New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JENKINS-60373: Read secret from file and encode it with base64 #1219
Comments
The suggested declaration format is:
or perhaps
|
Sounds like a reasonable approach that has caused pain for people using certain plugins for a long time |
@timja, great to hear that. If you can point to some other use-cases to keep in mind while implementing that, that would be good. |
There's some google plugins that have similar issues, can't remember off the top of my head though |
Note that this was just a dashed-off example. Probably you can find a more intuitive / readable syntax studying some other configuration languages. |
Test secret string whether it is path or base 64 string encoded? |
Any updates on this? |
@jglick @olivergondza @timja Though it will cleanup some of the code as StringSubstitutor already supports default value via
I would properly settle for:
|
For my own sanity I will extend FileStringLookup to only allow UTF-8. |
ARGH... I am left to use second |
Really happy that we had such good test coverage of our SecretResolver. I would actually like to benchmark it @oleg-nenashev @AbhyudayaSharma 😅 |
Syntax would look like this:
Hopefully that is acceptable? |
@jetersen https://www.jenkins.io/blog/2019/06/21/performance-testing-jenkins/ should get you started. It will be great to have these benchmarks in JCasC. Please let me know if you need any help. |
@AbhyudayaSharma I did some quick initial simple tests. Though SecretSourceResolver is actually on the critical path meaning all values in the JCasC yaml has to go through it. So I have added a test that sort of simulates it by calling it 100 times, which is also really slow 😅 (Stilling waiting on results from first run). I should try and add a test case for actually going through jcasc.Configure method though it might be terribly slow |
Ah I would need to use different |
Feature Request
I am looking for a way to practically and securely inject binary secrets from
/run/secret
into afile
credential type (plain-credentials
plugin). The challenge is, the input is expected to be base64 encoded so reading the file as-is from/run/secrets
does not work. Extendingplain-credentials
to read the file content instead of expecting inlined string is something that was proven challenging to secure. Several approaches to address that was discussed in JENKINS-60373 and I would like to propose the most straightforward one[1].Introduce a new syntax, that would permit reading file from filesystem and encoding the content with base64 to close the gap between traditional secrets injection and
file
credential. The reasoning is that when the feature is specific for JCasC, it is by definition restricted to administrators eliminating possible arbitrary file read vulnerabilities.[1] https://issues.jenkins-ci.org/browse/JENKINS-60373?focusedCommentId=381101&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-381101
The text was updated successfully, but these errors were encountered: