security

[!NOTE|label:references:]

get securityRealm

import hudson.security.*
import jenkins.security.*
import jenkins.model.Jenkins

def jenkins = jenkins.model.Jenkins.getInstance()
println jenkins.securityRealm
println jenkins.authorizationStrategy


// -- result --
// hudson.security.LDAPSecurityRealm@7d090e41
// hudson.security.ProjectMatrixAuthorizationStrategy@6d51bb9d

authorization strategy

decrypt credentials.xml

[!NOTE|label:references:]

hudson.util.Secret.fromString('{..string..}').getPlainText()
// or
hudson.util.Secret.fromString('{..string..}').getEncryptedValue()
  • example
    hudson.util.Secret.fromString('{AQAAABAAAAAQszhBK4LXdjzjqP/7w8yQWbD4+Kf1ql4XnYEnPUyvP2o=}').getPlainText()
    // 123456
    

list all Jenkins supported authorization permissions

hudson.security.Permission.getAll().each { p ->
  println "${p.name} :\n" +
          "\t${p.id} : ${p.description}"
}
  • better one

    import hudson.security.GlobalMatrixAuthorizationStrategy
    import hudson.security.Permission
    import hudson.security.ProjectMatrixAuthorizationStrategy
    import jenkins.model.Jenkins
    
    String shortName( Permission p ) {
      Map<String, String> replacement = [
                     'Hudson' : 'Overall' ,
                   'Computer' : 'Agent'   ,
                       'Item' : 'Job'     ,
        'CredentialsProvider' : 'Credentials'
      ]
      p.id
       .tokenize('.')[-2..-1]
       .collect { replacement.get(it) ?: it }
       .join(' ')
    }
    
    Map<String, Permission> permissionIds = Permission.all.findAll { permission ->
      List<String> nonConfigurablePerms = ['RunScripts', 'UploadPlugins', 'ConfigureUpdateCenter']
      permission.enabled &&
        ! permission.id.startsWith('hudson.security.Permission') &&
        ! nonConfigurablePerms.any { permission.id.endsWith(it) }
    }.collect { permission ->
      [ (shortName(permission)): permission ]
    }.sum()
    
    // show result
    println permissionIds.collect {
      it.key + ' : ' + it.value.id
    }.join ('\n')
    
    'DONE'
    

get current authorization strategy class

import hudson.model.*
import hudson.security.*

Hudson instance = Jenkins.getInstance()
def strategy = instance.getAuthorizationStrategy()
println strategy.getClass()

// result
// class hudson.security.ProjectMatrixAuthorizationStrategy

get raw authorization and permissions info

Jenkins.instance
       .authorizationStrategy
       .grantedPermissions
       .collect{ p, u -> [ (p.id), u ] }
  • or
    Jenkins.instance
           .authorizationStrategy
           .grantedPermissions
           .each { p, u -> println "\n${p} :\n\t${u}" }
    

ProjectMatrixAuthorizationStrategy

grant permission to user

import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.security.Permission
import hudson.security.ProjectMatrixAuthorizationStrategy
import jenkins.model.Jenkins

ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
String id   = 'hudson.model.Hudson.Administer'
String user = 'marslo'
authorizationStrategy.add( Permission.fromId(id), user )

// save strategy
Jenkins.instance.authorizationStrategy = authorizationStrategy
Jenkins.instance.save()

add new configurations according to Map structure

create new instance

  • new

    import hudson.security.*
    ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
    
  • via getAuthorizationStrategy

    import hudson.model.*
    import hudson.security.*
    
    def strategy = Jenkins.getInstance().getAuthorizationStrategy()
    def authorizationStrategy = strategy.class.newInstance()
    
  • new instance from name

    String instanceName = 'hudson.security.ProjectMatrixAuthorizationStrategy'
    def strategy = Class.forName(instanceName).newInstance()
    println strategy.class
    
    // -- result --
    // class hudson.security.ProjectMatrixAuthorizationStrategy
    
  • get groups list

    import hudson.model.*
    import hudson.security.*
    
    ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
    println authorizationStrategy.getGroups()
    

RoleBasedAuthorizationStrategy

add 'admin' user to all permissions

import hudson.*
import hudson.security.*
import jenkins.model.*
import java.util.*
import com.michelin.cio.hudson.plugins.rolestrategy.*
import com.synopsys.arc.jenkins.plugins.rolestrategy.*
import java.lang.reflect.*
import java.util.logging.*
import groovy.json.*

import jenkins.*
import com.michelin.cio.hudson.plugins.rolestrategy.*

String admin = 'admin'

// Turn security on
RoleBasedAuthorizationStrategy authorizationStrategy = new RoleBasedAuthorizationStrategy()
// ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
Jenkins.instance.setAuthorizationStrategy(authorizationStrategy)

Constructor[] constrs = Role.class.getConstructors()
for (Constructor<?> c : constrs) {
  c.setAccessible(true)
}

Method assignRoleMethod = RoleBasedAuthorizationStrategy.class.getDeclaredMethod( "assignRole", String.class, Role.class, String.class )
assignRoleMethod.setAccessible( true )
Set<Permission> adminPermissions = new HashSet<Permission>()
hudson.security.Permission.getAll(){ adminPermissions.add(Permission.fromId(it) }
Role adminRole = new Role( admin, adminPermissions )
authorizationStrategy.addRole( RoleBasedAuthorizationStrategy.GLOBAL, adminRole )

crumb issuer

reference:

get crumb issuer

import hudson.security.csrf.DefaultCrumbIssuer

DefaultCrumbIssuer issuer = jenkins.model.Jenkins.instance.crumbIssuer
String jenkinsCrumb = "${issuer.crumbRequestField}:${issuer.crumb}"
println jenkinsCrumb

// Jenkins-Crumb:b8a9cd5***********

set crumb issuer

import jenkins.model.Jenkins

Jenkins jenkins = jenkins.model.Jenkins.instance
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))
jenkins.save()

clean up all pending Async Resource Disposers items

import org.jenkinsci.plugins.resourcedisposer.AsyncResourceDisposer
import org.jenkinsci.plugins.strictcrumbissuer.StrictCrumbIssuer

AsyncResourceDisposer disposer = AsyncResourceDisposer.get()
StrictCrumbIssuer issuer = jenkins.model.Jenkins.instance.crumbIssuer
String jenkinsCrumb = "${issuer.crumbRequestField}:${issuer.crumb}"
String url = Jenkins.instance.rootUrl + disposer.url

disposer.getBacklog().each { item ->
  println "\n${item.id} : \t${url}/stopTracking/?id=${item.id} : \t${item.class.simpleName} : \n" +
          "\t${item.getLastState().getDisplayName()} : \n" +
          "\t${item.getDisposable().node} : ${item.getDisposable().path}\n" +
          "\t${item.toString()}"
  println "removeing ${item.id} : "
  [ 'bash', '-c', 'curl -v -s ' +
                       '-u <user>:<token> ' +
                       '-X POST ' +
                       "-H \"Content-Type: application/json\" " +
                       "-H \"Accept: application/json\" " +
                       "-H \"${jenkinsCrumb}\" " +
                       "${url}/stopTracking/?id=${item.id} "
  ].execute().with{
    def stdout = new StringBuffer()
    def stderr = new StringBuffer()
    it.waitForProcessOutput( stdout, stderr )
    println "EXIT CODE: ${it.exitValue()}"
    println "ERROR: ${stderr}"
    println "OUTPUT: ${stdout}"
  }
}

get crumb via cmd

[!TIP|local:references:]

  • curl

    # after 2.176.2
    $ SERVER="https://localhost:8080"
    $ COOKIEJAR="$(mktemp)"
    $ CRUMB=$(curl -u "admin:admin" -s --cookie-jar "$COOKIEJAR" "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")
    
    # verify
    $ echo $CRUMB
    Jenkins-Crumb:786**********************************************************932
    
    # trigger a build
    $ curl -X POST \
           -u "admin:admin" \
           --cookie "$COOKIEJAR" \
           -H "$CRUMB" \
           https://${SERVER}/job/sandbox/build
    
    # to run script
    $ curl -d "script=System.getProperties()" \
           -u "admin:admin" \
           --cookie "$COOKIEJAR" \
           -H "$CRUMB" \
           https://${SERVER}/scriptText
    
  • via wget

    # after 2.176.2
    $ SERVER="https://localhost:8080"
    $ COOKIEJAR="$(mktemp)"
    $ CRUMB="$(wget --quiet --user=admin --password=admin --auth-no-challenge --save-cookies "$COOKIEJAR" --keep-session-cookies -q --output-document - "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")"
    $ wget --user=admin --password=admin \
           --auth-no-challenge \
           --load-cookies "$COOKIEJAR" \
           --header="$CRUMB" \
           --post-data="" \
           --quiet \
           "$SERVER"/job/someJob/build
    

credential

[!TIP] something else :

api :

list all credentials

import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
import com.cloudbees.plugins.credentials.SystemCredentialsProvider

CredentialsProvider.lookupCredentials( StandardCredentials.class, jenkins.model.Jenkins.instance)
                   .sort{ it.id }
                   .each{
                     switch( it.class.simpleName ) {
                       case 'BasicSSHUserPrivateKey' :
                         println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                            scope : ${it.scope}
                                                         username : ${it.username}
                                                      description : ${it.description}
                                          privateKeysLastModified : ${it.privateKeysLastModified}
                                                   usernameSecret : ${it.usernameSecret ?: 'false'}
                                                      privateKeys : ${it.privateKeys.join('\n')}
                          """
                         break;

                       case 'CertificateCredentialsImpl' :
                          println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                            scope : ${it.scope}
                                                         password : ${it.password}
                                                      description : ${it.description}
                                                    keyStore.type : ${it.keyStore.type}
                                     keyStoreSource.keyStoreBytes : ${it.keyStoreSource.keyStoreBytes}
                             keyStoreSource.uploadedKeystoreBytes : ${it.keyStoreSource.uploadedKeystoreBytes}

                                                       properties : ${it.properties}
                                              properties.password : ${it.properties.password}
                                         properties.passwordEmpty : ${it.properties.passwordEmpty}
                                         properties.keyStore.type : ${it.properties.keyStore.type}
                          """
                         break;
                       case 'StringCredentialsImpl' :
                         println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                           secret : ${it.secret}
                                                      description : ${it.description}
                                                            scope : ${it.scope}
                        """
                         break;

                       case 'UsernamePasswordCredentialsImpl' :
                         println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                         username : ${it.username}
                                                         password : ${it.password}
                                                      description : ${it.description}
                                                   usernameSecret : ${it.usernameSecret ?: 'false'}
                         """
                         break;
                     }
                   }
  • with vault

    import com.cloudbees.plugins.credentials.common.StandardCredentials
    import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
    import com.cloudbees.plugins.credentials.CredentialsProvider
    import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
    import com.cloudbees.plugins.credentials.SystemCredentialsProvider
    import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredential
    import com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential
    import com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl
    import com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl
    
    CredentialsProvider.lookupCredentials( StandardCredentials.class, jenkins.model.Jenkins.instance)
                       .sort{ it.id }
                       .each{
                         switch( it.class.simpleName ) {
                           case 'BasicSSHUserPrivateKey' :
                             println """
                                                                 type : ${it.class.simpleName}
                                                                   id : ${it.id}
                                                                scope : ${it.scope}
                                                             username : ${it.username}
                                                          description : ${it.description}
                                              privateKeysLastModified : ${it.privateKeysLastModified}
                                                       usernameSecret : ${it.usernameSecret ?: 'false'}
                                                          privateKeys : ${it.privateKeys.join('\n')}
                              """
                             break;
    
                           case 'CertificateCredentialsImpl' :
                              println """
                                                                 type : ${it.class.simpleName}
                                                                   id : ${it.id}
                                                                scope : ${it.scope}
                                                             password : ${it.password}
                                                          description : ${it.description}
                                                        keyStore.type : ${it.keyStore.type}
                                         keyStoreSource.keyStoreBytes : ${it.keyStoreSource.keyStoreBytes}
                                 keyStoreSource.uploadedKeystoreBytes : ${it.keyStoreSource.uploadedKeystoreBytes}
    
                                                           properties : ${it.properties}
                                                  properties.password : ${it.properties.password}
                                             properties.passwordEmpty : ${it.properties.passwordEmpty}
                                             properties.keyStore.type : ${it.properties.keyStore.type}
                              """
                             break;
                           case 'StringCredentialsImpl' :
                             println """
                                                                 type : ${it.class.simpleName}
                                                                   id : ${it.id}
                                                               secret : ${it.secret}
                                                          description : ${it.description}
                                                                scope : ${it.scope}
                            """
                             break;
    
                           case 'UsernamePasswordCredentialsImpl' :
                             println """
                                                                 type : ${it.class.simpleName}
                                                                   id : ${it.id}
                                                             username : ${it.username}
                                                             password : ${it.password}
                                                          description : ${it.description}
                                                       usernameSecret : ${it.usernameSecret ?: 'false'}
                             """
                             break;
    
                           case 'VaultUsernamePasswordCredentialImpl' :
                             println """
    
                                                                 type : ${it.class.simpleName}
                                                        engineVersion : ${it.engineVersion}
                                                                  id  : ${it.id}
                                                                scope : ${it.scope}
                                                          description : ${it.description}
                                                          displayName : ${it.displayName}
                                                                 path : ${it.path}
                                                          usernameKey : ${it.usernameKey}
                                                             username : ${it.username}
                                                          passwordKey : ${it.passwordKey}
                                                             password : ${it.password}
                                                       usernameSecret : ${it.usernameSecret ?: 'false'}
                             """
                             break;
    
                           case 'VaultAppRoleCredential':
                             println """
                                                                 type : ${it.class.simpleName}
                                                                   id : ${it.id}
                                                               roleId : ${it.roleId}
                                                             secretId : ${it.secretId}
                                                                 path : ${it.path}
                                                            namespace : ${it.namespace}
                                                                scope : ${it.scope}
                                                          description : ${it.description}
                             """
                             break;
    
                           case 'VaultSSHUserPrivateKeyImpl':
                             println """
                                                                 type : ${it.class.simpleName}
                                                        engineVersion : ${it.engineVersion}
                                                                   id : ${it.id}
                                                                scope : ${it.scope}
                                                          description : ${it.description}
                                                          displayName : ${it.displayName}
                                                       usernameSecret : ${it.usernameSecret ?: 'false'}
                                                          usernameKey : ${it.usernameKey}
                                                             username : ${it.username}
                                                        privateKeyKey : ${it.privateKeyKey}
                                                          privateKeys : ${it.privateKeys.join('\n')}
                                                        passphraseKey : ${it.passphraseKey}
                                                           passphrase : ${ it.passphrase}
                             """
                             break;
    
                           case 'VaultStringCredentialImpl':
                             println """
                                                                 type : ${it.class.simpleName}
                                                        engineVersion : ${it.engineVersion}
                                                                   id : ${it.id}
                                                          displayName : ${it.displayName}
                                                          description : ${it.description}
                                                           prefixPath : ${it.prefixPath}
                                                                 path : ${it.path}
                                                               secret : ${it.secret}
                                                             valutKey : ${it.vaultKey}
                             """
                             break;
                         }
                        }
    
  • or

    import com.cloudbees.plugins.credentials.CredentialsProvider
    import com.cloudbees.plugins.credentials.Credentials
    import com.cloudbees.plugins.credentials.domains.Domain
    import jenkins.model.Jenkins
    def indent = { String text, int indentationCount ->
      def replacement = "\t" * indentationCount
      text.replaceAll("(?m)^", replacement)
    }
    
    Jenkins.get().allItems().collectMany{ CredentialsProvider.lookupStores(it).toList()}.unique().forEach { store ->
      Map<Domain, List<Credentials>> domainCreds = [:]
      store.domains.each { domainCreds.put(it, store.getCredentials(it))}
      if (domainCreds.collectMany{ it.value}.empty) {
        return
      }
      def shortenedClassName = store.getClass().name.substring(store.getClass().name.lastIndexOf(".") + 1)
      println "Credentials for store context: ${store.contextDisplayName}, of type $shortenedClassName"
      domainCreds.forEach { domain , creds ->
        println indent("Domain: ${domain.name}", 1)
        creds.each { cred ->
          cred.properties.each { prop, val ->
            println indent("$prop = \"$val\"", 2)
          }
          println indent("-----------------------", 2)
        }
      }
    }
    

StandardUsernamePasswordCredentials

import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider

List<StandardUsernamePasswordCredentials> creds = CredentialsProvider.lookupCredentials(
  StandardUsernamePasswordCredentials.class,
  jenkins.model.Jenkins.instance
)

creds.sort{it.id}.each {
  println """
                id : ${it.id}
          username : ${it.username}
          password : ${it.password}
       description : ${it.description}
    usernameSecret : ${it.usernameSecret ?: 'false'}
  """
}

"DONE"

BasicSSHUserPrivateKey

import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;

List<BasicSSHUserPrivateKey> creds = CredentialsProvider.lookupCredentials(
  SSHUserPrivateKey.class ,                         // or BasicSSHUserPrivateKey.class
  jenkins.model.Jenkins.instance
).sort{ it.id }
 .each {
    println """
                        id  : ${it.id}
                      scope : ${it.scope}
                  username  : ${it.username}
               description  : ${it.description}
    privateKeysLastModified : ${it.privateKeysLastModified}
            usernameSecret  : ${it.usernameSecret ?: 'false'}
               privateKeys  : ${it.privateKeys.join('\n')}
    """
 }

CertificateCredentials

import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.CertificateCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.SecretBytes
import com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl

CredentialsProvider.lookupCredentials(
  CertificateCredentials.class,
  jenkins.model.Jenkins.instance
).sort{ it.id }
 .each {
    SecretBytes secretKey = it.properties.keyStoreSource.uploadedKeystoreBytes
    println """
                       id : ${it.id}
                 password : ${it.password}
              description : ${it.description}
                    scope : ${it.scope}
            keyStore.type : ${it.properties.keyStore.type}
      SecretBytes.decrypt : ${SecretBytes.decrypt(it.keyStoreSource.keyStoreBytes)}
           encryptedValue : ${hudson.util.Secret.fromString(secretKey.toString()).encryptedValue}
                plainData : ${new String(SecretBytes.fromString(secretKey.toString()).getPlainData(), "ASCII")}
    """
}

"DONE"

SystemCredentialsProvider

import com.cloudbees.plugins.credentials.SystemCredentialsProvider

SystemCredentialsProvider systemCredentialsProvider = jenkins.model.Jenkins.instance.getExtensionList(
  'com.cloudbees.plugins.credentials.SystemCredentialsProvider'
).first()

systemCredentialsProvider.credentials.each {
  println """
             id : ${it.id}
    description : ${it.description}
          scope : ${it.scope}
         secret : ${it.secret}
  """
}

vault

[!NOTE|label:references:]

VaultAppRoleCredential

[!NOTE|label:references:]

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential

List<VaultAppRoleCredential> creds = CredentialsProvider.lookupCredentials(
  VaultAppRoleCredential.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
             type : ${it.class.simpleName}
            scope : ${it.scope}
    engineVersion : ${it.engineVersion}
               id : ${it.id}
      description : ${it.description}
        namespace : ${it.namespace}
             path : ${it.path}
         secretId : ${it.secretId}
           roleId : ${it.roleId}
  """
}

VaultUsernamePasswordCredential

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredential

List<VaultUsernamePasswordCredential> creds = CredentialsProvider.lookupCredentials(
  VaultUsernamePasswordCredential.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
              type : ${it.class.simpleName}
             scope : ${it.scope}
     engineVersion : ${it.engineVersion}
                id : ${it.id}
       description : ${it.description}
              path : ${it.path}
       usernameKey : ${it.usernameKey}
          username : ${it.username}
       passwordKey : ${it.passwordKey}
          password : ${it.password}
    usernameSecret : ${it.usernameSecret ?: 'false'}
  """
}

VaultUsernamePasswordCredentialImpl

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl

List<VaultUsernamePasswordCredentialImpl> creds = CredentialsProvider.lookupCredentials(
  VaultUsernamePasswordCredentialImpl.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
              type : ${it.class.simpleName}
     engineVersion : ${it.engineVersion}
               id  : ${it.id}
             scope : ${it.scope}
       description : ${it.description}
       displayName : ${it.displayName}
              path : ${it.path}
       usernameKey : ${it.usernameKey}
          username : ${it.username}
       passwordKey : ${it.passwordKey}
          password : ${it.password}
    usernameSecret : ${it.usernameSecret ?: 'false'}
  """
}

VaultSSHUserPrivateKeyImpl

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl

List<VaultSSHUserPrivateKeyImpl> creds = CredentialsProvider.lookupCredentials(
  VaultSSHUserPrivateKeyImpl.class,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
               type : ${it.class.simpleName}
              scope : ${it.scope}
      engineVersion : ${it.engineVersion}
                 id : ${it.id}
        description : ${it.description}
        displayName : ${it.displayName}
     usernameSecret : ${it.usernameSecret ?: 'false'}
        usernameKey : ${it.usernameKey}
           username : ${it.username}
      privateKeyKey : ${it.privateKeyKey}
        privateKeys : ${it.privateKeys.collect{ it.trim() }}
         privateKey : ${it.privateKey}
      passphraseKey : ${it.passphraseKey}
         passphrase : ${ it.passphrase}
  """
}

VaultStringCredentialImpl

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl

List<VaultStringCredentialImpl> creds = CredentialsProvider.lookupCredentials(
  VaultStringCredentialImpl.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
             type : ${it.class.simpleName}
    engineVersion : ${it.engineVersion}
            scope : ${it.scope}
               id : ${it.id}
      description : ${it.description}
      displayName : ${it.displayName}
       prefixPath : ${it.prefixPath}
             path : ${it.path}
         valutKey : ${it.vaultKey}
           secret : ${it.secret}
  """
}

encrypt/decrypt password

import hudson.util.Secret

String original  = 'marslo'
Secret secret    = Secret.fromString( original )
String encrypted = secret.getEncryptedValue()
Secret decrypted = Secret.decrypt( encrypted )

println """
   original : ${original}
  encrypted : ${encrypted}
  decrypted : ${decrypted}
"""

//   original : marslo
//  encrypted : {AQAAABAAAAAQyF78QAdq9bWCAeUi1VdYO7cB0CfG29KrvwZUU506zig=}
//  decrypted : marslo
  • or

    println hudson.util.Secret.fromString('marslo').getEncryptedValue()
    println hudson.util.Secret.decrypt( hudson.util.Secret.fromString('marslo').getEncryptedValue()
    
    // {AQAAABAAAAAQfwTdrtsFbS2MyOOA3kuO01p21CsVsSIpZg9FE1TMlMQ=}
    // marslo
    

tricky

Access granted with Overall/SystemRead

This permission can be enabled by setting the system property jenkins.security.SystemReadPermission to true or installing the Extended Read Permission plugin.

Access granted with Overall/Manage

This permission can be enabled by setting the system property jenkins.security.ManagePermission to true or installing the Overall/Manage permission enabler plugin.

Copyright © marslo 2020-2023 all right reserved,powered by GitbookLast Modified: 2024-03-12 15:01:28

results matching ""

    No results matching ""