使用 Jenkins 凭据插件以纯文本形式显示密码

Question

我正在尝试使用 Jenkins Credentials 插件来获取用户输入并在 Jenkinsfile 中使用它进行处理。由于密码字段非常敏感，我希望凭据插件可以屏蔽密码，使其不显示在控制台输出中。但是似乎密码以纯文本显示。我注意到一个现有的问题https://issues.jenkins-ci.org/browse/JENKINS-38181，它讨论了 withCredentials 块之外的 echo 语句以纯文本形式显示密码，这是预期的。但在我的情况下，即使是 withCredentials 块中的 echo 语句也可以简单地显示。

我在这里做错了吗？我应该避免使用 echo 吗？

凭据绑定插件：1.12
凭据插件：2.1.16

 node('someagent') {
    stage 'input'
    def userNameInput = input(
        id: 'UserName', message: 'input your username: ', ok: 'ok', parameters: [string(defaultValue: 'user', description: '.....', name: 'DB_USER')]
    )
    def userPasswordInput = input(
        id: 'Password', message: 'input your password: ', ok: 'ok', parameters: [string(defaultValue: 'password', description: '.....', name: 'DB_PASS')]
    )
    withCredentials(bindings: [usernamePassword(credentialsId: 'CREDS', usernameVariable: userNameInput, variable: userPasswordInput)]) {
     echo ("My Username: ${userNameInput}")
     echo ("My Password: ${userPasswordInput}")
    }
}

控制台输出：

[Pipeline] {
[Pipeline] stage (input)
Using the ‘stage’ step without a block argument is deprecated
Entering stage input
Proceeding
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
My Username: user
[Pipeline] echo
My Password: password
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

Answer 1

您没有正确理解 withCredentials 的用法。使用withCredentials时，表示已将凭据添加到Jenkins中，withCredentials可以将用户和密码值提取到Shell变量中，然后您可以通过引用Shell变量来使用它们。

因此无法将用户和密码提取到您预定义的 Groovy 变量中。

withCredentials的正确用法：

withCredentials([usernamePassword(
    credentialsId: 'CREDS', // the CREDS should be exist in Jenkins
    passwordVariable: 'pwd', // you need to use a string, not a Groovy variable
    usernameVariable: 'user') // you need to use a string, not a Groovy variable
]) {
    sh '''
    echo UserName: ${user} // the user and pwd injected into Shell Context as Environment variable
    echo Password: ${pwd} // will show as *** in jenkins console
    '''

    // If you user `"` or `"""` to wrapper a string, 
    // Groovy will execute string substitution with Groovy variable if 
    // same name variable exist in Groovy Context
    // otherwise the string keep nothing change

    sh """
     echo ${user} 
     echo ${pwd}  // will show as *** in jenkins console
    """
    // because the user and pwd not exist Groovy context
    // so substitution will fail and the string keep no change
    // then execute the string in Shell by sh(), 
    // the user and pwd can be found in Shell context
}

实际上，您下面的代码将首先通过 Groovy 执行字符串替换。 这就是为什么您在詹金斯控制台中看到密码以纯文本显示的原因

 echo ("My Username: ${userNameInput}") 
 echo ("My Password: ${userPasswordInput}")

 // because userNameInput and userPasswordInput exist in Groovy variables,
 // so the ${userNameInput} and ${userPasswordInput} will be replaced to
 // the value of Groovy variables before echo, as result ${userNameInput}
 // and ${userPasswordInput} used variable from Groovy, rather then from Shell