security
[!NOTE|label:references:]
get securityRealm
import hudson.security.*
import jenkins.security.*
import jenkins.model.Jenkins
def jenkins = jenkins.model.Jenkins.getInstance()
println jenkins.securityRealm
println jenkins.authorizationStrategy
// -- result --
// hudson.security.LDAPSecurityRealm@7d090e41
// hudson.security.ProjectMatrixAuthorizationStrategy@6d51bb9d
authorization strategy
reference:
- hudson.security.Permission
- hudson.security.ProjectMatrixAuthorizationStrategy
- matrix-auth-plugin/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
- How to add permission in GlobalMatrixAuthorizationStrategy through the groovy - for hudson.sercurity.item.Move
- Jenkins : Grant Cancel Permission for user and group that have Build permission
- Accessing and dumping Jenkins credentials
decrypt credentials.xml
[!NOTE|label:references:]
hudson.util.Secret.fromString('{..string..}').getPlainText()
// or
hudson.util.Secret.fromString('{..string..}').getEncryptedValue()
- example
hudson.util.Secret.fromString('{AQAAABAAAAAQszhBK4LXdjzjqP/7w8yQWbD4+Kf1ql4XnYEnPUyvP2o=}').getPlainText() // 123456
list all Jenkins supported authorization permissions
hudson.security.Permission.getAll().each { p ->
println "${p.name} :\n" +
"\t${p.id} : ${p.description}"
}
-
import hudson.security.GlobalMatrixAuthorizationStrategy import hudson.security.Permission import hudson.security.ProjectMatrixAuthorizationStrategy import jenkins.model.Jenkins String shortName( Permission p ) { Map<String, String> replacement = [ 'Hudson' : 'Overall' , 'Computer' : 'Agent' , 'Item' : 'Job' , 'CredentialsProvider' : 'Credentials' ] p.id .tokenize('.')[-2..-1] .collect { replacement.get(it) ?: it } .join(' ') } Map<String, Permission> permissionIds = Permission.all.findAll { permission -> List<String> nonConfigurablePerms = ['RunScripts', 'UploadPlugins', 'ConfigureUpdateCenter'] permission.enabled && ! permission.id.startsWith('hudson.security.Permission') && ! nonConfigurablePerms.any { permission.id.endsWith(it) } }.collect { permission -> [ (shortName(permission)): permission ] }.sum() // show result println permissionIds.collect { it.key + ' : ' + it.value.id }.join ('\n') 'DONE'
get current authorization strategy class
import hudson.model.*
import hudson.security.*
Hudson instance = Jenkins.getInstance()
def strategy = instance.getAuthorizationStrategy()
println strategy.getClass()
// result
// class hudson.security.ProjectMatrixAuthorizationStrategy
get raw authorization and permissions info
Jenkins.instance
.authorizationStrategy
.grantedPermissions
.collect{ p, u -> [ (p.id), u ] }
- or
Jenkins.instance .authorizationStrategy .grantedPermissions .each { p, u -> println "\n${p} :\n\t${u}" }
ProjectMatrixAuthorizationStrategy
grant permission to user
import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.security.Permission
import hudson.security.ProjectMatrixAuthorizationStrategy
import jenkins.model.Jenkins
ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
String id = 'hudson.model.Hudson.Administer'
String user = 'marslo'
authorizationStrategy.add( Permission.fromId(id), user )
// save strategy
Jenkins.instance.authorizationStrategy = authorizationStrategy
Jenkins.instance.save()
add new configurations according to Map structure
create new instance
newimport hudson.security.* ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()-
import hudson.model.* import hudson.security.* def strategy = Jenkins.getInstance().getAuthorizationStrategy() def authorizationStrategy = strategy.class.newInstance() -
String instanceName = 'hudson.security.ProjectMatrixAuthorizationStrategy' def strategy = Class.forName(instanceName).newInstance() println strategy.class // -- result -- // class hudson.security.ProjectMatrixAuthorizationStrategy get groups list
import hudson.model.* import hudson.security.* ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy() println authorizationStrategy.getGroups()
RoleBasedAuthorizationStrategy
add 'admin' user to all permissions
import hudson.*
import hudson.security.*
import jenkins.model.*
import java.util.*
import com.michelin.cio.hudson.plugins.rolestrategy.*
import com.synopsys.arc.jenkins.plugins.rolestrategy.*
import java.lang.reflect.*
import java.util.logging.*
import groovy.json.*
import jenkins.*
import com.michelin.cio.hudson.plugins.rolestrategy.*
String admin = 'admin'
// Turn security on
RoleBasedAuthorizationStrategy authorizationStrategy = new RoleBasedAuthorizationStrategy()
// ProjectMatrixAuthorizationStrategy authorizationStrategy = new ProjectMatrixAuthorizationStrategy()
Jenkins.instance.setAuthorizationStrategy(authorizationStrategy)
Constructor[] constrs = Role.class.getConstructors()
for (Constructor<?> c : constrs) {
c.setAccessible(true)
}
Method assignRoleMethod = RoleBasedAuthorizationStrategy.class.getDeclaredMethod( "assignRole", String.class, Role.class, String.class )
assignRoleMethod.setAccessible( true )
Set<Permission> adminPermissions = new HashSet<Permission>()
hudson.security.Permission.getAll(){ adminPermissions.add(Permission.fromId(it) }
Role adminRole = new Role( admin, adminPermissions )
authorizationStrategy.addRole( RoleBasedAuthorizationStrategy.GLOBAL, adminRole )
crumb issuer
reference:
get crumb issuer
import hudson.security.csrf.DefaultCrumbIssuer
DefaultCrumbIssuer issuer = jenkins.model.Jenkins.instance.crumbIssuer
String jenkinsCrumb = "${issuer.crumbRequestField}:${issuer.crumb}"
println jenkinsCrumb
// Jenkins-Crumb:b8a9cd5***********
set crumb issuer
import jenkins.model.Jenkins
Jenkins jenkins = jenkins.model.Jenkins.instance
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))
jenkins.save()
clean up all pending Async Resource Disposers items
import org.jenkinsci.plugins.resourcedisposer.AsyncResourceDisposer
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.Stapler
AsyncResourceDisposer disposer = AsyncResourceDisposer.get()
backlog = disposer.getBacklog()
stap = Stapler
resp = stap.getCurrentResponse()
disposer.backlog.each { item ->
disposer.doStopTracking( item.id, resp )
}
or via curl
import org.jenkinsci.plugins.resourcedisposer.AsyncResourceDisposer import org.jenkinsci.plugins.strictcrumbissuer.StrictCrumbIssuer AsyncResourceDisposer disposer = AsyncResourceDisposer.get() StrictCrumbIssuer issuer = jenkins.model.Jenkins.instance.crumbIssuer String jenkinsCrumb = "${issuer.crumbRequestField}:${issuer.crumb}" String url = Jenkins.instance.rootUrl + disposer.url disposer.getBacklog().each { item -> println "\n${item.id} : \t${url}/stopTracking/?id=${item.id} : \t${item.class.simpleName} : \n" + "\t${item.getLastState().getDisplayName()} : \n" + "\t${item.getDisposable().node} : ${item.getDisposable().path}\n" + "\t${item.toString()}" println "removeing ${item.id} : " [ 'bash', '-c', 'curl -v -s ' + '-u <user>:<token> ' + '-X POST ' + "-H \"Content-Type: application/json\" " + "-H \"Accept: application/json\" " + "-H \"${jenkinsCrumb}\" " + "${url}/stopTracking/?id=${item.id} " ].execute().with{ def stdout = new StringBuffer() def stderr = new StringBuffer() it.waitForProcessOutput( stdout, stderr ) println "EXIT CODE: ${it.exitValue()}" println "ERROR: ${stderr}" println "OUTPUT: ${stdout}" } }
get crumb via cmd
[!TIP|local:references:]
curl
# after 2.176.2 $ SERVER="https://localhost:8080" $ COOKIEJAR="$(mktemp)" $ CRUMB=$(curl -u "admin:admin" -s --cookie-jar "$COOKIEJAR" "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)") # verify $ echo $CRUMB Jenkins-Crumb:786**********************************************************932 # trigger a build $ curl -X POST \ -u "admin:admin" \ --cookie "$COOKIEJAR" \ -H "$CRUMB" \ https://${SERVER}/job/sandbox/build # to run script $ curl -d "script=System.getProperties()" \ -u "admin:admin" \ --cookie "$COOKIEJAR" \ -H "$CRUMB" \ https://${SERVER}/scriptTextvia wget
# after 2.176.2 $ SERVER="https://localhost:8080" $ COOKIEJAR="$(mktemp)" $ CRUMB="$(wget --quiet --user=admin --password=admin --auth-no-challenge --save-cookies "$COOKIEJAR" --keep-session-cookies -q --output-document - "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")" $ wget --user=admin --password=admin \ --auth-no-challenge \ --load-cookies "$COOKIEJAR" \ --header="$CRUMB" \ --post-data="" \ --quiet \ "$SERVER"/job/someJob/build
credential
references:
- * Setting Jenkins Credentials with Groovy
- * addCredentials : hayderimran7/Jenkins_ssh_groovy.md
- * Jenkins Credentials Store Access via Groovy
- * Adding Google Service Account Credentials by a groovy script
- * Fetch the domain for each credential returned in a job template.
- * update username/password crednetial
- * How to update credentials of specific folder in Jenkins using Groovy script?
- Extension Points defined in Credentials Plugin
- CredentialsProvider.java
- Jenkins Pipelines: How to use withCredentials() from a shared-variable script
- Jenkins Credentials Store Access via Groovy
- How to get android signing certificate back from jenkins plugin
- Go Decrypt Jenkins
- * Jenkins: Decrypting all passwords in credentials.xml (via Jenkins execution console)
- How to get android signing certificate back from jenkins plugin
- bstapes/jenkins-decrypt
- * How to decrypt Jenkins passwords from credentials.xml?
- update Jenkins credentials by script
- Accessing and dumping Jenkins credentials
[!TIP] something else :
api :
list all credentials
import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
CredentialsProvider.lookupCredentials( StandardCredentials.class, jenkins.model.Jenkins.instance)
.sort{ it.id }
.each{
switch( it.class.simpleName ) {
case 'BasicSSHUserPrivateKey' :
println """
type : ${it.class.simpleName}
id : ${it.id}
scope : ${it.scope}
username : ${it.username}
description : ${it.description}
privateKeysLastModified : ${it.privateKeysLastModified}
usernameSecret : ${it.usernameSecret ?: 'false'}
privateKeys : ${it.privateKeys.join('\n')}
"""
break;
case 'CertificateCredentialsImpl' :
println """
type : ${it.class.simpleName}
id : ${it.id}
scope : ${it.scope}
password : ${it.password}
description : ${it.description}
keyStore.type : ${it.keyStore.type}
keyStoreSource.keyStoreBytes : ${it.keyStoreSource.keyStoreBytes}
keyStoreSource.uploadedKeystoreBytes : ${it.keyStoreSource.uploadedKeystoreBytes}
properties : ${it.properties}
properties.password : ${it.properties.password}
properties.passwordEmpty : ${it.properties.passwordEmpty}
properties.keyStore.type : ${it.properties.keyStore.type}
"""
break;
case 'StringCredentialsImpl' :
println """
type : ${it.class.simpleName}
id : ${it.id}
secret : ${it.secret}
description : ${it.description}
scope : ${it.scope}
"""
break;
case 'UsernamePasswordCredentialsImpl' :
println """
type : ${it.class.simpleName}
id : ${it.id}
username : ${it.username}
password : ${it.password}
description : ${it.description}
usernameSecret : ${it.usernameSecret ?: 'false'}
"""
break;
}
}
with vault
import com.cloudbees.plugins.credentials.common.StandardCredentials import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials import com.cloudbees.plugins.credentials.CredentialsProvider import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey; import com.cloudbees.plugins.credentials.SystemCredentialsProvider import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredential import com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential import com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl import com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl CredentialsProvider.lookupCredentials( StandardCredentials.class, jenkins.model.Jenkins.instance) .sort{ it.id } .each{ switch( it.class.simpleName ) { case 'BasicSSHUserPrivateKey' : println """ type : ${it.class.simpleName} id : ${it.id} scope : ${it.scope} username : ${it.username} description : ${it.description} privateKeysLastModified : ${it.privateKeysLastModified} usernameSecret : ${it.usernameSecret ?: 'false'} privateKeys : ${it.privateKeys.join('\n')} """ break; case 'CertificateCredentialsImpl' : println """ type : ${it.class.simpleName} id : ${it.id} scope : ${it.scope} password : ${it.password} description : ${it.description} keyStore.type : ${it.keyStore.type} keyStoreSource.keyStoreBytes : ${it.keyStoreSource.keyStoreBytes} keyStoreSource.uploadedKeystoreBytes : ${it.keyStoreSource.uploadedKeystoreBytes} properties : ${it.properties} properties.password : ${it.properties.password} properties.passwordEmpty : ${it.properties.passwordEmpty} properties.keyStore.type : ${it.properties.keyStore.type} """ break; case 'StringCredentialsImpl' : println """ type : ${it.class.simpleName} id : ${it.id} secret : ${it.secret} description : ${it.description} scope : ${it.scope} """ break; case 'UsernamePasswordCredentialsImpl' : println """ type : ${it.class.simpleName} id : ${it.id} username : ${it.username} password : ${it.password} description : ${it.description} usernameSecret : ${it.usernameSecret ?: 'false'} """ break; case 'VaultUsernamePasswordCredentialImpl' : println """ type : ${it.class.simpleName} engineVersion : ${it.engineVersion} id : ${it.id} scope : ${it.scope} description : ${it.description} displayName : ${it.displayName} path : ${it.path} usernameKey : ${it.usernameKey} username : ${it.username} passwordKey : ${it.passwordKey} password : ${it.password} usernameSecret : ${it.usernameSecret ?: 'false'} """ break; case 'VaultAppRoleCredential': println """ type : ${it.class.simpleName} id : ${it.id} roleId : ${it.roleId} secretId : ${it.secretId} path : ${it.path} namespace : ${it.namespace} scope : ${it.scope} description : ${it.description} """ break; case 'VaultSSHUserPrivateKeyImpl': println """ type : ${it.class.simpleName} engineVersion : ${it.engineVersion} id : ${it.id} scope : ${it.scope} description : ${it.description} displayName : ${it.displayName} usernameSecret : ${it.usernameSecret ?: 'false'} usernameKey : ${it.usernameKey} username : ${it.username} privateKeyKey : ${it.privateKeyKey} privateKeys : ${it.privateKeys.join('\n')} passphraseKey : ${it.passphraseKey} passphrase : ${ it.passphrase} """ break; case 'VaultStringCredentialImpl': println """ type : ${it.class.simpleName} engineVersion : ${it.engineVersion} id : ${it.id} displayName : ${it.displayName} description : ${it.description} prefixPath : ${it.prefixPath} path : ${it.path} secret : ${it.secret} valutKey : ${it.vaultKey} """ break; } }-
import com.cloudbees.plugins.credentials.CredentialsProvider import com.cloudbees.plugins.credentials.Credentials import com.cloudbees.plugins.credentials.domains.Domain import jenkins.model.Jenkins def indent = { String text, int indentationCount -> def replacement = "\t" * indentationCount text.replaceAll("(?m)^", replacement) } Jenkins.get().allItems().collectMany{ CredentialsProvider.lookupStores(it).toList()}.unique().forEach { store -> Map<Domain, List<Credentials>> domainCreds = [:] store.domains.each { domainCreds.put(it, store.getCredentials(it))} if (domainCreds.collectMany{ it.value}.empty) { return } def shortenedClassName = store.getClass().name.substring(store.getClass().name.lastIndexOf(".") + 1) println "Credentials for store context: ${store.contextDisplayName}, of type $shortenedClassName" domainCreds.forEach { domain , creds -> println indent("Domain: ${domain.name}", 1) creds.each { cred -> cred.properties.each { prop, val -> println indent("$prop = \"$val\"", 2) } println indent("-----------------------", 2) } } }
StandardUsernamePasswordCredentials
import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider
List<StandardUsernamePasswordCredentials> creds = CredentialsProvider.lookupCredentials(
StandardUsernamePasswordCredentials.class,
jenkins.model.Jenkins.instance
)
creds.sort{it.id}.each {
println """
id : ${it.id}
username : ${it.username}
password : ${it.password}
description : ${it.description}
usernameSecret : ${it.usernameSecret ?: 'false'}
"""
}
"DONE"
BasicSSHUserPrivateKey
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey
import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
List<BasicSSHUserPrivateKey> creds = CredentialsProvider.lookupCredentials(
SSHUserPrivateKey.class , // or BasicSSHUserPrivateKey.class
jenkins.model.Jenkins.instance
).sort{ it.id }
.each {
println """
id : ${it.id}
scope : ${it.scope}
username : ${it.username}
description : ${it.description}
privateKeysLastModified : ${it.privateKeysLastModified}
usernameSecret : ${it.usernameSecret ?: 'false'}
privateKeys : ${it.privateKeys.join('\n')}
"""
}
CertificateCredentials
import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.common.CertificateCredentials
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.SecretBytes
import com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl
CredentialsProvider.lookupCredentials(
CertificateCredentials.class,
jenkins.model.Jenkins.instance
).sort{ it.id }
.each {
SecretBytes secretKey = it.properties.keyStoreSource.uploadedKeystoreBytes
println """
id : ${it.id}
password : ${it.password}
description : ${it.description}
scope : ${it.scope}
keyStore.type : ${it.properties.keyStore.type}
SecretBytes.decrypt : ${SecretBytes.decrypt(it.keyStoreSource.keyStoreBytes)}
encryptedValue : ${hudson.util.Secret.fromString(secretKey.toString()).encryptedValue}
plainData : ${new String(SecretBytes.fromString(secretKey.toString()).getPlainData(), "ASCII")}
"""
}
"DONE"
SystemCredentialsProvider
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
SystemCredentialsProvider systemCredentialsProvider = jenkins.model.Jenkins.instance.getExtensionList(
'com.cloudbees.plugins.credentials.SystemCredentialsProvider'
).first()
systemCredentialsProvider.credentials.each {
println """
id : ${it.id}
description : ${it.description}
scope : ${it.scope}
secret : ${it.secret}
"""
}
vault
[!NOTE|label:references:]
- scripts:
VaultAppRoleCredential
[!NOTE|label:references:]
- scripts
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential
List<VaultAppRoleCredential> creds = CredentialsProvider.lookupCredentials(
VaultAppRoleCredential.class ,
jenkins.model.Jenkins.instance
).sort{ it.id }
creds.each {
println """
type : ${it.class.simpleName}
scope : ${it.scope}
engineVersion : ${it.engineVersion}
id : ${it.id}
description : ${it.description}
namespace : ${it.namespace}
path : ${it.path}
secretId : ${it.secretId}
roleId : ${it.roleId}
"""
}
VaultUsernamePasswordCredential
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredential
List<VaultUsernamePasswordCredential> creds = CredentialsProvider.lookupCredentials(
VaultUsernamePasswordCredential.class ,
jenkins.model.Jenkins.instance
).sort{ it.id }
creds.each {
println """
type : ${it.class.simpleName}
scope : ${it.scope}
engineVersion : ${it.engineVersion}
id : ${it.id}
description : ${it.description}
path : ${it.path}
usernameKey : ${it.usernameKey}
username : ${it.username}
passwordKey : ${it.passwordKey}
password : ${it.password}
usernameSecret : ${it.usernameSecret ?: 'false'}
"""
}
VaultUsernamePasswordCredentialImpl
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl
List<VaultUsernamePasswordCredentialImpl> creds = CredentialsProvider.lookupCredentials(
VaultUsernamePasswordCredentialImpl.class ,
jenkins.model.Jenkins.instance
).sort{ it.id }
creds.each {
println """
type : ${it.class.simpleName}
engineVersion : ${it.engineVersion}
id : ${it.id}
scope : ${it.scope}
description : ${it.description}
displayName : ${it.displayName}
path : ${it.path}
usernameKey : ${it.usernameKey}
username : ${it.username}
passwordKey : ${it.passwordKey}
password : ${it.password}
usernameSecret : ${it.usernameSecret ?: 'false'}
"""
}
VaultSSHUserPrivateKeyImpl
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl
List<VaultSSHUserPrivateKeyImpl> creds = CredentialsProvider.lookupCredentials(
VaultSSHUserPrivateKeyImpl.class,
jenkins.model.Jenkins.instance
).sort{ it.id }
creds.each {
println """
type : ${it.class.simpleName}
scope : ${it.scope}
engineVersion : ${it.engineVersion}
id : ${it.id}
description : ${it.description}
displayName : ${it.displayName}
usernameSecret : ${it.usernameSecret ?: 'false'}
usernameKey : ${it.usernameKey}
username : ${it.username}
privateKeyKey : ${it.privateKeyKey}
privateKeys : ${it.privateKeys.collect{ it.trim() }}
privateKey : ${it.privateKey}
passphraseKey : ${it.passphraseKey}
passphrase : ${ it.passphrase}
"""
}
VaultStringCredentialImpl
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl
List<VaultStringCredentialImpl> creds = CredentialsProvider.lookupCredentials(
VaultStringCredentialImpl.class ,
jenkins.model.Jenkins.instance
).sort{ it.id }
creds.each {
println """
type : ${it.class.simpleName}
engineVersion : ${it.engineVersion}
scope : ${it.scope}
id : ${it.id}
description : ${it.description}
displayName : ${it.displayName}
prefixPath : ${it.prefixPath}
path : ${it.path}
valutKey : ${it.vaultKey}
secret : ${it.secret}
"""
}
encrypt/decrypt password
import hudson.util.Secret
String original = 'marslo'
Secret secret = Secret.fromString( original )
String encrypted = secret.getEncryptedValue()
Secret decrypted = Secret.decrypt( encrypted )
println """
original : ${original}
encrypted : ${encrypted}
decrypted : ${decrypted}
"""
// original : marslo
// encrypted : {AQAAABAAAAAQyF78QAdq9bWCAeUi1VdYO7cB0CfG29KrvwZUU506zig=}
// decrypted : marslo
or
println hudson.util.Secret.fromString('marslo').getEncryptedValue() println hudson.util.Secret.decrypt( hudson.util.Secret.fromString('marslo').getEncryptedValue() // {AQAAABAAAAAQfwTdrtsFbS2MyOOA3kuO01p21CsVsSIpZg9FE1TMlMQ=} // marslo
tricky
Access granted with Overall/SystemRead
This permission can be enabled by setting the system property jenkins.security.SystemReadPermission to true or installing the Extended Read Permission plugin.
Access granted with Overall/Manage
This permission can be enabled by setting the system property jenkins.security.ManagePermission to true or installing the Overall/Manage permission enabler plugin.