Scenario:
Configure a Windows Jenkins JNLP agent running as a domain user.
Supply the domain password of the user to Chef.
Chef should configure the agent while not exposing the password.
Steps to Reproduce:
Configure Jenkins slave in a recipe as follows:
```ruby
# windows_user, windows_domain, credentials_vault and all_labels are not shown in this issue.
jenkins_home = "C:\\jenkins_#{windows_user}"
jenkins_user = "#{windows_domain}\\#{windows_user}"
windows_password = credentials_vault['password']

jenkins_windows_slave node.name do
  description 'Configured by chef'
  remote_fs jenkins_home
  user jenkins_user
  # XML-escape the password before it is passed to the resource
  password windows_password.encode(:xml => :text)
  executors 1
  usage_mode 'exclusive'
  labels all_labels
end
```
Expected Result:
Jenkins service configured; secret password is not exposed to users logging in to the machine.
(either the password does not appear in jenkins-slave.xml or the file is removed after the service is configured, or the permissions on the file are such that only very special users can read it)
Actual Result:
Jenkins service configured; secret password appears as plain text in $JENKINS_HOME/jenkins-slave.xml and any "Authenticated Users" are allowed to read jenkins-slave.xml
From jenkins-slave.xml:
Cookbook version
5.0.5
Chef-client version
12.9.41
Platform Details
Windows 10.0.15063
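A check for the exposure this issue describes, added here as an example and not code from the cookbook: it flags a jenkins-slave.xml that carries a service-account password while its `icacls` listing grants read access to broad groups. The `<serviceaccount>`/`<password>` layout, the English group names, the helper names and all sample values are assumptions constructed for illustration.

```ruby
require 'rexml/document'

# Groups covering ordinary logged-in users (English names; localized hosts differ).
BROAD = ['Everyone', 'NT AUTHORITY\\Authenticated Users', 'BUILTIN\\Users',
         'NT AUTHORITY\\INTERACTIVE'].freeze
READ_RIGHTS = %w[F M RX R GR GA].freeze # icacls codes that include read

# Constructed sample data, not taken from a real host.
SAMPLE_PATH = 'C:\\jenkins_svc\\jenkins-slave.xml'
SAMPLE_XML = <<~XML
  <service>
    <serviceaccount>
      <domain>EXAMPLE</domain>
      <user>svc</user>
      <password>constructed-placeholder</password>
    </serviceaccount>
  </service>
XML
SAMPLE_ACL = <<~'ACL'
  C:\jenkins_svc\jenkins-slave.xml NT AUTHORITY\Authenticated Users:(I)(M)
                                   NT AUTHORITY\SYSTEM:(I)(F)
                                   BUILTIN\Administrators:(I)(F)

  Successfully processed 1 files; Failed processing 0 files
ACL

# True when the config holds a non-empty <serviceaccount><password> (assumed layout).
def plaintext_password?(xml)
  node = REXML::Document.new(xml).elements['//serviceaccount/password']
  !node.nil? && !node.text.to_s.strip.empty?
end

# Parse `icacls <path>` output; return broad principals whose ACE allows reading.
def broad_readers(icacls_output, path)
  icacls_output.each_line.filter_map do |line|
    ace = line.sub(path, '').strip
    m = ace.match(/\A(?<who>.+?):(?<flags>(?:\([^)]*\))+)\z/) or next
    groups = m[:flags].scan(/\(([^)]*)\)/).flatten
    next if groups.include?('DENY')
    m[:who] if BROAD.include?(m[:who]) && (groups.last.split(',') & READ_RIGHTS).any?
  end
end

# The issue's condition: a stored password plus a file readable by broad groups.
def exposed?(xml, icacls_output, path)
  plaintext_password?(xml) && broad_readers(icacls_output, path).any?
end

puts "exposed: #{exposed?(SAMPLE_XML, SAMPLE_ACL, SAMPLE_PATH)}" if __FILE__ == $PROGRAM_NAME
```

On an agent host, feed it the real file contents and the output of `icacls` for that file in place of the constructed samples.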