Security concern for Gitlab webhook token to Jenkins


Security concern for Gitlab webhook token to Jenkins

Jheison Rodriguez

Currently I'm using a webhook token to trigger jobs from GitLab to Jenkins. I have a global user, so a token is set up for all projects, something like this: https://USERID:APITOKEN@JENKINS_URL/project/YOUR_JOB

Additionally, when I create a new version of the Jenkins master the token is updated and I need to update it in each GitLab project.

I'd like to know if someone has experienced this and has managed this kind of setup in another way, also to avoid exposing the token in the webhooks' URL (security concern) or updating it (even with scripts) for each GitLab project.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/7d84e91d-3682-4a56-b366-7b92dbbac51e%40googlegroups.com.

Re: Security concern for Gitlab webhook token to Jenkins

Gianluca
In our case, we are using GitHub, but we had similar concerns.
Our solution was to create a little server with NGINX configured to forward the webhooks to our Jenkins masters.
In this way, we could achieve the following:
1) Jenkins masters are not exposed at all to the internet
2) The configuration is kept inside the server with NGINX (in your case, the token)
3) Changing the Jenkins master only requires a change on the NGINX server, and everything remains the same on GitHub


On Thursday, 19 March 2020 01:05:37 UTC, Jheison Rodriguez wrote:

> Currently I'm using a webhook token to trigger jobs from GitLab to Jenkins. I have a global user, so a token is set up for all projects, something like this: https://USERID:APITOKEN@JENKINS_URL/project/YOUR_JOB
>
> Additionally, when I create a new version of the Jenkins master the token is updated and I need to update it in each GitLab project.
>
> I'd like to know if someone has experienced this and has managed this kind of setup in another way, also to avoid exposing the token in the webhooks' URL (security concern) or updating it (even with scripts) for each GitLab project.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/f170fc2c-fabc-40f7-8f41-f8e804355f02%40googlegroups.com.

Re: Security concern for Gitlab webhook token to Jenkins

Richard Bywater-3
In reply to this post by Jheison Rodriguez
I haven't tried it, so I don't know if it works, but have you tried passing the Authorization header in the request rather than setting username & password as part of the URL? e.g. `Authorization: Basic username:apiToken`, where the whole `username:apiToken` is base64-encoded.

Richard.

On Thu, 19 Mar 2020 at 14:05, Jheison Rodriguez <[hidden email]> wrote:

> Currently I'm using a webhook token to trigger jobs from GitLab to Jenkins. I have a global user, so a token is set up for all projects, something like this: https://USERID:APITOKEN@JENKINS_URL/project/YOUR_JOB
>
> Additionally, when I create a new version of the Jenkins master the token is updated and I need to update it in each GitLab project.
>
> I'd like to know if someone has experienced this and has managed this kind of setup in another way, also to avoid exposing the token in the webhooks' URL (security concern) or updating it (even with scripts) for each GitLab project.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAAy0hwf5A2xgwxsJzPteKQ78aYG1KSCy1jLOzcWCGsoJ14DX6w%40mail.gmail.com.
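As an added example that is not part of any post in this thread, the NGINX configuration below combines Gianluca's forwarding server with Richard's Authorization header: the proxy holds the Jenkins credential and injects the header on the way to the master, so the webhook URL configured in GitLab carries no token, the master is not reachable from the internet, and rotating the token is a single edit on the proxy followed by a reload. The host names, TLS paths, the GitLab egress address, the credential include file and the `user:apiToken` value are placeholders I chose for the example.

```nginx
# Added example, not from the thread. Assumed names:
#   hooks.example.com      public name GitLab posts webhooks to
#   jenkins.internal:8080  the Jenkins master, reachable only from this host
#   /etc/nginx/jenkins_auth.conf  file holding the credential, mode 0640, owned by root:nginx,
#       containing exactly one line (base64 of the constructed value "user:apiToken"):
#       proxy_set_header Authorization "Basic dXNlcjphcGlUb2tlbg==";
#
# Rotating the Jenkins API token: regenerate it in Jenkins, update the one
# line in jenkins_auth.conf, run `nginx -s reload`. Nothing changes in GitLab.

server {
    listen 443 ssl;
    server_name hooks.example.com;

    ssl_certificate     /etc/nginx/tls/hooks.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/hooks.key;

    # Only the webhook endpoint is proxied; every other Jenkins URL stays
    # unreachable from outside.
    location /project/ {
        # GitLab webhooks are POST requests; refuse other methods outright.
        limit_except POST { deny all; }

        # Optional: accept only the GitLab instance's outbound address.
        allow 203.0.113.10;   # placeholder for GitLab's egress IP
        deny  all;

        proxy_pass http://jenkins.internal:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Injects "Authorization: Basic <base64(user:apiToken)>". Because
        # proxy_set_header redefines the header, any Authorization value the
        # external caller sent is discarded rather than forwarded to Jenkins.
        include /etc/nginx/jenkins_auth.conf;
    }

    # Everything else on this host is a dead end.
    location / { return 404; }
}
```

Two points worth keeping in mind when running this: the credential still travels in a header on the proxy-to-Jenkins hop, so that hop should stay on a trusted network (or be TLS as well), and the header form only removes the token from the URL, which is what keeps it out of GitLab's webhook settings, browser history and access logs; it does not make the token any less sensitive, so the include file needs the same file permissions you would give a private key.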

Re: Security concern for Gitlab webhook token to Jenkins

Dirk Heinrichs-3
In reply to this post by Jheison Rodriguez
On Wednesday, 18.03.2020, 17:10 -0700, Jheison Rodriguez wrote:

> I'd like to know if someone has experienced this and has managed this kind of setup in another way?

We use Smee (https://smee.io/) for this.

HTH...

Dirk
-- 
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Phone: +49 2226 15966 18
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Managing directors authorized to represent the company: Gordon Davies, Madhu Ranganathan, Christian Waida; register court: Amtsgericht Bonn, registration number HRB 10646

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/744da1ccb6c653f20dfb85130e1b3b062adb29b7.camel%40opentext.com.