Details
-
Bug
-
Status: Resolved (View Workflow)
-
Minor
-
Resolution: Duplicate
-
Jenkins: 2.138.1
BlueOcean plugin: 1.8.2
A clean install on Windows 7 with just a standard set of plugins
Reproed with Chrome on Windows and Firefox on a Linux desktop
Description
When a string is displayed in the BlueOcean UI from an "echo" step, the string "Print Message" is displayed IF the string being echoed contains a substring that matches the contents of any environment variable.
Repro steps:
Create a pipeline with this code:
pipeline {
agent any
stages {
stage('test') {
environment {
THING = 'foobarbuzz'
}
steps {
echo "blah"
echo "foobarbuzz"
echo "foobarZZZbuzz"
echo "This is a $THING here"
}
}
}
}
Run the pipeline via Blue Ocean
Observe that there are four step labels displayed in the Blue Ocean UI. (see attached screenshot) The first and third steps display the strings from "echo" as expected. But, the second and fourth steps display only "Print Message" and don't show the expected string. The user needs to click the step to expand it to see the string. I would expect that all strings from all echo statements should show up in the main Blue Ocean UI and would not require some to be manually expended.
Attachments
Issue Links
- duplicates
-
-
- Resolved
-
- is duplicated by
-
-
- Closed
-
- is related to
-
JENKINS-55612 Add optional label attribute for echo step to improve usability
-
- Open
-
Activity
Been affected by this issue as well and debugged further. Based on my findings the "flaw" is in the attempt of locating environment variables that might be credentials bindings.
My "slightly more than minimal failing" example after configuring a secret text with the id hello is:
withEnv(['FOO=bar']) { echo "Testing bar world" withCredentials([string(credentialsId: 'hello', variable: 'MY_SECRET')]) { echo "Testing bar world" withEnv(['BAR=baz']) { echo "Testing bar world" withCredentials([string(credentialsId: 'hello', variable: 'MY_OTHER_SECRET')]) { echo "Testing bar world" } } } }
The issue is that we can currently not cleanly separate credentials from other env variables. As a result, all env vars are effectively treated as credentials and their output is masked. That's also why I don't think this is an issue with Blue Ocean.
I think the system would function as intended if only env vars used as credentials were passed in as constructors to ArgumentsActionImpl at https://github.com/jenkinsci/workflow-cps-plugin/blame/master/src/main/java/org/jenkinsci/plugins/workflow/cps/DSL.java#L246.
jglick what would be a clean way to only determine env vars that were added as credentials?
Well known limitation of the current design. Essentially the same problem as what is described in JENKINS-47101, though with different symptoms. APIs to solve this have been discussed recently, but no promises.
jglick JENKINS-47101 seems to be the conflicting requirement to suppress credentials in a step, which is different from this issue where non-credentials are suppressed.
Where are these discussions taking place? Would be happy to help!
What if `EnvironmentExpander` had a method to yield only env vars that represent a `Secret`. With that the env vars passed into the sanitization could only retain those and argument masking should work as intended!?
JENKINS-47101seems to be the conflicting requirement
Yes, as I said the symptoms are different. The underlying problem is the lack of an API to determine whether environment variables are sensitive, something like AbstractBuild.getSensitiveBuildVariables but suited to Pipeline’s needs; in lieu of that, workflow-cps assumes most variables are sensitive, but makes exemptions for a fixed list of common system variables. And yes EnvironmentExpander is the likely locus of such a new API, such as Set<String> getSensitiveVariables().
In the same vein as zett42 I created a groovy library to wrap his method for easy use in my pipelines.
I call the file unsafeEcho.groovy and call it via
unsafeEcho "SHORT_BUILD_VERSION: $SHORT_BUILD_VERSION"