Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mask Regexes and Global option #6

Merged
merged 11 commits into from
Nov 8, 2016
Merged

Mask Regexes and Global option #6

merged 11 commits into from
Nov 8, 2016

Conversation

jantman
Copy link
Contributor

@jantman jantman commented Aug 4, 2016

This pull request adds two major features to the Mask Passwords plugin:

  1. The ability to mask user-defined regular expressions in addition to passwords. This is useful because (a) it doesn't require defining the password explicitly in the configuration and, (b) it supports masking secrets that aren't known ahead of time. Our use case is AWS credentials; the AWS secret key portion of credentials matches (?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]). The previous Mask Passwords implementation caused problems for jobs that use temporary credentials, or that generate their own credentials and echo them in the job's output.
  2. The ability to enable the plugin globally. This is implented as a ConsoleLogFilter not inside a BuildWrapper, i.e. a global ConsoleLogFilter. The implementation checks the plugin's global configuration, and only decorates the logger if the global enable setting is true. I'm aware that this is probably a bad thing for most users, and have done my best to make the help messages very clear for that. However, for some users (such as myself) who don't have centralized control over job configuration (i.e. anyone in the organization can add or modify jobs), this is necessary in order to suppress credentials from being logged.

I've tested this manually to the best of my abilities using both Jenkins 1.609.1 (as set in pom.xml) as well as the official Docker images of 1.625.2 and 2.7.1.

scoheb
scoheb reviewed Aug 9, 2016
View reviewed changes
README.md
@@ -4,7 +4,7 @@ Copyright &copy; 2010-2011, Manufacture Francaise des Pneumatiques Michelin, Rom

About this plugin
-----------------
The Mask Passwords plugin is meant to be used from [Hudson][1] or [Jenkins][2] to mask passwords which may appear from builds' console. Please take a look at [Jenkins' wiki][3] to get detailed information.
The Mask Passwords plugin is meant to be used from [Hudson][1] or [Jenkins][2] to mask passwords or regulat expressions which may appear from builds' console. Please take a look at [Jenkins' wiki][3] to get detailed information.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops. Apologies. Fix pushed up.

@oleg-nenashev oleg-nenashev self-assigned this Aug 9, 2016
oleg-nenashev
oleg-nenashev reviewed Aug 9, 2016
View reviewed changes
README.md
@@ -4,7 +4,7 @@ Copyright &copy; 2010-2011, Manufacture Francaise des Pneumatiques Michelin, Rom

About this plugin
-----------------
The Mask Passwords plugin is meant to be used from [Hudson][1] or [Jenkins][2] to mask passwords which may appear from builds' console. Please take a look at [Jenkins' wiki][3] to get detailed information.
The Mask Passwords plugin is meant to be used from [Hudson][1] or [Jenkins][2] to mask passwords or regular expressions which may appear from builds' console. Please take a look at [Jenkins' wiki][3] to get detailed information.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This version is not compatible with Hudson anymore. Unrelated to this PR btw

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, shall I remove the Hudson link, while I'm touching the README?

@jantman
Copy link
Contributor Author

jantman commented Aug 9, 2016

@oleg-nenashev thanks so much for looking at this! About to go into a meeting, but will have those comments addressed within the next few hours.

oleg-nenashev
oleg-nenashev reviewed Aug 9, 2016
View reviewed changes
README.md
[3]: http://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin
[4]: https://svn.jenkins-ci.org/trunk/hudson/plugins/mask-passwords/
[5]: https://github.com/jenkinsci/mask-passwords-plugin
[1]: http://jenkins-ci.org/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

outdated link. Now it's https://jenkins.io. Not important btw

@jantman
remove Hudson link from README; this plugin is no longer compatible w…
d65e0fe 
…ith Hudson

retain old constructor signature for binary compatibility

fix Jenkins link

CheckForNull on VarMaskRegex equals method
@jantman
fixes per code review in pull request
dd9a0bd
@jantman
Copy link
Contributor Author

jantman commented Aug 10, 2016

@oleg-nenashev Thank you so much for your time on this. As is probably obvious, this is more Java than I've written in the last 10 years combined. Sorry if some of these issues should be relatively basic, but I really appreciate your time to help with this.

@jantman
Copy link
Contributor Author

jantman commented Aug 15, 2016

@oleg-nenashev I'm sure you're very busy, but would it be possible to get some feedback on my updates? I'm trying to figure out if I should wait for movement on this PR, or figure out how to distribute and install my forked version internally...

@oleg-nenashev
Copy link
Member

@jantman sorry about the delay

@jantman
Copy link
Contributor Author

jantman commented Sep 15, 2016

@oleg-nenashev ok... any odds of getting some input on this?

@jniesen
Copy link

jniesen commented Sep 26, 2016

Is this still under review?

@oleg-nenashev
Copy link
Member

It's somewhere in my TODO list, but I haven't have a chance to investigate this and other PRs in this plugin yet. I commonly do it in a burst (one plugin per weekend), but I have not reached this plugin yet

@mryan43
Copy link

mryan43 commented Oct 26, 2016
edited
Loading

This looks very useful ! I'm going to test this internally as a snapshot version because we need this feature.

I have a slightly different requirement though, my problem is with output of passwords in mercurial URLs by the m2 release plugin, it displays in logs : hg push https://user:password@mercurial.my.org/repo, with password in cleartext.

The only way I know to mask this one is to put the releaser's mercurial credentials in global masked passwords wich is really bad because they change often and a failure to update the global passwords results in a clear text password in logs.

I'd like to use a regexp like this : :\/\/.*:(.*)@ and mask only the capture group instead of the whole match. Do you think it would be possible ?

@mryan43
Copy link

mryan43 commented Oct 26, 2016

FWI the snapshot version works like a charm for us, using regex and global activation, two great features ! Thanks a lot @jantman

@oleg-nenashev oleg-nenashev merged commit 237ffde into jenkinsci:master Nov 8, 2016
@jantman
Copy link
Contributor Author

jantman commented Nov 8, 2016

Thanks so much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oleg-nenashev oleg-nenashev oleg-nenashev left review comments

Assignees

@oleg-nenashev oleg-nenashev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jantman @oleg-nenashev @jniesen @mryan43 @scoheb