From 83a8f76b01ec6af5c0444b5fe6cb2b5ef87f5ad4 Mon Sep 17 00:00:00 2001
From: Amod Mulay
Date: Wed, 19 Feb 2020 13:49:23 -0500
Subject: [PATCH] Resolve credential leak via ps while jenkins-cli is used during puppet runs

---
 manifests/cli.pp | 9 +++++++++
 manifests/cli/exec.pp | 9 +++++++--
 manifests/cli/reload.pp | 1 +
 manifests/init.pp | 4 +++-
 manifests/job/absent.pp | 11 ++++++-----
 manifests/job/present.pp | 16 +++++++++-------
 6 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/manifests/cli.pp b/manifests/cli.pp
index a47e7e904..023e487fd 100644
--- a/manifests/cli.pp
+++ b/manifests/cli.pp
@@ -64,6 +64,15 @@
     ' '
   )
 
+  if !empty($cli_password) {
+    $cmd_environment = [
+      "JENKINS_USER_ID=${jenkins::cli_username}",
+      "JENKINS_API_TOKEN=${jenkins::cli_password}",
+    ]
+  } else {
+    $cmd_environment = undef
+  }
+
   # Do a safe restart of Jenkins (only when notified)
   exec { 'safe-restart-jenkins':
     command => "${cmd} safe-restart && /bin/sleep 10",
diff --git a/manifests/cli/exec.pp b/manifests/cli/exec.pp
index 925187317..a6fe6e037 100644
--- a/manifests/cli/exec.pp
+++ b/manifests/cli/exec.pp
@@ -28,9 +28,14 @@
   )
 
   if $unless {
-    $environment_run = [ "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}" ]
+    $environment_run = delete_undef_values(
+      flatten([
+        $jenkins::cli::cmd_environment,
+        "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}",
+      ])
+    )
   } else {
-    $environment_run = undef
+    $environment_run = $jenkins::cli::cmd_environment
   }
 
   exec { $title:
diff --git a/manifests/cli/reload.pp b/manifests/cli/reload.pp
index 1d028ffa7..a6b040f60 100644
--- a/manifests/cli/reload.pp
+++ b/manifests/cli/reload.pp
@@ -17,5 +17,6 @@
     try_sleep => $cli_try_sleep,
     refreshonly => true,
     require => File[$jar_file],
+    environment => $jenkins::cli::cmd_environment,
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index a48276ce1..4139577c2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
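Review bot: The `safe-restart-jenkins` exec that opens at the end of this hunk does not get `environment => $cmd_environment`, and the diffstat's 9 added lines for cli.pp are exactly the 9 lines of this hunk, so once init.pp empties `-auth` out of `${cmd}` that restart runs with no credentials at all in the username/password case; the same presumably applies to the `Exec['jenkins-cli']` that absent.pp requires, if it lives in this file. Add `environment => $cmd_environment,` to that resource (its body continues past the hunk). The new guard also tests the unqualified `$cli_password` while the values come from `$jenkins::cli_password`; unless this class binds `$cli_password` earlier (outside the hunk), the guard is always false, `$cmd_environment` stays undef, and every CLI call in the module becomes unauthenticated rather than failing loudly — `if !empty($jenkins::cli_password) {` keeps the test and the values in one scope. A why-comment above the guard, e.g. `# Credentials go to jenkins-cli via JENKINS_USER_ID/JENKINS_API_TOKEN instead of -auth so they are not visible in ps; init.pp leaves -auth empty for this case`, would tie the two halves of the change together.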
@@ -401,7 +401,9 @@
   # Username / Password auth (needed for AD and other Auth Realms)
   if $_use_new_cli {
     if !empty($cli_password) {
-      $_cli_auth_arg = "-auth '${cli_username}:${cli_password}'"
+      # username and password passed as environment variables to prevent showing in ps output
+      # so setting cli_auth_arg to empty string
+      $_cli_auth_arg = ''
     } elsif !empty($cli_password_file) {
       $_cli_auth_arg = "-auth '@${cli_password_file}'"
     } else {
diff --git a/manifests/job/absent.pp b/manifests/job/absent.pp
index ec1c86932..b34b44b89 100644
--- a/manifests/job/absent.pp
+++ b/manifests/job/absent.pp
@@ -33,11 +33,12 @@
   # Delete the job
   exec { "jenkins delete-job ${jobname}":
-    path => ['/usr/bin', '/usr/sbin', '/bin'],
-    command => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
-    logoutput => false,
-    onlyif => "test -f \"${config_path}\"",
-    require => Exec['jenkins-cli'],
+    path => ['/usr/bin', '/usr/sbin', '/bin'],
+    command => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
+    logoutput => false,
+    onlyif => "test -f \"${config_path}\"",
+    require => Exec['jenkins-cli'],
+    environment => $jenkins::cli::cmd_environment,
   }
 }
diff --git a/manifests/job/present.pp b/manifests/job/present.pp
index be5bb6caf..bef4f2a34 100644
--- a/manifests/job/present.pp
+++ b/manifests/job/present.pp
@@ -65,7 +65,7 @@
   $job_dir = "${jenkins::job_dir}/${jobname}"
   $config_path = "${job_dir}/config.xml"
-  # Bring variables from Class['::jenkins'] into local scope.
+  # Bring variables from Class['jenkins'] into local scope.
   $cli_tries = $jenkins::cli_tries
   $cli_try_sleep = $jenkins::cli_try_sleep
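Review bot: The comment added above `$_cli_auth_arg = ''` should say where the variables are actually set, because nothing in this class sets them and a reader of init.pp cannot see the coupling; something like `# Credentials reach the CLI as JENKINS_USER_ID/JENKINS_API_TOKEN via jenkins::cli::cmd_environment (not on the command line, where ps would expose them), so -auth is deliberately left empty here.` Two caveats belong next to it: the token still ends up in the compiled catalog, as the old `-auth` string did, so this closes the ps/`/proc/*/cmdline` exposure rather than exposure at rest, and if the installed jenkins-cli.jar predates support for those environment variables this branch now produces an unauthenticated call instead of a failed one, which the `cli_password` parameter docs should state. The branch is only reached under `if $_use_new_cli`; whatever the non-new-CLI path does with `$cli_password` is outside this hunk and, as far as the diffstat shows, unchanged. The enclosing `if $_use_new_cli` block continues past the hunk.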
@@ -80,18 +80,20 @@
   $cat_config = "cat \"${tmp_config_path}\""
   $create_job = "${jenkins_cli} create-job \"${jobname}\""
   exec { "jenkins create-job ${jobname}":
-    command => "${cat_config} | ${create_job}",
-    creates => [$config_path, "${job_dir}/builds"],
+    command => "${cat_config} | ${create_job}",
+    creates => [$config_path, "${job_dir}/builds"],
+    environment => $jenkins::cli::cmd_environment,
   }
 
   if $replace {
     # Use Jenkins CLI to update the job if it already exists
     $update_job = "${jenkins_cli} update-job ${jobname}"
     exec { "jenkins update-job ${jobname}":
-      command => "${cat_config} | ${update_job}",
-      onlyif => "test -e ${config_path}",
-      unless => "${difftool} ${config_path} ${tmp_config_path}",
-      notify => Exec['reload-jenkins'],
+      command => "${cat_config} | ${update_job}",
+      onlyif => "test -e ${config_path}",
+      unless => "${difftool} ${config_path} ${tmp_config_path}",
+      notify => Exec['reload-jenkins'],
+      environment => $jenkins::cli::cmd_environment,
     }
   }
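Review bot: `environment` on an exec also applies to its `onlyif`/`unless` checks, so in the `update-job` resource the `${difftool}` command — presumably a caller-supplied parameter of this define — now runs with `JENKINS_API_TOKEN` in its environment although only the `${update_job}` pipeline needs it. That is fine for a stock diff but deserves a line above the resource: `# environment is inherited by the onlyif/unless commands too, so difftool sees the API token.` Both execs build their command from `$jenkins_cli`, which is assigned outside the hunk; if that is anything other than `$jenkins::cli::cmd`, confirm it too has dropped `-auth`, otherwise the credential is still on the command line and the ps leak this commit fixes persists for job management. The `jenkins::job::present` define continues beyond the hunk.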