Resolve credential leak via ps while jenkins-cli is used during puppet runs

Author: avbm

manifests/cli.pp

@@ -64,6 +64,15 @@
     ' '
   )
 
+  if !empty($jenkins::cli_password) {
+    $cmd_environment = [
+      "JENKINS_USER_ID=${jenkins::cli_username}",
+      "JENKINS_API_TOKEN=${jenkins::cli_password}",
+    ]
+  } else {
+    $cmd_environment = undef
+  }
+
   # Do a safe restart of Jenkins (only when notified)
   exec { 'safe-restart-jenkins':
     command     => "${cmd} safe-restart && /bin/sleep 10",
@@ -72,6 +81,7 @@
     try_sleep   => $cli_try_sleep,
     refreshonly => true,
     require     => File[$jar],
+    environment => $cmd_environment,
   }
 
   # jenkins::cli::reload should be included only after $::jenkins::cli::cmd is

manifests/cli/exec.pp

@@ -28,9 +28,14 @@
   )
 
   if $unless {
-    $environment_run = [ "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}" ]
+    $environment_run = delete_undef_values(
+      flatten([
+        $jenkins::cli::cmd_environment,
+        "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}",
+      ])
+    )
   } else {
-    $environment_run = undef
+    $environment_run = $jenkins::cli::cmd_environment
   }
 
   exec { $title:

manifests/cli/reload.pp

@@ -17,5 +17,6 @@
     try_sleep   => $cli_try_sleep,
     refreshonly => true,
     require     => File[$jar_file],
+    environment => $jenkins::cli::cmd_environment,
   }
 }

manifests/init.pp

@@ -401,7 +401,9 @@
     # Username / Password auth (needed for AD and other Auth Realms)
     if $_use_new_cli {
       if !empty($cli_password) {
-        $_cli_auth_arg = "-auth '${cli_username}:${cli_password}'"
+        # username and password passed as environment variables to prevent showing in ps output
+        # so setting cli_auth_arg to empty string
+        $_cli_auth_arg = ''
       } elsif !empty($cli_password_file) {
         $_cli_auth_arg = "-auth '@${cli_password_file}'"
       } else {

manifests/job/absent.pp

@@ -33,11 +33,12 @@
 
   # Delete the job
   exec { "jenkins delete-job ${jobname}":
-    path      => ['/usr/bin', '/usr/sbin', '/bin'],
-    command   => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
-    logoutput => false,
-    onlyif    => "test -f \"${config_path}\"",
-    require   => Exec['jenkins-cli'],
+    path        => ['/usr/bin', '/usr/sbin', '/bin'],
+    command     => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
+    logoutput   => false,
+    onlyif      => "test -f \"${config_path}\"",
+    require     => Exec['jenkins-cli'],
+    environment => $jenkins::cli::cmd_environment,
   }
 
 }

manifests/job/present.pp

@@ -65,9 +65,9 @@
   $job_dir            = "${jenkins::job_dir}/${jobname}"
   $config_path        = "${job_dir}/config.xml"
 
-  # Bring variables from Class['::jenkins'] into local scope.
+  # Bring variables from Class['jenkins'] into local scope.
   $cli_tries          = $jenkins::cli_tries
-  $cli_try_sleep   = $jenkins::cli_try_sleep
+  $cli_try_sleep      = $jenkins::cli_try_sleep
 
   Exec {
     logoutput   => false,
@@ -80,18 +80,20 @@
   $cat_config = "cat \"${tmp_config_path}\""
   $create_job = "${jenkins_cli} create-job \"${jobname}\""
   exec { "jenkins create-job ${jobname}":
-    command => "${cat_config} | ${create_job}",
-    creates => [$config_path, "${job_dir}/builds"],
+    command     => "${cat_config} | ${create_job}",
+    creates     => [$config_path, "${job_dir}/builds"],
+    environment => $jenkins::cli::cmd_environment,
   }
 
   if $replace {
     # Use Jenkins CLI to update the job if it already exists
     $update_job = "${jenkins_cli} update-job ${jobname}"
     exec { "jenkins update-job ${jobname}":
-      command => "${cat_config} | ${update_job}",
-      onlyif  => "test -e ${config_path}",
-      unless  => "${difftool} ${config_path} ${tmp_config_path}",
-      notify  => Exec['reload-jenkins'],
+      command     => "${cat_config} | ${update_job}",
+      onlyif      => "test -e ${config_path}",
+      unless      => "${difftool} ${config_path} ${tmp_config_path}",
+      notify      => Exec['reload-jenkins'],
+      environment => $jenkins::cli::cmd_environment,
     }
   }
 

spec/classes/jenkins_cli_spec.rb

@@ -25,9 +25,10 @@
           it { is_expected.to contain_exec('reload-jenkins').with_command(%r{http://localhost:9000}) }
           it { is_expected.to contain_exec('reload-jenkins').with_command(%r{-i\s'/path/to/key'}) }
           it { is_expected.to contain_exec('reload-jenkins').that_requires('File[/path/to/libdir/jenkins-cli.jar]') }
-          it { is_expected.to contain_exec('safe-restart-jenkins') }
+          it { is_expected.to contain_exec('safe-restart-jenkins').with('environment' => nil) }
           it { is_expected.to contain_jenkins__sysconfig('HTTP_PORT').with_value('9000') }
 
+<<<<<<< HEAD
           describe 'jenkins::cli' do
             describe 'relationships' do
               it do
@@ -39,6 +40,70 @@
                   that_comes_before('Anchor[jenkins::end]')
               end
             end
+=======
+    context '$cli => true' do
+      let(:params) {{ :cli => true,
+                      :cli_ssh_keyfile => '/path/to/key',
+                      :config_hash => { 'HTTP_PORT' => { 'value' => '9000' } }}
+      }
+      it { should contain_class('jenkins::cli') }
+      it { should contain_exec('jenkins-cli') }
+      it { should contain_exec('reload-jenkins').with_command(/http:\/\/localhost:9000/) }
+      it { should contain_exec('reload-jenkins').with_command(/-i\s'\/path\/to\/key'/) }
+      it { should contain_exec('safe-restart-jenkins') }
+      it { should contain_exec('safe-restart-jenkins').with('environment' => nil) }
+      it { should contain_jenkins__sysconfig('HTTP_PORT').with_value('9000') }
+
+      describe 'jenkins::cli' do
+        describe 'relationships' do
+          it do
+            should contain_class('jenkins::cli').
+              that_requires('Class[jenkins::service]')
+>>>>>>> 14d095a... CIP-389 Resolve credential leak via ps with cli
+          end
+
+          context '$cli_password is defined' do
+            let(:params) do
+              {
+                version: '2.54',
+                libdir: '/path/to/libdir',
+                cli: true,
+                cli_remoting_free: true,
+                cli_username: 'user01',
+                cli_password: 'password01'
+              }
+            end
+
+            it do
+              is_expected.to contain_exec('safe-restart-jenkins').with(
+                'environment' => [
+                  'JENKINS_USER_ID=user01',
+                  'JENKINS_API_TOKEN=password01'
+                ]
+              )
+            end
+          end
+
+          context '$cli_password is defined' do
+            let(:params) do
+              {
+                version: '2.54',
+                libdir: '/path/to/libdir',
+                cli: true,
+                cli_remoting_free: true,
+                cli_username: 'user01',
+                cli_password: 'password01'
+              }
+            end
+
+            it do
+              is_expected.to contain_exec('safe-restart-jenkins').with(
+                'environment' => [
+                  'JENKINS_USER_ID=user01',
+                  'JENKINS_API_TOKEN=password01'
+                ]
+              )
+            end
           end
         end