[JENKINS-44860] Allow usernames to be left unmasked in build log #131
Conversation
- `set +x` will avoid any console output, so the tests didn't actually test anything, as no credentials was logged masked or not. Same goes for `@echo off` for Windows
To avoid findbugs to fail the build. Used the same value as used in the other serializable classes.
…ding-plugin into show-username-JENKINS-44860
…ding-plugin into show-username-JENKINS-44860
jglick
changed the title
This adds |
Because the Declarative syntax is simply environment {
MYCREDS = credentials('the-credentials-id')
}You do not get a choice of which binding to use, much less its specific options. |
Could we make a setting on the credential itself to control whether the name is exposed by default, hidden by default, or not allowed? This seems like a behavior the admins who control the credentials should have some control over. |
I think I remember talking about this with @jeffret-b a while back, IIRC we agreed that this is where it should be as need to mask might depend on the kind of username it is. |
|
Could become a field in |
|
Yes, we did discuss adding some properties on a credential to control things like this -- visibility and other usage behaviors. It does transfer control from the pipeline author to the credential creator, but it makes sense that the owner / creator of the credential should be able to control things like this. It's been quite a while since I looked into things with this, though. |
Check #132. |
JENKINS-44860: Allows usernames to left unmasked in the build log. Continues #50 (and thus #44).
Note that this functionality is available only in Scripted syntax, or at least when explicitly using the
withCredentialsstep. In Declarative using thecredentialssyntax in anenvironmentblock, https://github.com/jenkinsci/pipeline-model-definition-plugin/blob/15978cd172a8d34e2cd6bf8a6bfeaa5514d44dad/pipeline-model-definition/src/main/resources/org/jenkinsci/plugins/pipeline/modeldefinition/ModelInterpreter.groovy#L463-L475 calls https://github.com/jenkinsci/pipeline-model-definition-plugin/blob/15978cd172a8d34e2cd6bf8a6bfeaa5514d44dad/pipeline-model-definition/src/main/java/org/jenkinsci/plugins/pipeline/modeldefinition/credentials/impl/UsernamePasswordHandler.java#L61-L68 which will continue to mask the username. Adding a third binding in which it is unmasked would do no good, since it would still be considered secret due to the second binding. Changing the second binding to setshowUsernametotruewould potentially be a security vulnerability, in case a user expected the username from some credentials to be sensitive: merely upgrading thecredentials-bindingplugin would quietly begin printing the username in new builds. The problem is that Declarative tries to autodetect the right bindings to use based on the credentials type, which is convenient but forecloses the possibility of (compatibly) adding alternative behaviors: there is no place in the syntax for selecting a binding or a binding option.