Jenkins issue JENKINS-48599

Ability to retrieve secrets from credentials plugin in groovy script

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: active-choices-plugin
    • Labels: None

      Description

      We use this plugin/script to query an API in order to populate the choices parameter. 
      It would be very beneficial to be able to refer to secrets stored as credentials (credentials plugin) to authenticate against an external API, rather than having to put access tokens in the script itself. 

          Activity

          roy_porter Roy Porter added a comment -

          Have you tried something along the lines of: (Replacing ###Credential name###)

          import jenkins.model.*

          // Look up every credential visible from the Jenkins root.
          // A null authentication is treated as the SYSTEM identity.
          def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
            com.cloudbees.plugins.credentials.Credentials.class,
            Jenkins.instance,
            null,
            null
          );
          // Select the entry whose ID matches
          def credential = creds.find {it.id == '###Credential name###'}
          if (!credential) {
            return "Unable to pickup credential from Jenkins"
          }

          return credential.password;

           

          basher590 Chris Hudson added a comment -

          Hey, thanks for this.

          It returns the credential object, but sadly it doesn't have a `password` property. If I set it to `credential.secret` it returns me an encrypted string. 
          Looks like this...not usual encryption. 

          Result: evGnz_DcxcWFsFXeihUb

          That's from a test credential I set up.

          basher590 Chris Hudson added a comment -

          The usual Jenkins decryption methods don't yield anything against that string, at least not the ones I know of.

          auschas Charles Abetz added a comment - - edited

          You can do it like this, but I am not sure if this only works for admin users.

           

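          import com.cloudbees.plugins.credentials.Credentials
          import com.cloudbees.plugins.credentials.SystemCredentialsProvider
          import com.cloudbees.plugins.credentials.domains.Domain
          import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl

          // All credentials in the global domain of the system credentials store
          List<Credentials> credentials = SystemCredentialsProvider.getInstance().getStore().getCredentials(Domain.global())
          // Result as "username:password"; kept separate from the list being iterated
          String userAndPassword = null
          for (c in credentials) {
              if (c instanceof UsernamePasswordCredentialsImpl) {
                  // `user` must already be bound in the script
                  if (c.username == "${user}") {
                      userAndPassword = c.getUsername() + ":" + c.getPassword().getPlainText()
                  }
              }
          }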

          That works for me as an admin, but it doesn't seem to work for other users even if they have permission to view the Credential store. 
           

          olivieratsncf olivier G added a comment -

          I don't understand why it's not possible to use pipeline syntax as withCredentials to work with credentials.

          I use something like what Charles Abetz has done. In my case, any user with job/read and job/build could use it (Jenkins has script-security-plugin, and no approval is needed).
          This possibility opens a security flaw: it's possible for each user to read passwords from all global credentials.
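
An added example, not part of the issue thread or of the plugin's code: one way to audit for the exposure described in the last comment is to scan job `config.xml` files for Active Choices parameter scripts that call the credential APIs used in this thread, and report whether each script runs in the sandbox. The `config.xml` element names, the function name `audit_job_config` and the sample config are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Credential-API names used by the scripts posted in this thread.
CREDENTIAL_API = re.compile(
    r"lookupCredentials|SystemCredentialsProvider|getPlainText|getPassword")

# Constructed sample; element names are an assumed Active Choices layout.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project><properties><hudson.model.ParametersDefinitionProperty>
<parameterDefinitions>
  <org.biouno.unochoice.ChoiceParameter>
    <name>TARGET</name>
    <script class="org.biouno.unochoice.model.GroovyScript"><secureScript>
      <script>def s = SystemCredentialsProvider.getInstance().getStore()
return s.getCredentials(Domain.global()).collect { it.id }</script>
      <sandbox>false</sandbox>
    </secureScript></script>
  </org.biouno.unochoice.ChoiceParameter>
  <org.biouno.unochoice.ChoiceParameter>
    <name>REGION</name>
    <script class="org.biouno.unochoice.model.GroovyScript"><secureScript>
      <script>return ['eu', 'us']</script>
      <sandbox>true</sandbox>
    </secureScript></script>
  </org.biouno.unochoice.ChoiceParameter>
</parameterDefinitions>
</hudson.model.ParametersDefinitionProperty></properties></project>"""


def audit_job_config(xml_text):
    """Return one finding per parameter script that calls a credential API."""
    # Jenkins writes an XML 1.1 declaration, which Python's parser rejects.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    findings = []
    for param in root.iter():
        if not param.tag.startswith("org.biouno.unochoice."):
            continue
        for holder in param.iter():
            body = holder.find("script")
            text = (body.text or "") if body is not None else ""
            hits = sorted(set(CREDENTIAL_API.findall(text)))
            if hits:
                findings.append({
                    "parameter": param.findtext("name", default="?"),
                    "apis": hits,
                    "sandbox": holder.findtext("sandbox", "").strip() == "true",
                })
    return findings
```

A finding with `sandbox` set to false is the case to review first, since that script is not restricted by the script-security sandbox.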

           


            People

            • Assignee:
              kinow Bruno P. Kinoshita
              Reporter:
              basher590 Chris Hudson
            • Votes:
              0
              Watchers:
              6
