
Bamboo Specs and masked variables

hmozaffari May 15, 2018

In Bamboo plans we are able to mask plan variables by including the phrase "password" in the variable name, so nobody will be able to see the content.

We are planning to move to Bamboo Specs, and therefore plan variables will be defined in specs (Java API). How can we avoid exposing passwords in specs?

I was hoping to enter passwords later on using UI but plans created by spec are not editable with UI.

 

3 answers

2 accepted

4 votes
Answer accepted
Foong
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 17, 2018

Use the following steps to get the encrypted password:

  1. Create a dummy plan in Bamboo manually through UI
  2. Add the password into the Plan Variable
  3. In the Plan Configuration view, click on Actions > View plan as Java Specs
  4. Look for the password variable - it will be shown in encrypted format
2 votes
Answer accepted
Alexey Chystoprudov
Atlassian Team
May 17, 2018

You can use the encrypted form of the variable value. Try creating a plan with a "secret" variable and export it to Java Specs; the "secret" variable will be encrypted. You can use this value in Specs code and store it in the repository. If you want to avoid storing the variable in encrypted form in code, use a Global variable.
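Added example, not code from either answer or from Atlassian: a minimal Specs class that applies both suggestions above, a plan variable carrying the encrypted value copied from the "View plan as Java Specs" export and a script that reads a Global variable defined only in Bamboo administration. The project and plan keys, server URL, variable names, `deploy.sh` and the placeholder string are assumptions.

```java
import com.atlassian.bamboo.specs.api.BambooSpec;
import com.atlassian.bamboo.specs.api.builders.Variable;
import com.atlassian.bamboo.specs.api.builders.plan.Job;
import com.atlassian.bamboo.specs.api.builders.plan.Plan;
import com.atlassian.bamboo.specs.api.builders.plan.Stage;
import com.atlassian.bamboo.specs.api.builders.project.Project;
import com.atlassian.bamboo.specs.builders.task.ScriptTask;
import com.atlassian.bamboo.specs.util.BambooServer;

@BambooSpec
public class MaskedVariableSpec {

    // Placeholder: paste the encrypted string that the export of the dummy
    // plan shows for this variable. Never put the readable password here.
    private static final String ENCRYPTED_DEPLOY_PASSWORD =
            "<ENCRYPTED_VALUE_COPIED_FROM_EXPORT>";

    public static Plan plan() {
        return new Plan(new Project().key("DEMO").name("Demo"), // hypothetical keys
                "Masked variable demo", "MVD")
            // The name contains "password", so Bamboo masks the value.
            .variables(new Variable("deploy.password", ENCRYPTED_DEPLOY_PASSWORD))
            .stages(new Stage("Deploy")
                .jobs(new Job("Deploy", "DEP")
                    .tasks(
                        // Plan variable: exposed to the script as an environment
                        // variable, with dots replaced by underscores.
                        new ScriptTask()
                            .description("Deploy with plan variable")
                            .inlineBody("test -n \"$bamboo_deploy_password\" && ./deploy.sh"),
                        // Global variable (hypothetical name artifactory.password):
                        // defined in Bamboo administration, so no value of it,
                        // encrypted or not, appears in this repository.
                        new ScriptTask()
                            .description("Deploy with global variable")
                            .inlineBody("test -n \"$bamboo_artifactory_password\" && ./deploy.sh"))));
    }

    public static void main(String[] args) {
        // Hypothetical server URL; credentials come from the .credentials file.
        new BambooServer("https://bamboo.example.com").publish(plan());
    }
}
```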

1 vote
Herbert Yang June 12, 2018

Hi, @Alexey Chystoprudov @Foong

Great answer for masked variables. However, I tried this solution for task type 'Artifactory Generic Deploy', and it does not work. It seems that for this task type, it takes a readable password string instead of the encrypted form in the 'Deployer Password' field.

As we are checking Java spec code into source control, it is highly recommended that the readable password should NOT be part of the code. So, do we have a way to let this task type take an encrypted password? Or, alternatively, is there a way to call any existing functions (like what env var decryption does) to decrypt the password at run time? Or maybe there's another, better way to handle this case?

 

'Artifactory Generic Deploy' Task view through bamboo portal UI

artDeployTaskDeployerPasswordUI.png

Code snippet corresponding to field 'Deployer password'

    new Stage("Approval and Trigger file upload")
        .manual(true)
        .jobs(new Job("Approval And TF Artifactory Upload",
                new BambooKey("*****")) // masked info
            .tasks(new VcsCheckoutTask()
                    .description("Capture script from BB")
                    .checkoutItems(new CheckoutItem().defaultRepository()),
                new ScriptTask()
                    .description("Approval Notification")
                    .interpreter(ScriptTaskProperties.Interpreter.BINSH_OR_CMDEXE)
                    .location(ScriptTaskProperties.Location.FILE)
                    .fileFromPath("approvalMessage.sh")
                    .workingSubdirectory("jiraTFAutoGen"))
            .finalTasks(new AnyTask(new AtlassianModule("org.jfrog.bamboo.bamboo-artifactory-plugin:artifactoryGenericTask"))
                .description("deliver trigger file to qa artifactory")
                .configuration(new MapBuilder()
                    .put("artifactory.generic.publishBuildInfo", "true")
                    .put("bintrayConfiguration", "")
                    .put("bintray.licenses", "")
                    .put("bintray.repository", "")
                    .put("artifactory.generic.username", "******") // masked info
                    .put("artifactory.generic.specSourceChoice", "jobConfiguration")
                    .put("artifactory.generic.resolveRepo", "")
                    .put("artifactory.generic.deployPattern", "")
                    .put("artifactory.generic.envVarsExcludePatterns", "*password*,*secret*,*security*,*key*")
                    .put("bintray.signMethod", "false")
                    .put("builder.artifactoryGenericBuilder.artifactoryServerId", "0")
                    .put("bintray.subject", "")
                    .put("artifactory.generic.file", "")
                    .put("artifactory.generic.useSpecsChoice", "specs")
                    .put("bintray.packageName", "")
                    .put("artifactory.generic.includeEnvVars", "")
                    .put("artifactory.generic.artifactSpecs", "")
                    .put("artifactory.generic.password", "*************") // <------ This is where the password is; it takes the un-encrypted, plain-text form
                    .put("bintray.mavenSync", "")
                    .put("artifactory.generic.jobConfiguration", "{****************}") // masked info
                    .put("baseUrl", "https://bamboo.********") // masked info
                    .put("artifactory.generic.envVarsIncludePatterns", "")
                    .put("artifactory.generic.resolvePattern", "")
                    .put("bintray.vcsUrl", "")
                    .put("builder.artifactoryGenericBuilder.deployableRepo", "AADEFrontEnd-ReleaseCandidates")
                    .put("bintray.gpgPassphrase", "/* SENSITIVE INFORMATION */")
                    .build())))

 

Thanks in advance for any help to be provided.

Alexey Chystoprudov
Atlassian Team
June 13, 2018

It's the responsibility of the plugin developer to store data in encrypted form in the DB and decrypt it at runtime. Contact the plugin vendor to fix this issue: https://www.jfrog.com/jira/projects/BAP/issues

Herbert Yang June 13, 2018

Thanks for the direction Alex.
