jenkinsci / ansible-plugin

Jenkins Ansible plugin
https://plugins.jenkins.io/ansible/
MIT License

PR85 breaks password with special characters #107

Closed colshine1 closed 1 year ago

colshine1 commented 1 year ago

Jenkins and plugins versions report

```
Environment
Jenkins: 2.401.2
OS: Linux - 4.18.0-477.15.1.el8_8.x86_64
Java: 11.0.19 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1
ansible:240.vc26740a_625c0
ansicolor:1.0.2
antisamy-markup-formatter:159.v25b_c67cd35fb_
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.0-1
bouncycastle-api:2.29
branch-api:2.1122.v09cb_8ea_8a_724
build-timeout:1.31
caffeine-api:3.1.6-115.vb_8b_b_328e59d8
checks-api:2.0.0
cloudbees-folder:6.815.v0dd5a_cb_40e0e
command-launcher:100.v2f6722292ee8
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-36.vc008c8fcda_7b_
credentials:1271.v54b_1c2c6388a_
credentials-binding:631.v861c06d062b_4
dashboard-view:2.487.vcf0ff9008a_c0
data-tables-api:1.13.5-1
display-url-api:2.3.7
durable-task:513.vc48a_a_075a_d93
echarts-api:5.4.0-5
email-ext:2.100
font-awesome-api:6.4.0-2
git:5.2.0
git-client:4.4.0
git-server:99.va_0826a_b_cdfa_d
github:1.37.1
github-api:1.314-431.v78d72a_3fe4c3
github-branch-source:1728.v859147241f49
handlebars:3.0.8
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.2-350.v0c2f3f8fc595
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jdk-tool:66.vd8fa_64ee91b_d
jjwt-api:0.11.5-77.v646c772fddb_0
jquery3-api:3.7.0-1
jsch:0.2.8-65.v052c39de79b_2
junit:1217.v4297208a_a_b_ce
lockable-resources:1172.v4b_8fc8eed570
mailer:457.v3f72cb_e015e5
matrix-auth:3.1.10
matrix-project:789.v57a_725b_63c79
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
momentjs:1.1.1
okhttp-api:4.11.0-145.vcb_8de402ef81
pam-auth:1.10
pipeline-build-step:505.v5f0844d8d126
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:656.va_a_ceeb_6ffb_f7
pipeline-input-step:468.va_5db_051498a_4
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2144.v077a_d1928a_40
pipeline-model-definition:2.2144.v077a_d1928a_40
pipeline-model-extensions:2.2144.v077a_d1928a_40
pipeline-rest-api:2.33
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40
pipeline-stage-view:2.33
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.3.0
popper-api:1.16.1-3
popper2-api:2.11.6-2
python:1.3
resource-disposer:0.22
scm-api:676.v886669a_199a_a_
script-security:1251.vfe552ed55f8d
snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4
ssh-credentials:305.v8f4381501156
sshd:3.303.vefc7119b_ec23
structs:324.va_f5d6774f3a_d
timestamper:1.25
token-macro:359.vb_cde11682e0c
trilead-api:2.84.v72119de229b_7
variant:59.vf075fe829ccb
workflow-aggregator:596.v8c21c963d92d
workflow-api:1248.v4b_91043341d2
workflow-basic-steps:1017.vb_45b_302f0cea_
workflow-cps:3726.v83f8cff396c9
workflow-cps-global-lib:609.vd95673f149b_b
workflow-durable-task-step:1247.v7f9dfea_b_4fd0
workflow-job:1316.vd2290d3341a_f
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:848.v5a_383b_d14921
ws-cleanup:0.45
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins: Rocky Linux 8

Reproduction steps

  1. Create an Ansible playbook to show passwords:

    - hosts: all

      tasks:
        # Print the SSH user Ansible connects as
        - name: show the current user
          ansible.builtin.debug:
            msg: "Current user is {{ ansible_user }}"

        # Print the SSH password Ansible received
        - name: show the current user password
          ansible.builtin.debug:
            msg: "Current user is {{ ansible_ssh_password }}"

  2. Create a username/password credential in Jenkins with the details: ansible4/pa$$word

  3. Create a Jenkins pipeline that uses the Ansible plugin:

pipeline{
    agent any
    stages{
        stage("Check Creds"){
            steps{
                withCredentials([usernamePassword(credentialsId: 'ansible4', passwordVariable: 'PASS', usernameVariable: 'USER')]){
                    sh "echo $USER"
                    sh "sshpass -p '${PASS}' ansible-playbook display_ssh_pass.yml -i hosts -u ansible4 -k"
                }
            }
        }
        stage("Execute Ansible"){
            steps{
                ansiblePlaybook colorized: true, credentialsId: 'ansible4', disableHostKeyChecking: true, inventory: 'hosts', playbook: 'display_ssh_pass.yml'
            }
        }
    }
}

Expected Results

To show password is: pa$$word

Actual Results

[ansible4] $ sshpass -p 'pa$$word' ansible-playbook display_ssh_pass.yml -i hosts -u ansible4 -k

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [all]

TASK [show the current user] ***************************************************
ok: [all] => {
    "msg": "Current user is:[ansible4]"
}

TASK [show the current user password] ******************************************
ok: [all] => {
    "msg": "Current user password is:['pa$word']"
}

PLAY RECAP *********************************************************************
all                 : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

Anything else?

The issue reported in: https://github.com/jenkinsci/ansible-plugin/pull/83 is the same issue I have described above.

However, the fix in PR: https://github.com/jenkinsci/ansible-plugin/pull/85/files breaks passing passwords to sshpass. This is because $$ is escaped by Groovy. The PR is incorrectly escaping all special characters. The original issue was with passwords that contain $$ and has nothing to do with escaping any other special character. The PR should be reverted so passwords containing special character combinations other than $$ continue to work.

I have found no way to parse $$ correctly; it would be better to document this, as there are two issues:

  1. $$ = pid in bash
  2. $ is an escape character in Groovy.

In a situation outside of this plugin, if I had a Jenkins username/password credential with a password containing $$, e.g. abc$$123, I would enter it as abc$$$$123 so I could get the correct value passed to the shell.
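
The shell side of the behaviour discussed in the report above, as an added example that is not part of the original post and is not code from the plugin or from PR 85. It uses the reproduction's sample password and compares four ways of handing it to a child shell; the function names, the `SECRET` variable and the blanket-escape step are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not code from the plugin or from PR 85.
# Constructed sample secret, matching the credential in the reproduction steps.
PASSWORD='pa$$word'

# 1. Secret interpolated into a double-quoted command string.
#    The child shell sees "pa$$word" and expands $$ to its own PID.
via_double_quotes() {
    sh -c "printf '%s' \"$PASSWORD\""
}

# 2. Secret interpolated inside single quotes: $$ stays literal.
#    (Still fragile: a password containing ' would end the quoting.)
via_single_quotes() {
    sh -c "printf '%s' '$PASSWORD'"
}

# 3. Hypothetical blanket escape applied on top of the single quotes.
#    Backslashes are literal inside '...', so the secret itself changes.
via_escaped_single_quotes() {
    escaped=$(printf '%s' "$PASSWORD" | sed 's/[$]/\\&/g')
    sh -c "printf '%s' '$escaped'"
}

# 4. Secret handed over in the environment; the command text never contains
#    it, so no character needs escaping. SECRET is a hypothetical name.
via_environment() {
    SECRET="$PASSWORD" sh -c 'printf "%s" "$SECRET"'
}

# Show what each child shell actually received.
for f in via_double_quotes via_single_quotes via_escaped_single_quotes via_environment; do
    printf '%-28s %s\n' "$f" "$($f)"
done
```

In a Jenkinsfile, the counterpart of case 4 is a single-quoted Groovy string passed to `sh` inside `withCredentials`, so Groovy does not interpolate the secret and the shell reads `$PASS` from its environment.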

jonesbusy commented 1 year ago

The PR will be rolled back until this plugin gets better test coverage. Thanks for your patience.

jonesbusy commented 1 year ago

Released https://github.com/jenkinsci/ansible-plugin/releases/tag/253.v4fe719ffdd8a_