Jenkins 凭证字符串插值

问题描述 投票:0回答:1

我有一个 Jenkins 管道,它使用凭据来验证来自网站的 

GET
请求。我想防止敏感的环境变量被 Groovy 字符串插值泄露。

按照 Jenkins 用户手册的建议,

Jenkinsfile
将是:

pipeline {
    agent any
    environment {
        EXAMPLE_CREDS = credentials('example-credentials-id')
    }
    stages {
        stage('Example') {
            steps {
                sh('curl -u $EXAMPLE_CREDS_USR:$EXAMPLE_CREDS_PSW https://example.com/')
            }
        }
    }
}

这适用于 URL 固定的情况,但我希望我的 URL 包含变量(请参阅下面代码片段中的 

${EXTENSION}
)。

    environment {
        EXAMPLE_CREDS = credentials('example-credentials-id')
        EXTENSION     = 'url/extended/'
    }
    stages {
        stage('Example') {
            steps {
                sh('curl -u $EXAMPLE_CREDS_USR:$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}')
            }
        }

问题是 Groovy 解释器在运行时不会将 

${EXTENSION}
替换为 
url/extended/
。 Jenkins 日志中的输出是:

 + curl -u ****:**** https://example.com/${EXTENSION}

我尝试用 withCredentials 块替换凭据环境变量,并将命令周围的撇号替换为引号,

    environment {
        EXTENSION     = 'url/extended/'
    }
    stages {
        stage('Example') {
            withCredentials([usernamePassword(credentialsId: "example-credentials-id", passwordVariable: "EXAMPLE_CREDS_PSW ", usernameVariable: "EXAMPLE_CREDS_USR")]) {
                steps {
                sh("curl -u $EXAMPLE_CREDS_USR:$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}")
            }
        }

功能正常,但报告以下警告:

Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
         Affected argument(s) used the following variable(s): [EXAMPLE_CREDS_USR, EXAMPLE_CREDS_PSW, example-credentials-id]
         See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ curl -u ****:**** https://example.com/url/extended/

我的工作是编写一个 Jenkins 调用的 SH 脚本。 Jenkins 会将凭据作为输入参数传递,脚本将处理变量替换。

    environment {
        EXAMPLE_CREDS = credentials('example-credentials-id')
    }
    stages {
        stage('Example') {
            steps {
                sh('bash script.sh $EXAMPLE_CREDS_USR $EXAMPLE_CREDS_PSW')
            }
        }

是否有可能在 Jenkins 中继续完成这一壮举,还是外包是唯一的解决方案?

linux jenkins jenkins-pipeline jenkins-groovy credentials
1个回答
0
投票

请参阅 Stephan Wright 发布的问题。解决方案涉及使用引号并在凭据之前转义 

$
。两种可能的解决方案是

    environment {
        EXAMPLE_CREDS = credentials('example-credentials-id')
        EXTENSION     = 'url/extended/'
    }
    stages {
        stage('Example') {
            steps {
                sh("curl -u \$EXAMPLE_CREDS_USR:\$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}")
            }
        }


    environment {
        EXTENSION     = 'url/extended/'
    }
    stages {
        stage('Example') {
            withCredentials([usernamePassword(credentialsId: "example-credentials-id", passwordVariable: "EXAMPLE_CREDS_PSW ", usernameVariable: "EXAMPLE_CREDS_USR")]) {
                steps {
                sh("curl -u \$EXAMPLE_CREDS_USR:\$EXAMPLE_CREDS_PSW https://example.com/${EXTENSION}")
            }
        }

我的偏好是第一个解决方案,有利于保持“更平坦”的管道。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.