hybrid_platforms_conductor 33.4.0 → 33.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f5f1fa4755dba3c7830397e4b43204517131487eaa5942bd0492f64bb835def5
-  data.tar.gz: 3d6d5de92054abbcfebc902f523466ba79167da40e33c25defc413ed28d2cc28
+  metadata.gz: b7fbebabd55f289dc72c1882d4d02b1898035593a78cc1396e63e9f3f97405b4
+  data.tar.gz: 1b0394745277f497c7083828be1b813fe6ff60c0c6c14f22a0808e88c6d2911f
 SHA512:
-  metadata.gz: 944569bc9c74fbbbeff909f6d73ae3c2f8064cb3c6853c4f29c74e1a3e906d446f7db4600b3c66d64bc8642bdd173a694dc337fa78a411cb9da30107e14c7643
-  data.tar.gz: 13acf6ece0db85b0a92caf752aa56b6510f3cfa3f82091c38f0cbd9dc0048056c9f6e9995e5db4dd97141fe0a1bea7e7db75db954b8f114c25acaadf11a7c228
+  metadata.gz: ae3267357ec72113fc39933fd63572dce1017d27162248e6416d7621f543701e20ddc5d155eb4cb7785f572a975304399a6a512940d8c8017af9389251cbc49b
+  data.tar.gz: b8eac4d69391f5ed8a5ce9e7c495549cbfac878a9d8847e568f17989a1ed944da7a16bcc9deeebacbee522dc6cd56b937baa0dc50b2ed1070f5a247a090bee9c

data/CHANGELOG.md

@@ -1,3 +1,50 @@
+# [v33.7.1](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.7.0...v33.7.1) (2021-07-09 17:17:18)
+
+## Global changes
+### Patches
+
+* [[Bugfix(platform_handler_serverless_chef)] [#93] Make sure chef runs use colors in their output](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/14352425115cf46b92e4c747b2e34e3734314288)
+
+## Changes for platform_handler_serverless_chef
+### Patches
+
+* [[Bugfix(platform_handler_serverless_chef)] [#93] Make sure chef runs use colors in their output](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/14352425115cf46b92e4c747b2e34e3734314288)
+
+# [v33.7.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.6.0...v33.7.0) (2021-07-09 16:32:25)
+
+### Features
+
+* [[Feature] [#91] Expose log_debug? method to the config DSL to adapt configuration in case we are in debug mode](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/87f6f51df2d20c7861f9ddd59a8d7f68c27cdd74)
+
+# [v33.6.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.5.1...v33.6.0) (2021-07-07 15:45:12)
+
+## Global changes
+### Patches
+
+* [[Feature(connector_ssh)] [Feature(cmdb_host_keys)] [#78] Way to configure the SSH port being used with the ssh_port metadata](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/f1be319eae30eedcf7f901d3ce0a14f6f4d1f2ea)
+
+## Changes for cmdb_host_keys
+### Features
+
+* [[Feature(connector_ssh)] [Feature(cmdb_host_keys)] [#78] Way to configure the SSH port being used with the ssh_port metadata](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/f1be319eae30eedcf7f901d3ce0a14f6f4d1f2ea)
+
+## Changes for connector_ssh
+### Features
+
+* [[Feature(connector_ssh)] [Feature(cmdb_host_keys)] [#78] Way to configure the SSH port being used with the ssh_port metadata](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/f1be319eae30eedcf7f901d3ce0a14f6f4d1f2ea)
+
+# [v33.5.1](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.5.0...v33.5.1) (2021-07-07 12:01:32)
+
+### Patches
+
+* [[Bugfix] [#87] Make sure local nodes and root accounts are taken into account when getting sudo prefixes](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/cb626f1c99a6f1a95c9c884c03bf3fd71045259c)
+
+# [v33.5.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.4.0...v33.5.0) (2021-07-07 11:03:01)
+
+### Features
+
+* [[Feature] [Security] [#80] Use SecretString for credentials to avoid passwords and secrets accidental leakage](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/0db5f529e539b81f86b9f618a63e62bdbd58cb38)
+
 # [v33.4.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.3.0...v33.4.0) (2021-07-05 13:24:27)
 
 ### Features

data/README.md

@@ -84,9 +84,11 @@ Here are the various plugin categories:
 * **[Actions](docs/plugins/action)** implement a given **action**. For example: bash code execution, ruby code execution, file transfer...
 * **[Cmdbs](docs/plugins/cmdb)** parse **metadata** from various sources. For example: a database, Chef/Ansible inventory files, a configuration management database such as Consul...
 * **[Connectors](docs/plugins/connector)** give ways to execute commands and transfer files on **nodes**. For example: using an SSH connection, a CLI for a Cloud provider...
+* **[Logs](docs/plugins/log)** handle any deployment log storage strategy. They take deployment logs and send them wherever the plugins want.
 * **[Platform handlers](docs/plugins/platform_handler)** handle any **platform** of a given **platform type**. They read **nodes**' inventory and **services** from **platforms**, and provide **actions** to deploy a **service** on a **node**.
 * **[Provisioners](docs/plugins/provisioner)** provision (create, destroy, start, stop...) **nodes**. For example: using OpenShift, Proxmox, Docker, Podman...
 * **[Reports](docs/plugins/report)** gather **platforms** and **nodes**' inventory information and publish them to some medium. For example: on command line, as a JSON file, on a content management system like Confluence or Mediawiki...
+* **[Secrets readers](docs/plugins/secrets_reader)** reads secrets from various sources (vaults, APIs, local files...).
 * **[Tests](docs/plugins/test)** define tests to be performed on **platforms** and **nodes**.
 * **[Tests reports](docs/plugins/test_report)** publish tests results to some medium. For example: on command line, as a JSON file, on a content management system like Confluence or Mediawiki...
 
@@ -330,11 +332,9 @@ credentials_for(:bitbucket) do |resource, requester|
   puts 'Input Bitbucket password...'
   password = ''
   $stdin.noecho { |io| io.sysread(256, password) }
-  begin
-    password.chomp!
-    requester.call 'my_bitbucket_name', password
-  ensure
-    SecretString.erase(password)
+  password.chomp!
+  SecretString.protect(password) do |secret_password|
+    requester.call 'my_bitbucket_name', secret_password
   end
 end
 ```

data/docs/config_dsl.md

@@ -216,6 +216,10 @@ It takes the following parameters:
 * a code block that will be called back by any process needing credentials matching the ID and resource specification.
 The code block will be given both the resource name being accessed, and a requester object that needs to be given the corresponding user and password. When the requester finishes running, the credentials are not needed anymore and should be cleaned from memory to avoid vulnerabilities.
 
+A secure way to five the password is to use a [`SecretString`](https://github.com/Muriel-Salvan/secret_string) class that will give the following guarantees:
+* Avoid the password to leak inadvertently in logs, on-screen, files...
+* Clear the password from memory as soon as it is not needed anymore.
+
 Examples:
 ```ruby
 # Using an environment variable as a password
@@ -228,11 +232,9 @@ credentials_for(:github) do |resource, requester|
   puts 'Input Github password...'
   password = ''
   $stdin.noecho { |io| io.sysread(256, password) }
-  begin
-    password.chomp!
-    requester.call 'MyUserName', password
-  ensure
-    SecretString.erase(password)
+  password.chomp!
+  SecretString.protect(password) do |secret_password|
+    requester.call 'MyUserName', secret_password
   end
 end
 

data/docs/plugins/cmdb/host_keys.md

@@ -21,7 +21,9 @@ None
 
 | Metadata | Type | Usage
 | --- | --- | --- |
-| `hostname` | `String` | Used to query the IP from DNS records |
+| `host_ip` | `String` | Used to perform the `ssh-keyscan` |
+| `hostname` | `String` | Used in place of the `host_ip` in case `host_ip` is not available |
+| `ssh_port` | `Integer` | Port on which the `ssh-keyscan` will be performed (default: 22) |
 
 ## Used environment variables
 

data/docs/plugins/connector/ssh.md

@@ -70,6 +70,7 @@ end
 | `host_keys` | `Array<String>` | The node's host keys used to generate a `known_hosts` file with those to avoid user confirmations when connecting. |
 | `hostname` | `String` | Host name used to connect in case no IP address can be found in metadata. |
 | `private_ips` | `Array<String>` | IP list to connect in case `host_ip` is not defined in metadata. |
+| `ssh_port` | `Integer` | Port used to connect to SSH (default: 22). |
 | `ssh_session_exec` | `Boolean` | If set to `false`, then consider that the node does not have any SSH SessionExec capabilities. This will make sure that remote command executions is done using stdin piping on interactive sessions instead of SSH commands execution. |
 
 ## Used environment variables

data/lib/hybrid_platforms_conductor/actions_executor.rb

@@ -53,7 +53,8 @@ module HybridPlatformsConductor
             logger_stderr: @logger_stderr,
             config: @config,
             cmd_runner: @cmd_runner,
-            nodes_handler: @nodes_handler
+            nodes_handler: @nodes_handler,
+            actions_executor: self
           )
         end
       )
@@ -246,6 +247,33 @@ module HybridPlatformsConductor
       @connector_plugins[connector_name]
     end
 
+    # Is the access to a given node privileged?
+    # Take into account if remote actions are executed on a local node, and configurable sudos.
+    #
+    # Parameters::
+    # * *node* (String): Node on which we want privileged access
+    # Result::
+    # * Boolean: Is the access privileged?
+    def privileged_access?(node)
+      (@nodes_handler.get_local_node_of(node) ? @cmd_runner.whoami : connector(:ssh).ssh_user) == 'root'
+    end
+
+    # Get the sudo prefix to get privileged access.
+    # Take into account if remote actions are executed on a local node, and configurable sudos.
+    #
+    # Parameters::
+    # * *node* (String): Node on which we want privileged access
+    # * *forward_env* (Boolean): Do we need to forward environment in case of sudo? [default: false]
+    # Result::
+    # * String: Sudo prefix to be used (can be empty if root is being used)
+    def sudo_prefix(node, forward_env: false)
+      if privileged_access?(node)
+        ''
+      else
+        "#{@nodes_handler.sudo_on(node)} #{forward_env ? '-E ' : ''}"
+      end
+    end
+
     private
 
     # Execute a list of actions for a node, and return exit codes, stdout and stderr of those actions.

data/lib/hybrid_platforms_conductor/bitbucket.rb

@@ -77,7 +77,7 @@ module HybridPlatformsConductor
       # Parameters::
       # * *bitbucket_url* (String): The Bitbucket URL
       # * *bitbucket_user_name* (String): Bitbucket user name to be used when querying the API
-      # * *bitbucket_password* (String): Bitbucket password to be used when querying the API
+      # * *bitbucket_password* (SecretString): Bitbucket password to be used when querying the API
       # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
       # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
       def initialize(bitbucket_url, bitbucket_user_name, bitbucket_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
@@ -148,7 +148,7 @@ module HybridPlatformsConductor
         http_response = nil
         loop do
           begin
-            http_response = URI.parse(api_url).open(http_basic_authentication: [@bitbucket_user_name, @bitbucket_password])
+            http_response = URI.parse(api_url).open(http_basic_authentication: [@bitbucket_user_name, @bitbucket_password&.to_unprotected])
           rescue
             raise if retries.zero?
 

data/lib/hybrid_platforms_conductor/cmd_runner.rb

@@ -59,7 +59,7 @@ module HybridPlatformsConductor
     # Raise an exception if the exit status is not the expected one.
     #
     # Parameters::
-    # * *cmd* (String): Command to be run
+    # * *cmd* (String or SecretString): Command to be run
     # * *log_to_file* (String or nil): Log file capturing stdout or stderr (or nil for none). [default: nil]
     # * *log_to_stdout* (Boolean): Do we send the output to stdout? [default: true]
     # * *log_stdout_to_io* (IO or nil): IO to send command's stdout to, or nil for none. [default: nil]
@@ -108,7 +108,7 @@ module HybridPlatformsConductor
         bash_file = nil
         if force_bash
           bash_file = Tempfile.new('hpc_bash')
-          bash_file.write(cmd)
+          bash_file.write(cmd.to_unprotected)
           bash_file.chmod 0o700
           bash_file.close
           cmd = "/bin/bash -c #{bash_file.path}"
@@ -136,7 +136,7 @@ module HybridPlatformsConductor
                 pty: true,
                 timeout: timeout,
                 uuid: false
-              ).run!(cmd) do |stdout, stderr|
+              ).run!(cmd.to_unprotected) do |stdout, stderr|
                 stdout_queue << stdout if stdout
                 stderr_queue << stderr if stderr
               end
@@ -162,7 +162,7 @@ module HybridPlatformsConductor
           log_debug "Finished in #{elapsed} seconds with exit status #{exit_status} (#{(expected_code.include?(exit_status) ? 'success'.light_green : 'failure'.light_red).bold})"
         end
         unless expected_code.include?(exit_status)
-          error_title = "Command '#{cmd.split("\n").first}' returned error code #{exit_status} (expected #{expected_code.join(', ')})."
+          error_title = "Command '#{cmd.to_s.split("\n").first}' returned error code #{exit_status} (expected #{expected_code.join(', ')})."
           if no_exception
             # We consider the caller is responsible for logging what he wants about the details of the error (stdout and stderr)
             log_error error_title

data/lib/hybrid_platforms_conductor/config.rb

@@ -34,6 +34,8 @@ module HybridPlatformsConductor
     end
     @mixin_initializers = []
 
+    expose :log_debug?
+
     # Directory of the definition of the platforms
     #   String
     attr_reader :hybrid_platforms_dir

data/lib/hybrid_platforms_conductor/confluence.rb

@@ -34,7 +34,7 @@ module HybridPlatformsConductor
       # Parameters::
       # * *confluence_url* (String): The Confluence URL
       # * *confluence_user_name* (String): Confluence user name to be used when querying the API
-      # * *confluence_password* (String): Confluence password to be used when querying the API
+      # * *confluence_password* (SecretString): Confluence password to be used when querying the API
       # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
       # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
       def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
@@ -109,7 +109,7 @@ module HybridPlatformsConductor
         page_url = URI.parse("#{@confluence_url}/#{api_path}")
         Net::HTTP.start(page_url.host, page_url.port, use_ssl: true) do |http|
           request = Net::HTTP.const_get(http_method.to_s.capitalize.to_sym).new(page_url.request_uri)
-          request.basic_auth @confluence_user_name, @confluence_password
+          request.basic_auth @confluence_user_name, @confluence_password&.to_unprotected
           yield request if block_given?
           response = http.request(request)
           raise "Confluence page API request on #{page_url} returned an error: #{response.code}\n#{response.body}\n===== Request body =====\n#{request.body}" unless response.is_a?(Net::HTTPSuccess)

data/lib/hybrid_platforms_conductor/connector.rb

@@ -14,16 +14,19 @@ module HybridPlatformsConductor
     # * *config* (Config): Config to be used. [default: Config.new]
     # * *cmd_runner* (CmdRunner): Command executor to be used. [default: CmdRunner.new]
     # * *nodes_handler* (NodesHandler): NodesHandler to be used. [default: NodesHandler.new]
+    # * *actions_executor* (ActionsExecutor): ActionsExecutor to be used. [default: ActionsExecutor.new]
     def initialize(
       logger: Logger.new($stdout),
       logger_stderr: Logger.new($stderr),
       config: Config.new,
       cmd_runner: CmdRunner.new,
-      nodes_handler: NodesHandler.new
+      nodes_handler: NodesHandler.new,
+      actions_executor: ActionsExecutor.new
     )
       super(logger: logger, logger_stderr: logger_stderr, config: config)
       @cmd_runner = cmd_runner
       @nodes_handler = nodes_handler
+      @actions_executor = actions_executor
       # If the connector has an initializer, use it
       init if respond_to?(:init)
     end
@@ -67,7 +70,7 @@ module HybridPlatformsConductor
     # Handle the redirection of standard output and standard error to file and stdout depending on the context of the run.
     #
     # Parameters::
-    # * *cmd* (String): The command to be run
+    # * *cmd* (String or SecretString): The command to be run
     # * *force_bash* (Boolean): If true, then make sure command is invoked with bash instead of sh [default: false]
     # Result::
     # * Integer: Exit code

data/lib/hybrid_platforms_conductor/credentials.rb

@@ -1,4 +1,5 @@
 require 'netrc'
+require 'secret_string'
 require 'uri'
 require 'hybrid_platforms_conductor/logger_helpers'
 
@@ -65,8 +66,8 @@ module HybridPlatformsConductor
     # * Proc: Client code called with credentials provided
     #   * Parameters::
     #     * *user* (String or nil): User name, or nil if none
-    #     * *password* (String or nil): Password, or nil if none.
-    #       !!! Never store this password in a scope broader than the client code itself !!!
+    #     * *password* (SecretString or nil): Password, or nil if none.
+    #       !!! Never clone this password in a scope broader than the client code itself !!!
     def with_credentials_for(id, resource: nil)
       # Get the credentials provider
       provider = nil
@@ -81,7 +82,8 @@ module HybridPlatformsConductor
 
       provider ||= proc do |requested_resource, requester|
         # Check environment variables
-        user = ENV["hpc_user_for_#{id}"].dup
+        user = ENV["hpc_user_for_#{id}"]
+        # Clone the password as we are going to treat it as a secret string that will be wiped out
         password = ENV["hpc_password_for_#{id}"].dup
         if user.nil? || user.empty? || password.nil? || password.empty?
           log_debug "[ Credentials for #{id} ] - Credentials not found from environment variables."
@@ -103,6 +105,7 @@ module HybridPlatformsConductor
                 # TODO: Add more credentials source if needed here
                 log_warn "[ Credentials for #{id} ] - Unable to get credentials for #{id} (Resource: #{requested_resource})."
               else
+                # Clone in memory as we are going to wipe out ::Netrc's memory
                 user = netrc_user.dup
                 password = netrc_password.dup
                 log_debug "[ Credentials for #{id} ] - Credentials retrieved from .netrc using #{requested_resource}."
@@ -115,19 +118,18 @@ module HybridPlatformsConductor
                   data_string.replace('GotYou!!!' * 100)
                 end
               end
-              # We do this assignment on purpose so that GC can remove sensitive data later
-              # rubocop:disable Lint/UselessAssignment
-              netrc = nil
-              # rubocop:enable Lint/UselessAssignment
             end
           end
         else
           log_debug "[ Credentials for #{id} ] - Credentials retrieved from environment variables."
         end
-        GC.start
-        requester.call user, password
-        password&.replace('gotyou!' * 100)
-        GC.start
+        if password.nil?
+          requester.call user, password
+        else
+          SecretString.protect(password) do |secret_password|
+            requester.call user, secret_password
+          end
+        end
       end
 
       requester_called = false
@@ -135,7 +137,13 @@ module HybridPlatformsConductor
         resource,
         proc do |user, password|
           requester_called = true
-          yield user, password
+          if password.is_a?(String)
+            SecretString.protect(password) do |secret_password|
+              yield user, secret_password
+            end
+          else
+            yield user, password
+          end
         end
       )
 

data/lib/hybrid_platforms_conductor/deployer.rb

@@ -544,15 +544,13 @@ module HybridPlatformsConductor
     # Result::
     # * Hash<String, [Integer or Symbol, String, String]>: Exit status code (or Symbol in case of error or dry run), standard output and error for each node.
     def deploy(services)
-      # Get the ssh user directly from the connector
-      ssh_user = @actions_executor.connector(:ssh).ssh_user
-
       # Deploy for real
       @nodes_handler.prefetch_metadata_of services.keys, :image
       outputs = @actions_executor.execute_actions(
         services.map do |node, node_services|
           image_id = @nodes_handler.get_image_of(node)
-          sudo = (ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} ")
+          need_sudo = !@actions_executor.privileged_access?(node)
+          sudo = @actions_executor.sudo_prefix(node)
           # Install corporate certificates if present
           certificate_actions =
             if @local_environment && ENV['hpc_certificates']
@@ -568,7 +566,7 @@ module HybridPlatformsConductor
                   {
                     scp: {
                       ENV['hpc_certificates'] => '/usr/local/share/ca-certificates',
-                      :sudo => ssh_user != 'root'
+                      :sudo => need_sudo
                     },
                     remote_bash: "#{sudo}update-ca-certificates"
                   }
@@ -584,7 +582,7 @@ module HybridPlatformsConductor
                         cert_file,
                         '/etc/pki/ca-trust/source/anchors'
                       ]
-                    end.to_h.merge(sudo: ssh_user != 'root'),
+                    end.to_h.merge(sudo: need_sudo),
                     remote_bash: [
                       "#{sudo}update-ca-trust enable",
                       "#{sudo}update-ca-trust extract"
@@ -619,7 +617,7 @@ module HybridPlatformsConductor
         services.keys.map do |node|
           [
             node,
-            { remote_bash: "#{ssh_user == 'root' ? '' : "#{@nodes_handler.sudo_on(node)} "}./mutex_dir unlock /tmp/hybrid_platforms_conductor_deploy_lock" }
+            { remote_bash: "#{@actions_executor.sudo_prefix(node)}./mutex_dir unlock /tmp/hybrid_platforms_conductor_deploy_lock" }
           ]
         end.to_h,
         timeout: 10,

data/lib/hybrid_platforms_conductor/github.rb

@@ -23,7 +23,7 @@ module HybridPlatformsConductor
           c.api_endpoint = repo_info[:url]
         end
         with_credentials_for(:github, resource: repo_info[:url]) do |_github_user, github_token|
-          client = Octokit::Client.new(access_token: github_token)
+          client = Octokit::Client.new(access_token: github_token&.to_unprotected)
           (repo_info[:repos] == :all ? client.repositories(repo_info[:user]).map { |repo| repo[:name] } : repo_info[:repos]).each do |name|
             yield client, {
               name: name,

data/lib/hybrid_platforms_conductor/hpc_plugins/action/bash.rb

@@ -14,7 +14,7 @@ module HybridPlatformsConductor
         # [API] - @actions_executor is accessible
         #
         # Parameters::
-        # * *cmd* (String): The bash command to execute
+        # * *cmd* (String or SecretString): The bash command to execute
         def setup(cmd)
           @cmd = cmd
         end

data/lib/hybrid_platforms_conductor/hpc_plugins/action/remote_bash.rb

@@ -15,30 +15,30 @@ module HybridPlatformsConductor
         #
         # Parameters::
         # * *remote_bash* (Array or Object): List of commands (or single command) to be executed. Each command can be the following:
-        #   * String: Simple bash command.
+        #   * String or SecretString: Simple bash command.
         #   * Hash<Symbol, Object>: Information about the commands to execute. Can have the following properties:
-        #     * *commands* (Array<String> or String): List of bash commands to execute (can be a single one) [default: ''].
+        #     * *commands* (Array<String or SecretString> or String or SecretString): List of bash commands to execute (can be a single one) [default: ''].
         #     * *file* (String): Name of file from which commands should be taken [optional].
-        #     * *env* (Hash<String, String>): Environment variables to be set before executing those commands [default: {}].
+        #     * *env* (Hash<String, String or SecretString>): Environment variables to be set before executing those commands [default: {}].
         def setup(remote_bash)
           # Normalize the parameters.
           # Array< Hash<Symbol,Object> >: Simple array of info:
-          # * *commands* (Array<String>): List of bash commands to execute.
-          # * *env* (Hash<String, String>): Environment variables to be set before executing those commands.
+          # * *commands* (Array<String or SecretString>): List of bash commands to execute.
+          # * *env* (Hash<String, String or SecretString>): Environment variables to be set before executing those commands.
           @remote_bash = (remote_bash.is_a?(Array) ? remote_bash : [remote_bash]).map do |cmd_info|
-            if cmd_info.is_a?(String)
-              {
-                commands: [cmd_info],
-                env: {}
-              }
-            else
+            if cmd_info.is_a?(Hash)
               commands = []
-              commands.concat(cmd_info[:commands].is_a?(String) ? [cmd_info[:commands]] : cmd_info[:commands]) if cmd_info[:commands]
+              commands.concat(cmd_info[:commands].is_a?(Array) ? cmd_info[:commands] : [cmd_info[:commands]]) if cmd_info[:commands]
               commands << File.read(cmd_info[:file]) if cmd_info[:file]
               {
                 commands: commands,
                 env: cmd_info[:env] || {}
               }
+            else
+              {
+                commands: [cmd_info],
+                env: {}
+              }
             end
           end
         end
@@ -63,11 +63,21 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to log stderr messages
         # [API] - run_cmd(String) method can be used to execute a command. See CmdRunner#run_cmd to know about the result's signature.
         def execute
-          bash_str = @remote_bash.map do |cmd_info|
-            (cmd_info[:env].map { |var_name, var_value| "export #{var_name}='#{var_value}'" } + cmd_info[:commands]).join("\n")
-          end.join("\n")
-          log_debug "[#{@node}] - Execute remote Bash commands \"#{bash_str}\"..."
-          @connector.remote_bash bash_str
+          # The commands or ENV variables can contain secrets, so make sure to protect all strings from secrets leaking
+          bash_cmds = @remote_bash.map do |cmd_info|
+            cmd_info[:env].map do |var_name, var_value|
+              SecretString.new("export #{var_name}='#{var_value.to_unprotected}'", silenced_str: "export #{var_name}='#{var_value}'")
+            end + cmd_info[:commands]
+          end.flatten
+          begin
+            SecretString.protect(bash_cmds.map(&:to_unprotected).join("\n"), silenced_str: bash_cmds.join("\n")) do |bash_str|
+              log_debug "[#{@node}] - Execute remote Bash commands \"#{bash_str}\"..."
+              @connector.remote_bash bash_str
+            end
+          ensure
+            # Make sure we erase all secret strings
+            bash_cmds.each(&:erase)
+          end
         end
 
       end