First version of password hashing for jenkins.
diff --git a/README.rst b/README.rst
index a83d61f..1d20ec7 100644
--- a/README.rst
+++ b/README.rst
@@ -306,6 +306,65 @@
- repository: base
file: macros/git.groovy
+SMTP server settings
+
+.. code-block:: yaml
+
+ jenkins:
+ master:
+ email:
+ engine: "smtp"
+ host: "smtp.domain.com"
+ user: "user@domain.cz"
+ password: "smtp-password"
+ port: 25
+
+Jenkins script approvals
+
+.. code-block:: yaml
+
+ jenkins:
+ master:
+ approved_scripts:
+ - method groovy.json.JsonSlurperClassic parseText java.lang.String
+
+Credentials enforcing
+
+.. code-block:: yaml
+
+ jenkins:
+ master:
+ credentials:
+ - type: username_password
+ scope: GLOBAL
+ id: credential-1
+ desc: ""
+ username: admin
+ password: "password"
+ - type: ssh_key
+ scope: GLOBAL
+ id: key-credential
+ desc: ""
+ username: admin
+ password: "key-password"
+ key: |
+ xxxxxxxxxxxxxxxxxxxx
+
+Users enforcing
+
+.. code-block:: yaml
+
+ jenkins:
+ user:
+ admin:
+ api_token: xxxxxxxxxx
+ password: admin_password
+ email: admin@domain.com
+ user01:
+ api_token: xxxxxxxxxx
+ password: user_password
+ email: user01@domain.com
+
Usage
=====
diff --git a/_modules/jenkins_hash.py b/_modules/jenkins_hash.py
new file mode 100644
index 0000000..6796bbd
--- /dev/null
+++ b/_modules/jenkins_hash.py
@@ -0,0 +1,9 @@
+import hashlib
+import random
+import string
+
+def encode_password(password):
+ salt = ''.join(random.SystemRandom().choice(string.ascii_letters)
+ for i in range(6))
+ hash_ = hashlib.sha256("%s{%s}" % (password, salt)).hexdigest()
+ return "%s:%s" % (salt, hash_)
\ No newline at end of file
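Review bot: `encode_password` produces a single round of salted SHA-256, which is cheap to guess offline if a user's config.xml is ever read. Jenkins' built-in security realm also accepts bcrypt hashes carrying the `#jbcrypt:` prefix, and emitting that format would be the stronger choice where the target Jenkins version supports it; it needs a bcrypt library on the minion, so it is a follow-up rather than a one-line change. Separately, `hashlib.sha256("%s{%s}" % (password, salt))` passes a text string, which raises TypeError under Python 3; encoding first, `hashlib.sha256(("%s{%s}" % (password, salt)).encode("utf-8")).hexdigest()`, avoids that. A docstring stating that the return value is `salt:sha256(password{salt})` and is meant only for the `<passwordHash>` element would keep callers from using it on other fields.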
diff --git a/jenkins/files/config.xml.user b/jenkins/files/config.xml.user
index 9d442a4..aca8b2b 100644
--- a/jenkins/files/config.xml.user
+++ b/jenkins/files/config.xml.user
@@ -27,7 +27,7 @@
<insensitiveSearch>false</insensitiveSearch>
</hudson.search.UserSearchProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
- <passwordHash>{{ user.password_hash }}</passwordHash>
+ <passwordHash>{{ salt['jenkins_hash.encode_password'](user.password) }}</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
{%- if user.public_keys is defined %}
<org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
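Review bot: Because `encode_password` draws a fresh salt on every call, this `<passwordHash>` line renders differently on each state run, so the managed file will presumably be reported as changed and rewritten every time even when the password has not changed. Keeping the precomputed value as an override avoids that and lets operators keep the plaintext out of pillar: `{{ user.password_hash if user.password_hash is defined else salt['jenkins_hash.encode_password'](user.password) }}`. The enclosing template block starts and ends outside this hunk.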
diff --git a/jenkins/files/credentials.xml b/jenkins/files/credentials.xml
index 8e3da7b..fc6c244 100644
--- a/jenkins/files/credentials.xml
+++ b/jenkins/files/credentials.xml
@@ -14,7 +14,7 @@
<id>{{ credential.id }}</id>
<description>{{ credential.desc }}</description>
<username>{{ credential.username }}</username>
- <password>{{ credential.password_hash }}</password>
+ <password>{{ salt['jenkins_hash.encode_password'](credential.password) }}</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
{%- elif credential.type == "ssh_key" %}
<com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="ssh-credentials@1.12">
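Review bot: The `<password>` element here, the `<passphrase>` in the next hunk and `<smtpAuthPassword>` in hudson.tasks.Mailer.xml hold secrets that Jenkins has to present to another system, so they must be recoverable. `jenkins_hash.encode_password` is one-way, and Jenkins would most likely treat the rendered `salt:hash` string as the literal password and fail to authenticate. Only `<passwordHash>` in config.xml.user is a verifier where a hash belongs. These three fields need the value encrypted with the instance's own secret key, or to be set through the credentials API or an init script; if the plain value `{{ credential.password }}` is rendered as a stopgap, the file should be readable by the Jenkins user only. The username_password branch also lacks the `{%- if credential.password is defined %}` guard that the ssh_key branch gets.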
@@ -22,7 +22,9 @@
<id>{{ credential.id }}</id>
<description>{{ credential.desc }}</description>
<username>{{ credential.username }}</username>
- <passphrase>{{ credential.password_hash }}</passphrase>
+ {%- if credential.password is defined %}
+ <passphrase>{{ salt['jenkins_hash.encode_password'](credential.password) }}</passphrase>
+ {%- endif %}
<privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
<privateKey>{{ credential.key }}</privateKey>
</privateKeySource>
diff --git a/jenkins/files/hudson.tasks.Mailer.xml b/jenkins/files/hudson.tasks.Mailer.xml
index ab60d4d..00c146d 100644
--- a/jenkins/files/hudson.tasks.Mailer.xml
+++ b/jenkins/files/hudson.tasks.Mailer.xml
@@ -3,7 +3,7 @@
<?xml version='1.0' encoding='UTF-8'?>
<hudson.tasks.Mailer_-DescriptorImpl plugin="mailer@1.18">
<smtpAuthUsername>{{ master.email.user }}</smtpAuthUsername>
- <smtpAuthPassword>{{ master.email.password_hash }}</smtpAuthPassword>
+ <smtpAuthPassword>{{ salt['jenkins_hash.encode_password'](master.email.password) }}</smtpAuthPassword>
<smtpHost>{{ master.email.host }}</smtpHost>
<useSsl>false</useSsl>
<smtpPort>{{ master.email.port }}</smtpPort>
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 0d27f12..238fe90 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -29,7 +29,6 @@
admin:
api_token: ${_param:jenkins_admin_token}
password: ${_param:jenkins_admin_password}
- password_hash: ${_param:jenkins_admin_password_hash}
email: root@domain.com
job_builder:
enabled: true