
JENKINS-60373: Read secret from file and encode it with base64

See original GitHub issue

Feature Request

I am looking for a way to practically and securely inject binary secrets from /run/secrets into a file credential type (plain-credentials plugin). The challenge is that the input is expected to be base64-encoded, so reading the file as-is from /run/secrets does not work. Extending plain-credentials to read the file content instead of expecting an inlined string is something that has proven challenging to secure. Several approaches to address that were discussed in JENKINS-60373, and I would like to propose the most straightforward one [1].


Introduce a new syntax that would permit reading a file from the filesystem and encoding its content with base64, to close the gap between traditional secrets injection and file credentials. The reasoning is that when the feature is specific to JCasC, it is by definition restricted to administrators, eliminating possible arbitrary file read vulnerabilities.

[1] https://issues.jenkins-ci.org/browse/JENKINS-60373?focusedCommentId=381101&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-381101

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 15 (15 by maintainers)

Top GitHub Comments

jetersen commented, May 30, 2020 (2 reactions)

@jglick @olivergondza @timja Switching to Apache's StringSubstitutor would enable this. Though the default lookup might be too powerful for the JCasC use case.

Though it will clean up some of the code, as StringSubstitutor already supports default values via :-. It also supports nested variable substitution, so you could have something like

${base64:${file:${/run/secrets/whatever}}}
Default String Lookups
Key	Implementation	Factory Method	Since
"base64Decoder"	Base64DecoderStringLookup	base64DecoderStringLookup()	1.6
"base64Encoder"	Base64EncoderStringLookup	base64EncoderStringLookup()	1.6
"const"	ConstantStringLookup	constantStringLookup()	1.5
"date"	DateStringLookup	dateStringLookup()	1.5
"dns"	DnsStringLookup	dnsStringLookup()	1.8
"env"	EnvironmentVariableStringLookup	environmentVariableStringLookup()	1.3
"file"	FileStringLookup	fileStringLookup()	1.5
"java"	JavaPlatformStringLookup	javaPlatformStringLookup()	1.5
"localhost"	LocalHostStringLookup	localHostStringLookup()	1.3
"properties"	PropertiesStringLookup	propertiesStringLookup()	1.5
"resourceBundle"	ResourceBundleStringLookup	resourceBundleStringLookup()	1.6
"script"	ScriptStringLookup	scriptStringLookup()	1.5
"sys"	SystemPropertyStringLookup	systemPropertyStringLookup()	1.3
"url"	UrlStringLookup	urlStringLookup()	1.5
"urlDecoder"	UrlDecoderStringLookup	urlDecoderStringLookup()	1.5
"urlEncoder"	UrlEncoderStringLookup	urlEncoderStringLookup()	1.5
"xml"	XmlStringLookup	xmlStringLookup()	1.5

I would probably settle for:

"base64" Base64EncoderStringLookup
"file" FileStringLookup
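The following is an added example, not code from JCasC or from Apache Commons Text, that implements the shape of syntax sketched in the feature request and in the comment above: a substitutor that knows only a file lookup and a base64 lookup, resolves nested variables innermost-first, refuses file paths that resolve outside an assumed secrets root (a temporary directory here, standing in for /run/secrets), and passes binary content through to base64 byte-for-byte. Everything below is constructed for the example: the keystore bytes, the tricky.txt file, the prefix names file and base64, and the YAML-style fragment including its secretBytes field name.

```python
"""Restricted ${prefix:arg} substitution with file and base64 lookups.

Added example (not JCasC or Commons Text code). Two properties matter for a
file-to-base64 feature: only an allowlist of lookups is reachable (nothing like
the script, url or dns lookups of a full default set), and the file lookup
cannot read outside the secrets directory even via '..' or symlinks.
"""
import base64
import re
import tempfile
from pathlib import Path

# Hypothetical secrets directory for this example; a container would use /run/secrets.
SECRETS_ROOT = Path(tempfile.mkdtemp(prefix="secrets-")).resolve()

# Constructed sample secret: a binary blob that is not valid UTF-8, like a PKCS#12 keystore.
KEYSTORE_BYTES = bytes([0xFE, 0xED, 0xFE, 0xED, 0x00, 0x00, 0x00, 0x02, 0xFF, 0x80, 0x0A, 0x41])
(SECRETS_ROOT / "keystore.p12").write_bytes(KEYSTORE_BYTES)
# Constructed sample whose content looks like a variable, to show lookup results are not re-expanded.
(SECRETS_ROOT / "tricky.txt").write_text("${file:keystore.p12}")

_VAR_OPEN = re.compile(r"\$\{([A-Za-z0-9]+):")


def file_lookup(arg: str) -> str:
    """Read a file under SECRETS_ROOT. Absolute paths are accepted only if they
    resolve (after '..' and symlinks) inside the root; anything else is refused."""
    candidate = (Path(arg) if Path(arg).is_absolute() else SECRETS_ROOT / arg).resolve()
    if candidate != SECRETS_ROOT and SECRETS_ROOT not in candidate.parents:
        raise PermissionError(f"file lookup outside {SECRETS_ROOT}: {arg}")
    # Latin-1 maps each byte to exactly one code point, so binary content
    # passes through str unchanged until base64_lookup turns it back into bytes.
    return candidate.read_bytes().decode("latin-1")


def base64_lookup(arg: str) -> str:
    """Base64-encode the bytes carried in arg (see the latin-1 note above)."""
    return base64.b64encode(arg.encode("latin-1")).decode("ascii")


# The whole allowlist: no other prefix is reachable from a template.
ALLOWED_LOOKUPS = {"file": file_lookup, "base64": base64_lookup}


def _expand(s: str, i: int, lookups, nested: bool):
    """Expand s from index i and return (text, index_after).

    Stops at end of input at top level, or at the '}' closing the current
    variable when nested. Lookup results are appended verbatim and never
    re-scanned, so a secret whose content contains '${' cannot trigger a lookup."""
    out = []
    while i < len(s):
        if s.startswith("${", i):
            m = _VAR_OPEN.match(s, i)
            if m is None:
                raise ValueError(f"malformed variable at offset {i}")
            fn = lookups.get(m.group(1))
            if fn is None:
                raise ValueError(f"lookup not permitted: {m.group(1)}")
            inner, i = _expand(s, m.end(), lookups, nested=True)
            out.append(fn(inner))
        elif nested and s[i] == "}":
            return "".join(out), i + 1
        else:
            out.append(s[i])
            i += 1
    if nested:
        raise ValueError("unterminated variable")
    return "".join(out), i


def substitute(template: str, lookups=ALLOWED_LOOKUPS) -> str:
    """Resolve nested ${prefix:arg} variables innermost-first."""
    return _expand(template, 0, lookups, nested=False)[0]


# Constructed JCasC-style fragment: the field name is assumed, and the
# ${base64:${file:...}} form is the syntax proposed in the issue, not a shipped one.
SAMPLE_TEMPLATE = """\
- file:
    id: keystore
    fileName: keystore.p12
    secretBytes: ${base64:${file:keystore.p12}}
"""


def render_sample() -> str:
    return substitute(SAMPLE_TEMPLATE)


if __name__ == "__main__":
    print(render_sample())
    for bad in ("${file:/etc/hostname}", "${file:../../etc/hostname}", "${script:javascript:1+1}"):
        try:
            substitute(bad)
        except (PermissionError, ValueError) as e:
            print(f"rejected {bad!r}: {e}")
```

Running the module prints the rendered fragment and then the three rejections: an absolute path and a traversal path both fail the containment check before any read happens, and an unknown prefix fails before its argument is even parsed, which is the behaviour you want from a feature that is supposed to be safe precisely because it is not the full default lookup set.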
jetersen commented, May 31, 2020 (0 reactions)

Ah, I would need to use a different BenchmarkMode; luckily there are annotations for that.
