[JENKINS-73735] Add API to retrieve the agent secret

core/pom.xml

@@ -439,6 +439,12 @@ THE SOFTWARE.
       <artifactId>test-annotations</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.main</groupId>
+      <artifactId>jenkins-test-harness</artifactId>
+      <version>2391.v9b_3e2d3351a_2</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter</artifactId>

core/src/main/java/hudson/model/Computer.java

@@ -1774,6 +1774,7 @@ public long getWhen() {
                     Permission.WRITE,
                     PermissionScope.COMPUTER);
 
+
     @Restricted(NoExternalUse.class) // called by jelly
     public static final Permission[] EXTENDED_READ_AND_CONNECT =
             new Permission[] { EXTENDED_READ, CONNECT };

core/src/main/java/jenkins/security/AgentSecretAction.java

@@ -0,0 +1,72 @@
+package jenkins.security;
+
+import hudson.model.Action;
+import hudson.model.Computer;
+import hudson.slaves.JNLPLauncher;
+import hudson.slaves.SlaveComputer;
+import java.io.IOException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import jenkins.model.Jenkins;
+import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
+
+public class AgentSecretAction implements Action {
+    private final SlaveComputer computer;
+
+    public AgentSecretAction(SlaveComputer computer) {
+        this.computer = computer;
+    }
+
+    private static final Logger LOGGER = Logger.getLogger(AgentSecretAction.class.getName());
+
+    @Override
+    public String getUrlName() {
+        return "agent-secret";
+    }
+
+    @Override
+    public String getDisplayName() {
+        return null;
+    }
+
+    @Override
+    public String getIconFileName() {
+        return null;
+    }
+
+    public void doGet(StaplerRequest2 req, StaplerResponse2 rsp, @QueryParameter String nodeName) throws IOException {
+        Jenkins jenkins = Jenkins.get();
+
+
+        if (nodeName == null || nodeName.isEmpty()) {
+            throw new IllegalArgumentException("Node name is required");
+        }
+
+        Computer computer = jenkins.getComputer(nodeName);
+        if (computer == null) {
+            throw new IllegalArgumentException("Node not found: " + nodeName);
+        }
+        computer.checkPermission(Computer.CONNECT);
+        if (computer instanceof SlaveComputer) {
+            SlaveComputer slaveComputer = (SlaveComputer) computer;
+            if (!(slaveComputer.getLauncher() instanceof JNLPLauncher)) {
+                throw new SecurityException("This API is only available for inbound agents.");
+            }
+            String secret = slaveComputer.getJnlpMac();
+
+            if (secret != null) {
+                rsp.setContentType("text/plain");
+                rsp.getWriter().write(secret);
+                LOGGER.log(Level.INFO, "Agent secret retrieved for node {0} by user {1}",
+                        new Object[]{nodeName, Jenkins.getAuthentication2().getName()});
+            } else {
+                throw new IOException("Secret not available for node: " + nodeName);
+            }
+        } else {
+            throw new IllegalArgumentException("The specified node is not an agent/slave node: " + nodeName);
+        }
+    }
+
+}

core/src/main/resources/hudson/model/Messages.properties

@@ -107,6 +107,7 @@ Computer.ConnectPermission.Description=This permission allows users to connect a
 Computer.DisconnectPermission.Description=This permission allows users to disconnect agents or mark agents as temporarily offline.
 Computer.BuildPermission.Description=This permission allows users to run jobs as them on agents.
 Computer.BadChannel=Agent node offline or not a remote channel (such as the built-in node).
+Computer.AgentSecretPermission.Description=Allows retrieving agent secrets for connection.
 
 ComputerSet.NoSuchSlave=No such agent: {0}
 ComputerSet.SlaveAlreadyExists=Agent called ‘{0}’ already exists

test/src/test/java/jenkins/security/AgentSecretActionTest.java

@@ -0,0 +1,108 @@
+package jenkins.security;
+
+
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import hudson.model.Computer;
+import hudson.slaves.DumbSlave;
+import hudson.slaves.SlaveComputer;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
+import org.kohsuke.stapler.StaplerRequest2;
+import org.kohsuke.stapler.StaplerResponse2;
+
+public class AgentSecretActionTest {
+
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Rule
+    public ExpectedException thrown = ExpectedException.none();
+
+    private AgentSecretAction action;
+    private StaplerRequest2 req;
+    private StaplerResponse2 rsp;
+    private StringWriter stringWriter;
+    private PrintWriter writer;
+
+    @Before
+    public void setUp() throws Exception {
+        SlaveComputer computer = mock(SlaveComputer.class);
+        action = new AgentSecretAction(computer);
+        req = mock(StaplerRequest2.class);
+        rsp = mock(StaplerResponse2.class);
+        stringWriter = new StringWriter();
+        writer = new PrintWriter(stringWriter);
+        when(rsp.getWriter()).thenReturn(writer);
+    }
+
+    @Test
+    public void testGetSecretWithValidPermissions() throws Exception {
+        DumbSlave agent = j.createSlave("test-agent", null);
+        String expectedSecret = ((SlaveComputer) agent.getComputer()).getJnlpMac();
+
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Computer.CONNECT).everywhere().to("test-user"));
+
+        action.doGet(req, rsp, "test-agent");
+        writer.flush();
+        verify(rsp).setContentType("text/plain");
+        assertEquals(expectedSecret, stringWriter.toString());
+    }
+
+    @Test
+    public void testGetSecretWithoutPermissions() throws Exception {
+        j.createSlave("test-agent", null);
+
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy());
+
+        thrown.expect(org.acegisecurity.AccessDeniedException.class);
+        action.doGet(req, rsp, "test-agent");
+    }
+
+    @Test
+    public void testGetSecretWithInvalidNodeName() throws Exception {
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Computer.CONNECT).everywhere().to("test-user"));
+
+        thrown.expect(IllegalArgumentException.class);
+        thrown.expectMessage("Node not found: non-existent-agent");
+        action.doGet(req, rsp, "non-existent-agent");
+    }
+
+    @Test
+    public void testGetSecretWithNullNodeName() throws Exception {
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Computer.CONNECT).everywhere().to("test-user"));
+
+
+        thrown.expect(IllegalArgumentException.class);
+        thrown.expectMessage("Node name is required");
+        action.doGet(req, rsp, null);
+    }
+
+    @Test
+    public void testGetSecretWithMasterNode() throws Exception {
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
+                .grant(Computer.CONNECT).everywhere().to("test-user"));
+
+        thrown.expect(IllegalArgumentException.class);
+        thrown.expectMessage("The specified node is not an agent/slave node: master");
+        action.doGet(req, rsp, "master");
+    }
+}