hybrid_platforms_conductor 33.4.0 → 33.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f5f1fa4755dba3c7830397e4b43204517131487eaa5942bd0492f64bb835def5
-  data.tar.gz: 3d6d5de92054abbcfebc902f523466ba79167da40e33c25defc413ed28d2cc28
+  metadata.gz: daf46892dd3b5a79ff0e54f16d6881b80519e8fe926e9952ad7faafd1706c31e
+  data.tar.gz: 84f9ee06afb8141f140a8754d0961217ceb14b3f8d2d1d2577792be420d42aa2
 SHA512:
-  metadata.gz: 944569bc9c74fbbbeff909f6d73ae3c2f8064cb3c6853c4f29c74e1a3e906d446f7db4600b3c66d64bc8642bdd173a694dc337fa78a411cb9da30107e14c7643
-  data.tar.gz: 13acf6ece0db85b0a92caf752aa56b6510f3cfa3f82091c38f0cbd9dc0048056c9f6e9995e5db4dd97141fe0a1bea7e7db75db954b8f114c25acaadf11a7c228
+  metadata.gz: 7b1355694d9c7dbc5b2d2f9f6555972c25033d11bd07b14dfc728c94b2965ac1a852c91cb6ed4f20a26bc41cceb12f437a8b599177331cbf544e38ebc387cd4a
+  data.tar.gz: 8636507ef5724bd9f0b3ffbb1f08c3efd1a48d39fe7161a4421350b4a03a9afff279b5522175418742ba87f7daca4dcdb4382e10f3283c39f9816eceba04bdc3

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# [v33.5.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.4.0...v33.5.0) (2021-07-07 11:03:01)
+
+### Features
+
+* [[Feature] [Security] [#80] Use SecretString for credentials to avoid passwords and secrets accidental leakage](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/0db5f529e539b81f86b9f618a63e62bdbd58cb38)
+
 # [v33.4.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.3.0...v33.4.0) (2021-07-05 13:24:27)
 
 ### Features

data/README.md

@@ -330,11 +330,9 @@ credentials_for(:bitbucket) do |resource, requester|
   puts 'Input Bitbucket password...'
   password = ''
   $stdin.noecho { |io| io.sysread(256, password) }
-  begin
-    password.chomp!
-    requester.call 'my_bitbucket_name', password
-  ensure
-    SecretString.erase(password)
+  password.chomp!
+  SecretString.protect(password) do |secret_password|
+    requester.call 'my_bitbucket_name', secret_password
   end
 end
 ```

data/docs/config_dsl.md

@@ -216,6 +216,10 @@ It takes the following parameters:
 * a code block that will be called back by any process needing credentials matching the ID and resource specification.
 The code block will be given both the resource name being accessed, and a requester object that needs to be given the corresponding user and password. When the requester finishes running, the credentials are not needed anymore and should be cleaned from memory to avoid vulnerabilities.
 
+A secure way to five the password is to use a [`SecretString`](https://github.com/Muriel-Salvan/secret_string) class that will give the following guarantees:
+* Avoid the password to leak inadvertently in logs, on-screen, files...
+* Clear the password from memory as soon as it is not needed anymore.
+
 Examples:
 ```ruby
 # Using an environment variable as a password
@@ -228,11 +232,9 @@ credentials_for(:github) do |resource, requester|
   puts 'Input Github password...'
   password = ''
   $stdin.noecho { |io| io.sysread(256, password) }
-  begin
-    password.chomp!
-    requester.call 'MyUserName', password
-  ensure
-    SecretString.erase(password)
+  password.chomp!
+  SecretString.protect(password) do |secret_password|
+    requester.call 'MyUserName', secret_password
   end
 end
 

data/lib/hybrid_platforms_conductor/bitbucket.rb

@@ -77,7 +77,7 @@ module HybridPlatformsConductor
       # Parameters::
       # * *bitbucket_url* (String): The Bitbucket URL
       # * *bitbucket_user_name* (String): Bitbucket user name to be used when querying the API
-      # * *bitbucket_password* (String): Bitbucket password to be used when querying the API
+      # * *bitbucket_password* (SecretString): Bitbucket password to be used when querying the API
       # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
       # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
       def initialize(bitbucket_url, bitbucket_user_name, bitbucket_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
@@ -148,7 +148,7 @@ module HybridPlatformsConductor
         http_response = nil
         loop do
           begin
-            http_response = URI.parse(api_url).open(http_basic_authentication: [@bitbucket_user_name, @bitbucket_password])
+            http_response = URI.parse(api_url).open(http_basic_authentication: [@bitbucket_user_name, @bitbucket_password&.to_unprotected])
           rescue
             raise if retries.zero?
 

data/lib/hybrid_platforms_conductor/cmd_runner.rb

@@ -59,7 +59,7 @@ module HybridPlatformsConductor
     # Raise an exception if the exit status is not the expected one.
     #
     # Parameters::
-    # * *cmd* (String): Command to be run
+    # * *cmd* (String or SecretString): Command to be run
     # * *log_to_file* (String or nil): Log file capturing stdout or stderr (or nil for none). [default: nil]
     # * *log_to_stdout* (Boolean): Do we send the output to stdout? [default: true]
     # * *log_stdout_to_io* (IO or nil): IO to send command's stdout to, or nil for none. [default: nil]
@@ -108,7 +108,7 @@ module HybridPlatformsConductor
         bash_file = nil
         if force_bash
           bash_file = Tempfile.new('hpc_bash')
-          bash_file.write(cmd)
+          bash_file.write(cmd.to_unprotected)
           bash_file.chmod 0o700
           bash_file.close
           cmd = "/bin/bash -c #{bash_file.path}"
@@ -136,7 +136,7 @@ module HybridPlatformsConductor
                 pty: true,
                 timeout: timeout,
                 uuid: false
-              ).run!(cmd) do |stdout, stderr|
+              ).run!(cmd.to_unprotected) do |stdout, stderr|
                 stdout_queue << stdout if stdout
                 stderr_queue << stderr if stderr
               end
@@ -162,7 +162,7 @@ module HybridPlatformsConductor
           log_debug "Finished in #{elapsed} seconds with exit status #{exit_status} (#{(expected_code.include?(exit_status) ? 'success'.light_green : 'failure'.light_red).bold})"
         end
         unless expected_code.include?(exit_status)
-          error_title = "Command '#{cmd.split("\n").first}' returned error code #{exit_status} (expected #{expected_code.join(', ')})."
+          error_title = "Command '#{cmd.to_s.split("\n").first}' returned error code #{exit_status} (expected #{expected_code.join(', ')})."
           if no_exception
             # We consider the caller is responsible for logging what he wants about the details of the error (stdout and stderr)
             log_error error_title

data/lib/hybrid_platforms_conductor/confluence.rb

@@ -34,7 +34,7 @@ module HybridPlatformsConductor
       # Parameters::
       # * *confluence_url* (String): The Confluence URL
       # * *confluence_user_name* (String): Confluence user name to be used when querying the API
-      # * *confluence_password* (String): Confluence password to be used when querying the API
+      # * *confluence_password* (SecretString): Confluence password to be used when querying the API
       # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
       # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
       def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
@@ -109,7 +109,7 @@ module HybridPlatformsConductor
         page_url = URI.parse("#{@confluence_url}/#{api_path}")
         Net::HTTP.start(page_url.host, page_url.port, use_ssl: true) do |http|
           request = Net::HTTP.const_get(http_method.to_s.capitalize.to_sym).new(page_url.request_uri)
-          request.basic_auth @confluence_user_name, @confluence_password
+          request.basic_auth @confluence_user_name, @confluence_password&.to_unprotected
           yield request if block_given?
           response = http.request(request)
           raise "Confluence page API request on #{page_url} returned an error: #{response.code}\n#{response.body}\n===== Request body =====\n#{request.body}" unless response.is_a?(Net::HTTPSuccess)

data/lib/hybrid_platforms_conductor/connector.rb

@@ -67,7 +67,7 @@ module HybridPlatformsConductor
     # Handle the redirection of standard output and standard error to file and stdout depending on the context of the run.
     #
     # Parameters::
-    # * *cmd* (String): The command to be run
+    # * *cmd* (String or SecretString): The command to be run
     # * *force_bash* (Boolean): If true, then make sure command is invoked with bash instead of sh [default: false]
     # Result::
     # * Integer: Exit code

data/lib/hybrid_platforms_conductor/credentials.rb

@@ -1,4 +1,5 @@
 require 'netrc'
+require 'secret_string'
 require 'uri'
 require 'hybrid_platforms_conductor/logger_helpers'
 
@@ -65,8 +66,8 @@ module HybridPlatformsConductor
     # * Proc: Client code called with credentials provided
     #   * Parameters::
     #     * *user* (String or nil): User name, or nil if none
-    #     * *password* (String or nil): Password, or nil if none.
-    #       !!! Never store this password in a scope broader than the client code itself !!!
+    #     * *password* (SecretString or nil): Password, or nil if none.
+    #       !!! Never clone this password in a scope broader than the client code itself !!!
     def with_credentials_for(id, resource: nil)
       # Get the credentials provider
       provider = nil
@@ -81,7 +82,8 @@ module HybridPlatformsConductor
 
       provider ||= proc do |requested_resource, requester|
         # Check environment variables
-        user = ENV["hpc_user_for_#{id}"].dup
+        user = ENV["hpc_user_for_#{id}"]
+        # Clone the password as we are going to treat it as a secret string that will be wiped out
         password = ENV["hpc_password_for_#{id}"].dup
         if user.nil? || user.empty? || password.nil? || password.empty?
           log_debug "[ Credentials for #{id} ] - Credentials not found from environment variables."
@@ -103,6 +105,7 @@ module HybridPlatformsConductor
                 # TODO: Add more credentials source if needed here
                 log_warn "[ Credentials for #{id} ] - Unable to get credentials for #{id} (Resource: #{requested_resource})."
               else
+                # Clone in memory as we are going to wipe out ::Netrc's memory
                 user = netrc_user.dup
                 password = netrc_password.dup
                 log_debug "[ Credentials for #{id} ] - Credentials retrieved from .netrc using #{requested_resource}."
@@ -115,19 +118,18 @@ module HybridPlatformsConductor
                   data_string.replace('GotYou!!!' * 100)
                 end
               end
-              # We do this assignment on purpose so that GC can remove sensitive data later
-              # rubocop:disable Lint/UselessAssignment
-              netrc = nil
-              # rubocop:enable Lint/UselessAssignment
             end
           end
         else
           log_debug "[ Credentials for #{id} ] - Credentials retrieved from environment variables."
         end
-        GC.start
-        requester.call user, password
-        password&.replace('gotyou!' * 100)
-        GC.start
+        if password.nil?
+          requester.call user, password
+        else
+          SecretString.protect(password) do |secret_password|
+            requester.call user, secret_password
+          end
+        end
       end
 
       requester_called = false
@@ -135,7 +137,13 @@ module HybridPlatformsConductor
         resource,
         proc do |user, password|
           requester_called = true
-          yield user, password
+          if password.is_a?(String)
+            SecretString.protect(password) do |secret_password|
+              yield user, secret_password
+            end
+          else
+            yield user, password
+          end
         end
       )
 

data/lib/hybrid_platforms_conductor/github.rb

@@ -23,7 +23,7 @@ module HybridPlatformsConductor
           c.api_endpoint = repo_info[:url]
         end
         with_credentials_for(:github, resource: repo_info[:url]) do |_github_user, github_token|
-          client = Octokit::Client.new(access_token: github_token)
+          client = Octokit::Client.new(access_token: github_token&.to_unprotected)
           (repo_info[:repos] == :all ? client.repositories(repo_info[:user]).map { |repo| repo[:name] } : repo_info[:repos]).each do |name|
             yield client, {
               name: name,

data/lib/hybrid_platforms_conductor/hpc_plugins/action/bash.rb

@@ -14,7 +14,7 @@ module HybridPlatformsConductor
         # [API] - @actions_executor is accessible
         #
         # Parameters::
-        # * *cmd* (String): The bash command to execute
+        # * *cmd* (String or SecretString): The bash command to execute
         def setup(cmd)
           @cmd = cmd
         end

data/lib/hybrid_platforms_conductor/hpc_plugins/action/remote_bash.rb

@@ -15,30 +15,30 @@ module HybridPlatformsConductor
         #
         # Parameters::
         # * *remote_bash* (Array or Object): List of commands (or single command) to be executed. Each command can be the following:
-        #   * String: Simple bash command.
+        #   * String or SecretString: Simple bash command.
         #   * Hash<Symbol, Object>: Information about the commands to execute. Can have the following properties:
-        #     * *commands* (Array<String> or String): List of bash commands to execute (can be a single one) [default: ''].
+        #     * *commands* (Array<String or SecretString> or String or SecretString): List of bash commands to execute (can be a single one) [default: ''].
         #     * *file* (String): Name of file from which commands should be taken [optional].
-        #     * *env* (Hash<String, String>): Environment variables to be set before executing those commands [default: {}].
+        #     * *env* (Hash<String, String or SecretString>): Environment variables to be set before executing those commands [default: {}].
         def setup(remote_bash)
           # Normalize the parameters.
           # Array< Hash<Symbol,Object> >: Simple array of info:
-          # * *commands* (Array<String>): List of bash commands to execute.
-          # * *env* (Hash<String, String>): Environment variables to be set before executing those commands.
+          # * *commands* (Array<String or SecretString>): List of bash commands to execute.
+          # * *env* (Hash<String, String or SecretString>): Environment variables to be set before executing those commands.
           @remote_bash = (remote_bash.is_a?(Array) ? remote_bash : [remote_bash]).map do |cmd_info|
-            if cmd_info.is_a?(String)
-              {
-                commands: [cmd_info],
-                env: {}
-              }
-            else
+            if cmd_info.is_a?(Hash)
               commands = []
-              commands.concat(cmd_info[:commands].is_a?(String) ? [cmd_info[:commands]] : cmd_info[:commands]) if cmd_info[:commands]
+              commands.concat(cmd_info[:commands].is_a?(Array) ? cmd_info[:commands] : [cmd_info[:commands]]) if cmd_info[:commands]
               commands << File.read(cmd_info[:file]) if cmd_info[:file]
               {
                 commands: commands,
                 env: cmd_info[:env] || {}
               }
+            else
+              {
+                commands: [cmd_info],
+                env: {}
+              }
             end
           end
         end
@@ -63,11 +63,21 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to log stderr messages
         # [API] - run_cmd(String) method can be used to execute a command. See CmdRunner#run_cmd to know about the result's signature.
         def execute
-          bash_str = @remote_bash.map do |cmd_info|
-            (cmd_info[:env].map { |var_name, var_value| "export #{var_name}='#{var_value}'" } + cmd_info[:commands]).join("\n")
-          end.join("\n")
-          log_debug "[#{@node}] - Execute remote Bash commands \"#{bash_str}\"..."
-          @connector.remote_bash bash_str
+          # The commands or ENV variables can contain secrets, so make sure to protect all strings from secrets leaking
+          bash_cmds = @remote_bash.map do |cmd_info|
+            cmd_info[:env].map do |var_name, var_value|
+              SecretString.new("export #{var_name}='#{var_value.to_unprotected}'", silenced_str: "export #{var_name}='#{var_value}'")
+            end + cmd_info[:commands]
+          end.flatten
+          begin
+            SecretString.protect(bash_cmds.map(&:to_unprotected).join("\n"), silenced_str: bash_cmds.join("\n")) do |bash_str|
+              log_debug "[#{@node}] - Execute remote Bash commands \"#{bash_str}\"..."
+              @connector.remote_bash bash_str
+            end
+          ensure
+            # Make sure we erase all secret strings
+            bash_cmds.each(&:erase)
+          end
         end
 
       end

data/lib/hybrid_platforms_conductor/hpc_plugins/connector/local.rb

@@ -35,9 +35,11 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to send stderr output
         #
         # Parameters::
-        # * *bash_cmds* (String): Bash commands to execute
+        # * *bash_cmds* (String or SecretString): Bash commands to execute. Use #to_unprotected to access the real content (otherwise secrets are obfuscated).
         def remote_bash(bash_cmds)
-          run_cmd "cd #{workspace_for(@node)} ; #{bash_cmds}", force_bash: true
+          SecretString.protect("cd #{workspace_for(@node)} ; #{bash_cmds.to_unprotected}", silenced_str: "cd #{workspace_for(@node)} ; #{bash_cmds}") do |cmd|
+            run_cmd cmd, force_bash: true
+          end
         end
 
         # Execute an interactive shell on the remote node

data/lib/hybrid_platforms_conductor/hpc_plugins/connector/my_connector.rb.sample

@@ -104,7 +104,7 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to send stderr output
         #
         # Parameters::
-        # * *bash_cmds* (String): Bash commands to execute
+        # * *bash_cmds* (String or SecretString): Bash commands to execute. Use #to_unprotected to access the real content (otherwise secrets are obfuscated).
         def remote_bash(bash_cmds)
           MyConnectLib.connect_to(@nodes_handler.get_host_ip_of(@node)).run_bash(bash_cmds)
         end

data/lib/hybrid_platforms_conductor/hpc_plugins/connector/ssh.rb

@@ -236,31 +236,40 @@ module HybridPlatformsConductor
         # [API] - @stderr_io can be used to send stderr output
         #
         # Parameters::
-        # * *bash_cmds* (String): Bash commands to execute
+        # * *bash_cmds* (String or SecretString): Bash commands to execute. Use #to_unprotected to access the real content (otherwise secrets are obfuscated).
         def remote_bash(bash_cmds)
-          ssh_cmd =
+          SecretString.protect(
             if @nodes_handler.get_ssh_session_exec_of(@node) == false
               # When ExecSession is disabled we need to use stdin directly
-              "{ cat | #{ssh_exec} #{ssh_url} -T; } <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
+              "{ cat | #{ssh_exec} #{ssh_url} -T; } <<'HPC_EOF'\n#{bash_cmds.to_unprotected}\nHPC_EOF"
             else
-              "#{ssh_exec} #{ssh_url} /bin/bash <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
-            end
-          # Due to a limitation of Process.spawn, each individual argument is limited to 128KB of size.
-          # Therefore we need to make sure that if bash_cmds exceeds MAX_CMD_ARG_LENGTH bytes (considering EOF chars) then we use an intermediary shell script to store the commands.
-          if bash_cmds.size > MAX_CMD_ARG_LENGTH
-            # Write the commands in a file
-            temp_file = "#{Dir.tmpdir}/hpc_temp_cmds_#{Digest::MD5.hexdigest(bash_cmds)}.sh"
-            File.open(temp_file, 'w+') do |file|
-              file.write ssh_cmd
-              file.chmod 0o700
-            end
-            begin
-              run_cmd(temp_file)
-            ensure
-              File.unlink(temp_file)
+              "#{ssh_exec} #{ssh_url} /bin/bash <<'HPC_EOF'\n#{bash_cmds.to_unprotected}\nHPC_EOF"
+            end,
+            silenced_str:
+              if @nodes_handler.get_ssh_session_exec_of(@node) == false
+                # When ExecSession is disabled we need to use stdin directly
+                "{ cat | #{ssh_exec} #{ssh_url} -T; } <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
+              else
+                "#{ssh_exec} #{ssh_url} /bin/bash <<'HPC_EOF'\n#{bash_cmds}\nHPC_EOF"
+              end
+          ) do |ssh_cmd|
+            # Due to a limitation of Process.spawn, each individual argument is limited to 128KB of size.
+            # Therefore we need to make sure that if bash_cmds exceeds MAX_CMD_ARG_LENGTH bytes (considering EOF chars) then we use an intermediary shell script to store the commands.
+            if bash_cmds.to_unprotected.size > MAX_CMD_ARG_LENGTH
+              # Write the commands in a file
+              temp_file = "#{Dir.tmpdir}/hpc_temp_cmds_#{Digest::MD5.hexdigest(bash_cmds.to_unprotected)}.sh"
+              File.open(temp_file, 'w+') do |file|
+                file.write ssh_cmd.to_unprotected
+                file.chmod 0o700
+              end
+              begin
+                run_cmd(temp_file)
+              ensure
+                File.unlink(temp_file)
+              end
+            else
+              run_cmd ssh_cmd
             end
-          else
-            run_cmd ssh_cmd
           end
         end
 

data/lib/hybrid_platforms_conductor/hpc_plugins/provisioner/proxmox.rb

@@ -284,7 +284,7 @@ module HybridPlatformsConductor
               # cf https://pve.proxmox.com/wiki/Renaming_a_PVE_node
               URI.parse(url).host.downcase.split('.').first,
               user,
-              password,
+              password&.to_unprotected,
               ENV['hpc_realm_for_proxmox'] || 'pam',
               {
                 verify_ssl: false,

data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/keepass.rb

@@ -90,7 +90,7 @@ module HybridPlatformsConductor
                   key_file = ENV['hpc_key_file_for_keepass']
                   password_enc = ENV['hpc_password_enc_for_keepass']
                   keepass_credentials = {}
-                  keepass_credentials[:password] = password if password
+                  keepass_credentials[:password] = password.to_unprotected if password
                   keepass_credentials[:password_enc] = password_enc if password_enc
                   keepass_credentials[:key_file] = key_file if key_file
                   KeepassKpscript.

data/lib/hybrid_platforms_conductor/hpc_plugins/test/jenkins_ci_conf.rb

@@ -26,7 +26,7 @@ module HybridPlatformsConductor
             else
               with_credentials_for(:jenkins_ci, resource: repo_info[:jenkins_ci_url]) do |jenkins_user, jenkins_password|
                 # Get its config
-                doc = Nokogiri::XML(URI.parse("#{repo_info[:jenkins_ci_url]}/config.xml").open(http_basic_authentication: [jenkins_user, jenkins_password]).read)
+                doc = Nokogiri::XML(URI.parse("#{repo_info[:jenkins_ci_url]}/config.xml").open(http_basic_authentication: [jenkins_user, jenkins_password&.to_unprotected]).read)
                 # Check that this job builds the correct Bitbucket repository
                 assert_equal(
                   doc.xpath('/org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject/sources/data/jenkins.branch.BranchSource/source/serverUrl').text,

data/lib/hybrid_platforms_conductor/hpc_plugins/test/jenkins_ci_masters_ok.rb

@@ -34,10 +34,10 @@ module HybridPlatformsConductor
               master_info_url = "#{repo_info[:jenkins_ci_url]}/job/master/api/json"
               with_credentials_for(:jenkins_ci, resource: master_info_url) do |jenkins_user, jenkins_password|
                 # Get the master branch info from the API
-                master_info = JSON.parse(URI.parse(master_info_url).open(http_basic_authentication: [jenkins_user, jenkins_password]).read)
+                master_info = JSON.parse(URI.parse(master_info_url).open(http_basic_authentication: [jenkins_user, jenkins_password&.to_unprotected]).read)
                 # Get the last build's URL
                 last_build_info_url = "#{master_info['lastBuild']['url']}/api/json"
-                last_build_info = JSON.parse(URI.parse(last_build_info_url).open(http_basic_authentication: [jenkins_user, jenkins_password]).read)
+                last_build_info = JSON.parse(URI.parse(last_build_info_url).open(http_basic_authentication: [jenkins_user, jenkins_password&.to_unprotected]).read)
                 log_debug "Build info for #{master_info_url}:\n#{JSON.pretty_generate(last_build_info)}"
                 error "Last build for job #{repo_info[:project]}/#{repo_info[:name]} is in status #{last_build_info['result']}: #{master_info['lastBuild']['url']}" unless SUCCESS_STATUSES.include?(last_build_info['result'])
               rescue

data/lib/hybrid_platforms_conductor/logger_helpers.rb

@@ -1,6 +1,23 @@
 require 'colorize'
 require 'logger'
 require 'ruby-progressbar'
+require 'secret_string'
+
+# Add colorization methods to SecretString, but always directed to the silenced string as we NEVER want to modiy/clone a secret
+class SecretString
+
+  extend Colorize::ClassMethods
+
+  def_delegators :@silenced_str, *%i[
+    colorize
+    uncolorize
+    colorized?
+  ]
+
+  color_methods
+  modes_methods
+
+end
 
 module HybridPlatformsConductor
 

data/lib/hybrid_platforms_conductor/thycotic.rb

@@ -33,7 +33,7 @@ module HybridPlatformsConductor
       # Parameters::
       # * *url* (String): URL of the Thycotic Secret Server
       # * *user* (String): User name to be used to connect to Thycotic
-      # * *password* (String): Password to be used to connect to Thycotic
+      # * *password* (SecretString): Password to be used to connect to Thycotic
       # * *domain* (String): Domain to use for authentication to Thycotic [default: ENV['hpc_domain_for_thycotic']]
       # * *logger* (Logger): Logger to be used [default: Logger.new(STDOUT)]
       # * *logger_stderr* (Logger): Logger to be used for stderr [default: Logger.new(STDERR)]
@@ -57,7 +57,7 @@ module HybridPlatformsConductor
           :authenticate,
           message: {
             username: user,
-            password: password,
+            password: password&.to_unprotected,
             domain: domain
           }
         ).to_hash.dig(:authenticate_response, :authenticate_result, :token)

data/lib/hybrid_platforms_conductor/version.rb

@@ -1,5 +1,5 @@
 module HybridPlatformsConductor
 
-  VERSION = '33.4.0'
+  VERSION = '33.5.0'
 
 end

data/spec/hybrid_platforms_conductor_test/api/actions_executor/actions/bash_spec.rb

@@ -17,6 +17,21 @@ describe HybridPlatformsConductor::ActionsExecutor do
       end
     end
 
+    it 'executes local Bash code from a SecretString' do
+      with_test_platform_for_action_plugins do |repository|
+        expect(
+          test_actions_executor.execute_actions(
+            {
+              'node' => {
+                bash: SecretString.new("echo TestContent >#{repository}/test_file ; echo TestStdout ; echo TestStderr 1>&2", silenced_str: '__INVALID_BASH__')
+              }
+            }
+          )['node']
+        ).to eq [0, "TestStdout\n", "TestStderr\n"]
+        expect(File.read("#{repository}/test_file")).to eq "TestContent\n"
+      end
+    end
+
     it 'executes local Bash code with timeout' do
       with_test_platform_for_action_plugins do
         expect(test_actions_executor.execute_actions(

data/spec/hybrid_platforms_conductor_test/api/actions_executor/actions/remote_bash_spec.rb

@@ -13,6 +13,17 @@ describe HybridPlatformsConductor::ActionsExecutor do
       end
     end
 
+    it 'executes remote Bash code from a SecretString' do
+      with_test_platform_for_action_plugins do
+        test_actions_executor.execute_actions({ 'node' => { remote_bash: SecretString.new('remote_bash_cmd.bash', silenced_str: '__INVALID_BASH__') } })
+        expect(test_actions_executor.connector(:test_connector).calls).to eq [
+          [:connectable_nodes_from, ['node']],
+          [:with_connection_to, ['node'], { no_exception: true }],
+          [:remote_bash, 'remote_bash_cmd.bash']
+        ]
+      end
+    end
+
     it 'executes remote Bash code with timeout' do
       with_test_platform_for_action_plugins do
         test_actions_executor.connector(:test_connector).remote_bash_code = proc do |_stdout, _stderr, connector|
@@ -124,6 +135,27 @@ describe HybridPlatformsConductor::ActionsExecutor do
       end
     end
 
+    it 'executes remote Bash code with environment variables set using SecretStrings' do
+      with_test_platform_for_action_plugins do
+        test_actions_executor.execute_actions(
+          {
+            'node' => { remote_bash: {
+              commands: 'bash_cmd.bash',
+              env: {
+                'var1' => SecretString.new('value1', silenced_str: 'SILENCED_VALUE'),
+                'var2' => 'value2'
+              }
+            } }
+          }
+        )
+        expect(test_actions_executor.connector(:test_connector).calls).to eq [
+          [:connectable_nodes_from, ['node']],
+          [:with_connection_to, ['node'], { no_exception: true }],
+          [:remote_bash, "export var1='value1'\nexport var2='value2'\nbash_cmd.bash"]
+        ]
+      end
+    end
+
   end
 
 end

data/spec/hybrid_platforms_conductor_test/api/actions_executor/connectors/local/remote_actions_spec.rb

@@ -54,6 +54,15 @@ describe HybridPlatformsConductor::ActionsExecutor do
         end
       end
 
+      it 'executes bash commands remotely from a SecretString' do
+        with_test_platform_for_remote_testing(
+          expected_cmds: [['cd /tmp/hpc_local_workspaces/node ; bash_cmd.bash', proc { [0, 'Bash commands executed on node', ''] }]],
+          expected_stdout: 'Bash commands executed on node'
+        ) do
+          test_connector.remote_bash(SecretString.new('bash_cmd.bash', silenced_str: '__INVALID_BASH__'))
+        end
+      end
+
       it 'executes bash commands remotely with timeout' do
         with_test_platform_for_remote_testing(
           expected_cmds: [

data/spec/hybrid_platforms_conductor_test/api/actions_executor/connectors/ssh/remote_actions_spec.rb

@@ -13,6 +13,15 @@ describe HybridPlatformsConductor::ActionsExecutor do
         end
       end
 
+      it 'executes bash commands remotely from a SecretString' do
+        with_test_platform_for_remote_testing(
+          expected_cmds: [[%r{.+/ssh hpc\.node /bin/bash <<'HPC_EOF'\nbash_cmd.bash\nHPC_EOF}, proc { [0, 'Bash commands executed on node', ''] }]],
+          expected_stdout: 'Bash commands executed on node'
+        ) do
+          test_connector.remote_bash(SecretString.new('bash_cmd.bash', silenced_str: '__INVALID_BASH__'))
+        end
+      end
+
       it 'executes bash commands remotely with timeout' do
         with_test_platform_for_remote_testing(
           expected_cmds: [
@@ -88,6 +97,25 @@ describe HybridPlatformsConductor::ActionsExecutor do
         end
       end
 
+      it 'executes really big bash commands remotely using a SecretString' do
+        cmd = "echo #{'1' * 131_060}"
+        with_test_platform_for_remote_testing(
+          expected_cmds: [
+            [
+              %r{.+/hpc_temp_cmds_.+\.sh$},
+              proc do |received_cmd|
+                expect(File.read(received_cmd)).to match(%r{.+/ssh hpc\.node /bin/bash <<'HPC_EOF'\n#{Regexp.escape(cmd)}\nHPC_EOF})
+                [0, 'Bash commands executed on node', '']
+              end
+            ]
+          ],
+          expected_stdout: 'Bash commands executed on node'
+        ) do
+          # Use an argument that exceeds the max arg length limit
+          test_connector.remote_bash(SecretString.new(cmd, silenced_str: '__INVALID_BASH__'))
+        end
+      end
+
       it 'copies files remotely with sudo' do
         with_test_platform_for_remote_testing(
           expected_cmds: [
@@ -153,6 +181,16 @@ describe HybridPlatformsConductor::ActionsExecutor do
         end
       end
 
+      it 'executes bash commands remotely without Session Exec capabilities using a SecretString' do
+        with_test_platform_for_remote_testing(
+          expected_cmds: [[%r{^\{ cat \| .+/ssh hpc\.node -T; \} <<'HPC_EOF'\nbash_cmd.bash\nHPC_EOF$}, proc { [0, 'Bash commands executed on node', ''] }]],
+          expected_stdout: 'Bash commands executed on node',
+          session_exec: false
+        ) do
+          test_connector.remote_bash(SecretString.new('bash_cmd.bash', silenced_str: '__INVALID_BASH__'))
+        end
+      end
+
       it 'copies files remotely without Session Exec capabilities' do
         with_test_platform_for_remote_testing(
           expected_cmds: [

data/spec/hybrid_platforms_conductor_test/api/cmd_runner_spec.rb

@@ -7,6 +7,13 @@ describe HybridPlatformsConductor::CmdRunner do
     end
   end
 
+  it 'runs a simple bash command in a SecretString' do
+    with_repository do |repository|
+      test_cmd_runner.run_cmd SecretString.new("echo TestContent >#{repository}/test_file", silenced_str: '__INVALID_BASH__')
+      expect(File.read("#{repository}/test_file")).to eq "TestContent\n"
+    end
+  end
+
   it 'runs a simple bash command and returns exit code, stdout and stderr correctly' do
     with_repository do
       expect(test_cmd_runner.run_cmd('echo TestStderr 1>&2 ; echo TestStdout')).to eq [0, "TestStdout\n", "TestStderr\n"]
@@ -20,6 +27,13 @@ describe HybridPlatformsConductor::CmdRunner do
     end
   end
 
+  it 'runs a simple bash command and forces usage of bash in a SecretString' do
+    with_repository do
+      # Use set -o pipefail that does not work in /bin/sh
+      expect(test_cmd_runner.run_cmd(SecretString.new('set -o pipefail ; echo TestStderr 1>&2 ; echo TestStdout', silenced_str: '__INVALID_BASH__'), force_bash: true)).to eq [0, "TestStdout\n", "TestStderr\n"]
+    end
+  end
+
   it 'runs a simple bash command and logs stdout and stderr to a file' do
     with_repository do |repository|
       test_cmd_runner.run_cmd 'echo TestStderr 1>&2 ; sleep 1 ; echo TestStdout', log_to_file: "#{repository}/test_file"

data/spec/hybrid_platforms_conductor_test/api/credentials_spec.rb

@@ -15,15 +15,19 @@ describe HybridPlatformsConductor::Credentials do
   # * *resource* (String or nil): The resource for which we query the credentials, or nil if none [default: nil]
   def expect_credentials_to_be(expected_user, expected_password, resource: nil)
     creds = {}
+    password_class = nil
     credential_tester_class.new(logger: logger, logger_stderr: logger, config: test_config).instance_exec do
       with_credentials_for(:test_credential, resource: resource) do |user, password|
+        password_class = password.class
         creds = {
           user: user,
           # We clone the value as for security reasons it is removed when exiting the block
-          password: password.clone
+          password: password&.to_unprotected.clone
         }
       end
     end
+    # Make sure we always return a SecretString for the password
+    expect(password_class).to be SecretString unless password_class == NilClass
     expect(creds).to eq(
       user: expected_user,
       password: expected_password
@@ -64,7 +68,7 @@ describe HybridPlatformsConductor::Credentials do
             leaked_password = password
           end
         end
-        expect(leaked_password).to eq 'gotyou!' * 100
+        expect(leaked_password.to_unprotected).to eq "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       ensure
         ENV.delete('hpc_user_for_test_credential')
         ENV.delete('hpc_password_for_test_credential')
@@ -96,7 +100,7 @@ describe HybridPlatformsConductor::Credentials do
     end
   end
 
-  it 'erases the value of the password taken from netrc' do
+  it 'erases the value of the password taken from netrc after usage' do
     with_platforms '' do
       netrc_data = [['mocked_data']]
       expect(::Netrc).to receive(:read) do
@@ -111,7 +115,7 @@ describe HybridPlatformsConductor::Credentials do
           leaked_password = password
         end
       end
-      expect(leaked_password).to eq 'gotyou!' * 100
+      expect(leaked_password).to eq "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       expect(netrc_data).to eq [['GotYou!!!' * 100]]
     end
   end

data/spec/hybrid_platforms_conductor_test/test_connector.rb

@@ -100,9 +100,9 @@ module HybridPlatformsConductorTest
     # [API] - @stderr_io can be used to send stderr output
     #
     # Parameters::
-    # * *bash_cmds* (String): Bash commands to execute
+    # * *bash_cmds* (String or SecretString): Bash commands to execute. Use #to_unprotected to access the real content (otherwise secrets are obfuscated).
     def remote_bash(bash_cmds)
-      @calls << [:remote_bash, bash_cmds]
+      @calls << [:remote_bash, bash_cmds.to_unprotected.clone]
       @remote_bash_code&.call(@stdout_io, @stderr_io, self)
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hybrid_platforms_conductor
 version: !ruby/object:Gem::Version
-  version: 33.4.0
+  version: 33.5.0
 platform: ruby
 authors:
 - Muriel Salvan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-05 00:00:00.000000000 Z
+date: 2021-07-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: range_operators
@@ -276,6 +276,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: secret_string
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement