security & authorization

• security

  • get securityRealm

• authorization strategy

  • decrypt credentials.xml

  • list all Jenkins supported authorization permissions

  • get current authorization strategy class

  • get raw authorization and permissions info

  • ProjectMatrixAuthorizationStrategy

  • add new configurations according to Map structure

  • RoleBasedAuthorizationStrategy

• crumb issuer

  • get crumb issuer

  • set crumb issuer

  • clean up all pending Async Resource Disposers items

  • get crumb via cmd

• credential

  • list all credentials

  • StandardUsernamePasswordCredentials

  • BasicSSHUserPrivateKey

  • CertificateCredentials

  • SystemCredentialsProvider

  • vault

  • encrypt/decrypt password

• tricky

  • Access granted with Overall/SystemRead

  • Access granted with Overall/Manage

security

[!NOTE|label:references:]

• getJavaSecurityAlgorithmReport.groovy

get securityRealm

import hudson.security.*
import jenkins.security.*
import jenkins.model.Jenkins

def jenkins = jenkins.model.Jenkins.instance
println jenkins.securityRealm
println jenkins.authorizationStrategy


// -- result --
// hudson.security.LDAPSecurityRealm@7d090e41
// hudson.security.ProjectMatrixAuthorizationStrategy@6d51bb9d

authorization strategy

reference:

• hudson.security.Permission

• hudson.security.ProjectMatrixAuthorizationStrategy

• matrix-auth-plugin/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java

• How to add permission in GlobalMatrixAuthorizationStrategy through the groovy - for hudson.sercurity.item.Move

• Jenkins : Grant Cancel Permission for user and group that have Build permission

• Accessing and dumping Jenkins credentials

decrypt credentials.xml

[!NOTE|label:references:]

• How to decrypt Jenkins passwords from credentials.xml?

• tweksteen/jenkins-decrypt

• menski/jenkins-decrypt.py

hudson.util.Secret.fromString('{..string..}').getPlainText()
// or
hudson.util.Secret.fromString('{..string..}').getEncryptedValue()

• example

  hudson.util.Secret.fromString('{AQAAABAAAAAQszhBK4LXdjzjqP/7w8yQWbD4+Kf1ql4XnYEnPUyvP2o=}').getPlainText()
  // 123456

list all Jenkins supported authorization permissions

hudson.security.Permission.getAll().each { p ->
  println "${p.name} :" +
          "\n\t${p.id} : ${p.description}"
}

• better one

  import hudson.security.GlobalMatrixAuthorizationStrategy
  import hudson.security.Permission
  import hudson.security.ProjectMatrixAuthorizationStrategy
  import jenkins.model.Jenkins
  
  String shortName( Permission p ) {
    Map<String, String> replacement = [
                   'Hudson' : 'Overall' ,
                 'Computer' : 'Agent'   ,
                     'Item' : 'Job'     ,
      'CredentialsProvider' : 'Credentials'
    ]
    p.id
     .tokenize('.')[-2..-1]
     .collect { replacement.get(it) ?: it }
     .join(' ')
  }
  
  Map<String, Permission> permissionIds = Permission.all.findAll { permission ->
    List<String> nonConfigurablePerms = ['RunScripts', 'UploadPlugins', 'ConfigureUpdateCenter']
    permission.enabled &&
      ! permission.id.startsWith('hudson.security.Permission') &&
      ! nonConfigurablePerms.any { permission.id.endsWith(it) }
  }.collect { permission ->
    [ (shortName(permission)): permission ]
  }.sum()
  
  // show result
  println permissionIds.collect { it.key + ' : ' + it.value.id }.join ('\n')
  
  'DONE'

get current authorization strategy class

import hudson.model.*
import hudson.security.*

Hudson instance = jenkins.model.Jenkins.instance
def strategy    = instance.getAuthorizationStrategy()
println strategy.getClass()

// result
// class hudson.security.ProjectMatrixAuthorizationStrategy

get raw authorization and permissions info

jenkins.model.Jenkins.instance
       .authorizationStrategy
       .grantedPermissions
       .collect{ p, u -> [ (p.id), u ] }

• or

  jenkins.model.Jenkins.instance
         .authorizationStrategy
         .grantedPermissions
         .each { p, u -> println "\n${p} :\n\t${u}" }

ProjectMatrixAuthorizationStrategy

grant permission to user

import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.security.Permission
import hudson.security.ProjectMatrixAuthorizationStrategy
import jenkins.model.Jenkins

ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
String id   = 'hudson.model.Hudson.Administer'
String user = 'marslo'
authorizationStrategy.add( Permission.fromId(id), user )

// save strategy
jenkins.model.Jenkins.instance.authorizationStrategy = authorizationStrategy
jenkins.model.Jenkins.instance.save()

add new configurations according to Map structure

create new instance

• new

  import hudson.security.*
  ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()

• via getAuthorizationStrategy

  import hudson.model.*
  import hudson.security.*
  
  def strategy = jenkins.model.Jenkins.instance.getAuthorizationStrategy()
  def authorizationStrategy = strategy.class.newInstance()

• new instance from name

  String instanceName = 'hudson.security.ProjectMatrixAuthorizationStrategy'
  def strategy = Class.forName(instanceName).newInstance()
  println strategy.class
  
  // -- result --
  // class hudson.security.ProjectMatrixAuthorizationStrategy

• get groups list

  import hudson.model.*
  import hudson.security.*
  
  ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
  println authorizationStrategy.getGroups()

RoleBasedAuthorizationStrategy

add 'admin' user to all permissions

import hudson.*
import hudson.security.*
import jenkins.model.*
import java.util.*
import com.michelin.cio.hudson.plugins.rolestrategy.*
import com.synopsys.arc.jenkins.plugins.rolestrategy.*
import java.lang.reflect.*
import java.util.logging.*
import groovy.json.*

import jenkins.*
import com.michelin.cio.hudson.plugins.rolestrategy.*

String admin = 'admin'

// turn security on
RoleBasedAuthorizationStrategy authorizationStrategy = new RoleBasedAuthorizationStrategy()
// ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
jenkins.model.Jenkins.instance.setAuthorizationStrategy(authorizationStrategy)

Constructor[] constrs = Role.class.getConstructors()
constrs.each { Constructor c -> c.setAccessible(true) }

Method assignRoleMethod = RoleBasedAuthorizationStrategy.class.getDeclaredMethod( "assignRole", String.class, Role.class, String.class )
assignRoleMethod.setAccessible( true )
Set<Permission> adminPermissions = new HashSet<Permission>()
hudson.security.Permission.getAll(){ adminPermissions.add(Permission.fromId(it) }
Role adminRole = new Role( admin, adminPermissions )
authorizationStrategy.addRole( RoleBasedAuthorizationStrategy.GLOBAL, adminRole )

crumb issuer

[!NOTE|label:references:]

• hudson.security.csrf.CrumbIssuer

• ivan-pinatti/jenkins-set-default-crumb-issuer.groovy

get crumb issuer

import hudson.security.csrf.DefaultCrumbIssuer

DefaultCrumbIssuer issuer = jenkins.model.Jenkins.instance.crumbIssuer
String jenkinsCrumb = "${issuer.crumbRequestField}:${issuer.crumb}"
println jenkinsCrumb

// Jenkins-Crumb:b8a9cd5***********

set crumb issuer

import jenkins.model.Jenkins

Jenkins jenkins = jenkins.model.Jenkins.instance
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))
jenkins.save()

clean up all pending Async Resource Disposers items

import org.jenkinsci.plugins.resourcedisposer.AsyncResourceDisposer
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.Stapler

AsyncResourceDisposer disposer = AsyncResourceDisposer.get()
backlog = disposer.getBacklog()

stap = Stapler
resp = stap.getCurrentResponse()

disposer.backlog.each { item ->
  disposer.doStopTracking( item.id, resp )
}

• or via curl

  import org.jenkinsci.plugins.resourcedisposer.AsyncResourceDisposer
  import org.jenkinsci.plugins.strictcrumbissuer.StrictCrumbIssuer
  
  AsyncResourceDisposer disposer = AsyncResourceDisposer.get()
  StrictCrumbIssuer issuer = jenkins.model.Jenkins.instance.crumbIssuer
  String jenkinsCrumb = "${issuer.crumbRequestField}:${issuer.crumb}"
  String url = jenkins.model.Jenkins.instance.rootUrl + disposer.url
  
  disposer.getBacklog().each { item ->
    println "\n${item.id} : \t${url}/stopTracking/?id=${item.id} : \t${item.class.simpleName} : \n" +
            "\t${item.getLastState().getDisplayName()} : \n" +
            "\t${item.getDisposable().node} : ${item.getDisposable().path}\n" +
            "\t${item.toString()}"
    println "removeing ${item.id} : "
    [ 'bash', '-c', 'curl -v -s ' +
                         '-u <user>:<token> ' +
                         '-X POST ' +
                         "-H \"Content-Type: application/json\" " +
                         "-H \"Accept: application/json\" " +
                         "-H \"${jenkinsCrumb}\" " +
                         "${url}/stopTracking/?id=${item.id} "
    ].execute().with{
      def stdout = new StringBuffer()
      def stderr = new StringBuffer()
      it.waitForProcessOutput( stdout, stderr )
      println "EXIT CODE: ${it.exitValue()}"
      println "ERROR: ${stderr}"
      println "OUTPUT: ${stdout}"
    }
  }

get crumb via cmd

[!TIP|local:references:]

• CSRF Protection Explained

• curl

  # after 2.176.2
  $ SERVER="https://localhost:8080"
  $ COOKIEJAR="$(mktemp)"
  $ CRUMB=$(curl -u "admin:admin" -s --cookie-jar "$COOKIEJAR" "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")
  
  # verify
  $ echo $CRUMB
  Jenkins-Crumb:786**********************************************************932
  
  # trigger a build
  $ curl -X POST \
         -u "admin:admin" \
         --cookie "$COOKIEJAR" \
         -H "$CRUMB" \
         https://${SERVER}/job/sandbox/build
  
  # to run script
  $ curl -d "script=System.getProperties()" \
         -u "admin:admin" \
         --cookie "$COOKIEJAR" \
         -H "$CRUMB" \
         https://${SERVER}/scriptText

• via wget

  # after 2.176.2
  $ SERVER="https://localhost:8080"
  $ COOKIEJAR="$(mktemp)"
  $ CRUMB="$(wget --quiet --user=admin --password=admin --auth-no-challenge --save-cookies "$COOKIEJAR" --keep-session-cookies -q --output-document - "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")"
  $ wget --user=admin --password=admin \
         --auth-no-challenge \
         --load-cookies "$COOKIEJAR" \
         --header="$CRUMB" \
         --post-data="" \
         --quiet \
         "$SERVER"/job/someJob/build

credential

references:

• * Setting Jenkins Credentials with Groovy

• * addCredentials : hayderimran7/Jenkins_ssh_groovy.md

• * Jenkins Credentials Store Access via Groovy

• * Adding Google Service Account Credentials by a groovy script

• * Fetch the domain for each credential returned in a job template.

• * update username/password crednetial

• * How to update credentials of specific folder in Jenkins using Groovy script?

• Extension Points defined in Credentials Plugin

• CredentialsProvider.java

• Jenkins Pipelines: How to use withCredentials() from a shared-variable script

• Jenkins Credentials Store Access via Groovy

• How to get android signing certificate back from jenkins plugin

• Go Decrypt Jenkins

• * Jenkins: Decrypting all passwords in credentials.xml (via Jenkins execution console)

• How to get android signing certificate back from jenkins plugin

• bstapes/jenkins-decrypt

• * How to decrypt Jenkins passwords from credentials.xml?

• update Jenkins credentials by script

• Accessing and dumping Jenkins credentials

[!TIP|label:something else :]

• kubernetes-credentials-provider-plugin

• scripts:

  • * tuxfight3r/jenkins-decrypt.groovy

  • * menski/jenkins-decrypt.py

  • addCredentials.groovy

  • changeCredentialPassword.groovy

  • credentials-migration

  • list-credential.groovy

api :

• com.cloudbees.plugins.credentials

  • CertificateCredentials

  • DomainRestrictedCredentials

  • IdCredentials

  • PasswordCredentials

  • StandardCertificateCredentials

  • StandardCredentials

  • StandardUsernameCredentials

  • StandardUsernamePasswordCredentials

  • UsernameCredentials

  • UsernamePasswordCredentials

  • VaultUsernamePasswordCredential

list all credentials

import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
import com.cloudbees.plugins.credentials.SystemCredentialsProvider

CredentialsProvider.lookupCredentials( StandardCredentials.class, jenkins.model.Jenkins.instance)
                   .sort{ it.id }
                   .each{
                     switch( it.class.simpleName ) {
                       case 'BasicSSHUserPrivateKey' :
                         println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                            scope : ${it.scope}
                                                         username : ${it.username}
                                                      description : ${it.description}
                                          privateKeysLastModified : ${it.privateKeysLastModified}
                                                   usernameSecret : ${it.usernameSecret ?: 'false'}
                                                      privateKeys : ${it.privateKeys.join('\n')}
                          """
                         break;

                       case 'CertificateCredentialsImpl' :
                          println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                            scope : ${it.scope}
                                                         password : ${it.password}
                                                      description : ${it.description}
                                                    keyStore.type : ${it.keyStore.type}
                                     keyStoreSource.keyStoreBytes : ${it.keyStoreSource.keyStoreBytes}
                             keyStoreSource.uploadedKeystoreBytes : ${it.keyStoreSource.uploadedKeystoreBytes}

                                                       properties : ${it.properties}
                                              properties.password : ${it.properties.password}
                                         properties.passwordEmpty : ${it.properties.passwordEmpty}
                                         properties.keyStore.type : ${it.properties.keyStore.type}
                          """
                         break;
                       case 'StringCredentialsImpl' :
                         println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                           secret : ${it.secret}
                                                      description : ${it.description}
                                                            scope : ${it.scope}
                        """
                         break;

                       case 'UsernamePasswordCredentialsImpl' :
                         println """
                                                             type : ${it.class.simpleName}
                                                               id : ${it.id}
                                                         username : ${it.username}
                                                         password : ${it.password}
                                                      description : ${it.description}
                                                   usernameSecret : ${it.usernameSecret ?: 'false'}
                         """
                         break;
                     }
                   }

• with vault

  import com.cloudbees.plugins.credentials.common.StandardCredentials
  import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
  import com.cloudbees.plugins.credentials.CredentialsProvider
  import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
  import com.cloudbees.plugins.credentials.SystemCredentialsProvider
  import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredential
  import com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential
  import com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl
  import com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl
  
  CredentialsProvider.lookupCredentials( StandardCredentials.class, jenkins.model.Jenkins.instance)
                     .sort{ it.id }
                     .each{
                       switch( it.class.simpleName ) {
                         case 'BasicSSHUserPrivateKey' :
                           println """
                                                               type : ${it.class.simpleName}
                                                                 id : ${it.id}
                                                              scope : ${it.scope}
                                                           username : ${it.username}
                                                        description : ${it.description}
                                            privateKeysLastModified : ${it.privateKeysLastModified}
                                                     usernameSecret : ${it.usernameSecret ?: 'false'}
                                                        privateKeys : ${it.privateKeys.join('\n')}
                            """
                           break;
  
                         case 'CertificateCredentialsImpl' :
                            println """
                                                               type : ${it.class.simpleName}
                                                                 id : ${it.id}
                                                              scope : ${it.scope}
                                                           password : ${it.password}
                                                        description : ${it.description}
                                                      keyStore.type : ${it.keyStore.type}
                                       keyStoreSource.keyStoreBytes : ${it.keyStoreSource.keyStoreBytes}
                               keyStoreSource.uploadedKeystoreBytes : ${it.keyStoreSource.uploadedKeystoreBytes}
  
                                                         properties : ${it.properties}
                                                properties.password : ${it.properties.password}
                                           properties.passwordEmpty : ${it.properties.passwordEmpty}
                                           properties.keyStore.type : ${it.properties.keyStore.type}
                            """
                           break;
                         case 'StringCredentialsImpl' :
                           println """
                                                               type : ${it.class.simpleName}
                                                                 id : ${it.id}
                                                             secret : ${it.secret}
                                                        description : ${it.description}
                                                              scope : ${it.scope}
                          """
                           break;
  
                         case 'UsernamePasswordCredentialsImpl' :
                           println """
                                                               type : ${it.class.simpleName}
                                                                 id : ${it.id}
                                                           username : ${it.username}
                                                           password : ${it.password}
                                                        description : ${it.description}
                                                     usernameSecret : ${it.usernameSecret ?: 'false'}
                           """
                           break;
  
                         case 'VaultUsernamePasswordCredentialImpl' :
                           println """
  
                                                               type : ${it.class.simpleName}
                                                      engineVersion : ${it.engineVersion}
                                                                id  : ${it.id}
                                                              scope : ${it.scope}
                                                        description : ${it.description}
                                                        displayName : ${it.displayName}
                                                               path : ${it.path}
                                                        usernameKey : ${it.usernameKey}
                                                           username : ${it.username}
                                                        passwordKey : ${it.passwordKey}
                                                           password : ${it.password}
                                                     usernameSecret : ${it.usernameSecret ?: 'false'}
                           """
                           break;
  
                         case 'VaultAppRoleCredential':
                           println """
                                                               type : ${it.class.simpleName}
                                                                 id : ${it.id}
                                                             roleId : ${it.roleId}
                                                           secretId : ${it.secretId}
                                                               path : ${it.path}
                                                          namespace : ${it.namespace}
                                                              scope : ${it.scope}
                                                        description : ${it.description}
                           """
                           break;
  
                         case 'VaultSSHUserPrivateKeyImpl':
                           println """
                                                               type : ${it.class.simpleName}
                                                      engineVersion : ${it.engineVersion}
                                                                 id : ${it.id}
                                                              scope : ${it.scope}
                                                        description : ${it.description}
                                                        displayName : ${it.displayName}
                                                     usernameSecret : ${it.usernameSecret ?: 'false'}
                                                        usernameKey : ${it.usernameKey}
                                                           username : ${it.username}
                                                      privateKeyKey : ${it.privateKeyKey}
                                                        privateKeys : ${it.privateKeys.join('\n')}
                                                      passphraseKey : ${it.passphraseKey}
                                                         passphrase : ${ it.passphrase}
                           """
                           break;
  
                         case 'VaultStringCredentialImpl':
                           println """
                                                               type : ${it.class.simpleName}
                                                      engineVersion : ${it.engineVersion}
                                                                 id : ${it.id}
                                                        displayName : ${it.displayName}
                                                        description : ${it.description}
                                                         prefixPath : ${it.prefixPath}
                                                               path : ${it.path}
                                                             secret : ${it.secret}
                                                           valutKey : ${it.vaultKey}
                           """
                           break;
                       }
                      }

• * or

  import com.cloudbees.plugins.credentials.CredentialsProvider
  import com.cloudbees.plugins.credentials.Credentials
  import com.cloudbees.plugins.credentials.domains.Domain
  import jenkins.model.Jenkins
  
  Closure indent = { String text, int indentationCount ->
    text.replaceAll( "(?m)^", "\t" * indentationCount )
  }
  
  Jenkins.get().allItems().collectMany{ CredentialsProvider.lookupStores(it).toList() }.unique().forEach { store ->
    Map<Domain, List<Credentials>> domainCreds = [:]
    store.domains.each { domainCreds.put(it, store.getCredentials(it))}
    if ( domainCreds.collectMany{it.value}.empty ) {
      return
    }
    def shortenedClassName = store.getClass().name.substring(store.getClass().name.lastIndexOf(".") + 1)
    println "Credentials for store context: ${store.contextDisplayName}, of type $shortenedClassName"
    domainCreds.forEach { domain , creds ->
      println indent( "Domain: ${domain.name}", 1 )
      creds.each { cred ->
        cred.properties.each { prop, val ->
          println indent( "$prop = \"$val\"", 2 )
        }
        println indent( '-----------------------', 2 )
      }
    }
  }

StandardUsernamePasswordCredentials

import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider

List<StandardUsernamePasswordCredentials> creds = CredentialsProvider.lookupCredentials(
  StandardUsernamePasswordCredentials.class,
  jenkins.model.Jenkins.instance
)

creds.sort{it.id}.each {
  println """
                id : ${it.id}
          username : ${it.username}
          password : ${it.password}
       description : ${it.description}
    usernameSecret : ${it.usernameSecret ?: 'false'}
  """
}

'DONE'

BasicSSHUserPrivateKey

import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;

List<BasicSSHUserPrivateKey> creds = CredentialsProvider.lookupCredentials(
  SSHUserPrivateKey.class ,                         // or BasicSSHUserPrivateKey.class
  jenkins.model.Jenkins.instance
).sort{ it.id }
 .each {
    println """
                        id  : ${it.id}
                      scope : ${it.scope}
                  username  : ${it.username}
               description  : ${it.description}
    privateKeysLastModified : ${it.privateKeysLastModified}
            usernameSecret  : ${it.usernameSecret ?: 'false'}
               privateKeys  : ${it.privateKeys.join('\n')}
    """
 }

CertificateCredentials

import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.CertificateCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.SecretBytes
import com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl

CredentialsProvider.lookupCredentials(
  CertificateCredentials.class,
  jenkins.model.Jenkins.instance
).sort{ it.id }
 .each {
    SecretBytes secretKey = it.properties.keyStoreSource.uploadedKeystoreBytes
    println """
                       id : ${it.id}
                 password : ${it.password}
              description : ${it.description}
                    scope : ${it.scope}
            keyStore.type : ${it.properties.keyStore.type}
      SecretBytes.decrypt : ${SecretBytes.decrypt(it.keyStoreSource.keyStoreBytes)}
           encryptedValue : ${hudson.util.Secret.fromString(secretKey.toString()).encryptedValue}
                plainData : ${new String(SecretBytes.fromString(secretKey.toString()).getPlainData(), "ASCII")}
    """
}

'DONE'

SystemCredentialsProvider

import com.cloudbees.plugins.credentials.SystemCredentialsProvider

SystemCredentialsProvider systemCredentialsProvider = jenkins.model.Jenkins.instance.getExtensionList(
  'com.cloudbees.plugins.credentials.SystemCredentialsProvider'
).first()

systemCredentialsProvider.credentials.each {
  println """
             id : ${it.id}
    description : ${it.description}
          scope : ${it.scope}
         secret : ${it.secret}
  """
}

'DONE'

vault

[!NOTE|label:references:]

• scripts:

  • vaultTokenCredential.groovy

VaultAppRoleCredential

[!NOTE|label:references:]

• scripts

  • vaultAppRoleCredential.groovy

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential

List<VaultAppRoleCredential> creds = CredentialsProvider.lookupCredentials(
  VaultAppRoleCredential.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
             type : ${it.class.simpleName}
            scope : ${it.scope}
    engineVersion : ${it.engineVersion}
               id : ${it.id}
      description : ${it.description}
        namespace : ${it.namespace}
             path : ${it.path}
         secretId : ${it.secretId}
           roleId : ${it.roleId}
  """
}

'DONE'

VaultUsernamePasswordCredential

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredential

List<VaultUsernamePasswordCredential> creds = CredentialsProvider.lookupCredentials(
  VaultUsernamePasswordCredential.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
              type : ${it.class.simpleName}
             scope : ${it.scope}
     engineVersion : ${it.engineVersion}
                id : ${it.id}
       description : ${it.description}
              path : ${it.path}
       usernameKey : ${it.usernameKey}
          username : ${it.username}
       passwordKey : ${it.passwordKey}
          password : ${it.password}
    usernameSecret : ${it.usernameSecret ?: 'false'}
  """
}

'DONE'

VaultUsernamePasswordCredentialImpl

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl

List<VaultUsernamePasswordCredentialImpl> creds = CredentialsProvider.lookupCredentials(
  VaultUsernamePasswordCredentialImpl.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
              type : ${it.class.simpleName}
     engineVersion : ${it.engineVersion}
               id  : ${it.id}
             scope : ${it.scope}
       description : ${it.description}
       displayName : ${it.displayName}
              path : ${it.path}
       usernameKey : ${it.usernameKey}
          username : ${it.username}
       passwordKey : ${it.passwordKey}
          password : ${it.password}
    usernameSecret : ${it.usernameSecret ?: 'false'}
  """
}

'DONE'

VaultSSHUserPrivateKeyImpl

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl

List<VaultSSHUserPrivateKeyImpl> creds = CredentialsProvider.lookupCredentials(
  VaultSSHUserPrivateKeyImpl.class,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
               type : ${it.class.simpleName}
              scope : ${it.scope}
      engineVersion : ${it.engineVersion}
                 id : ${it.id}
        description : ${it.description}
        displayName : ${it.displayName}
     usernameSecret : ${it.usernameSecret ?: 'false'}
        usernameKey : ${it.usernameKey}
           username : ${it.username}
      privateKeyKey : ${it.privateKeyKey}
        privateKeys : ${it.privateKeys.collect{ it.trim() }}
         privateKey : ${it.privateKey}
      passphraseKey : ${it.passphraseKey}
         passphrase : ${ it.passphrase}
  """
}

'DONE'

VaultStringCredentialImpl

import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl

List<VaultStringCredentialImpl> creds = CredentialsProvider.lookupCredentials(
  VaultStringCredentialImpl.class ,
  jenkins.model.Jenkins.instance
).sort{ it.id }

creds.each {
  println """
             type : ${it.class.simpleName}
    engineVersion : ${it.engineVersion}
            scope : ${it.scope}
               id : ${it.id}
      description : ${it.description}
      displayName : ${it.displayName}
       prefixPath : ${it.prefixPath}
             path : ${it.path}
         valutKey : ${it.vaultKey}
           secret : ${it.secret}
  """
}

'DONE'

encrypt/decrypt password

import hudson.util.Secret

String original  = 'marslo'
Secret secret    = Secret.fromString( original )
String encrypted = secret.getEncryptedValue()
Secret decrypted = Secret.decrypt( encrypted )

println """
   original : ${original}
  encrypted : ${encrypted}
  decrypted : ${decrypted}
"""

//   original : marslo
//  encrypted : {AQAAABAAAAAQyF78QAdq9bWCAeUi1VdYO7cB0CfG29KrvwZUU506zig=}
//  decrypted : marslo

• or

  println hudson.util.Secret.fromString('marslo').getEncryptedValue()
  println hudson.util.Secret.decrypt( hudson.util.Secret.fromString('marslo').getEncryptedValue()
  
  // {AQAAABAAAAAQfwTdrtsFbS2MyOOA3kuO01p21CsVsSIpZg9FE1TMlMQ=}
  // marslo

tricky

Access granted with Overall/SystemRead

This permission can be enabled by setting the system property jenkins.security.SystemReadPermission to true or installing the Extended Read Permission plugin.

Access granted with Overall/Manage

This permission can be enabled by setting the system property jenkins.security.ManagePermission to true or installing the Overall/Manage permission enabler plugin.