>
-        <url>https://github.com/jenkinsci/${project.artifactId}-plugin</url>
-    </scm>
-    -->
-    <repositories>
-        <repository>
-            <id>repo.jenkins-ci.org</id>
-            <url>https://repo.jenkins-ci.org/public/</url>
-        </repository>
-    </repositories>
-    <pluginRepositories>
-        <pluginRepository>
-            <id>repo.jenkins-ci.org</id>
-            <url>https://repo.jenkins-ci.org/public/</url>
-        </pluginRepository>
-    </pluginRepositories>
-  	<dependencies>
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.jenkins-ci.plugins</groupId>
+    <artifactId>plugin</artifactId>
+    <version>3.4</version>
+    <relativePath />
+  </parent>
+  <groupId>io.jenkins.plugins</groupId>
+  <artifactId>in-toto</artifactId>
+  <version>0.1</version>
+  <packaging>hpi</packaging>
+  <properties>
+    <jenkins.version>2.7.3</jenkins.version>
+    <java.level>8</java.level>
+  </properties>
+  <name>in-toto provenance agent</name>
+    <description>
+      This agent automatically tracks steps in a Jenkins pipeline and produces link metadata that corresponds to it.
+    </description>
+  <licenses>
+    <license>
+      <name>MIT License</name>
+        <url>https://opensource.org/licenses/MIT</url>
+    </license>
+  </licenses>
+  <!-- Assuming you want to host on @jenkinsci:
+  <url>https://wiki.jenkins.io/display/JENKINS/TODO+Plugin</url>
+  <scm>
+    <connection>scm:git:git://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
+    <developerConnection>scm:git:[email protected]:jenkinsci/${project.artifactId}-plugin.git</developerConnection>
+    <url>https://github.com/jenkinsci/${project.artifactId}-plugin</url>
+  </scm>
+  -->
+  <repositories>
+    <repository>
+      <id>repo.jenkins-ci.org</id>
+      <url>https://repo.jenkins-ci.org/public/</url>
+      </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>repo.jenkins-ci.org</id>
+      <url>https://repo.jenkins-ci.org/public/</url>
+    </pluginRepository>
+  </pluginRepositories>
+  <dependencies>
     <!-- in-toto: library to generate link metadata -->
-      <dependency>
-        <groupId>io.github.in-toto</groupId>
-        <artifactId>in-toto</artifactId>
-        <version>0.1.1</version>
-        <scope>compile</scope>
-      </dependency>
-      <dependency>
-        <groupId>com.google.http-client</groupId>
-        <artifactId>google-http-client</artifactId>
-        <version>1.23.0</version>
-      </dependency>
-      <!--
-        FIXME: this apparently requires a version of Guava that conflicts w
-        ith the one installed as a plugin base.
-      <dependency>
-        <groupId>com.coreos</groupId>
-        <artifactId>jetcd-core</artifactId>
-        <version>0.0.2</version>
-      </dependency>
-      -->
-      <dependency>
-          <groupId>redis.clients</groupId>
-          <artifactId>jedis</artifactId>
-          <version>2.9.0</version>
-          <type>jar</type>
-          <scope>compile</scope>
-      </dependency>
+    <dependency>
+      <groupId>io.github.in-toto</groupId>
+      <artifactId>in-toto</artifactId>
+      <version>0.1.1</version>
+      <scope>compile</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.google.http-client</groupId>
+      <artifactId>google-http-client</artifactId>
+      <version>1.23.0</version>
+    </dependency>
+    <!--
+      FIXME: this apparently requires a version of Guava that conflicts w
+      ith the one installed as a plugin base.
+    <dependency>
+      <groupId>com.coreos</groupId>
+      <artifactId>jetcd-core</artifactId>
+      <version>0.0.2</version>
+    </dependency>
+    -->
+    <dependency>
+      <groupId>redis.clients</groupId>
+      <artifactId>jedis</artifactId>
+      <version>2.9.0</version>
+      <type>jar</type>
+      <scope>compile</scope>
+    </dependency>
+    <!-- credentials plugin -->
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>credentials</artifactId>
+      <version>2.1.17</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>plain-credentials</artifactId>
+      <version>1.1</version>
+    </dependency>
   </dependencies>
   <build>
     <plugins>
@@ -87,28 +98,28 @@
           </compilerArgs>
         </configuration>
       </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-failsafe-plugin</artifactId>
-        <executions>
-          <execution>
-            <goals>
-              <goal>integration-test</goal>
-              <goal>verify</goal>
-            </goals>
-          </execution>
-        </executions>
-        <configuration>
-          <environmentVariables>
-            <ETCD_SERVER_PORT>${etcd-server.port}</ETCD_SERVER_PORT>
-            <REDIS_SERVER_PORT>${redis.port}</REDIS_SERVER_PORT>
-          </environmentVariables>
-        </configuration>
-      </plugin>
-      <plugin>
-        <groupId>io.fabric8</groupId>
-        <artifactId>docker-maven-plugin</artifactId>
-        <version>0.20.1</version>
+    <plugin>
+      <groupId>org.apache.maven.plugins</groupId>
+      <artifactId>maven-failsafe-plugin</artifactId>
+      <executions>
+        <execution>
+          <goals>
+            <goal>integration-test</goal>
+            <goal>verify</goal>
+          </goals>
+        </execution>
+      </executions>
+      <configuration>
+        <environmentVariables>
+          <ETCD_SERVER_PORT>${etcd-server.port}</ETCD_SERVER_PORT>
+          <REDIS_SERVER_PORT>${redis.port}</REDIS_SERVER_PORT>
+        </environmentVariables>
+      </configuration>
+    </plugin>
+    <plugin>
+      <groupId>io.fabric8</groupId>
+      <artifactId>docker-maven-plugin</artifactId>
+      <version>0.20.1</version>
         <executions>
           <execution>
             <id>prepare-etcd-server</id>