Mask Credentials in Jenkins Plugin

DaGeRe · February 2, 2022, 3:01pm

I’m currently writing a Jenkins plugin that executes performance measurement runs (https://github.com/jenkinsci/peass-ci-plugin) and afterwards provides access to the measurement run logs via own Action, for example in peass-ci-plugin/RTSLogAction.java at 10b37a03928d8d8fddf87511cfe32072012d3448 · jenkinsci/peass-ci-plugin · GitHub.

While this works technically correct, it does not mask credentials that have been provided to the run. So if I got a configuration like this:

    stage('Measure Performance') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'PW1', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
                    measure VMs: 2, iterations: 3, properties: "-PmavenPassword=$PASSWORD -PmavenUser=$USER",
                }
            }
        }

the value of password will be printed out in the logs directly. Since the logs contain of several repeated VM starts, printing all logs directly to the Jenkins console is no solution. Therefore, the plugin also needs to mask the password for the logs, i.e. I somehow need the Pattern that is used for credentials replacement by the credentials plugin.

As far as I see it, I can get the Pattern by in perform-methods in my Builder like public boolean perform(final AbstractBuild<?, ?> build, final Launcher launcher, final BuildListener listener) (which take the AbstractBuild), if I run SecretBuildWrapper.getPatternForBuild((AbstractBuild<?, ?>) build) from the credentials-binding-plugin. But this perform method is not called in my regular method perform(final Run<?, ?> run, final FilePath workspace, final EnvVars env, final Launcher launcher, final TaskListener listener) if I use a pipeline script (for classical jobs, it seems to work).

I also tried using Recorder instead of Builder: I added another build step, which is a recorder with a different symbol, and implemented its perform method. Unfortunately, the same behavior appears: Methods having an AbstractBuild in the signature are not called.

Is there any way to get the Pattern to mask the credentials, or some other way to achieve that credentials are masked in the additional logs?

bpedersen2 · February 3, 2022, 6:58am

Probably the easiset way would be to not pass the credentials as strings to your plugin, but use the credentials API (so you just pass a credentials id).

DaGeRe · February 3, 2022, 3:03pm

Thanks a lot!

Passing the credentials separately solved the problem: https://github.com/jenkinsci/peass-ci-plugin/commit/2e45f44d8a53c25d201c73d39e0cfafa4b6b4231

Topic		Replies	Views
Censor Jenkins Console Output Ask a question	1	874	March 4, 2022
Prevent developers from stealing jenkins credentials Using Jenkins sig-security	8	2539	June 10, 2023
Jenkins casc utilize secret files to store credentials Ask a question question	3	2324	March 2, 2023
In withCredentials() block get username and password variables' names Using Jenkins question	0	1100	February 16, 2023
Credentials Binding Plugin - Not running on the Jenkins controller JVM Community	2	615	October 6, 2023

Mask Credentials in Jenkins Plugin

Related Topics