Need a way to hide credentials from the command line

Issue #24 new
Pavel Roskin created an issue

The only way to pass credentials is by specifying them on the command line, whether it’s the password or the token. The command line can be seen in the process list, exposing the credentials to other users on the system.

I’d like to have a way to load the credentials from a file. Alternatively, the credentials could be read from the environment without being specified on the command line.

Comments (4)

  1. Ilya Vassilevsky

    Instead of setting properties in the command line, you can set them in POM:

    <?xml version="1.0" encoding="UTF-8"?>
    <project>
      <modelVersion>4.0.0</modelVersion>
      <groupId>com.company.department-name</groupId>
      <artifactId>application-name</artifactId>
      <version>1.2.3</version>
    
      <properties>
        <coverage.format>COBERTURA</coverage.format>
        <coverage.file>coverage/coverage.xml</coverage.file>
    
        <bitbucket.url>https://bitbucket-server.company.com</bitbucket.url>
        <bitbucket.user>username</bitbucket.user>
        <bitbucket.password>password</bitbucket.password>
        <bitbucket.commit.id>${env.GIT_COMMIT}</bitbucket.commit.id>
      </properties>
    
      <pluginRepositories>
        <pluginRepository>
          <id>atlassian</id>
          <name>Atlassian</name>
          <url>https://packages.atlassian.com/maven-public</url>
        </pluginRepository>
    
        <!-- Maven Central does not have some of the plugin dependencies but this repo does -->
        <pluginRepository>
          <id>jcenter</id>
          <name>JCenter</name>
          <url>https://jcenter.bintray.com</url>
        </pluginRepository>
      </pluginRepositories>
    </project>
    

  2. Pavel Roskin reporter

    I see. Thank you for your reply!

    I was able to make it work. I don’t use a POM, as the project is not Java-based. However, properties can be added to the settings file, and they will be seen by the plugin:

              <?xml version="1.0" encoding="UTF-8"?>
              <settings>
                <profiles>
                  <profile>
                    <id>with-atlassian-repo</id>
                    <properties>
                      <bitbucket.token>${BITBUCKET_TOKEN}</bitbucket.token>
                    </properties>
                    <pluginRepositories>
                      <pluginRepository>
                        <id>atlassian-repo</id>
                        <url>https://packages.atlassian.com/mvn/maven-external/</url>
                        <releases>
                          <enabled>true</enabled>
                          <checksumPolicy>warn</checksumPolicy>
                        </releases>
                      </pluginRepository>
                    </pluginRepositories>
                  </profile>
                </profiles>
                <activeProfiles>
                  <activeProfile>with-atlassian-repo</activeProfile>
                </activeProfiles>
              </settings>
    

    Then I can substitute the value in Jenkins by using envsubst and passing the processed file to Maven. One important consideration is to have the substituted credentials only in the file that Jenkins would remove even if the shell script fails.

            stage("Publish coverage to Bitbucket") {
                environment {
                    BITBUCKET_TOKEN = credentials("jenkins-coverage-token")
                }
                steps {
                    configFileProvider([configFile(fileId: "atlassian-maven-settings", variable: "MAVEN_SETTINGS")]) {
                        sh """
                            # Substitute token in the Maven settings file. Make sure
                            # that the expanded token only appears in the file that
                            # will be cleaned up automatically.
                            mv -f "${env.MAVEN_SETTINGS}" "${env.MAVEN_SETTINGS}.tmp"
                            envsubst < "${env.MAVEN_SETTINGS}.tmp" > "${env.MAVEN_SETTINGS}"
                            rm -f "${env.MAVEN_SETTINGS}.tmp"
                            mvn com.atlassian.bitbucket:code-coverage-maven-plugin:3.2.2:publish \
                                --batch-mode \
                                --settings "${env.MAVEN_SETTINGS}" \
                                -Dbitbucket.url=${env.BITBUCKET_URL} \
                                -Dbitbucket.commit.id=${env.GIT_COMMIT} \
                                -Dcoverage.format=COBERTURA \
                                -Dcoverage.file=CoverageReport.xml
                        """
                    }
                }
            }
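
The substitution step from comment 2, written as a reusable shell helper. This is an added example, not part of the original thread or the plugin's code. The function names and the template file are hypothetical. Unlike the pipeline above, it restricts `envsubst` to the single `${BITBUCKET_TOKEN}` variable, writes the expanded file with owner-only permissions, and removes it even when the wrapped command fails.

```shell
#!/bin/sh
# Added example (hypothetical helper names). The token is read from the
# environment and written only to a private file; it never appears in an
# argument list, so it is not visible in the process list.

# render_settings TEMPLATE OUTPUT
# Expands only ${BITBUCKET_TOKEN}. Other ${...} expressions, such as
# Maven's own ${env.GIT_COMMIT}, are copied through unchanged.
render_settings() {
    template=$1
    output=$2

    # Refuse to produce a settings file with an empty token.
    if [ -z "${BITBUCKET_TOKEN:-}" ]; then
        echo "BITBUCKET_TOKEN is not set" >&2
        return 1
    fi

    # Make the output owner-only before any secret is written to it.
    ( umask 077 && : > "$output" ) || return 1
    chmod 600 "$output" || return 1

    # The quoted argument is the literal list of variable names that
    # envsubst may expand; it is not the token value.
    envsubst '${BITBUCKET_TOKEN}' < "$template" > "$output"
}

# with_rendered_settings TEMPLATE COMMAND [ARGS...]
# Renders TEMPLATE to a temporary file, runs COMMAND with that path
# appended as its last argument, and deletes the file on any exit path.
# Example: with_rendered_settings settings.xml.tmpl mvn --batch-mode --settings
with_rendered_settings() {
    template=$1
    shift
    rendered=$(mktemp) || return 1
    (
        # The trap is scoped to this subshell and fires on success or failure.
        trap 'rm -f "$rendered"' EXIT
        render_settings "$template" "$rendered" || exit 1
        "$@" "$rendered"
    )
}
```
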
    
