Re: more meaningful description of a step

2017-07-17 Thread Samuel Van Oort 
Torsten, 

> how do I hide sensitive information that *DO NOT* come from credential 
binding in the shell script header?

First, I would strongly discourage this approach in general.  Credentials 
and credentials-binding exist specifically to provide a secure mechanism 
for build secrets (with several levels of security around them), and if you 
break from that it's very easy to shoot yourself in the foot and leak 
something sensitive.

A better approach would be to select from a list of credential ids.  

Second, as a workaround, if you have one of the cases where you can't do 
that, if you bind the secret to an actual environment variable (rather than 
a pipeline variable) it will currently be masked automatically by the 
implementation.  However I cannot guarantee the implementation will not 
become more specific about what it masks in the future (as described in the 
ticket above), ergo why I strongly encourage appropriate use of credentials.

Note that for purposes of step description, masking means that *all* of the 
string is removed, rather than just masking out part with asterisks.  This 
is to make one class of dictionary password attack harder to conduct, by 
not revealing what part of the input is sensitive.

Regards,
Sam Van Oort

On Wednesday, July 12, 2017 at 4:34:48 AM UTC-4, Torsten Gippert wrote:
>
>
> Hello,
>
> I am a bit confused how to handle sensitive information when using a shell 
> script:
>
> In https://issues.jenkins-ci.org/browse/JENKINS-37324 Sam Van Oort wrote 
> (2017-01-11 
> 23:37):
>  "Lots of discussion about how to separate sensitive and nonsensitive 
> environment variable content (markers for data, whitelist/blacklist, or 
> custom information in their EnvVars definitions) – *Jesse Glick* 
>  has 
> suggested a clever approach:
>
> to play with a different way of detecting secrets you would patch 
> `BindingStep` and `MaskPasswordsBuildWrapper` to, say, not just set 
> `PASSWORD=s3cr3t` but also `*PASSWORD+SECRET=true*`, and then document 
> this somewhere like in `EnvironmentExpander`"
>
>
> The question is, how do I hide sensitive information that *DO NOT* come 
> from credential binding in the shell script header? 
>
>
>
> *Example:*
> String userAndPwd = "test:123" // this comes from an manual input step
> def userAndPwdSECRET = true // Doesn't do anything ?! 
> (`PASSWORD+SECRET=true)
>
> sh """
>set +x
>curl -u ${userAndPwd} https://www.google.com
> """  
>
> In Blue Ocean I see "set +x curl -u test:123 https://www.google.com - 
> Shell Script"
>
> How can I mask out test:123 (=${userAndPwd})  in the shell script 
> description header in Blue Ocean?
>
> Many thanks to any answer in advance :-)
>
>
>
>
>
>
>  
>
>
>
> Am Dienstag, 11. Juli 2017 09:51:55 UTC+2 schrieb Jakub Pawlinski:
>
> Hi, 
>>
>> Recently https://issues.jenkins-ci.org/browse/JENKINS-37324 was solved. 
>>
>> In sprint review Sam Van Oort 
>>  
>> demonstrated 
>> the foundation for this https://www.youtube.com/watch?v=HhiUY70RVJY=510
>>  
>>
>> He mentions there possibility of having custom caption but I have found 
>> no way to actually achieve it.
>>
>> Maybe you know how I could make a custom description of step in 
>> declarative pipeline, far too simple example:
>>
>> stages {
>>   stage('A') { 
>> steps {
>>   bat "@echo Hello World"
>>
>> }
>> }
>> }
>>
>>
>> How can I make it appear as "Hello World Step — Windows Batch Script" 
>> instead of "@echo Hello World — Windows Batch Script" that I'm getting now.
>>
>>
>> Thanks
>>
>> Jakub
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/8877cf0a-1408-4115-b41f-c3ab91c0ceba%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: more meaningful description of a step

2017-07-11 Thread Samuel Van Oort 
Hi Jakub, 
Custom captions (or more accurately, custom step argument descriptions) are 
supported on a per-Step type basis, so if your plugin is defining a new 
Step type, you can define how to display its inputs. There isn't anything 
coming immediately to allow you to customize captions individually -- 
though there is a future enhancement to allow attaching metadata to a step 
that might be displayed in some fashion.  But I assume that would be in 
addition to the caption, not in place of it.  Apologies for any confusion 
from the demos.

Cheers, 
Sam

On Tuesday, July 11, 2017 at 3:51:55 AM UTC-4, Jakub Pawlinski wrote:
>
> Hi, 
>
> Recently https://issues.jenkins-ci.org/browse/JENKINS-37324 was solved. 
>
> In sprint review Sam Van Oort 
>  
> demonstrated 
> the foundation for this https://www.youtube.com/watch?v=HhiUY70RVJY=510 
>
> He mentions there possibility of having custom caption but I have found no 
> way to actually achieve it.
>
> Maybe you know how I could make a custom description of step in 
> declarative pipeline, far too simple example:
>
> stages {
>   stage('A') { 
> steps {
>   bat "@echo Hello World"
>
> }
> }
> }
>
>
> How can I make it appear as "Hello World Step — Windows Batch Script" 
> instead of "@echo Hello World — Windows Batch Script" that I'm getting now.
>
>
> Thanks
>
> Jakub
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/e3a99fdb-d38b-4140-b035-c85a97a7b217%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.