hybrid_platforms_conductor 33.3.0 → 33.7.0

data/lib/hybrid_platforms_conductor/cmd_runner.rb

@@ -59,7 +59,7 @@ module HybridPlatformsConductor
     # Raise an exception if the exit status is not the expected one.
     #
     # Parameters::
-    # * *cmd* (String): Command to be run
+    # * *cmd* (String or SecretString): Command to be run
     # * *log_to_file* (String or nil): Log file capturing stdout or stderr (or nil for none). [default: nil]
     # * *log_to_stdout* (Boolean): Do we send the output to stdout? [default: true]
     # * *log_stdout_to_io* (IO or nil): IO to send command's stdout to, or nil for none. [default: nil]
@@ -108,7 +108,7 @@ module HybridPlatformsConductor
         bash_file = nil
         if force_bash
           bash_file = Tempfile.new('hpc_bash')
-          bash_file.write(cmd)
+          bash_file.write(cmd.to_unprotected)
           bash_file.chmod 0o700
           bash_file.close
           cmd = "/bin/bash -c #{bash_file.path}"
@@ -136,7 +136,7 @@ module HybridPlatformsConductor
                 pty: true,
                 timeout: timeout,
                 uuid: false
-              ).run!(cmd) do |stdout, stderr|
+              ).run!(cmd.to_unprotected) do |stdout, stderr|
                 stdout_queue << stdout if stdout
                 stderr_queue << stderr if stderr
               end
@@ -162,7 +162,7 @@ module HybridPlatformsConductor
           log_debug "Finished in #{elapsed} seconds with exit status #{exit_status} (#{(expected_code.include?(exit_status) ? 'success'.light_green : 'failure'.light_red).bold})"
         end
         unless expected_code.include?(exit_status)
-          error_title = "Command '#{cmd.split("\n").first}' returned error code #{exit_status} (expected #{expected_code.join(', ')})."
+          error_title = "Command '#{cmd.to_s.split("\n").first}' returned error code #{exit_status} (expected #{expected_code.join(', ')})."
           if no_exception
             # We consider the caller is responsible for logging what he wants about the details of the error (stdout and stderr)
             log_error error_title

data/lib/hybrid_platforms_conductor/common_config_dsl/bitbucket.rb

@@ -1,5 +1,3 @@
-require 'hybrid_platforms_conductor/bitbucket'
-
 module HybridPlatformsConductor
 
   module CommonConfigDsl
@@ -7,12 +5,21 @@ module HybridPlatformsConductor
     # Add common Bitbucket config DSL to declare known Bitbucket repositories
     module Bitbucket
 
+      # List of known Bitbucket repos
+      # Array< Hash<Symbol, Object> >
+      # * *url* (String): URL to the Bitbucket server
+      # * *project* (String): Project name from the Bitbucket server, storing repositories
+      # * *repos* (Array<String> or Symbol): List of repository names from this project, or :all for all
+      # * *jenkins_ci_url* (String or nil): Corresponding Jenkins CI URL, or nil if none
+      # * *checks* (Hash<Symbol, Object>): Checks definition to be perform on those repositories (see the #for_each_bitbucket_repo to know the structure)
+      attr_reader :known_bitbucket_repos
+
       # Initialize the DSL
       def init_bitbucket
         # List of Bitbucket repositories definitions
         # Array< Hash<Symbol, Object> >
-        # Each definition is just mapping the signature of #bitbucket_repos
-        @bitbucket_repos = []
+        # Each definition is just mapping the signature of #known_bitbucket_repos
+        @known_bitbucket_repos = []
       end
 
       # Register new Bitbucket repositories
@@ -24,7 +31,7 @@ module HybridPlatformsConductor
       # * *jenkins_ci_url* (String or nil): Corresponding Jenkins CI URL, or nil if none [default: nil]
       # * *checks* (Hash<Symbol, Object>): Checks definition to be perform on those repositories (see the #for_each_bitbucket_repo to know the structure) [default: {}]
       def bitbucket_repos(url:, project:, repos: :all, jenkins_ci_url: nil, checks: {})
-        @bitbucket_repos << {
+        @known_bitbucket_repos << {
           url: url,
           project: project,
           repos: repos,
@@ -33,45 +40,6 @@ module HybridPlatformsConductor
         }
       end
 
-      # Iterate over each Bitbucket repository
-      #
-      # Parameters::
-      # * Proc: Code called for each Bitbucket repository:
-      #   * Parameters::
-      #     * *bitbucket* (Bitbucket): The Bitbucket instance used to query the API for this repository
-      #     * *repo_info* (Hash<Symbol, Object>): The repository info:
-      #       * *name* (String): Repository name.
-      #       * *project* (String): Project name.
-      #       * *url* (String): Project Git URL.
-      #       * *jenkins_ci_url* (String or nil): Corresponding Jenkins CI URL, or nil if none.
-      #       * *checks* (Hash<Symbol, Object>): Checks to be performed on this repository:
-      #         * *branch_permissions* (Array< Hash<Symbol, Object> >): List of branch permissions to check [optional]
-      #           * *type* (String): Type of branch permissions to check. Examples of values are 'fast-forward-only', 'no-deletes', 'pull-request-only'.
-      #           * *branch* (String): Branch on which those permissions apply.
-      #           * *exempted_users* (Array<String>): List of exempted users for this permission [default: []]
-      #           * *exempted_groups* (Array<String>): List of exempted groups for this permission [default: []]
-      #           * *exempted_keys* (Array<String>): List of exempted access keys for this permission [default: []]
-      #         * *pr_settings* (Hash<Symbol, Object>): PR specific settings to check [optional]
-      #           * *required_approvers* (Integer): Number of required approvers [optional]
-      #           * *required_builds* (Integer): Number of required successful builds [optional]
-      #           * *default_merge_strategy* (String): Name of the default merge strategy. Example: 'rebase-no-ff' [optional]
-      #           * *mandatory_default_reviewers* (Array<String>): List of mandatory reviewers to check [default: []]
-      def for_each_bitbucket_repo
-        @bitbucket_repos.each do |bitbucket_repo_info|
-          HybridPlatformsConductor::Bitbucket.with_bitbucket(bitbucket_repo_info[:url], @logger, @logger_stderr) do |bitbucket|
-            (bitbucket_repo_info[:repos] == :all ? bitbucket.repos(bitbucket_repo_info[:project])['values'].map { |repo_info| repo_info['slug'] } : bitbucket_repo_info[:repos]).each do |name|
-              yield bitbucket, {
-                name: name,
-                project: bitbucket_repo_info[:project],
-                url: "#{bitbucket_repo_info[:url]}/scm/#{bitbucket_repo_info[:project].downcase}/#{name}.git",
-                jenkins_ci_url: bitbucket_repo_info[:jenkins_ci_url].nil? ? nil : "#{bitbucket_repo_info[:jenkins_ci_url]}/job/#{name}",
-                checks: bitbucket_repo_info[:checks]
-              }
-            end
-          end
-        end
-      end
-
     end
 
   end

data/lib/hybrid_platforms_conductor/common_config_dsl/github.rb

@@ -1,6 +1,3 @@
-require 'octokit'
-require 'hybrid_platforms_conductor/credentials'
-
 module HybridPlatformsConductor
 
   module CommonConfigDsl
@@ -8,12 +5,19 @@ module HybridPlatformsConductor
     # Add common Github config DSL to declare known Github repositories
     module Github
 
+      # List of Github repositories
+      # Array< Hash<Symbol, Object> >
+      # * *user* (String): User or organization name, storing repositories
+      # * *url* (String): URL to the Github API
+      # * *repos* (Array<String> or Symbol): List of repository names from this project, or :all for all
+      attr_reader :known_github_repos
+
       # Initialize the DSL
       def init_github
         # List of Github repositories definitions
         # Array< Hash<Symbol, Object> >
         # Each definition is just mapping the signature of #github_repos
-        @github_repos = []
+        @known_github_repos = []
       end
 
       # Register new Github repositories
@@ -23,39 +27,13 @@ module HybridPlatformsConductor
       # * *url* (String): URL to the Github API [default: 'https://api.github.com']
       # * *repos* (Array<String> or Symbol): List of repository names from this project, or :all for all [default: :all]
       def github_repos(user:, url: 'https://api.github.com', repos: :all)
-        @github_repos << {
+        @known_github_repos << {
           url: url,
           user: user,
           repos: repos
         }
       end
 
-      # Iterate over each Github repository
-      #
-      # Parameters::
-      # * Proc: Code called for each Github repository:
-      #   * Parameters::
-      #     * *github* (Octokit::Client): The client instance accessing the Github API
-      #     * *repo_info* (Hash<Symbol, Object>): The repository info:
-      #       * *name* (String): Repository name.
-      #       * *slug* (String): Repository slug.
-      def for_each_github_repo
-        @github_repos.each do |repo_info|
-          Octokit.configure do |c|
-            c.api_endpoint = repo_info[:url]
-          end
-          Credentials.with_credentials_for(:github, @logger, @logger_stderr, url: repo_info[:url]) do |_github_user, github_token|
-            client = Octokit::Client.new(access_token: github_token)
-            (repo_info[:repos] == :all ? client.repositories(repo_info[:user]).map { |repo| repo[:name] } : repo_info[:repos]).each do |name|
-              yield client, {
-                name: name,
-                slug: "#{repo_info[:user]}/#{name}"
-              }
-            end
-          end
-        end
-      end
-
     end
 
   end

data/lib/hybrid_platforms_conductor/config.rb

@@ -34,6 +34,8 @@ module HybridPlatformsConductor
     end
     @mixin_initializers = []
 
+    expose :log_debug?
+
     # Directory of the definition of the platforms
     #   String
     attr_reader :hybrid_platforms_dir

data/lib/hybrid_platforms_conductor/confluence.rb

@@ -7,111 +7,116 @@ require 'hybrid_platforms_conductor/credentials'
 
 module HybridPlatformsConductor
 
-  # Object used to access Confluence API
-  class Confluence
+  # Mixin used to access Confluence API
+  module Confluence
 
-    include LoggerHelpers
+    include Credentials
 
     # Provide a Confluence connector, and make sure the password is being cleaned when exiting.
     #
     # Parameters::
     # * *confluence_url* (String): The Confluence URL
-    # * *logger* (Logger): Logger to be used
-    # * *logger_stderr* (Logger): Logger to be used for stderr
     # * Proc: Code called with the Confluence instance.
-    #   * *confluence* (Confluence): The Confluence instance to use.
-    def self.with_confluence(confluence_url, logger, logger_stderr)
-      Credentials.with_credentials_for(:confluence, logger, logger_stderr, url: confluence_url) do |confluence_user, confluence_password|
-        yield Confluence.new(confluence_url, confluence_user, confluence_password, logger: logger, logger_stderr: logger_stderr)
+    #   * *confluence* (ConfluenceApi): The Confluence instance to use.
+    def with_confluence(confluence_url)
+      with_credentials_for(:confluence, resource: confluence_url) do |confluence_user, confluence_password|
+        yield ConfluenceApi.new(confluence_url, confluence_user, confluence_password, logger: @logger, logger_stderr: @logger_stderr)
       end
     end
 
-    # Constructor
-    #
-    # Parameters::
-    # * *confluence_url* (String): The Confluence URL
-    # * *confluence_user_name* (String): Confluence user name to be used when querying the API
-    # * *confluence_password* (String): Confluence password to be used when querying the API
-    # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
-    # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
-    def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
-      init_loggers(logger, logger_stderr)
-      @confluence_url = confluence_url
-      @confluence_user_name = confluence_user_name
-      @confluence_password = confluence_password
-    end
+    # Provide an API access on Confluence
+    class ConfluenceApi
 
-    # Return a Confluence storage format content from a page ID
-    #
-    # Parameters::
-    # * *page_id* (String): Confluence page ID
-    # Result::
-    # * Nokogiri::HTML: Storage format content, as a Nokogiri object
-    def page_storage_format(page_id)
-      Nokogiri::HTML(call_api("plugins/viewstorage/viewpagestorage.action?pageId=#{page_id}").body)
-    end
+      include LoggerHelpers
 
-    # Return some info of a given page ID
-    #
-    # Parameters::
-    # * *page_id* (String): Confluence page ID
-    # Result::
-    # * Hash: Page information, as returned by the Confluence API
-    def page_info(page_id)
-      JSON.parse(call_api("rest/api/content/#{page_id}").body)
-    end
+      # Constructor
+      #
+      # Parameters::
+      # * *confluence_url* (String): The Confluence URL
+      # * *confluence_user_name* (String): Confluence user name to be used when querying the API
+      # * *confluence_password* (SecretString): Confluence password to be used when querying the API
+      # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
+      # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
+      def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
+        init_loggers(logger, logger_stderr)
+        @confluence_url = confluence_url
+        @confluence_user_name = confluence_user_name
+        @confluence_password = confluence_password
+      end
 
-    # Update a Confluence page to a new content.
-    #
-    # Parameters::
-    # * *page_id* (String): Confluence page ID
-    # * *content* (String): New content
-    # * *version* (String or nil): New version, or nil to automatically increase last existing version [default: nil]
-    def update_page(page_id, content, version: nil)
-      info = page_info(page_id)
-      version = info['version']['number'] + 1 if version.nil?
-      log_debug "Update Confluence page #{page_id}..."
-      call_api("rest/api/content/#{page_id}", :put) do |request|
-        request['Content-Type'] = 'application/json'
-        request.body = {
-          type: 'page',
-          title: info['title'],
-          body: {
-            storage: {
-              value: content,
-              representation: 'storage'
-            }
-          },
-          version: { number: version }
-        }.to_json
+      # Return a Confluence storage format content from a page ID
+      #
+      # Parameters::
+      # * *page_id* (String): Confluence page ID
+      # Result::
+      # * Nokogiri::HTML: Storage format content, as a Nokogiri object
+      def page_storage_format(page_id)
+        Nokogiri::HTML(call_api("plugins/viewstorage/viewpagestorage.action?pageId=#{page_id}").body)
       end
-    end
 
-    private
+      # Return some info of a given page ID
+      #
+      # Parameters::
+      # * *page_id* (String): Confluence page ID
+      # Result::
+      # * Hash: Page information, as returned by the Confluence API
+      def page_info(page_id)
+        JSON.parse(call_api("rest/api/content/#{page_id}").body)
+      end
 
-    # Call the Confluence API for a given URL and HTTP verb.
-    # Provide a simple way to tweak the request with an optional proc.
-    # Automatically handles authentication, base URL and error handling.
-    #
-    # Parameters::
-    # * *api_path* (String): The API path to query
-    # * *http_method* (Symbol): HTTP method to be used to create the request [default = :get]
-    # * Proc: Optional code called to alter the request
-    #   * Parameters::
-    #     * *request* (Net::HTTPRequest): The request
-    # Result::
-    # * Net::HTTPResponse: The corresponding response
-    def call_api(api_path, http_method = :get)
-      response = nil
-      page_url = URI.parse("#{@confluence_url}/#{api_path}")
-      Net::HTTP.start(page_url.host, page_url.port, use_ssl: true) do |http|
-        request = Net::HTTP.const_get(http_method.to_s.capitalize.to_sym).new(page_url.request_uri)
-        request.basic_auth @confluence_user_name, @confluence_password
-        yield request if block_given?
-        response = http.request(request)
-        raise "Confluence page API request on #{page_url} returned an error: #{response.code}\n#{response.body}\n===== Request body =====\n#{request.body}" unless response.is_a?(Net::HTTPSuccess)
+      # Update a Confluence page to a new content.
+      #
+      # Parameters::
+      # * *page_id* (String): Confluence page ID
+      # * *content* (String): New content
+      # * *version* (String or nil): New version, or nil to automatically increase last existing version [default: nil]
+      def update_page(page_id, content, version: nil)
+        info = page_info(page_id)
+        version = info['version']['number'] + 1 if version.nil?
+        log_debug "Update Confluence page #{page_id}..."
+        call_api("rest/api/content/#{page_id}", :put) do |request|
+          request['Content-Type'] = 'application/json'
+          request.body = {
+            type: 'page',
+            title: info['title'],
+            body: {
+              storage: {
+                value: content,
+                representation: 'storage'
+              }
+            },
+            version: { number: version }
+          }.to_json
+        end
       end
-      response
+
+      private
+
+      # Call the Confluence API for a given URL and HTTP verb.
+      # Provide a simple way to tweak the request with an optional proc.
+      # Automatically handles authentication, base URL and error handling.
+      #
+      # Parameters::
+      # * *api_path* (String): The API path to query
+      # * *http_method* (Symbol): HTTP method to be used to create the request [default = :get]
+      # * Proc: Optional code called to alter the request
+      #   * Parameters::
+      #     * *request* (Net::HTTPRequest): The request
+      # Result::
+      # * Net::HTTPResponse: The corresponding response
+      def call_api(api_path, http_method = :get)
+        response = nil
+        page_url = URI.parse("#{@confluence_url}/#{api_path}")
+        Net::HTTP.start(page_url.host, page_url.port, use_ssl: true) do |http|
+          request = Net::HTTP.const_get(http_method.to_s.capitalize.to_sym).new(page_url.request_uri)
+          request.basic_auth @confluence_user_name, @confluence_password&.to_unprotected
+          yield request if block_given?
+          response = http.request(request)
+          raise "Confluence page API request on #{page_url} returned an error: #{response.code}\n#{response.body}\n===== Request body =====\n#{request.body}" unless response.is_a?(Net::HTTPSuccess)
+        end
+        response
+      end
+
     end
 
   end

data/lib/hybrid_platforms_conductor/connector.rb

@@ -14,16 +14,19 @@ module HybridPlatformsConductor
     # * *config* (Config): Config to be used. [default: Config.new]
     # * *cmd_runner* (CmdRunner): Command executor to be used. [default: CmdRunner.new]
     # * *nodes_handler* (NodesHandler): NodesHandler to be used. [default: NodesHandler.new]
+    # * *actions_executor* (ActionsExecutor): ActionsExecutor to be used. [default: ActionsExecutor.new]
     def initialize(
       logger: Logger.new($stdout),
       logger_stderr: Logger.new($stderr),
       config: Config.new,
       cmd_runner: CmdRunner.new,
-      nodes_handler: NodesHandler.new
+      nodes_handler: NodesHandler.new,
+      actions_executor: ActionsExecutor.new
     )
       super(logger: logger, logger_stderr: logger_stderr, config: config)
       @cmd_runner = cmd_runner
       @nodes_handler = nodes_handler
+      @actions_executor = actions_executor
       # If the connector has an initializer, use it
       init if respond_to?(:init)
     end
@@ -67,7 +70,7 @@ module HybridPlatformsConductor
     # Handle the redirection of standard output and standard error to file and stdout depending on the context of the run.
     #
     # Parameters::
-    # * *cmd* (String): The command to be run
+    # * *cmd* (String or SecretString): The command to be run
     # * *force_bash* (Boolean): If true, then make sure command is invoked with bash instead of sh [default: false]
     # Result::
     # * Integer: Exit code

data/lib/hybrid_platforms_conductor/credentials.rb

@@ -1,4 +1,5 @@
 require 'netrc'
+require 'secret_string'
 require 'uri'
 require 'hybrid_platforms_conductor/logger_helpers'
 
@@ -7,122 +8,146 @@ module HybridPlatformsConductor
   # Give a secured and harmonized way to access credentials for a given service.
   # It makes sure to remove passwords from memory for hardened security (this way if a vulnerability allows an attacker to dump the memory it won't get passwords).
   # It gets credentials from the following sources:
+  # * Configuration
   # * Environment variables
   # * Netrc file
-  class Credentials
+  module Credentials
 
-    include LoggerHelpers
+    # Extend the Config DSL
+    module ConfigDSLExtension
+
+      # List of credentials. Each info has the following properties:
+      # * *credential_id* (Symbol): Credential ID this rule applies to
+      # * *resource* (Regexp): Resource filtering for this rule
+      # * *provider* (Proc): The code providing the credentials:
+      #   * Parameters::
+      #     * *resource* (String or nil): The resource for which we want credentials, or nil if none
+      #     * *requester* (Proc): Code to be called to give credentials to:
+      #       * Parameters::
+      #         * *user* (String or nil): The user name, or nil if none
+      #         * *password* (String or nil): The password, or nil if none
+      attr_reader :credentials
+
+      # Mixin initializer
+      def init_credentials_config
+        @credentials = []
+      end
+
+      # Define a credentials provider
+      #
+      # Parameters::
+      # * *credential_id* (Symbol): Credential ID this rule applies to
+      # * *resource* (String or Regexp): Resource filtering for this rule [default: /.*/]
+      # * *provider* (Proc): The code providing the credentials:
+      #   * Parameters::
+      #     * *resource* (String or nil): The resource for which we want credentials, or nil if none
+      #     * *requester* (Proc): Code to be called to give credentials to:
+      #       * Parameters::
+      #         * *user* (String or nil): The user name, or nil if none
+      #         * *password* (String or nil): The password, or nil if none
+      def credentials_for(credential_id, resource: /.*/, &provider)
+        @credentials << {
+          credential_id: credential_id,
+          resource: resource.is_a?(String) ? /^#{Regexp.escape(resource)}$/ : resource,
+          provider: provider
+        }
+      end
+
+    end
+
+    Config.extend_config_dsl_with ConfigDSLExtension, :init_credentials_config
 
     # Get access to credentials and make sure they are wiped out from memory when client code ends.
     # To ensure password safety, never store the password in a scope beyond the client code's Proc.
     #
     # Parameters::
     # * *id* (Symbol): Credential ID
-    # * *logger* (Logger): Logger to be used
-    # * *logger_stderr* (Logger): Logger to be used for stderr
-    # * *url* (String or nil): The URL for which we want the credentials, or nil if not associated to a URL [default: nil]
+    # * *resource* (String or nil): The resource for which we want the credentials, or nil if not associated to a resource [default: nil]
     # * Proc: Client code called with credentials provided
     #   * Parameters::
     #     * *user* (String or nil): User name, or nil if none
-    #     * *password* (String or nil): Password, or nil if none.
-    #       !!! Never store this password in a scope broader than the client code itself !!!
-    def self.with_credentials_for(id, logger, logger_stderr, url: nil)
-      credentials = Credentials.new(id, url: url, logger: logger, logger_stderr: logger_stderr)
-      begin
-        yield credentials.user, credentials.password
-      ensure
-        credentials.clear_password
-      end
-    end
+    #     * *password* (SecretString or nil): Password, or nil if none.
+    #       !!! Never clone this password in a scope broader than the client code itself !!!
+    def with_credentials_for(id, resource: nil)
+      # Get the credentials provider
+      provider = nil
 
-    # Constructor
-    #
-    # Parameters::
-    # * *id* (Symbol): Credential ID
-    # * *url* (String or nil): The URL for which we want the credentials, or nil if not associated to a URL [default: nil]
-    # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
-    # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
-    def initialize(id, url: nil, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
-      init_loggers(logger, logger_stderr)
-      @id = id
-      @url = url
-      @user = nil
-      @password = nil
-      @retrieved = false
-    end
-
-    # Provide a helper to clear password from memory for security.
-    # To be used when the client knows it won't use the password anymore.
-    def clear_password
-      @password&.replace('gotyou!' * 100)
-      GC.start
-    end
-
-    # Get the associated user
-    #
-    # Result::
-    # * String or nil: The user name, or nil if none
-    def user
-      retrieve_credentials
-      @user
-    end
-
-    # Get the associated password
-    #
-    # Result::
-    # * String or nil: The password, or nil if none
-    def password
-      retrieve_credentials
-      @password
-    end
-
-    private
-
-    # Retrieve credentials in @user and @password.
-    # Do it only once.
-    # Make sure the retrieved credentials are not linked to other objects in memory, so that we can remove any other trace of secrets.
-    def retrieve_credentials
-      return if @retrieved
+      # Check configuration
+      # Take the last matching provider, this way we can define several providers for resources matched in a increasingly refined way.
+      @config.credentials.each do |credentials_info|
+        provider = credentials_info[:provider] if credentials_info[:credential_id] == id && (
+          (resource.nil? && credentials_info[:resource] == /.*/) || credentials_info[:resource] =~ resource
+        )
+      end
 
-      # Check environment variables
-      @user = ENV["hpc_user_for_#{@id}"].dup
-      @password = ENV["hpc_password_for_#{@id}"].dup
-      if @user.nil? || @user.empty? || @password.nil? || @password.empty?
-        log_debug "[ Credentials for #{@id} ] - Credentials not found from environment variables."
-        if @url.nil?
-          log_debug "[ Credentials for #{@id} ] - No URL associated to this credentials, so .netrc can't be used."
-        else
-          # Check Netrc
-          netrc = ::Netrc.read
-          begin
-            netrc_user, netrc_password = netrc[URI.parse(@url).host.downcase]
-            if netrc_user.nil?
-              log_debug "[ Credentials for #{@id} ] - No credentials retrieved from .netrc."
-              # TODO: Add more credentials source if needed here
-              log_warn "[ Credentials for #{@id} ] - Unable to get credentials for #{@id} (URL: #{@url})."
-            else
-              @user = netrc_user.dup
-              @password = netrc_password.dup
-              log_debug "[ Credentials for #{@id} ] - Credentials retrieved from .netrc using #{@url}."
-            end
-          ensure
-            # Make sure the password does not stay in Netrc memory
-            # Wipe out any memory trace that might contain passwords in clear
-            netrc.instance_variable_get(:@data).each do |data_line|
-              data_line.each do |data_string|
-                data_string.replace('GotYou!!!' * 100)
+      provider ||= proc do |requested_resource, requester|
+        # Check environment variables
+        user = ENV["hpc_user_for_#{id}"]
+        # Clone the password as we are going to treat it as a secret string that will be wiped out
+        password = ENV["hpc_password_for_#{id}"].dup
+        if user.nil? || user.empty? || password.nil? || password.empty?
+          log_debug "[ Credentials for #{id} ] - Credentials not found from environment variables."
+          if requested_resource.nil?
+            log_debug "[ Credentials for #{id} ] - No resource associated to this credentials, so .netrc can't be used."
+          else
+            # Check Netrc
+            netrc = ::Netrc.read
+            begin
+              netrc_user, netrc_password = netrc[
+                begin
+                  URI.parse(requested_resource).host.downcase
+                rescue URI::InvalidURIError
+                  requested_resource
+                end
+              ]
+              if netrc_user.nil?
+                log_debug "[ Credentials for #{id} ] - No credentials retrieved from .netrc."
+                # TODO: Add more credentials source if needed here
+                log_warn "[ Credentials for #{id} ] - Unable to get credentials for #{id} (Resource: #{requested_resource})."
+              else
+                # Clone in memory as we are going to wipe out ::Netrc's memory
+                user = netrc_user.dup
+                password = netrc_password.dup
+                log_debug "[ Credentials for #{id} ] - Credentials retrieved from .netrc using #{requested_resource}."
+              end
+            ensure
+              # Make sure the password does not stay in Netrc memory
+              # Wipe out any memory trace that might contain passwords in clear
+              netrc.instance_variable_get(:@data).each do |data_line|
+                data_line.each do |data_string|
+                  data_string.replace('GotYou!!!' * 100)
+                end
               end
             end
-            # We don this assignment on purpose so that GC can remove sensitive data later
-            # rubocop:disable Lint/UselessAssignment
-            netrc = nil
-            # rubocop:enable Lint/UselessAssignment
+          end
+        else
+          log_debug "[ Credentials for #{id} ] - Credentials retrieved from environment variables."
+        end
+        if password.nil?
+          requester.call user, password
+        else
+          SecretString.protect(password) do |secret_password|
+            requester.call user, secret_password
           end
         end
-      else
-        log_debug "[ Credentials for #{@id} ] - Credentials retrieved from environment variables."
       end
-      GC.start
+
+      requester_called = false
+      provider.call(
+        resource,
+        proc do |user, password|
+          requester_called = true
+          if password.is_a?(String)
+            SecretString.protect(password) do |secret_password|
+              yield user, secret_password
+            end
+          else
+            yield user, password
+          end
+        end
+      )
+
+      raise "Requester not called by the credentials provider for #{id} (resource: #{resource}) - Please check the credentials_for code in your configuration." unless requester_called
     end
 
   end