Hide password parameter passed by MavenModuleSet.setGoals

Bouiaw

Hide password parameter passed by MavenModuleSet.setGoals

Hi,

I am currently creating a patch for the m2release plugin that allows
the user to specify the SCM username and password when doing a release.

I have been doing this easily, but I have a blocking issue: the
password set with
mmSet.setGoals("-Dscm.password="+scmPassword) is printed in build logs:
Executing Maven:  -B -f D:\...\pom.xml -Dscm.password=zzzz
-Dscm.username=aaaa -Dresume=false release:prepare release:perform

I would like to pass the real value of the password to Maven but have
in logs something like -Dscm.password=*********

How to achieve this in Hudson?

Thanks in advance for your help, I think this feature could be useful
for a lot of Hudson users.

Regards,
Bouiaw

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Bouiaw

Re: Hide password parameter passed by MavenModuleSet.setGoals

Additional information about my issue, in order to give you more information ...

Currently the mmSet, where I have set my goals with the password, is
used as follows:

In the setUp of a BuildWrapper that returns an Environment instance:

mavenOpts = mmSet.getMavenOpts();
...
return new Environment() {
    @Override
    public void buildEnvVars(java.util.Map<String, String> env) {
        // Only set MAVEN_OPTS when the build has not already defined it
        if (mavenOpts != null && !env.containsKey("MAVEN_OPTS")) {
            env.put("MAVEN_OPTS", mavenOpts);
        }
    }
};

So my question may be: where could I have control to obfuscate logs
created from the Environment instance returned by the SetUp of a Builder?

On Sat, Oct 31, 2009 at 11:35 PM, Bouiaw <[hidden email]> wrote:

> Hi,
>
> I am currently creating a patch for the m2release plugin that allows
> the user to specify the SCM username and password when doing a release.
>
> I have been doing this easily, but I have a blocking issue: the
> password set with
> mmSet.setGoals("-Dscm.password="+scmPassword) is printed in build logs:
> Executing Maven:  -B -f D:\...\pom.xml -Dscm.password=zzzz
> -Dscm.username=aaaa -Dresume=false release:prepare release:perform
>
> I would like to pass the real value of the password to Maven but have
> in logs something like -Dscm.password=*********
>
> How to achieve this in Hudson?
>
> Thanks in advance for your help, I think this feature could be useful
> for a lot of Hudson users.
>
> Regards,
> Bouiaw
>


Bouiaw

Re: Hide password parameter passed by MavenModuleSet.setGoals

If someone knows it is not possible, let me know; I will try to patch
the Hudson logger to hide related parameters ...

On Sat, Oct 31, 2009 at 11:50 PM, Bouiaw <[hidden email]> wrote:

> Additional information about my issue, in order to give you more information ...
>
> Currently the mmSet, where I have set my goals with the password, is
> used as follows:
>
> In the setUp of a BuildWrapper that returns an Environment instance:
>
> mavenOpts = mmSet.getMavenOpts();
> ...
> return new Environment() {
>     @Override
>     public void buildEnvVars(java.util.Map<String, String> env) {
>         // Only set MAVEN_OPTS when the build has not already defined it
>         if (mavenOpts != null && !env.containsKey("MAVEN_OPTS")) {
>             env.put("MAVEN_OPTS", mavenOpts);
>         }
>     }
> };
>
> So my question may be: where could I have control to obfuscate logs
> created from the Environment instance returned by the SetUp of a Builder?

Bouiaw

Re: Hide password parameter passed by MavenModuleSet.setGoals

I am trying the user list in addition to the dev one, since my issue is
about plugin development, both may be relevant.

To summarize my concerns: I have developed a patch for the Hudson
m2release plugin that allows specifying the SCM username and password when
you make a build, in order to have no password in my project
configuration.

This plugin functionality works fine, and I will send the patch for
inclusion, but I have one remaining blocking issue: the password
passed with -Dpassword=foo is visible in logs !!!

So I would like to find a way to modify Hudson logging to replace
-Dpassword=foo by -Dpassword=*****.
I may be able to do a dirty patch for Hudson (override login class,
search -Dpassword=* and replace it by obfuscated one) but I think this
functionality may interest other people.

Could someone help me to do this?

Regards,
Bouiaw

On Tue, Nov 3, 2009 at 9:25 AM, Bouiaw <[hidden email]> wrote:

> If someone knows it is not possible, let me know; I will try to patch
> the Hudson logger to hide related parameters ...

Bouiaw

Fwd: Hide password parameter passed by MavenModuleSet.setGoals

Kohsuke,

Could you give me your advice on how to obfuscate the password in Hudson
logs as described below, please?

Regards,
Bouiaw

---------- Forwarded message ----------
From: Bouiaw <[hidden email]>
Date: Sat, Oct 31, 2009 at 11:35 PM
Subject: Hide password parameter passed by MavenModuleSet.setGoals
To: [hidden email]


Hi,

I am currently creating a patch for the m2release plugin that allows
the user to specify the SCM username and password when doing a release.

I have been doing this easily, but I have a blocking issue: the
password set with
mmSet.setGoals("-Dscm.password="+scmPassword) is printed in build logs:
Executing Maven:  -B -f D:\...\pom.xml -Dscm.password=zzzz
-Dscm.username=aaaa -Dresume=false release:prepare release:perform

I would like to pass the real value of the password to Maven but have
in logs something like -Dscm.password=*********

How to achieve this in Hudson?

Thanks in advance for your help, I think this feature could be useful
for a lot of Hudson users.

Regards,
Bouiaw


Kohsuke Kawaguchi

Re: Hide password parameter passed by MavenModuleSet.setGoals

I didn't follow the whole discussion, but passing in a password in a
command line argument is inherently insecure, as anyone can see them
with the ps command.

Why don't you pass it in through settings.xml or environment variable
MAVEN_OPTS? Those system properties are just as effective in
MAVEN_OPTS as in the command line options.

2009/11/12 Bouiaw <[hidden email]>:

> Kohsuke,
>
> Could you give me your advice on how to obfuscate the password in Hudson
> logs as described below, please?
>
> Regards,
> Bouiaw
>
> ---------- Forwarded message ----------
> From: Bouiaw <[hidden email]>
> Date: Sat, Oct 31, 2009 at 11:35 PM
> Subject: Hide password parameter passed by MavenModuleSet.setGoals
> To: [hidden email]
>
>
> Hi,
>
> I am currently creating a patch for the m2release plugin that allows
> the user to specify the SCM username and password when doing a release.
>
> I have been doing this easily, but I have a blocking issue: the
> password set with
> mmSet.setGoals("-Dscm.password="+scmPassword) is printed in build logs:
> Executing Maven:  -B -f D:\...\pom.xml -Dscm.password=zzzz
> -Dscm.username=aaaa -Dresume=false release:prepare release:perform
>
> I would like to pass the real value of the password to Maven but have
> in logs something like -Dscm.password=*********
>
> How to achieve this in Hudson?
>
> Thanks in advance for your help, I think this feature could be useful
> for a lot of Hudson users.
>
> Regards,
> Bouiaw



--
Kohsuke Kawaguchi


Bouiaw

Re: Hide password parameter passed by MavenModuleSet.setGoals

Hi,

You can find all details in
http://n4.nabble.com/Hide-password-parameter-passed-by-MavenModuleSet-setGoals-td395175.html#a395175

My goal is to pass as dynamic parameters (input fields used when the
user runs a Maven release) login and password when doing a release
(http://maven.apache.org/plugins/maven-release-plugin/prepare-mojo.html),
since mvn release is based on native SCM tools installed on the
machine.

Settings.xml is not dynamic so I can't use it.

Maybe using MAVEN_OPTS as you proposed is a good option, but it seems
to me that's already the case. From what I see from my code, it is the
content of mavenOpts put in the Environment instance that is currently
printed in logs :
...
mmSet.setGoals("-Dscm.password="+scmPassword);
...
mavenOpts = mmSet.getMavenOpts();
...
return new Environment() {
    @Override
    public void buildEnvVars(java.util.Map<String, String> env) {
        // Only set MAVEN_OPTS when the build has not already defined it
        if (mavenOpts != null && !env.containsKey("MAVEN_OPTS")) {
            env.put("MAVEN_OPTS", mavenOpts);
        }
    }
};

How could I use dynamically generated MAVEN_OPTS without printing it in
the logs on the Hudson side (Maven already obfuscates the password value)?

Regards,
Bouiaw

On Fri, Nov 13, 2009 at 3:43 PM, Kohsuke Kawaguchi <[hidden email]> wrote:

> I didn't follow the whole discussion, but passing in a password in a
> command line argument is inherently insecure, as anyone can see them
> with the ps command.
>
> Why don't you pass it in through settings.xml or environment variable
> MAVEN_OPTS? Those system properties are just as effective in
> MAVEN_OPTS as in the command line options.
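
An added illustration of the log masking asked for in this thread (not code from Hudson or the m2release plugin): a stand-alone Java filter stream that redacts secrets line by line before they reach the underlying log. The class and method names are hypothetical, and the sample log line is constructed from the one quoted in the first message.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical log filter: buffers one line at a time and redacts secrets before writing. */
public class SecretMaskingStream extends FilterOutputStream {
    // Matches -Dscm.password=..., -Dpassword=..., -Dgpg.passphrase=... up to the next whitespace.
    private static final Pattern SECRET_PROP = Pattern.compile(
        "(-D[\\w.]*(?:password|passphrase)[\\w.]*=)\\S+", Pattern.CASE_INSENSITIVE);
    private final ByteArrayOutputStream line = new ByteArrayOutputStream();
    private final List<String> literals;   // known secret values, masked wherever they appear

    public SecretMaskingStream(OutputStream out, List<String> literals) {
        super(out);
        this.literals = literals;
    }

    /** Masks secret-looking -D properties first, then any remaining literal secret value. */
    static String mask(String text, List<String> literals) {
        String masked = SECRET_PROP.matcher(text).replaceAll("$1********");
        for (String secret : literals)
            if (!secret.isEmpty()) masked = masked.replace(secret, "********");
        return masked;
    }

    @Override
    public void write(int b) throws IOException {
        line.write(b);
        if (b == '\n') flushLine();         // emit complete lines only, so a secret is not split
    }

    private void flushLine() throws IOException {
        String text = new String(line.toByteArray(), StandardCharsets.UTF_8);
        line.reset();
        out.write(mask(text, literals).getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void flush() throws IOException {
        if (line.size() > 0) flushLine();   // trailing partial line is masked as-is
        super.flush();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample based on the "Executing Maven" line quoted in the thread.
        String log = "Executing Maven:  -B -f pom.xml -Dscm.password=zzzz "
                   + "-Dscm.username=aaaa -Dresume=false release:prepare release:perform\n";
        try (SecretMaskingStream s = new SecretMaskingStream(System.out, List.of("zzzz"))) {
            s.write(log.getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

Masking only cleans the log output; as the reply above points out, a password placed on the Maven command line is still visible to anyone who can run ps on the build machine.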