使用Jenkins凭证插件以纯文本形式显示密码 [英] Password shows in plain text using Jenkins credentials plugin

问题描述

我正在尝试使用Jenkins凭据插件来获取用户输入，并在Jenkinsfile中使用它进行处理.由于密码字段高度敏感，因此我希望凭据插件可以屏蔽密码，使其不会在控制台输出中显示.但是似乎密码以纯文本显示.我注意到了一个现有问题 https://issues.jenkins-ci.org/browse/JENKINS -38181 讨论withCredentials块之外的echo语句，以纯文本形式显示密码，这是预期的.但就我而言，withCredentials块中的甚至echo语句也显示为纯色.

I am trying to use Jenkins Credentials plugin to get user input and make use of it in Jenkinsfile for processing. Since the password field is highly sensitive, I was hoping credentials plugin would mask the password from displaying in the console output. However seems like password is displayed in plain text. I noticed an existing issue https://issues.jenkins-ci.org/browse/JENKINS-38181 that talks about echo statements outside of withCredentials block displays passwords in plain text, which is expected. But in my case, even echo statements inside withCredentials block is displayed plain.

我在这里做错什么了吗?我应该避免使用echo吗?

Am i doing something wrong here? Should I just refrain from using echo?

凭证绑定插件:1.12
凭据插件:2.1.16

Credentials Binding Plugin: 1.12
Credentials Plugin: 2.1.16

 node('someagent') {
    stage 'input'
    def userNameInput = input(
        id: 'UserName', message: 'input your username: ', ok: 'ok', parameters: [string(defaultValue: 'user', description: '.....', name: 'DB_USER')]
    )
    def userPasswordInput = input(
        id: 'Password', message: 'input your password: ', ok: 'ok', parameters: [string(defaultValue: 'password', description: '.....', name: 'DB_PASS')]
    )
    withCredentials(bindings: [usernamePassword(credentialsId: 'CREDS', usernameVariable: userNameInput, variable: userPasswordInput)]) {
     echo ("My Username: ${userNameInput}")
     echo ("My Password: ${userPasswordInput}")
    }
}

控制台输出:

[Pipeline] {
[Pipeline] stage (input)
Using the ‘stage’ step without a block argument is deprecated
Entering stage input
Proceeding
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
My Username: user
[Pipeline] echo
My Password: password
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

推荐答案

您不正确理解withCredentials用法.使用withCredentials时，意味着已将凭据添加到Jenkins中，withCredentials可以将用户名和密码值提取到Shell变量中，然后可以通过引用Shell变量来使用它们.

You don't understand the withCredentials usage correctly. When use withCredentials, means the credential had been added into Jenkins, withCredentials can extract the user and password value into Shell variables, then you can use them by refer the shell variables.

因此无法将用户名和密码提取到预定义的Groovy变量中.

So there is no way to extract the user and password into your pre-defined Groovy variable.

withCredentials的正确用法:

withCredentials([usernamePassword(
    credentialsId: 'CREDS', // the CREDS should be exist in Jenkins
    passwordVariable: 'pwd', // you need to use a string, not a Groovy variable
    usernameVariable: 'user') // you need to use a string, not a Groovy variable
]) {
    sh '''
    echo UserName: ${user} // the user and pwd injected into Shell Context as Environment variable
    echo Password: ${pwd} // will show as *** in jenkins console
    '''

    // If you user `"` or `"""` to wrapper a string, 
    // Groovy will execute string substitution with Groovy variable if 
    // same name variable exist in Groovy Context
    // otherwise the string keep nothing change

    sh """
     echo ${user} 
     echo ${pwd}  // will show as *** in jenkins console
    """
    // because the user and pwd not exist Groovy context
    // so substitution will fail and the string keep no change
    // then execute the string in Shell by sh(), 
    // the user and pwd can be found in Shell context
}

实际上，您的以下代码将首先由Groovy执行字符串替换. 这就是为什么您在jenkins控制台

Actually your below code will execute string substitution by Groovy firstly. This why you see the password show in plain text in jenkins console

 echo ("My Username: ${userNameInput}") 
 echo ("My Password: ${userPasswordInput}")

 // because userNameInput and userPasswordInput exist in Groovy variables,
 // so the ${userNameInput} and ${userPasswordInput} will be replaced to
 // the value of Groovy variables before echo, as result ${userNameInput}
 // and ${userPasswordInput} used variable from Groovy, rather then from Shell

这篇关于使用Jenkins凭证插件以纯文本形式显示密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！