Bamboo Specs and masked variables

In Bamboo plans we are able to mask plan variables with the "password" phrase in the variable name, so nobody will be able to see the content.

We are planning to move to Bamboo Specs and therefore plan variables will be defined in specs (Java API). How can we avoid exposing passwords in specs?

I was hoping to enter passwords later on using the UI, but plans created by spec are not editable with the UI.

 

3 answers

2 accepted

4 votes
Answer accepted
Foong Atlassian Team May 17, 2018

Use the following steps to get encrypted password

  1. Create a dummy plan in Bamboo manually through UI
  2. Add the password into the Plan Variable
  3. In the Plan Configuration view, click on Actions > View plan as Java Specs
  4. Look for the password variable - it will be shown in encrypted format

2 votes
Answer accepted

You can use the encrypted form of the variable value. Try to create a plan with a "secret" variable and export it to Java Specs; the "secret" variable will be encrypted. You can use this value in Specs code and store it in the repository. If you want to avoid storing the variable in encrypted form in code, use a Global variable.

Hi, @Alexey Chystoprudov @Foong

Great answer for masked variables. However, I tried this solution for task type 'Artifactory Generic Deploy', and it does not work. It seems that for this task type, it takes a readable password string instead of the encrypted form in the 'Deployer Password' field.

As we are checking Java spec code into source control, it is highly recommended that the readable password should NOT be part of the code. So, do we have a way to let this task type take an encrypted password? Or, alternatively, is there a way to call any existing functions (like what env var decryption does) to decrypt the password at run time? Or maybe there's another, better way to handle this case?

 

'Artifactory Generic Deploy' Task view through bamboo portal UI


Code snippet corresponding to field 'Deployer password'

    new Stage("Approval and Trigger file upload")
        .manual(true)
        .jobs(new Job("Approval And TF Artifactory Upload",
                new BambooKey("*****")) //masked info
            .tasks(new VcsCheckoutTask()
                    .description("Capture script from BB")
                    .checkoutItems(new CheckoutItem().defaultRepository()),
                new ScriptTask()
                    .description("Approval Notification")
                    .interpreter(ScriptTaskProperties.Interpreter.BINSH_OR_CMDEXE)
                    .location(ScriptTaskProperties.Location.FILE)
                    .fileFromPath("approvalMessage.sh")
                    .workingSubdirectory("jiraTFAutoGen"))
            .finalTasks(new AnyTask(new AtlassianModule("org.jfrog.bamboo.bamboo-artifactory-plugin:artifactoryGenericTask"))
                    .description("deliver trigger file to qa artifactory")
                    .configuration(new MapBuilder()
                        .put("artifactory.generic.publishBuildInfo", "true")
                        .put("bintrayConfiguration", "")
                        .put("bintray.licenses", "")
                        .put("bintray.repository", "")
                        .put("artifactory.generic.username", "******") //masked info
                        .put("artifactory.generic.specSourceChoice", "jobConfiguration")
                        .put("artifactory.generic.resolveRepo", "")
                        .put("artifactory.generic.deployPattern", "")
                        .put("artifactory.generic.envVarsExcludePatterns", "*password*,*secret*,*security*,*key*")
                        .put("bintray.signMethod", "false")
                        .put("builder.artifactoryGenericBuilder.artifactoryServerId", "0")
                        .put("bintray.subject", "")
                        .put("artifactory.generic.file", "")
                        .put("artifactory.generic.useSpecsChoice", "specs")
                        .put("bintray.packageName", "")
                        .put("artifactory.generic.includeEnvVars", "")
                        .put("artifactory.generic.artifactSpecs", "")
                        .put("artifactory.generic.password", "*************") //<------This is where the password is, it takes un-encrypted, plain text form
                        .put("bintray.mavenSync", "")
                        .put("artifactory.generic.jobConfiguration", "{****************}") //masked info
                        .put("baseUrl", "https://bamboo.********") //masked info
                        .put("artifactory.generic.envVarsIncludePatterns", "")
                        .put("artifactory.generic.resolvePattern", "")
                        .put("bintray.vcsUrl", "")
                        .put("builder.artifactoryGenericBuilder.deployableRepo", "AADEFrontEnd-ReleaseCandidates")
                        .put("bintray.gpgPassphrase", "/* SENSITIVE INFORMATION */")
                        .build())))

 

Thanks in advance for any help to be provided.

It's the responsibility of the plugin developer to store data in encrypted form in the DB and decrypt it at runtime. Contact the plugin vendor to fix this issue: https://www.jfrog.com/jira/projects/BAP/issues

Thanks for the direction Alex.
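
A pre-commit style check for the concern raised in this thread, added here as an example that is not part of any post above and is not Atlassian or JFrog code: it scans Specs source for sensitive-named variables or task settings whose value is a readable literal. The `BAMSCRT@` prefix for exported encrypted values, the name patterns, the treatment of `${bamboo...}` references as acceptable, and the sample input are assumptions of this example.

```python
import re
import sys

# Assumption: values encrypted by "View plan as Java Specs" start with this marker.
ENCRYPTED_PREFIX = "BAMSCRT@"
# Names treated as sensitive (a subset of the exclude patterns in the snippet above).
SENSITIVE_NAME = re.compile(r"password|secret|passphrase", re.IGNORECASE)
# A value that is only a Bamboo variable reference, e.g. ${bamboo.some.global}.
VARIABLE_REF = re.compile(r"\$\{bamboo\.[^}]+\}")
# Matches .put("name", "value") and new Variable("name", "value"), also across lines.
STRING = r'"((?:[^"\\]|\\.)*)"'
PAIR = re.compile(r'(?:\.put|new\s+Variable)\s*\(\s*' + STRING + r'\s*,\s*' + STRING + r'\s*\)')

def find_plaintext_secrets(java_source):
    """Return (line, name) for sensitive names whose value is a readable literal.
    The value itself is never returned, so findings are safe to log."""
    findings = []
    for match in PAIR.finditer(java_source):
        name, value = match.groups()
        if not SENSITIVE_NAME.search(name):
            continue
        if value == "" or value.startswith(ENCRYPTED_PREFIX) or VARIABLE_REF.fullmatch(value):
            continue
        line = java_source.count("\n", 0, match.start()) + 1
        findings.append((line, name))
    return findings

# Constructed sample input, not taken from a real plan.
SAMPLE = '''
new Variable("deploy.password", "BAMSCRT@0@0@CONSTRUCTEDciphertext==")
new Variable("release.branch", "main")
.put("artifactory.generic.username", "deployer")
.put("artifactory.generic.password", "constructed-plaintext")
.put("bintray.gpgPassphrase", "")
.put("db.secret", "${bamboo.db.secret}")
'''

if __name__ == "__main__":
    # Usage: python check_specs.py PlanSpec.java ... (exits 1 if anything is found)
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for line, name in find_plaintext_secrets(handle.read()):
                print(f"{path}:{line}: readable value for '{name}'")
                failed = True
    sys.exit(1 if failed else 0)
```
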
