

Resolve credential leak via ps while jenkins-cli is used during puppe…
…t runs
avbm committed Feb 25, 2020
1 parent 5c32ec2 commit 17de537
Showing 6 changed files with 35 additions and 15 deletions.
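--- a/manifests/cli.pp
+++ b/manifests/cli.pp
@@ -64,6 +64,15 @@
 ' '
 )
 
+if !empty($jenkins::cli_password) {
+$cmd_environment = [
+"JENKINS_USER_ID=${jenkins::cli_username}",
+"JENKINS_API_TOKEN=${jenkins::cli_password}",
+]
+} else {
+$cmd_environment = undef
+}
+
 # Do a safe restart of Jenkins (only when notified)
 exec { 'safe-restart-jenkins':
 command => "${cmd} safe-restart && /bin/sleep 10",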
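Review bot: Moving the secret from argv into the new `$cmd_environment` array hides it from other users' `ps`, but it remains readable from `/proc/<pid>/environ` by the executing uid and by root, and it is inherited by `/bin/sleep 10` and anything else the shell command starts; that residual exposure deserves a comment next to the declaration, e.g. `# Credentials travel via the environment rather than argv so they do not show in ps; they remain visible to the same uid/root via /proc/<pid>/environ.` The guard tests only `cli_password`, so the `cli_password_file` path keeps `-auth '@file'` on the command line, which exposes the file path but not its content. Whether any legacy-CLI branch still embeds the password is decided in init.pp, outside this hunk.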
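--- a/manifests/cli/exec.pp
+++ b/manifests/cli/exec.pp
@@ -28,9 +28,14 @@
 )
 
 if $unless {
-$environment_run = [ "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}" ]
+$environment_run = delete_undef_values(
+flatten([
+$jenkins::cli::cmd_environment,
+"HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}",
+])
+)
 } else {
-$environment_run = undef
+$environment_run = $jenkins::cli::cmd_environment
 }
 
 exec { $title: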
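Review bot: The `unless` command now receives the credentials through `$jenkins::cli::cmd_environment` on the new `$environment_run` lines, so `jenkins::cli_helper::helper_cmd` (defined outside this hunk) should no longer carry an `-auth` argument of its own; if it still does, the argv exposure the commit removes persists through the helper. A one-line comment would make that dependency explicit: `# cmd_environment supplies JENKINS_USER_ID/JENKINS_API_TOKEN, so neither the command nor the helper needs -auth on argv`. `delete_undef_values(flatten(...))` correctly collapses the case where `cmd_environment` is undef, and the else branch may still yield undef, which `exec` accepts. The `exec { $title:` resource continues past the hunk.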
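--- a/manifests/cli/reload.pp
+++ b/manifests/cli/reload.pp
@@ -17,5 +17,6 @@
 try_sleep => $cli_try_sleep,
 refreshonly => true,
 require => File[$jar_file],
+environment => $jenkins::cli::cmd_environment,
 }
 }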
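--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -401,7 +401,9 @@
 # Username / Password auth (needed for AD and other Auth Realms)
 if $_use_new_cli {
 if !empty($cli_password) {
-$_cli_auth_arg = "-auth '${cli_username}:${cli_password}'"
+# username and password passed as environment variables to prevent showing in ps output
+# so setting cli_auth_arg to empty string
+$_cli_auth_arg = ''
 } elsif !empty($cli_password_file) {
 $_cli_auth_arg = "-auth '@${cli_password_file}'"
 } else {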
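Review bot: The new comment above `$_cli_auth_arg = ''` should name where the variables are set, so the coupling with `jenkins::cli` is discoverable from this file: `# Credentials are exported as JENKINS_USER_ID/JENKINS_API_TOKEN by jenkins::cli ($cmd_environment), so no -auth argument goes on the command line.` The `else` of `if $_use_new_cli` lies outside the hunk; if it still interpolates `${cli_password}` into an argument, the ps exposure remains for the legacy CLI path.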
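--- a/manifests/job/absent.pp
+++ b/manifests/job/absent.pp
@@ -33,11 +33,12 @@
 
 # Delete the job
 exec { "jenkins delete-job ${jobname}":
-path => ['/usr/bin', '/usr/sbin', '/bin'],
-command => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
-logoutput => false,
-onlyif => "test -f \"${config_path}\"",
-require => Exec['jenkins-cli'],
+path => ['/usr/bin', '/usr/sbin', '/bin'],
+command => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
+logoutput => false,
+onlyif => "test -f \"${config_path}\"",
+require => Exec['jenkins-cli'],
+environment => $jenkins::cli::cmd_environment,
 }
 
 }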
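Review bot: The re-aligned `command` line still interpolates `${jobname}` inside shell double quotes, so a job name containing `"`, `$` or a backtick alters the command instead of being passed as data; this predates the commit, but the line is rewritten here and the same pattern recurs in present.pp's `create-job` and `update-job` commands. Puppet's built-in `shellquote($jobname)` is the safer building block, e.g. `command => "${jenkins::cli::cmd} delete-job ${shellquote($jobname)}",` with the matching change to `onlyif`. Adding `environment` here is consistent with the other execs and needs no further change.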
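--- a/manifests/job/present.pp
+++ b/manifests/job/present.pp
@@ -65,7 +65,7 @@
 $job_dir = "${jenkins::job_dir}/${jobname}"
 $config_path = "${job_dir}/config.xml"
 
-# Bring variables from Class['::jenkins'] into local scope.
+# Bring variables from Class['jenkins'] into local scope.
 $cli_tries = $jenkins::cli_tries
 $cli_try_sleep = $jenkins::cli_try_sleep
 
@@ -80,18 +80,20 @@
 $cat_config = "cat \"${tmp_config_path}\""
 $create_job = "${jenkins_cli} create-job \"${jobname}\""
 exec { "jenkins create-job ${jobname}":
-command => "${cat_config} | ${create_job}",
-creates => [$config_path, "${job_dir}/builds"],
+command => "${cat_config} | ${create_job}",
+creates => [$config_path, "${job_dir}/builds"],
+environment => $jenkins::cli::cmd_environment,
 }
 
 if $replace {
 # Use Jenkins CLI to update the job if it already exists
 $update_job = "${jenkins_cli} update-job ${jobname}"
 exec { "jenkins update-job ${jobname}":
-command => "${cat_config} | ${update_job}",
-onlyif => "test -e ${config_path}",
-unless => "${difftool} ${config_path} ${tmp_config_path}",
-notify => Exec['reload-jenkins'],
+command => "${cat_config} | ${update_job}",
+onlyif => "test -e ${config_path}",
+unless => "${difftool} ${config_path} ${tmp_config_path}",
+notify => Exec['reload-jenkins'],
+environment => $jenkins::cli::cmd_environment,
 }
 }
 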

