Re: Migrate a token stored in plain text to one that uses Secret

2019-04-18 Thread Mez Pahlan
> The plain text tokens are already potentially compromised and need to
> be regenerated and stored encrypted anyways. This is specific to each
> plugin on how to go about regenerating keys and whatnot.
>

Yes, when you put it like that it makes more sense not to worry about
migration.

Thank you all again.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAD7v5GuTwZWcUebtpbAjuz4wm3Gm8GcjGNvx%3Dhcae-r8wXMnug%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: Migrate a token stored in plain text to one that uses Secret

2019-04-18 Thread Matt Sicker
On Thu, Apr 18, 2019 at 8:57 AM Mez Pahlan wrote:
> I could ignore it, for sure. But that was the reason I received a security 
> bug that I'm looking to fix. That the tokens in my plugin were being stored 
> in plain text. If I leave them in plain text what am I actually fixing? I'm 
> fixing forward for new configurations but for existing configurations I'd 
> like to do something.

The plain text tokens are already potentially compromised and need to
be regenerated and stored encrypted anyways. This is specific to each
plugin on how to go about regenerating keys and whatnot.


-- 
Matt Sicker
Senior Software Engineer, CloudBees



Re: Migrate a token stored in plain text to one that uses Secret

2019-04-18 Thread Daniel Beck



> On 18. Apr 2019, at 15:50, Jesse Glick wrote:
>
> On Thu, Apr 18, 2019 at 2:53 AM Mez Pahlan wrote:
>> What's the best way to migrate those over without asking the user to go into 
>> each of their jobs updating it?
> 
> There is not any good way that I know of. I would just ignore it.

This.

As a courtesy you can provide a script to run in the script console that just 
saves every job again, but otherwise ignore it except perhaps documenting this.

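A sketch of the kind of script console script suggested above, as an added example that is not part of the original thread and is not code from the Jenkins project or from any of the posters. It assumes the legacy field was serialized as a `<token>` element in each job's `config.xml` (a hypothetical name, replace it with the plugin's own) and resaves only jobs where that element still holds a value that does not decrypt as a `Secret`.

```groovy
// Run from Manage Jenkins > Script Console. Added example, not plugin code.
import hudson.model.Job
import hudson.util.Secret
import java.util.regex.Pattern
import jenkins.model.Jenkins

// Assumption: element name of the legacy plain-text field (hypothetical).
final String LEGACY_ELEMENT = 'token'
// Start with a dry run: list affected jobs without writing anything.
final boolean DRY_RUN = true

def q = Pattern.quote(LEGACY_ELEMENT)
def pattern = Pattern.compile('<' + q + '>([^<]*)</' + q + '>')

// True when config.xml still holds a value that is not an encrypted Secret.
// Secret.decrypt() returns null for anything that is not valid cipher text.
def needsResave = { Job job ->
    String xml = job.configFile.asString()
    def m = pattern.matcher(xml)
    while (m.find()) {
        String value = m.group(1).trim()
        if (value && Secret.decrypt(value) == null) {
            return true
        }
    }
    return false
}

int affected = 0
int resaved = 0
Jenkins.get().getAllItems(Job).each { job ->
    try {
        if (!needsResave(job)) {
            return                      // acts as "continue" inside each {}
        }
        affected++
        // Only the job name is printed, never the token value.
        println "${DRY_RUN ? 'would resave' : 'resaving'}: ${job.fullName}"
        if (!DRY_RUN) {
            job.save()                  // rewrites config.xml from the loaded object
            resaved++
        }
    } catch (IOException e) {
        println "FAILED ${job.fullName}: ${e.message}"
    }
}
println "affected: ${affected}, resaved: ${resaved}"
```

Resaving only changes how the value is stored on disk; as noted elsewhere in the thread, tokens that were stored in plain text still need to be regenerated.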


Re: Migrate a token stored in plain text to one that uses Secret

2019-04-18 Thread Mez Pahlan
>
> There is not any good way that I know of. I would just ignore it.
>

I could ignore it, for sure. But that was the reason I received a security
bug that I'm looking to fix. That the tokens in my plugin were being stored
in plain text. If I leave them in plain text what am I actually fixing? I'm
fixing forward for new configurations but for existing configurations I'd
like to do something.

Anyways, thanks for the suggestions so far.



Re: Migrate a token stored in plain text to one that uses Secret

2019-04-18 Thread Jesse Glick
On Thu, Apr 18, 2019 at 2:53 AM Mez Pahlan wrote:
> What's the best way to migrate those over without asking the user to go into 
> each of their jobs updating it?

There is not any good way that I know of. I would just ignore it.



Re: Migrate a token stored in plain text to one that uses Secret

2019-04-18 Thread Robert Sandell
Maybe you can try and report the job to the old data monitor somehow?
That way an admin can batch save the affected jobs, I think :)

/B

On Thu, 18 Apr 2019 at 12:44, Slide wrote:

> Did you mark the old field as transient in your code? If you mark it as
> transient and have a readResolve, it shouldn't get resaved once the upgrade
> happens.
>
> On Wed, Apr 17, 2019 at 11:53 PM Mez Pahlan wrote:
>
>> Morning
>>
>> I'm trying to migrate a plugin that used to use plain text for handling
>> tokens to one that uses Secret. I am following
>> https://wiki.jenkins.io/display/JENKINS/Hint+on+retaining+backward+compatibility
>>  and
>> have converted all my field types to Secret from String for the token in
>> question.
>>
>> This all works fine when I run the plugin (I think the readResolve method
>> is doing some magic at runtime) and if I create a new job configuration (I
>> can see an encrypted form of my entered token in the config.xml file).
>> However for existing jobs that already have an unencrypted plain text token
>> in the config.xml it remains that way and appears never to get resaved in
>> the encrypted form. So whilst the plugin uses Secrets, there is still old
>> data that is persisted in plain text form.
>>
>> What's the best way to migrate those over without asking the user to go
>> into each of their jobs updating it?
>>
>
>
> --
> Website: http://earl-of-code.com
>


-- 
*Robert Sandell*
Software Engineer
CloudBees, Inc.
E: rsand...@cloudbees.com
Twitter: robert_sandell



Re: Migrate a token stored in plain text to one that uses Secret

2019-04-18 Thread Slide
Did you mark the old field as transient in your code? If you mark it as
transient and have a readResolve, it shouldn't get resaved once the upgrade
happens.

On Wed, Apr 17, 2019 at 11:53 PM Mez Pahlan wrote:

> Morning
>
> I'm trying to migrate a plugin that used to use plain text for handling
> tokens to one that uses Secret. I am following
> https://wiki.jenkins.io/display/JENKINS/Hint+on+retaining+backward+compatibility
>  and
> have converted all my field types to Secret from String for the token in
> question.
>
> This all works fine when I run the plugin (I think the readResolve method
> is doing some magic at runtime) and if I create a new job configuration (I
> can see an encrypted form of my entered token in the config.xml file).
> However for existing jobs that already have an unencrypted plain text token
> in the config.xml it remains that way and appears never to get resaved in
> the encrypted form. So whilst the plugin uses Secrets, there is still old
> data that is persisted in plain text form.
>
> What's the best way to migrate those over without asking the user to go
> into each of their jobs updating it?
>


-- 
Website: http://earl-of-code.com
