diff --git a/docs/user.adoc b/docs/user.adoc index 6e4225992..8c921adb2 100644 --- a/docs/user.adoc +++ b/docs/user.adoc @@ -52,7 +52,7 @@ While the Credentials API plugin provides a default _internal_ credentials store If you are using the _internal_ credentials store to store *high value* credentials then you will need to lock down your Jenkins configuration: * Apply all of the recommendations from the https://wiki.jenkins.io/display/JENKINS/Securing+Jenkins[Securing Jenkins] wiki page. -* No builds on the master (ideally zero executors) +* No builds on the controller (ideally zero executors) * Probably use the https://plugins.jenkins.io/authorize-project[Authorize Project plugin] to control effective permission of running builds. * etc. @@ -66,9 +66,9 @@ While the above security recommendations are generally valid for any situation w * the _internal_ store is encrypted using a key that is also stored in `JENKINS_HOME` * the JVM running Jenkins must have access to these files -It becomes critical to secure the filesystem of the Jenkins master process. +It becomes critical to secure the filesystem of the Jenkins controller process. -With an _external_ credentials store, access to the Jenkins master filesystem will not generically compromise credentials. +With an _external_ credentials store, access to the Jenkins controller filesystem will not generically compromise credentials. In the event of a breach, the last-accessed tracking facilities of an enterprise-grade external store will enable identification of _at risk_ credentials in need of rotation. ==== 
@@ -119,7 +119,7 @@ Jenkins is a multithreaded application. Each execution thread has an associated authentication. There are three classes of authentication that a thread can be associated with: -* `ACL.SYSTEM` this is the super-user authentication of the Jenkins master process itself. +* `ACL.SYSTEM` this is the super-user authentication of the Jenkins controller process itself. Also known as `SYSTEM`. Any actions performed by Jenkins itself will start in a thread using this authentication. * A user authentication, this type of authentication is assigned to any web/CLI requests by a logged in user. @@ -429,10 +429,10 @@ The two options: Are logically equivalent. The difference between these two options is in how they react as new plugins are installed. -_Only selected_ is essentially a whitelist strategy. +_Only selected_ is essentially a allowlist strategy. When new plugins are installed the configuration will not automatically select any new options to be enabled. -_Exclude selected_ is essentially a blacklist strategy. +_Exclude selected_ is essentially a denylist strategy. When new plugins are installed the configuration will not automatically select any new options to be disabled. ==== diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderFilter.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderFilter.java index 2a49d7dc1..fa1c6824c 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderFilter.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderFilter.java @@ -159,7 +159,7 @@ public String getDisplayName() { } /** - * A filter that implements a whitelist policy, "if you are not on the list you can't come in". + * A filter that implements a allowlist policy, "if you are not on the list you can't come in". * * @since 2.0 */ 
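Review bot: The new Javadoc summary in the last hunk here (CredentialsProviderFilter.java, `@@ -159,7 +159,7 @@`) reads "a allowlist policy"; the article should be "an", i.e. `* A filter that implements an allowlist policy, "if you are not on the list you can't come in".` The same slip appears in the matching Javadoc in CredentialsTypeFilter.java and in docs/user.adoc ("essentially a allowlist strategy"). The comment documents the `Includes` class, whose declaration lies outside this hunk.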
@@ -177,7 +177,7 @@ public static class Includes extends CredentialsProviderFilter { /** * Our constructor. * - * @param classNames the whitelist of class names. + * @param classNames the list of allowed class names. */ @DataBoundConstructor public Includes(@CheckForNull List classNames) { @@ -193,9 +193,9 @@ public boolean filter(CredentialsProvider provider) { } /** - * Returns the whitelist of allowed {@link Class#getName()}. + * Returns the list of allowed {@link Class#getName()}. * - * @return the whitelist of allowed {@link Class#getName()}. + * @return the list of allowed {@link Class#getName()}. */ @NonNull public List getClassNames() { @@ -271,7 +271,7 @@ public List getProviderDescriptors() { } /** - * A filter that implements a blacklist policy, "if you are not on the list you can come in". + * A filter that implements a denylist policy, "if you are not on the list you can come in". * * @since 2.0 */ @@ -289,7 +289,7 @@ public static class Excludes extends CredentialsProviderFilter { /** * Our constructor. * - * @param classNames the blacklist of class names. + * @param classNames the excluded list of class names. */ @DataBoundConstructor public Excludes(@CheckForNull List classNames) { @@ -305,9 +305,9 @@ public boolean filter(CredentialsProvider provider) { } /** - * Returns the blacklist of banned {@link Class#getName()}. + * Returns the list of banned {@link Class#getName()}. * - * @return the blacklist of banned {@link Class#getName()}. + * @return the list of banned {@link Class#getName()}. */ @NonNull public List getClassNames() { diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderTypeRestriction.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderTypeRestriction.java index ce9954538..9ff39bdf9 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderTypeRestriction.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsProviderTypeRestriction.java 
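Review bot: The Javadoc on `Excludes` (hunk `@@ -271,7 +271,7 @@`) still describes the policy only with the quip "if you are not on the list you can come in" and does not spell out what that means for an administrator. Going by the user guide text touched in this same commit, a newly installed plugin's options are not selected automatically, so a new provider presumably passes this filter until someone excludes it. I would add a sentence such as `* Providers that are not listed, including those contributed by plugins installed later, pass this filter; prefer {@link Includes} where new providers must stay disabled until reviewed.` The same applies to `Excludes` in CredentialsTypeFilter.java; the class body is outside the hunk.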
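Review bot: The new `@param` text in hunk `@@ -289,7 +289,7 @@`, "the excluded list of class names", reads as if the list itself were excluded, and it differs from the parallel wording in CredentialsTypeFilter.java ("the list of excluded class names"). I would use `* @param classNames the list of excluded class names.` here. Similarly, the `Includes` constructor in this file says "allowed" while the one in CredentialsTypeFilter.java says "included"; picking one term for both would keep the two filters' Javadoc in step. The constructor body is outside the hunk.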
@@ -91,7 +91,7 @@ public CredentialsProviderTypeRestrictionDescriptor getDescriptor() { public abstract String toString(); /** - * A whitelist of types for each provider. If you specify any {@link Includes} for any specific + * A list of included types for each provider. If you specify any {@link Includes} for any specific * {@link #getProvider()} then at least one {@link Includes} for that {@link #getProvider()} must match for a * {@link #getType()} to be permitted. * @@ -264,7 +264,7 @@ public ListBoxModel doFillTypeItems() { } /** - * A blacklist of types for each provider. + * A list of excluded types for each provider. * * @since 2.0 */ diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsScope.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsScope.java index b6ac65658..a9ee6d6fb 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsScope.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsScope.java @@ -36,7 +36,7 @@ public enum CredentialsScope implements Serializable { /** * This credential is only available to the object on which the credential is associated. Typically you would - * use SYSTEM scoped credentials for things like email auth, slave connection, etc, i.e. where the + * use SYSTEM scoped credentials for things like email auth, agent connection, etc, i.e. where the * Jenkins instance itself is using the credential. */ SYSTEM { diff --git a/src/main/java/com/cloudbees/plugins/credentials/CredentialsTypeFilter.java b/src/main/java/com/cloudbees/plugins/credentials/CredentialsTypeFilter.java index 10d863c41..46efc1d62 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/CredentialsTypeFilter.java +++ b/src/main/java/com/cloudbees/plugins/credentials/CredentialsTypeFilter.java 
@@ -160,7 +160,7 @@ public String getDisplayName() { } /** - * A filter that implements a whitelist policy, "if you are not on the list you can't come in". + * A filter that implements a allowlist policy, "if you are not on the list you can't come in". * * @since 2.0 */ @@ -177,7 +177,7 @@ public static class Includes extends CredentialsTypeFilter { /** * Our constructor. * - * @param classNames the whitelist of class names. + * @param classNames the list of included class names. */ @DataBoundConstructor public Includes(@CheckForNull List classNames) { @@ -193,9 +193,9 @@ public boolean filter(CredentialsDescriptor type) { } /** - * Returns the whitelist of allowed {@link Class#getName()}. + * Returns the list of allowed {@link Class#getName()}. * - * @return the whitelist of allowed {@link Class#getName()}. + * @return the list of allowed {@link Class#getName()}. */ @NonNull public List getClassNames() { @@ -272,7 +272,7 @@ public List getTypeDescriptors() { } /** - * A filter that implements a blacklist policy, "if you are not on the list you can come in". + * A filter that implements a denylist policy, "if you are not on the list you can come in". * * @since 2.0 */ @@ -289,7 +289,7 @@ public static class Excludes extends CredentialsTypeFilter { /** * Our constructor. * - * @param classNames the blacklist of class names. + * @param classNames the list of excluded class names. */ @DataBoundConstructor public Excludes(@CheckForNull List classNames) { @@ -305,9 +305,9 @@ public boolean filter(CredentialsDescriptor type) { } /** - * Returns the blacklist of banned {@link Class#getName()}. + * Returns the list of banned {@link Class#getName()}. * - * @return the blacklist of banned {@link Class#getName()}. + * @return the list of banned {@link Class#getName()}. */ @NonNull public List getClassNames() { 
diff --git a/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java b/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java index 2b991bf17..ce1a248cb 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java +++ b/src/main/java/com/cloudbees/plugins/credentials/common/AbstractIdCredentialsListBoxModel.java @@ -99,7 +99,7 @@ *
System-level settings *
* If your model is a singleton in the whole Jenkins instance, things that belong to the root {@link Jenkins} - * (such as slaves), or do not have any ancestors serving as the context, then use {@link Jenkins#get} as the + * (such as agents), or do not have any ancestors serving as the context, then use {@link Jenkins#get} as the * context. *
Job-level settings *
diff --git a/src/main/java/com/cloudbees/plugins/credentials/domains/PathSpecification.java b/src/main/java/com/cloudbees/plugins/credentials/domains/PathSpecification.java index aa21ab424..2abe6ddf5 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/domains/PathSpecification.java +++ b/src/main/java/com/cloudbees/plugins/credentials/domains/PathSpecification.java @@ -33,8 +33,8 @@ import org.springframework.util.AntPathMatcher; /** - * A {@link DomainSpecification} that matches {@link PathRequirement}s where the URI path is on a whitelist - * of paths. + * A {@link DomainSpecification} that matches {@link PathRequirement}s where the URI path is on a list + * of allowed paths. * * @see RFC-3986 Section 3.1 * @since 1.12 diff --git a/src/main/java/com/cloudbees/plugins/credentials/domains/SchemeSpecification.java b/src/main/java/com/cloudbees/plugins/credentials/domains/SchemeSpecification.java index b8e9cc3d9..080d782bb 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/domains/SchemeSpecification.java +++ b/src/main/java/com/cloudbees/plugins/credentials/domains/SchemeSpecification.java @@ -33,8 +33,8 @@ import org.kohsuke.stapler.DataBoundConstructor; /** - * A {@link DomainSpecification} that matches {@link SchemeRequirement}s where the URI scheme is on a whitelist - * of schemes. + * A {@link DomainSpecification} that matches {@link SchemeRequirement}s where the URI scheme is on a list + * of allowed schemes. * * @see RFC-3986 Section 3.1 * @since 1.5 diff --git a/src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java b/src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java index 8c18890c9..ba48c86e3 100644 --- a/src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java +++ b/src/main/java/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.java 
@@ -346,7 +346,7 @@ public static class FileOnMasterKeyStoreSource extends KeyStoreSource { private static final Logger LOGGER = Logger.getLogger(FileOnMasterKeyStoreSource.class.getName()); /** - * The path of the file on the master. + * The path of the file on the controller. */ private final String keyStoreFile; diff --git a/src/main/resources/com/cloudbees/plugins/credentials/BaseCredentials/help-scope.html b/src/main/resources/com/cloudbees/plugins/credentials/BaseCredentials/help-scope.html index 5867eaaca..5817e9928 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/BaseCredentials/help-scope.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/BaseCredentials/help-scope.html @@ -29,7 +29,7 @@
System
This credential is only available to the object on which the credential is associated. Typically you would - use system-scoped credentials for things like email auth, slave connection, etc, i.e. where the + use system-scoped credentials for things like email auth, agent connection, etc, i.e. where the Jenkins instance itself is using the credential. Unlike the global scope, this significantly restricts where the credential can be used, thereby providing a higher degree of confidentiality to the credential.
@@ -47,7 +47,7 @@

In general, a credential is defined in one place (e.g., the credentials configuration page under "Manage Jenkins") - and then used in another place (e.g., when connecting to a new SSH slave). + and then used in another place (e.g., when connecting to a new SSH build agent). The scope allows you to say "this credential is only used by these places" by looking at the relationship between the two locations. diff --git a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-excludes.html b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-excludes.html index 0a2c0ad2c..968ef9ff9 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-excludes.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-excludes.html @@ -23,7 +23,7 @@ -->

- A comma separated blacklist of hostnames. (The * wildcard is permitted in hostnames, + A comma separated list of excluded hostnames. (The * wildcard is permitted in hostnames, for example: jenkins-ci.org:*, *.jenkins-ci.org:80, jenkinsci.github.io:443.)
The empty list implies no hostname:port is excluded. The excludes list is processed after the includes diff --git a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-includes.html b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-includes.html index 68f8ed552..87d618b29 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-includes.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnamePortSpecification/help-includes.html @@ -23,7 +23,7 @@ -->
- A comma separated whitelist of hostnames. (The * wildcard is permitted in hostnames, + A comma separated list of included hostnames. (The * wildcard is permitted in hostnames, for example: jenkins-ci.org:*, *.jenkins-ci.org:80, jenkinsci.github.io:443.)
The empty list implies no hostname:port is excluded. The excludes list is processed after the includes diff --git a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-excludes.html b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-excludes.html index 0d650bfe2..3d185a837 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-excludes.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-excludes.html @@ -23,7 +23,7 @@ -->
- A comma separated blacklist of hostnames. (The * wildcard is permitted in hostnames, + A comma separated list of excluded hostnames. (The * wildcard is permitted in hostnames, for example: jenkins-ci.org, *.jenkins-ci.org, jenkinsci.github.io.)
The empty list implies no hostnames are excluded. The excludes list is processed after the includes list. diff --git a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-includes.html b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-includes.html index c5f5d98c7..27f566e59 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-includes.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/domains/HostnameSpecification/help-includes.html @@ -23,7 +23,7 @@ -->
- A comma separated whitelist of hostnames. (The * wildcard is permitted in hostnames, + A comma separated list of included hostnames. (The * wildcard is permitted in hostnames, for example: jenkins-ci.org, *.jenkins-ci.org, jenkinsci.github.io.)
The empty list implies no hostnames are excluded. The excludes list is processed after the includes list. diff --git a/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-excludes.html b/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-excludes.html index abf073adb..fa9c468c9 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-excludes.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-excludes.html @@ -23,7 +23,7 @@ -->
- A comma separated blacklist of paths. (ANT style * and ** wildcards are permitted in paths, + A comma separated list of excluded paths. (ANT style * and ** wildcards are permitted in paths, for example: /jenkins/github/*,/jenkins-ci/**/org,jenkinsci.github.io.)
The empty list implies no paths are excluded. The excludes list is processed after the includes list. diff --git a/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-includes.html b/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-includes.html index c553dc712..d18dab85b 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-includes.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/domains/PathSpecification/help-includes.html @@ -23,7 +23,7 @@ -->
- A comma separated whitelist of paths. (ANT style * and ** wildcards are permitted in paths, + A comma separated list of included paths. (ANT style * and ** wildcards are permitted in paths, for example: /jenkins/github/*,/jenkins-ci/**/org,jenkinsci.github.io.)
The empty list implies no paths are excluded. The excludes list is processed after the includes list. diff --git a/src/main/resources/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl/FileOnMasterKeyStoreSource/help-keyStoreFile.html b/src/main/resources/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl/FileOnMasterKeyStoreSource/help-keyStoreFile.html index fd9a1170a..f9e84ff6b 100644 --- a/src/main/resources/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl/FileOnMasterKeyStoreSource/help-keyStoreFile.html +++ b/src/main/resources/com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl/FileOnMasterKeyStoreSource/help-keyStoreFile.html @@ -23,5 +23,5 @@ -->
- The path to the file on the Jenkins master node. -
\ No newline at end of file + The path to the file on the Jenkins controller. +
diff --git a/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java b/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java index 5dcfe97d7..ba6b57187 100644 --- a/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java +++ b/src/test/java/com/cloudbees/plugins/credentials/CredentialsProviderTest.java @@ -277,7 +277,7 @@ public void testNodeCredentialFingerprintsAreRemovedForNonExistentNodes() throws // Create a DumbSlave, this time don't add it to the model, // it should not be recorded DumbSlave nonAddedSlave = new DumbSlave("non-added-slave", - "dummy", "/home/test/slave", "1", Node.Mode.NORMAL, "remote", + "dummy", "/home/test/agent", "1", Node.Mode.NORMAL, "remote", new JNLPLauncher(), RetentionStrategy.INSTANCE, Collections.emptyList()); @@ -288,8 +288,8 @@ public void testNodeCredentialFingerprintsAreRemovedForNonExistentNodes() throws // Create a DumbSlave to use, and add it to the Jenkins model, this // one should be recorded - DumbSlave addedSlave = new DumbSlave("added-slave", - "dummy", "/home/test/slave", "1", Node.Mode.NORMAL, "remote", + DumbSlave addedSlave = new DumbSlave("added-agent", + "dummy", "/home/test/agent", "1", Node.Mode.NORMAL, "remote", new JNLPLauncher(), RetentionStrategy.INSTANCE, Collections.emptyList()); @@ -302,7 +302,7 @@ public void testNodeCredentialFingerprintsAreRemovedForNonExistentNodes() throws CredentialsProvider.track(addedSlave, globalCred); assertEquals(initialFingerprintSize+1, CredentialsProvider.getOrCreateFingerprintOf(globalCred).getFacets().size()); - // Remove the added slave from Jenkins, and track the non-added slave + // Remove the added agent from Jenkins, and track the non-added agent // to flush any mapped credentials for nodes that no longer exist. Jenkins.get().removeNode(addedSlave); CredentialsProvider.track(nonAddedSlave, globalCred);
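Review bot: The node name `"non-added-slave"` in the first `DumbSlave` constructor call (hunk `@@ -277,7 +277,7 @@`) is left unchanged, while the sibling call in the next hunk becomes `"added-agent"` and both remote paths become `/home/test/agent`. If nothing else in the test depends on that literal, `DumbSlave nonAddedSlave = new DumbSlave("non-added-agent",` keeps the two fixtures consistent. The local names `addedSlave`/`nonAddedSlave` and the "Create a DumbSlave" comments follow the class name and can stay. The test method starts and ends outside these hunks.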