Interesting use case! Never tried accessing a masked password with Groovy in Jenkins. Adding it to the next development cycle. Thanks for reporting it totoroliu

Hi,

Just tried with a password field, where the default value is set to 123.

Here's what I get in the plug-in code while debugging: PASS=657KFHBDRzTNus4oc4hDs8aLP1ymBEorhgagswsCTRI=

Then tried using a Masked password, with the Mask Password Plug-in, but unfortunately I couldn't really understand how it works.

I installed the plug-in, but in the global configuration, I could only find a way to enable that for "Active Choices Parameter", and not for each parameter type as in the description.

Then I created a global mask password MYPASS, with value 123. But still could not see it in the env vars, nor as parameter.

Then, in the job, configured a masked parameter, again MYPASS with value 123. I can successfully see that in the console output if I try to echo it, instead of the value, it displays ****. But it is not available for the parameter.

So the plug-in actually stores the value with the build. In your config.xml you can see something like:

<varPasswordPair var="MYPASS" password="657KFHBDRzTNus4oc4hDs8aLP1ymBEorhgagswsCTRI="/>

Then when you execute the job, it takes care to mask password in the console, and also inject the right value.

The problem is that what you have is not really a parameter, as normal parameters in Jenkins. But even if we changed it to be a parameter, it is not clear if you would be able to use the parameter. I believe its value would still be encrypted.

Moving priority to low, as the behaviour of the plug-in is not really broken. We need to work to support this plug-in. The work involved is not trivial, but doable.

Righto, coming back to this issue now.

Set up a job again with the instructions provided in the issue description. I get a build_password is not defined for the Groovy script.

The Mask Password Plugin has a build wrapper, that uses the build_password. It is not available to any parameters, only during build time.

So in the end there is no easy way to integrate the plug-in in a transparent way to users. Users that want to use the global parameters defined in the Mask Password Plug-in need to implement the logic in their scripts.

I followed the logic in the plug-in code (in special this part).

And here's one way to get it to work.

import com.michelin.cio.hudson.plugins.maskpasswords.*;

SVN_ROOT = "https://server.com/svn/root"

// getting global masked password...
maskPasswordsConfig = MaskPasswordsConfig.getInstance()
varPasswordPairs = maskPasswordsConfig.getGlobalVarPasswordPairs()

// default to empty
build_password = ''
// check if we have a global pair with that password
varPasswordPairs.each { pair ->
    if (pair.getVar().equals("build_password")) {
        // this will use Jenkins' Secret class to decrypt it...
        build_password = pair.password
    }
}

if ( SVN_FOLDER.endsWith("/trunk") ){
    return ["N/A"]
} else {
    def SVN_LIST_URL = "${SVN_ROOT}/${SVN_FOLDER}"
    //def SVN_CMD_ARG = "svn ls --username build --password ${build_password} --non-interactive ${SVN_LIST_URL}"
    //def SVN_CMD_OUT = SVN_CMD_ARG.execute().text
    //def SVN_SELECTION_LIST = SVN_CMD_OUT.split('/\n').toList().sort().reverse()
    // Just for test, as it would be hard to share an example calling user+pass from a repo
    def SVN_SELECTION_LIST = [build_password]

    return SVN_SELECTION_LIST
}

Simplified the script a little bit as it would be too hard to provide an example that worked. But in summary, you have to get that password value programmatically in Groovy.

Added a tutorial for this integration here: http://biouno.org/tutorials/active-choices/using-masked-passwords-with-the-active-choices-plugin

thank you Bruno for your support

Thanks Bruno - this also really helped me out!

Thank you Bruno.