How to encrypt MarkLogic server access credentials in gradle properties file - gradle

I am storing MarkLogic access credentials in the gradle.properties file as plain text, and they are used while running Harmonization/ingestion/CoRB jobs. As I am adding the credentials to the properties file as plain text, they are visible to everyone who has code access. What is the best approach to encrypt these credentials?

You could apply the gradle-credentials-plugin in order to use encrypted values for credentials.
Apply the nu.studer.credentials plugin to your Gradle project.
plugins {
    id 'nu.studer.credentials' version '3.0'
}
https://github.com/marklogic-community/ml-gradle/wiki/Encrypting-passwords
https://www.marklogic.com/blog/protecting-password-ml-gradle/
https://help.marklogic.com/News/NewsItem/View/617/protecting-passwords-in-ml-gradle-projects
https://www.youtube.com/watch?v=KtBmH5ce2cU
CoRB also supports encryption/decryption of passwords and components of the XCC connection string and can be configured with a DECRYPTER option, specifying a decrypter class such as PrivateKeyDecrypter, JasyptDecrypter, or HostKeyDecrypter.

Related

Gradle Download Task with Basic Auth behaves differently on GitHub Actions

I am using Gradle with the Download Task provided by Michel Kraemer (see: https://github.com/michel-kraemer/gradle-download-task). The remote site requires HTTPS and Basic Auth. Although I configured everything and the task works perfectly on my local machine, execution by GitHub Actions on an Ubuntu Linux runner behaves differently.
On my local machine, the request sent contains Basic Auth headers and the server responds with a 302 redirect providing the expected download file. However, on the build server it turns out that the Download Task downloads an HTML file. This is the typical response of the server application if one did not specify Basic Auth. So, I now assume that the GitHub runners omit the Basic Auth headers when the above Gradle plugin spawns an HTTP client / connection with Basic Auth.
Is anyone experiencing something similar? Is there a workaround for this situation? I cannot change the authentication method of the server from which I am required to download the software, so I'd be happy to get some support here. :-)
Here is the definition of the download task from my build.gradle.kts:
tasks.register<Download>("download") {
    src("https://software.vendor.com/path/to/file")
    dest(file("${DOWNLOAD_FOLDER}/vendor-software-${VERSION}.zip"))
    username("USER")
    password("PASS")
    authScheme("Basic")
    overwrite(false)
    tempAndMove(true)
    onlyIfModified(true)
    useETag(true)
}
One addition: it turns out that the fact that GitHub encodes all secret values could be part of the issue. In fact, when I use the header configuration and configure the Basic Auth header directly, the process works:
tasks.register<Download>("download") {
    src("https://software.vendor.com/path/to/file")
    dest(file("${DOWNLOAD_FOLDER}/vendor-software-${VERSION}.zip"))
    header("Authorization", "Basic VVNFUjpQQVNT")
    overwrite(false)
    tempAndMove(true)
    onlyIfModified(true)
    useETag(true)
}
Not a perfect answer to the issue, nor does it explain why it occurs, but as a workaround, I uploaded a new secret that contains the Base64-encoded basic authorization header and use the header notation as mentioned above. This way, the download works; still, it would be great to understand why this happens.
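Note that the header value in the workaround, `Basic VVNFUjpQQVNT`, is nothing more than base64("USER:PASS"): Base64 is an encoding, not encryption, so a stored header is exactly as sensitive as the password itself. The following build.gradle.kts fragment is an added example (not the poster's build script) that keeps user name and password as two ordinary secrets and derives the header at configuration time instead of storing it pre-encoded; it assumes the gradle-download-task plugin is already applied as on the page and that the workflow maps the secrets to the environment variables VENDOR_USER and VENDOR_PASS (constructed names).

```kotlin
// Added example, not the original poster's build script. Assumes the
// gradle-download-task plugin is applied and that the workflow exposes the two
// GitHub secrets as the environment variables VENDOR_USER and VENDOR_PASS.
import de.undercouch.gradle.tasks.download.Download
import java.util.Base64

// Read one half of the credential from the environment. Failing early with a
// clear message is preferable to sending "Basic Og==" (empty user:pass), which
// would silently fetch the server's HTML login page instead of the artifact.
fun requiredEnv(name: String): String =
    providers.environmentVariable(name).orNull
        ?: throw GradleException("Environment variable $name is not set")

// Base64 is an encoding, not encryption: the returned header value is exactly
// as sensitive as the password and must stay out of source control and logs.
fun basicAuthHeader(user: String, pass: String): String {
    val raw = "$user:$pass".toByteArray(Charsets.UTF_8)
    return "Basic " + Base64.getEncoder().encodeToString(raw)
}

tasks.register<Download>("download") {
    src("https://software.vendor.com/path/to/file")
    dest(file("build/downloads/vendor-software.zip"))
    // Same wire format as username()/password()/authScheme("Basic"), but the
    // header is derived from the two secrets rather than stored pre-encoded.
    header("Authorization",
        basicAuthHeader(requiredEnv("VENDOR_USER"), requiredEnv("VENDOR_PASS")))
    overwrite(false)
    tempAndMove(true)
    onlyIfModified(true)
    useETag(true)
}
```

Because the header is computed at build time it is not a registered secret, so the runner will not mask it if any task output happens to print it.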

Setting Projects to Private by Default

I have my SQ server running in Kubernetes (via Tectonic) and all is going well. We need to tighten the security of our SQ installation, so we have LDAP up and working. We are trying to get all of the projects to be Private by default (which we can do via the GUI for each project).
However, trying to flip the switch in the GUI to make all new projects Private works, until you refresh the page, then it reverts back to Public.
I have been searching for a way to set this up via the sonar.properties file or sonar-project.properties file (the first is preferred). The server.properties file we use is encrypted as a secret (because the LDAP settings expose a service account password) and I would like to keep settings there.
I have combed through documentation, posts, discussions and all that, but have not been able to find out what the key=value combination is.
Has anyone seen what this is or if we can even accomplish that? Is it a setting stored in the database? I'm kind of at a loss on this one.
Thanks!
In SonarQube 7.x you can find the public/private setting when you browse to Administration - Projects - Management. This only works for new projects. For existing projects you can use the "Edit the permissions" option on the same page and switch between public and private.
You can also use the web_api to achieve the same results. You can find the documentation when you add "/web_api/api/projects" after the SonarQube URL:
Example of the POST request body: project=MyProject&visibility=private

VS - how to set a general setting to all app's instances?

I'm trying to set a general password for my app, which means every user will have the same password to enter.
I've tried using the project's settings - [Application.Current.Setting.Default.settingName] for the password - but then each user [in his own installed app on his PC] would have his own password, and that's not what I'm looking for.
Is there a way to set a 'general' setting to all app's instances? My project uses VSTS as well, if there's an option from there.
(I see there's a service called 'Web settings'; is that it? If so, would you give me a usage example?)
Thanks!
The good way is to store the password (it can be encrypted) in a configuration file such as app.config or web.config, then read it from the configuration file before using it.
You may replace the password before deploying your app through the Replace Token step (VSTS build/release).

SFAuthorizationPluginView without UI

I have been crawling through various forums and blogs for an AuthorizationPlugin example or explanation which can show me how to create a Mac authorization plugin that does not affect any UI components. I want to use it for a remote access kind of solution. I have been able to get the NameAndPasswordPlugin example to work. But I am not able to achieve the requirements below:
Do not change the default UI, i.e. not have any custom UI components
Ability to read and write into default UI fields, especially username (if any) and password
Work on a need basis, i.e. I need the mechanism to pass through when the remote access session is not ON. In that case I want it to fall back to the loginwindow:login mechanism
Also, how would it communicate with the outside world? I was not able to read or write files from the plugin. I saw an example where some pipes were used; not sure what the recommended method is.
You don't need a SFAuthorizationPluginView, you just need an authorization plugin. You insert your plugin into the list of plugins and it can read from contexts set by previous plugins and write to or create contexts for later plugins.
For example, if you are working with console login this bash command shows you what mechanisms are configured (mechanisms are instances of a plugin)
security authorizationdb read system.login.console
If you add your plugin after builtin:authenticate,privileged then you can use this code in your mechanismInvoke function to read the values.
    const AuthorizationValue *value = NULL;   /* filled in by the engine */
    OSStatus err = mechanism->fPlugin->fCallbacks->GetHintValue(mechanism->fEngine, "username", &value);
    if (err == noErr && value != NULL && value->data != NULL) {
        // Log the event; the username hint is stored as a C string
        os_log_debug(OS_LOG_DEFAULT, "Login for user '%{public}s'.", (const char *)value->data);
    }
where mechanism->fPlugin->fCallbacks->GetHintValue and mechanism->fEngine are the callback table and engine ref you set up as part of your plugin. There is also a "SetContextValue" function for writing the username or password.
You will need to write an authorization plugin which will set the context values "username" (kAuthorizationEnvironmentUsername) and "password" (kAuthorizationEnvironmentPassword). Then set result as kAuthorizationResultAllow. You would also need to place your plugin just before loginwindow:login.

Webdeploy Publish Profile password saving

I saved a publish profile into an .xml along with all the login info. But when I import this XML on another computer and try to publish, it says that my password is incorrect.
What can I do to have the password correctly saved into the publish profile and compatible with other computers?
My guess is that the program purposely obfuscates the passwords using the current PC's "salt" and generates a unique hash, thus preventing the passwords from being stolen via the publish profile function.
As mentioned by user1785999, you can save the password in plain text, just add the password element to your .pubxml file:
    <UserName>YourName</UserName>
    <Password>YourPassword</Password>
If you want the publishing profile to work across different computers, you need to save the password in plain text.
Just to add an additional answer: this may be version specific for .pubxml, but you can add these lines to ensure Visual Studio saves the password.
Make sure to use the ".\" prefix for a local account, and "domain\" prefix for an Active Directory account.
    <UserName>.\PubUser1</UserName>
    <UserPWD>Password1234</UserPWD>
    <_SavePWD>True</_SavePWD>