Helpers like readFile in JCasC YAML Fail to Load Password from File #2522

Open
nicklocaso opened this issue Jul 3, 2024 · 4 comments

@nicklocaso

Jenkins and plugins versions report

Environment
Jenkins: 2.452.2
OS: Linux - 5.15.0-113-generic
---
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-233.vfdcdeb_0a_08a_a_
branch-api:2.1169.va_f810c56e895
build-name-setter:2.4.2
build-timeout:1.33
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.0
cloudbees-folder:6.928.v7c780211d66e
commons-lang3-api:3.14.0-76.vda_5591261cfe
commons-text-api:1.12.0-119.v73ef73f2345d
configuration-as-code:1810.v9b_c30a_249a_4c
credentials:1355.v46f52a_b_98d64
credentials-binding:679.v6288482e873c
dark-theme:439.vdef09f81f85e
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:555.v6802fe0f0b_82
echarts-api:5.5.0-1
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1814.v404722f34263
font-awesome-api:6.5.2-1
git:5.2.2
git-client:5.0.0
github:1.39.0
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1789.v5b_0c0cea_18c3
gradle:2.12
gson-api:2.11.0-41.v019fcf6125dc
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1265.v65b_14fa_f12f0
ldap:725.v3cb_b_711b_1a_ef
locale:511.v212370760160
mailer:472.vf7c289a_4b_420
matrix-auth:3.2.2
matrix-project:832.va_66e270d2946
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.13.1-117.v2f1a_b_66ff91d
mina-sshd-api-core:2.13.1-117.v2f1a_b_66ff91d
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pam-auth:1.11
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:61.v629f2cc41d83
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:304.va_f2a_16b_e4964
pipeline-groovy-lib:727.ve832a_9244dfa_
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2203.v89fa_170c2b_f5
pipeline-model-definition:2.2203.v89fa_170c2b_f5
pipeline-model-extensions:2.2203.v89fa_170c2b_f5
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2203.v89fa_170c2b_f5
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:4.1.0
prism-api:1.29.0-15
resource-disposer:0.23
scm-api:690.vfc8b_54395023
script-security:1341.va_2819b_414686
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:337.v395d2403ccd4
ssh-slaves:2.973.v0fa_8c0dea_f9f
structs:338.v848422169819
theme-manager:262.vc57ee4a_eda_5d
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1316.v33eb_726c50b_a_
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3903.v48a_8836749e9
workflow-durable-task-step:1353.v1891a_b_01da_18
workflow-job:1400.v7fd111b_ec82f
workflow-multibranch:783.787.v50539468395f
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:657.v03b_e8115821b_
workflow-support:907.v6713a_ed8a_573
ws-cleanup:0.46

What Operating System are you using (both controller, and any agents involved in the problem)?

Controller Operating System:

  • Base OS: Jenkins Docker Image
  • Jenkins Version: 2.452.2
  • JDK Version: 21
  • Dockerfile configured as:
FROM jenkins/jenkins:2.452.2-jdk21

LABEL version="1.0.0"

ENV JAVA_OPTS=-Djenkins.install.runSetupWizard=false
ENV TZ=Europe/Rome
ENV CASC_JENKINS_CONFIG=/jenkins/casc_configs/jcasc.yaml
ENV CASC_RELOAD_TOKEN={{token}}

COPY --chown=jenkins:jenkins ./config/jcasc.yaml /jenkins/casc_configs/jcasc.yaml
COPY --chown=jenkins:jenkins ./config/secrets /secrets

COPY --chown=jenkins:jenkins ./config/plugins.txt /usr/share/jenkins/ref/plugins.txt

RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt

Agent Operating System:

  • Not applicable

Reproduction steps

Bug Description

When using the readFile function in a JCasC YAML configuration file to load user credentials, the user ID is correctly loaded from the specified file, but the password is not. Both files exist and contain the expected values, and their paths are correctly referenced. This issue prevents proper configuration of user passwords via external files.

I have also tried using other helpers such as readFileBase64, base64, and decodeBase64, but none of these methods worked either. The login does not work, but if I provide the password via an environment variable, it works:

password: ${ADMIN_PASSWORD}

However, this is a temporary workaround and poses a significant security risk, so it needs to be changed as soon as possible.

YAML Configuration Example

Below is a simplified representation of the relevant part of the JCasC configuration file:

...
jenkins:
  securityRealm:
    local:
      users:
        - id: "${readFile:/secrets/file-user-id.txt}"
          password: "${readFile:/secrets/file-user-password.txt}"
...

Docker compose file

---
services:
  jenkins-controller:
    container_name: jenkins-controller
    build:
      context: ./
      dockerfile: Dockerfile
    image: nicklocaso/jenkins:1.0.0
    ports:
      - "8090:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "${JENKINS_HOME}:/var/jenkins_home"
...
    restart: unless-stopped

Dockerfile

FROM jenkins/jenkins:2.452.2-jdk21

LABEL version="1.0.0"

ENV JAVA_OPTS=-Djenkins.install.runSetupWizard=false
ENV TZ=Europe/Rome
ENV CASC_JENKINS_CONFIG=/jenkins/casc_configs/jcasc.yaml
ENV CASC_RELOAD_TOKEN={{token}}

COPY --chown=jenkins:jenkins ./config/jcasc.yaml /jenkins/casc_configs/jcasc.yaml
COPY --chown=jenkins:jenkins ./config/secrets /secrets

COPY --chown=jenkins:jenkins ./config/plugins.txt /usr/share/jenkins/ref/plugins.txt

RUN ls -l /secrets && echo "Contents of /secrets/file-user-password.txt:" && cat /secrets/file-user-password.txt

RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt

Docker:

# Building
$ docker compose -f ./docker-compose.yaml build --no-cache > build.log 2>&1

# Logging output
$ cat build.log
...
#9 [jenkins-controller 5/6] RUN ls -l /secrets && echo "Contents of /secrets/file-user-password.txt:" && cat /secrets/file-user-password.txt
#9 0.230 total 28
#9 0.230 -rw-r--r-- 1 jenkins jenkins   49 Jul  3 00:59 file-user-password.txt
... other content
#9 0.230 Contents of /secrets/file-user-password.txt:
#9 0.231 {{admin password}}
#9 DONE 0.3s
...

# Running
$ docker compose -f ./docker-compose.yaml up
# No errors on up log !

Expected Results

Successfully load and authenticate user credentials using the password from /secrets/file-user-password.txt.

Actual Results

Attempts to log in using the password from /secrets/file-user-password.txt using various methods (base64, readFile, decodeBase64, readFileBase64) have failed. The file paths are correct, and the files themselves contain the expected values. Even after trimming the file and ensuring there are no extraneous spaces or additional lines, the password loading issue persists.

Anything else?

No response

@nicklocaso nicklocaso added the bug label Jul 3, 2024
@nicklocaso
Author

Anyone?

@jetersen
Member

Have you tried one of the many other ways to use secrets?
https://github.com/jenkinsci/configuration-as-code-plugin/blob/5708e01224bb3fbacdc61026f1d2ac37c4092aa0/docs/features/secrets.adoc

Perhaps a properties file? 🤔

@jetersen
Member

I don't know if securityRealm still allows a plain-text password, so perhaps try the bcrypt way:
https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/demos/embedded-userdatabase/README.md#additional-attributes

@nicklocaso
Author

Have you tried one of the many other ways to use secrets? https://github.com/jenkinsci/configuration-as-code-plugin/blob/5708e01224bb3fbacdc61026f1d2ac37c4092aa0/docs/features/secrets.adoc

Perhaps a properties file? 🤔

Very interesting. Using the properties file seems to work correctly only if I don't use other helpers. I don't like it much, but it might be enough for now.

File /run/secrets/secrets.properties:

ADMIN_ID=admin
ADMIN_PASSWORD=test12345
ADMIN_PASSWORD_B64_ENCODED=dGVzdDEyMzQ1

This will work:

...
jenkins:
  securityRealm:
    local:
      users:
        - id: "${ADMIN_ID}"
          name: "admin"
          password: "${ADMIN_PASSWORD}"
...

This will not:

...
jenkins:
  securityRealm:
    local:
      users:
        - id: "${ADMIN_ID}"
          name: "admin"
          password: "${decodeBase64:${ADMIN_PASSWORD_B64_ENCODED}}"
...

In short, for now, the helpers provided here for the "password" property of "securityRealm" do not seem to work. Is this behaviour intended?
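Added example (my own code, not from the issue or the configuration-as-code plugin): a small Python emulator of the `${...}` secret-source syntax used in the snippets above, covering the properties-file/environment lookup and the readFile, readFileBase64, base64 and decodeBase64 helpers, so the exact string that would land in the `password` field can be inspected before a login is ever attempted. It assumes the helper names and the nested form `${decodeBase64:${VAR}}` as written in the thread and makes no claim about whether the real plugin trims file contents; the files written by `demo()` and the `dGVzdDEyMzQ1` value are constructed from the thread's own sample.

```python
import base64
import os
import re
import tempfile

# Innermost ${...} (no braces inside), so nested expressions resolve inside-out.
_EXPR = re.compile(r"\$\{([^${}]+)\}")

def _helper(token, props, root):
    """Resolve one flat token: either a VAR name or helper:argument."""
    name, sep, arg = token.partition(":")
    if not sep:  # plain variable: properties file first, then environment
        return props[token] if token in props else os.environ[token]
    if name in ("readFile", "readFileBase64"):
        with open(os.path.join(root, arg.lstrip("/")), "rb") as fh:
            raw = fh.read()  # verbatim: a trailing newline stays in the password
        return raw.decode("utf-8") if name == "readFile" else base64.b64encode(raw).decode("ascii")
    if name == "base64":
        return base64.b64encode(arg.encode("utf-8")).decode("ascii")
    if name == "decodeBase64":
        return base64.b64decode(arg).decode("utf-8")
    raise KeyError("unknown helper: " + name)

def resolve(value, props=None, root="/"):
    """Expand every ${...} in a YAML scalar, innermost first (root is a test hook)."""
    props = props or {}
    while (m := _EXPR.search(value)) is not None:
        value = value[:m.start()] + _helper(m.group(1), props, root) + value[m.end():]
    return value

def audit(secret):
    """Flag the silent ways a file-sourced password can differ from what was typed."""
    issues = []
    if secret != secret.strip():
        issues.append("surrounding whitespace or newline")
    return issues

def demo():
    """Constructed sample mirroring the issue's /secrets layout; the password file ends in a newline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "secrets"))
    for fname, content in (("file-user-id.txt", "admin"), ("file-user-password.txt", "test12345\n")):
        with open(os.path.join(root, "secrets", fname), "w") as fh:
            fh.write(content)
    props = {"ADMIN_PASSWORD_B64_ENCODED": "dGVzdDEyMzQ1"}  # value from the thread's properties file
    return {
        "id": resolve("${readFile:/secrets/file-user-id.txt}", props, root),
        "pw": resolve("${readFile:/secrets/file-user-password.txt}", props, root),
        "pw_nested": resolve("${decodeBase64:${ADMIN_PASSWORD_B64_ENCODED}}", props),
    }
```

Checking the resolved value this way keeps the secret out of an image layer and build log, unlike the `RUN cat /secrets/file-user-password.txt` step in the Dockerfile above.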

@timja timja removed the bug label Oct 3, 2024