Package hudson.util

Class Secret

  • All Implemented Interfaces:
    Serializable
    public final class Secret
extends Object
implements Serializable
    Glorified String that uses encryption in the persisted form, to avoid accidental exposure of a secret.

    This is not meant as a protection against code running in the same VM, nor against an attacker who has local file system access on Jenkins master.

    Secrets can correctly read-in plain text password, so this allows the existing String field to be updated to Secret.

    Author:
    Kohsuke Kawaguchi
    See Also:
    Serialized Form

    • Field Detail

      • ENCRYPTED_VALUE_PATTERN

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static final Pattern ENCRYPTED_VALUE_PATTERN
        Pattern matching a possible output of getEncryptedValue() Basically, any Base64-encoded value optionally wrapped by {}. You must then call decrypt(String) to eliminate false positives.
        See Also:
        ENCRYPTED_VALUE_PATTERN

      • AUTO_ENCRYPT_PASSWORD_CONTROL

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static final boolean AUTO_ENCRYPT_PASSWORD_CONTROL

      • BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static boolean BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE

    • Method Detail

      • getPlainText

        @NonNull
public String getPlainText()
        Obtains the plain text password. Before using this method, ask yourself if you'd be better off using toString(Secret) to avoid NPE.

      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class Object

      • getEncryptedValue

        public String getEncryptedValue()
        Encrypts value and returns it in an encoded printable form.
        See Also:
        toString()

      • decrypt

        @CheckForNull
public static Secret decrypt​(@CheckForNull
                             String data)
        Reverse operation of getEncryptedValue(). Returns null if the given cipher text was invalid.

      • getCipher

        public static Cipher getCipher​(String algorithm)
                        throws GeneralSecurityException
        Workaround for JENKINS-6459 / GLASSFISH-11862 This method uses specific provider selected via hudson.util.Secret.provider system property to provide a workaround for the above bug where default provide gives an unusable instance. (Glassfish Enterprise users should set value of this property to "SunJCE")
        Throws:
        GeneralSecurityException

      • fromString

        @NonNull
public static Secret fromString​(@CheckForNull
                                String data)
        Attempts to treat the given string first as a cipher text, and if it doesn't work, treat the given string as the unencrypted secret value.

        Useful for recovering a value from a form field.

      • toString

        @NonNull
public static String toString​(@CheckForNull
                              Secret s)
        Works just like toString() but avoids NPE when the secret is null. To be consistent with fromString(String), this method doesn't distinguish empty password and null password.