Better built-in secure field support #64

Closed
samrocketman opened this issue May 28, 2015 · 6 comments
@samrocketman
Owner

Right now a lot of the work for secure field support is offloaded to the user. I want this to be made even easier by offloading most of this work into the library. See also #22.

@samrocketman
Owner Author

Here's how it can be supported, based on using securityIO and the repository-secrets proof of concept using openssl commands to encrypt strings.

jenkins:
  secrets_id: "<Jenkins RSA key identifier>"
  secrets:
    - key: MY_ENVIRONMENT_VAR
      secret: <rsa encrypted string>
    - key: ANOTHER_ENVIRON_VAR
      secret: <rsa encrypted string>

Job DSL to obtain the private key from Jenkins.

import jenkins.model.Jenkins

//Returns the private key of the SSH credential with the given ID stored on
//a folder, or an empty string if no matching credential is found.
public String getFolderRSAKeyCredentials(String folder, String credentials_id) {
    def credentials
    //locate the folder's credentials property
    def properties = Jenkins.getInstance().getJob(folder).getProperties()
    for(int i=0; i < properties.size(); i++) {
        if(properties.get(i).getClass().getSimpleName() == 'FolderCredentialsProperty') {
            credentials = properties.get(i)
        }
    }
    String found_credentials = ''
    if(credentials != null ) {
        //search every credentials domain for an SSH private key with a matching ID
        credentials.getDomainCredentials().each { domain ->
            domain.getCredentials().each { credential ->
                if(credential != null && credential.getClass().getSimpleName() == 'BasicSSHUserPrivateKey') {
                    if(credential.getId() == credentials_id) {
                        found_credentials = credential.getPrivateKey()
                    }
                }
            }
        }
    }
    return found_credentials
}

println getFolderRSAKeyCredentials('folder', 'cred-id')

@samrocketman samrocketman modified the milestone: jervis-0.4 Feb 14, 2016
@samrocketman
Owner Author

Created a test repo. https://github.com/samrocketman/jervis-secrets-test

@samrocketman
Owner Author

https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin can be used to set the secret vars.

@samrocketman
Owner Author

The securityIO class should be handled carefully because it uses files. If temp files are to be used, they should be used like this:

File priv_key = File.createTempFile('temp', '.txt')
//delete file if JVM is shut down
priv_key.deleteOnExit()
try {
    priv_key.write(getFolderRSAKeyCredentials('folder', 'cred-id'))
    //do some stuff with secrets
    //use the absolute path when referencing
    //priv_key.getAbsolutePath()
}
catch(Throwable t) {
    //clean up temp file
    priv_key.delete()
    //rethrow caught exception
    throw t
}
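
Editorial example, not part of the issue thread or the Jervis code base: a variant of the temp-file pattern above that creates the key file with owner-only permissions and deletes it on the success path as well as on failure, since `deleteOnExit()` only fires when a long-running Jenkins JVM shuts down. The helper name `withPrivateKeyFile` and the sample key string are hypothetical, and a POSIX file system is assumed.

```groovy
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.FileAttribute
import java.nio.file.attribute.PosixFilePermissions

// Hypothetical helper (not part of Jervis): writes key material to a temp file,
// passes the absolute path to a closure, and always removes the file afterwards.
def withPrivateKeyFile(String keyMaterial, Closure body) {
    // Owner-only permissions are requested at creation time, so the file never
    // exists with wider access (assumption: POSIX file system).
    FileAttribute ownerOnly = PosixFilePermissions.asFileAttribute(
        PosixFilePermissions.fromString('rw-------'))
    Path keyFile = Files.createTempFile('secret-key', '.pem', ownerOnly)
    try {
        Files.write(keyFile, keyMaterial.getBytes('UTF-8'))
        return body(keyFile.toAbsolutePath().toString())
    }
    finally {
        // runs whether the closure returned normally or threw
        Files.deleteIfExists(keyFile)
    }
}

// Constructed sample input: a placeholder, not a real key. In the setup from
// the thread this would be the string from getFolderRSAKeyCredentials().
String sampleKey = '-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n-----END RSA PRIVATE KEY-----\n'

// Success path: the file is readable inside the closure and gone afterwards.
String usedPath = withPrivateKeyFile(sampleKey) { String path ->
    File f = new File(path)
    assert f.text == sampleKey
    assert PosixFilePermissions.toString(Files.getPosixFilePermissions(f.toPath())) == 'rw-------'
    return path
}
assert !new File(usedPath).exists()

// Failure path: the exception propagates and the file is still removed.
String failedPath = null
try {
    withPrivateKeyFile(sampleKey) { String path ->
        failedPath = path
        throw new IllegalStateException('constructed failure')
    }
}
catch(IllegalStateException expected) {
    assert !new File(failedPath).exists()
}
println 'temp key file removed on both paths'
```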

@samrocketman
Owner Author

https://issues.jenkins-ci.org/browse/JENKINS-31674 for Job DSL implementation.

@samrocketman
Owner Author

Support added in:

  • 00ec1be secure property support in lifecycleGenerator
  • 8c0eac5 encrypted property support in firstjob DSL
