Jenkins Pipeline Displays Password in Plaintext - jenkins

I am retrieving the username password from the credentials plugin.
The values are then saved as environmental variables. I am using the password in later stages of the pipeline, in sh block as an argument for curl.
At this point the password is displayed in plaintext in the build logs. Is there a way to avoid this? I assumed by using the credentials plugin the password will be masked.
pipeline {
    agent any
    stages {
        stage ('One') {
            steps {
                script {
                    withCredentials([usernamePassword(credentialsId: 'my_cred', usernameVariable: 'User_Name', passwordVariable: 'Password')]) {
                        env.User_Name = User_Name
                        env.Password = Password
                    }
                }
            }
        }
        stage ('Two') {
            steps {
                sh '''
                    curl -v -u ${User_Name}:${Password} ...
                '''
            }
        }
    }
}
Note: I am using the curl to upload a file to a remote host.

That's true. The password will be displayed in plaintext.
The best way for your request is to use the HTTP Request Plugin.
You can pass credentials in "Authorization" in the header instead of the URL.

I ended up using the curl inside the withCredentials block.
withCredentials([usernamePassword(credentialsId: 'my_cred', usernameVariable: 'User_Name', passwordVariable: 'Password')]) {
    sh '''
        curl -v -u ${User_Name}:${Password} ...
    '''
}
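
A hardened form of the upload step, as an added example that is not part of the original thread: every use of the secret stays inside withCredentials, the Groovy string is single-quoted, and curl receives the credential on stdin instead of on its command line. The agent, the file name artifact.bin and the URL https://upload.example.invalid/ are placeholders.

```groovy
// Added example, not from the original thread. artifact.bin and the
// upload URL are placeholders; 'my_cred' is the ID used in the question.
pipeline {
    agent any
    stages {
        stage('Upload') {
            steps {
                // Masking applies only while this block is open, so the secret is
                // used here and never copied into env.* for a later stage.
                withCredentials([usernamePassword(credentialsId: 'my_cred',
                                                  usernameVariable: 'User_Name',
                                                  passwordVariable: 'Password')]) {
                    // Single-quoted Groovy string: no Groovy interpolation; the
                    // shell reads User_Name/Password from its environment.
                    sh '''
                        set +x  # stop xtrace so the expanded command is not echoed
                        # Hand the credential to curl as a config line on stdin, so
                        # it is absent from curl's argv (printf is a shell builtin).
                        # Assumes the password holds no double quote or backslash.
                        # -v is dropped: verbose output includes request headers.
                        printf 'user = "%s:%s"\\n' "$User_Name" "$Password" |
                            curl --silent --show-error --fail --config - --upload-file artifact.bin https://upload.example.invalid/
                    '''
                }
            }
        }
    }
}
```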

Related

Avoid printing passwords in Jenkins console

We have a Jenkins stage which is calling a "GetVMPassword" function from a library. The function returns a credential and it will be used to log in to a remote server. We don't want to print the "ssh command" and "calling a function command" and its response in the stage logs. So we used ‘#!/bin/sh -e \n’ before every command. Because if we print, this could reveal the remote server credentials in the stage log. This was working when we didn't use a "parallel execution" block.
When we include "ssh command" and "calling a function command" inside "parallel execution" block, passwords are printed in stage logs.
How can we avoid printing in stage logs the library command and its response when we use "parallel execution" block ?
This is snippet of my stage and parallel execution block.
Jenkins Version: 2.235.3
@Library ('MyLib_API') _
pipeline{
    agent {
        label 'master'
    }
    stages{
        stage('BuildAll'){
            steps{
                script{
                    def executions = APPSERVERS.split(',').collectEntries {APPS ->
                        ["Execution ${APPS}": {
                            stage(APPS) {
                                APP_USERNAME = "ubuntu"
                                response = getPassword("${APPS}","${APP_USERNAME}")
                                sh '#!/bin/sh -e \n' + "sshpass -p '${response}' ssh -o StrictHostKeyChecking=no ${APP_USERNAME}@${APPS} 'ls'"
                                sleep 2
                            }
                        }]
                    }
                    parallel executions
                }
            }
        }
    }
}
"getPassword" is the function in library used to get the vm password dynamically.
"APPSERVERS" values we are getting from the Active Choices parameter option. This has the list of IPs of servers.
Please help me to hide those library commands and responses from stage logs.
We have tried below options.
Used set +x and it did not work for us.
Password masking plugin will not work. Since response from the command will get print for our case.
We tried routing all the execution of commands to file and tried fetching it from there. In this option, also while parsing the file logs are printed in stage logs.

Try starting your script with set +x; if not, use password masking plugins as mentioned here - https://issues.jenkins.io/browse/JENKINS-36007

You can use input to pass the credential and mask it in log.
Here is a detailed answer stackoverflow credentials masking
You can use this as well; it works for me.
node('Node Name'){
    println('Please enter the username')
    def userName = input(
        id: 'userName', message: 'VPN Username', parameters: [
            [$class: 'hudson.model.TextParameterDefinition', defaultValue :'', name: 'Username', description: 'Please enter your username']
        ])
    println('Please enter the password')
    def userPassword = input(
        id: 'userPassword', message: 'VPN Password', parameters: [
            [$class: 'hudson.model.PasswordParameterDefinition', defaultValue :'', name: 'Password', description: 'Please enter your password']
        ])
    connectToClient = bat(returnStdout: true, script: 'start Forticlient connect -h v3 -u ' + userName+ ':' + userPassword)
    stage('Deploy (Test)'){
        withCredentials([usernamePassword(credentialsId: 'IH_IIS_JENKINS', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
            bat "msdeploy command"
        }
    }
}

In Jenkins how can I mask the contents of a dynamic variable from output?

I have a dynamic credential that I am fetching in a script. When I later use that secret it is un-masked in the Jenkins output. How can I tell Jenkins to just mask a particular string dynamically?
stage ("Release") {
    steps {
        script {
            withCredentials([
                usernamePassword(
                    credentialsId: 'github-app',
                    usernameVariable: 'GITHUB_API_ID',
                    passwordVariable: 'GITHUB_API_KEY'
                )
            ]) {
                def TOKEN = sh(
                    returnStdout: true,
                    script: '''#!/bin/bash
                        ENCODED_KEY=$(echo -n "$GITHUB_API_KEY" | base64)
                        github_app_auth "$GITHUB_API_ID" "$ENCODED_KEY" "$GITHUB_INSTALLATION_ID"
                    '''
                ).trim()
                // This function is logging TOKEN unmasked...
                glGithubRelease([
                    token: TOKEN,
                    tagName: VERSION,
                    commitish: COMMIT,
                ])
            }
        }
    }
}
In the above script I would like to know how to tell Jenkins to mask the local TOKEN. I am using withCredentials to mask my GITHUB_API_KEY and I am using #!/bin/bash to mask the contents of ENCODED_KEY (by showing no output at all) but the glGithubRelease function is 3rd party and it is logging all input parameters and I want to tell Jenkins to mask the TOKEN string as if it's a credential.
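
One way to mask a value computed at run time, assuming the Mask Passwords plugin is installed (added example, not the poster's code or the plugin authors' code): its build wrapper registers TOKEN as an extra string to hide in the console log for the enclosed steps. The surrounding pipeline and agent are assumptions; the other names come from the question.

```groovy
// Added example. Assumes the Mask Passwords plugin is installed; VERSION,
// COMMIT, GITHUB_INSTALLATION_ID and glGithubRelease come from the question.
pipeline {
    agent any
    stages {
        stage('Release') {
            steps {
                script {
                    withCredentials([usernamePassword(credentialsId: 'github-app',
                                                      usernameVariable: 'GITHUB_API_ID',
                                                      passwordVariable: 'GITHUB_API_KEY')]) {
                        def TOKEN = sh(returnStdout: true, script: '''#!/bin/bash
                            ENCODED_KEY=$(echo -n "$GITHUB_API_KEY" | base64)
                            github_app_auth "$GITHUB_API_ID" "$ENCODED_KEY" "$GITHUB_INSTALLATION_ID"
                        ''').trim()

                        // withCredentials only knows the bound values, not strings
                        // derived from them, so TOKEN is registered separately.
                        wrap([$class: 'MaskPasswordsBuildWrapper',
                              varPasswordPairs: [[password: TOKEN]]]) {
                            // Console output of the enclosed steps has TOKEN replaced.
                            glGithubRelease([
                                token: TOKEN,
                                tagName: VERSION,
                                commitish: COMMIT,
                            ])
                        }
                    }
                }
            }
        }
    }
}
```

The match is on the literal string, so an encoded form of TOKEN (base64, URL-encoded) written to the log is not covered.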

How to use credential function in jenkins file which has node, stage

I am not getting Google credentials when I am using the below code.
def GOOGLE_CREDENTIALS = credentials('XYZ Credentials')
[Edited]
Please check this official guide to see if you have defined it correctly.
Also check if you're passing credentials ID, not a description to credentials() method.
If you're using Jenkins pipelines, you also can try Credentials Binding Plugin.
From plugin wiki, a typical example of a username password type credential would look like:
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
    // available as an env variable, but will be masked if you try to print it out any which way
    // note: single quotes prevent Groovy interpolation; expansion is by Bourne Shell, which is what you want
    sh 'echo $PASSWORD'
    // also available as a Groovy variable
    echo USERNAME
    // or inside double quotes for string interpolation
    echo "username is $USERNAME"
}
For scripted pipeline you can use withCredentials() as well (see this):
node {
    withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
        sh '''
            set +x
            curl -u "$USERPASS" https://private.server/ > output
        '''
    }
}
Or you can use withEnv() section:
node {
    withEnv(["CREDS=credentials('jenkins-creds')"]) {
        stage('Build') {
            sh 'printenv'
        }
    }
}
Here is my working example
node {
    stage('Preparing env') {
        withCredentials([usernamePassword(credentialsId: 'XYZ Credentials', passwordVariable: 'GOOGLE_CREDENTIALS_PSW', usernameVariable: 'GOOGLE_CREDENTIALS_USR')]) {
            // Do something here with your username and password variables
        }
    }
}

How to invoke Jenkins credentials in a jenkins scripted pipeline (not declarative)

I am trying to use a Jenkins scripted pipeline to invoke the config file provider plugin along with fetching credentials from Jenkins for the username and password, but the below doesn't seem to work.
node {
    def mvnHome
    def mvnSettings
    stage('Prepare') {
        mvnHome = tool 'maven-3.5.4'
    }
    stage('Checkout') {
        checkout scm
    }
    stage('Deploy'){
        def usernameLocal, passwordLocal, usr, psw
        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'xyz', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
            usernameLocal = env.USERNAME
            passwordLocal = env.PASSWORD
        }
        configFileProvider(
            [configFile(fileId: '*********', variable: 'MAVEN_SETTINGS', replaceTokens: true)])
        {
            usr="${usernameLocal}"
            psw="${passwordLocal}"
            sh "echo $usr"
            sh "'${mvnHome}/bin/mvn' -s $MAVEN_SETTINGS deploy -Dserver.username="${usernameLocal}" -Dserver.password="${passwordLocal}""
        }
    }
}
where server.username and server.password are defined as properties under settings.xml server section for username and password.
Looks like I found out the issue and it's nothing to do with withCredentials used here, rather to do with the config file provider plugin. So I am able to print the credentials username correctly but somehow the config file provider is unable to substitute the variable value in the settings.xml.
So I don't get any error anymore, it's just that the deployment doesn't go through with 401 unauthorized since the below in my settings.xml never gets the correct values:
<server>
    <id>snapshot</id>
    <username>${server.username}</username>
    <password>${server.password}</password>
</server>
Could you please advise how to resolve this?
The variables created by withCredentials are Groovy variables not environment variables. Try the following:
stage('Deploy'){
    withCredentials([usernamePassword(credentialsId:'xyz', passwordVariable: 'Password', usernameVariable: 'Username')]) {
        configFileProvider([configFile(fileId: 'abcde', variable:'MAVEN_SETTINGS')]) {
            sh "'${mvnHome}/bin/mvn' -s $MAVEN_SETTINGS deploy -Dserver.username=${Username} -Dserver.password=${Password}"
        }
    }
}
Ok I figured out the solution, declare the configFileProvider entire section under the block of withCredentials and pass:
-Dserver.username='${usernameLocal}' -Dserver.password='${passwordLocal}'
(Please note single quotes). This way the values also get substituted and are outputted in the logs as masked.

Environment variables on Jenkins pipeline for user and password

I'm quite new to using Groovy for Jenkins pipeline. I have a pipeline that is already running, performing some steps like running unit tests, SonarQube analysis etc. One of the steps is to upload an artifact to Artifactory using curl -u. I don't want to show user and pass in the output script, so I'm using the credentials plugin, in which I stored the user and password and which has the ID. But I don't know how to pass that to the sh command using variables. This is what I have now in that step using withCredentials.
stage ('Upload war to Artifactory') {
    withCredentials([usernamePassword(credentialsId: '7c9e8186-1f16-4920-837b-b571ea88a7e8', usernameVariable: 'willy11', passwordVariable: 'hello123')])
    sh "sudo curl -u ${willy11}:{$hello123} -T $warPath 'https://artifactory.xxxxx.com:443/artifactory/Platform/$warFile'"
I don't know how to pass or define values of usernameVariable and passwordVariable to use on the curl command. The way it is now, I get on output script:
java.lang.IllegalStateException: **There is no body to invoke**
at org.jenkinsci.plugins.workflow.cps.CpsStepContext.newBodyInvoker(CpsStepContext.java:283)
at org.jenkinsci.plugins.workflow.cps.CpsStepContext.newBodyInvoker(CpsStepContext.java:95)
How can I achieve this? The credentials plugin, I read, supposedly puts *** on the output of the script; is this how it works? Should I declare "will11" and "hello123" elsewhere and use them as env variables?
Thank you.
def call(body) {
    def config = [:]
    body.resolveStrategy = Closure.DELEGATE_FIRST
    body.delegate = config
    body()
    def artifactName = 'extractor'
    def artifactExt = '.war'
    def artifactVersion = '0.0.1'
    def buildPath = 'target/'
    def warFile = artifactName + '-' + artifactVersion + artifactExt
    def warPath = buildPath + warFile
    def warNoVersion = artifactName + artifactExt
    def deployPath = '/var/lib/tomcat8/webapps/'
    def deployFile = deployPath + warNoVersion
    node {
        // Clean workspace before doing anything
        //deleteDir()
        try {
            stage ('Code Checkout') {
                git branch: 'master',
                    credentialsId: 'xxxxxxxxxxxxxxxxxxxxxxxxxx',
                    url: 'ssh://git@bitbucket.org/xxxxxxx/xxxxxxxctor'
            }
            stage ('Configure Application') {
                configFileProvider([configFile(fileId: config.confiFileId, variable: 'CONFIG_FILE_PATH')]) {
                    sh 'cp $CONFIG_FILE_PATH resources/config.properties'
                }
                sh "echo 'job_name: $JOB_NAME' > WebContent/version.txt"
                sh "echo 'job_number: $BUILD_NUMBER' >> WebContent/version.txt"
            }
            stage ('Run Unitests') {
                sh 'mvn test'
            }
            /*stage ('SonarQube analysis') {
            withSonarQubeEnv('xxxxxxxxxxxxxxxx) {
            sh 'mvn sonar:sonar'
            }
            }*/
            stage ('Compile and Build WAR') {
                sh 'mvn clean compile war:war'
            }
            stage ('Upload war to Artifactory') {
                withCredentials([usernamePassword(credentialsId: '7c9e8186-1f16-4920-837b-b571ea88a7e8', usernameVariable: 'USER', passwordVariable: 'PASSWORD')])
                sh "sudo curl -u ${USER}:{$PASSWORD} -T $warPath 'https://artifactory.xxxxxxx.com:443/artifactory/Platform/$warFile'"
            }
        } catch (err) {
            notifyBuild('FAILURE', config.slackChannel)
            throw err
        }
    }
}
When you use the credentials binding plugin the credentials will be bound to environment variables and the code to be executed must be inside the curly braces of the withCredentials statement, this is what we've missed.
So use:
stage ('Upload war to Artifactory') {
    withCredentials([usernamePassword(credentialsId: '7c9e8186-1f16-4920-837b-b571ea88a7e8', usernameVariable: 'USER', passwordVariable: 'PASSWORD')]) {
        sh ("sudo curl -u $USER:$PASSWORD -T $warPath 'https://artifactory.xxxxx.com:443/artifactory/Platform/$warFile'")
    }
}
instead of:
stage ('Upload war to Artifactory') {
    withCredentials([usernamePassword(credentialsId: '7c9e8186-1f16-4920-837b-b571ea88a7e8', usernameVariable: 'USER', passwordVariable: 'PASSWORD')])
    sh "sudo curl -u ${USER}:{$PASSWORD} -T $warPath 'https://artifactory.xxxxxxx.com:443/artifactory/Platform/$warFile'"
}
