-
Notifications
You must be signed in to change notification settings - Fork 725
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Helpers like readFile
in JCasC YAML Fails to Load Password from File
#2522
Comments
Anyone? |
Have you tried one of the many others ways to use secrets? Perhaps a properties file? 🤔 |
I don't know if securityRealm still allows plain text password so perhaps try bcrypt way: |
Very interesting. Using the properties file seems to work correctly only if I don't use other helpers. I don't like it much, but it might be enough for now. File /run/secrets/secrets.properties:
This will work: ...
securityRealm:
users:
- id: "${ADMIN_ID}"
name: "admin"
password: "${ADMIN_PASSWORD}"
... This will not: ...
securityRealm:
users:
- id: "${ADMIN_ID}"
name: "admin"
password: "${decodeBase64:${ADMIN_PASSWORD_B64_ENCODED}"
... In short, for now, the helpers provided here for the "password" property of "securityRealm" do not seem to work. Is this behaviour intended? |
Jenkins and plugins versions report
Environment
What Operating System are you using (both controller, and any agents involved in the problem)?
Controller Operating System:
Agent Operating System:
Reproduction steps
Bug Description
When using the readFile function in a JCasC YAML configuration file to load user credentials, the user ID is correctly loaded from the specified file, but the password is not. Both files exist and contain the expected values, and their paths are correctly referenced. This issue prevents proper configuration of user passwords via external files.
I have also tried using other helpers such as readFileBase64, base64, and decodeBase64, but none of these methods worked either. The login does not work, but if I provide the password via an environment variable, it works:
However, this is a temporary workaround and poses a significant security risk, so it needs to be changed as soon as possible.
YAML Configuration Example
Below is a simplified representation of the relevant part of the JCasC configuration file:
Docker compose file
Dockerfile
Docker:
Expected Results
Successfully load and authenticate user credentials using the password from /secrets/file-user-password.txt.
Actual Results
Attempts to login using the password from /secrets/file-user-password.txt using various methods (base64, readFile, decodeBase64, readFileBase64) have failed. The file paths are correct, and the files themselves contain the expected values. Even after trimming the file and ensuring there are no extraneous spaces or additional lines, the password loading issue persists.
Anything else?
No response
The text was updated successfully, but these errors were encountered: