I'm generating a token from an api call and I want to mask its value to avoid displaying in the jenkins console. For that reason, I'm trying to use varMaskRegexes because I'm getting a token with the following format azAz09-azAz09. However, I'm getting an error because it seems to me that I'm not using it in the correct way. I can't store the token value in a envar because it must be generated, when the job is executed.
pipeline {
agent any
stages {
stage('Secret-Masking') {
steps {
wrap([$class: 'MaskPasswordsBuildWrapper', varMaskRegexes: [[key:'token',value:'([A-Za-z0-9]{5}+-[A-Za-z0-9]{5})']]]) {
sh '''
token =$(curl -X POST https://secret.api/getToken)
curl -H "Authorization:$token" https://secret.api/getJobinfo
curl -H "Authorization:$token" https://secret.api/revokeToken
'''
}
}
}
}
}
I tried to remove the quotes from the regex expression but it didn't worked, so I think that is the issue.
The error I'm getting it's the following:
[Pipeline] stage
[Pipeline] {Secret-Masking
[Pipeline] {
[Pipeline] wrap
WARNING: Unknown parameter(s) found for class type 'com.michelin.cio.hudson.plugins.maskpasswords.MaskPasswordsConfig$VarMaskRegexEntry': name
java.lang.ClassCastException: com.michelin.cio.hudson.plugins.maskpasswords.MaskPasswordsConfig$VarMaskRegexEntry.value expects class java.lang.String but received class com.michelin.cio.hudson.plugins.maskpasswords.MaskPasswordsBuildWrapper$VarMaskRegex
at org.jenkinsci.plugins.structs.describable.DescribableModel.coerce(DescribableModel.java:492)
at org.jenkinsci.plugins.structs.describable.DescribableModel.buildArguments(DescribableModel.java:409)
at org.jenkinsci.plugins.structs.describable.DescribableModel.instantiate(DescribableModel.java:329)
Caused: java.lang.IllegalArgumentException: Could not instantiate {name=null, value=([[A-Za-z0-9]{5}+-[A-Za-z0-9]{5})} for com.michelin.cio.hudson.plugins.maskpasswords.MaskPasswordsConfig$VarMaskRegexEntry
at org.jenkinsci.plugins.structs.describable.DescribableModel.instantiate(DescribableModel.java:334)
at org.jenkinsci.plugins.structs.describable.DescribableModel.coerce(DescribableModel.java:474)
at org.jenkinsci.plugins.structs.describable.DescribableModel.coerceList(DescribableModel.java:585)
at org.jenkinsci.plugins.structs.describable.DescribableModel.coerce(DescribableModel.java:458)
at org.jenkinsci.plugins.structs.describable.DescribableModel.buildArguments(DescribableModel.java:409)
at org.jenkinsci.plugins.structs.describable.DescribableModel.instantiate(DescribableModel.java:329)
Caused: java.lang.IllegalArgumentException: Could not instantiate {varPasswordPairs=[], varMaskRegexes=[{value=([[A-Za-z0-9]{5}+-[A-Za-z0-9]{5}), key=token}]} for com.michelin.cio.hudson.plugins.maskpasswords.MaskPasswordsBuildWrapper
at org.jenkinsci.plugins.structs.describable.DescribableModel.instantiate(DescribableModel.java:334)
at org.jenkinsci.plugins.structs.describable.DescribableModel.coerce(DescribableModel.java:474)
at org.jenkinsci.plugins.structs.describable.DescribableModel.buildArguments(DescribableModel.java:409)
at org.jenkinsci.plugins.structs.describable.DescribableModel.instantiate(DescribableModel.java:329)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:305)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:196)
at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:124)
at jdk.internal.reflect.GeneratedMethodAccessor3296.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1225)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:41)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:180)
at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:163)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:178)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:182)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:152)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
Caused: java.lang.IllegalArgumentException: Could not instantiate {delegate={$class=MaskPasswordsBuildWrapper, varPasswordPairs=[], varMaskRegexes=[{value=([[A-Za-z0-9]{5}+-[A-Za-z0-9]{5}), key=token}]}} for org.jenkinsci.plugins.workflow.steps.CoreWrapperStep
at org.jenkinsci.plugins.structs.describable.DescribableModel.instantiate(DescribableModel.java:334)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:305)
at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:196)
at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:124)
at jdk.internal.reflect.GeneratedMethodAccessor3296.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1225)
at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:41)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:180)
at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:163)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:178)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:182)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:152)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:17)
at WorkflowScript.run(WorkflowScript:76)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.delegateAndExecute(ModelInterpreter.groovy:137)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.executeSingleStage(ModelInterpreter.groovy:666)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.catchRequiredContextForNode(ModelInterpreter.groovy:395)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.catchRequiredContextForNode(ModelInterpreter.groovy:393)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.executeSingleStage(ModelInterpreter.groovy:665)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.evaluateStage(ModelInterpreter.groovy:288)
at org.jenkinsci.plugins.pipeline.modeldefinition.ModelInterpreter.toolsBlock(ModelInterpreter.groovy:539)
at ___cps.transform___(Native Method)
at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:90)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:116)
at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:85)
at jdk.internal.reflect.GeneratedMethodAccessor278.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
at com.cloudbees.groovy.cps.Next.step(Next.java:83)
at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:152)
at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:146)
at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:136)
at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:275)
at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:146)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:51)
at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:187)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:420)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:330)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:294)
at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:67)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:139)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
at jenkins.util.ErrorLoggingExecutorService.lambda$wrap$0(ErrorLoggingExecutorService.java:51)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Finished: FAILURE
The varMaskRegexes is a configuration option in Jenkins that allows you to define regular expressions to mask sensitive information (e.g. passwords, access tokens, etc.) in the console output.
To use this feature, you need to define the regular expression that matches the sensitive information and then add it to the varMaskRegexes configuration option. Here is an example of how you can use it to mask a token with the format you mentioned (azAz09-azAz09):
Code
def token = 'abc123-def456' // replace with your actual token value
def varMaskRegexes = '([a-zA-Z0-9]{8}-[a-zA-Z0-9]{6})'
echo "Token: ${token}" // will display the token value in the console
echo "Masked Token: ${token.replaceAll(varMaskRegexes, '********')}" // will display the masked token value in the console
In this example, the regular expression ([a-zA-Z0-9]{8}-[a-zA-Z0-9]{6}) matches the token format azAz09-azAz09. Then, the replaceAll method is used to replace the matched token with ******** to mask it in the console output.
You can also add the regular expression to the varMaskRegexes configuration option in the Jenkinsfile or in the Jenkins system configuration, depending on your needs.