...

The first job, encrypt-variables, is implemented like this:

Code Block (bash): Example how to encrypt variables from a job
#!/bin/bash
set -e

# encrypt variable values using the Agent's public key
##!include Crypto

# each call creates the named workflow variable with the encrypted value and an
# additional workflow variable holding the encrypted symmetric key
EncryptVariable myVar1 "secret1"
EncryptVariable myVar2 "secret2"

...

Second Job: decrypt-variables

The second job, decrypt-variables, maps workflow variables to environment variables like this:

[Image: job configuration mapping the workflow variables to environment variables]


Explanation:

  • MY_VAR1: environment variable that holds the encrypted value of the myVar1 workflow variable created by the encrypt-variables job.
  • MY_VAR1_KEY: environment variable that holds the encrypted value of the symmetric key used for myVar1. The underlying workflow variable is implicitly created by the encrypt-variables job.
  • MY_VAR2, MY_VAR2_KEY: the same for the myVar2 workflow variable.


The second job, decrypt-variables, is implemented like this:

Code Block (bash): Example how to decrypt variables in a job
#!/bin/bash
set -e

# decrypt variable values using the Agent's private key
##!include Crypto

secret1=$(DecryptVariable "${MY_VAR1}" "${MY_VAR1_KEY}")
# use "${secret1}" in subsequent commands; do not echo it, as job output is logged

secret2=$(DecryptVariable "${MY_VAR2}" "${MY_VAR2_KEY}")
# use "${secret2}" in subsequent commands; do not echo it, as job output is logged

...

  • The job makes use of JS7 - Script Includes: the Crypto Script Include holds the shell functions used in the job.
    • The ##!include Crypto directive inserts the shell code of the indicated Crypto Script Include at this position of the job script.
    • The Script Include can be parameterized to specify the location of the private key:
      • ##!include Crypto --replace="<private-key>","/var/sos-berlin.com/js7/agent/config/private/agent.key"
      • The first argument of the --replace option is a placeholder available with the Crypto Script Include.
      • The second argument is the value by which the placeholder will be replaced. The above value is the default that is used if the Script Include is invoked without replacement options.
    • The Script Include can be parameterized to specify the passphrase required by the private key:
      • ##!include Crypto --replace="<passphrase>","jobscheduler"
      • Note that a passphrase specified this way is part of the job script and is visible to anyone who can read the workflow configuration.
      • The Script Include can be invoked with repeated --replace=<what>,<with> options.
  • The DecryptVariable function expects the encrypted value of the variable and the encrypted value of the symmetric key:
    • DecryptVariable <value> <key-value> [<private-key> [<passphrase>]]
      • <value>: the encrypted value of the variable (required).
      • <key-value>: the value of the variable holding the encrypted symmetric key (required).
      • <private-key>: the path to the private key file (optional). Defaults to <agent-data>/config/private/agent.key.
      • <passphrase>: the passphrase of the private key (optional, needed only if the private key is protected by a passphrase).
    • The function decrypts the encrypted symmetric key with the private key and then decrypts the encrypted variable value with the recovered symmetric key.
  • The DecryptVariable function returns the secret, which can be assigned to an environment variable or passed to another function.
  • It is recommended not to write the secret to a file and not to perform any operation that exposes the secret in the job's stdout or stderr output, as this output is logged.

Script Include: Crypto

The Crypto Script Include is located in the related system folder and is implemented like this:


Explanation:

  • The Crypto Script Include implements the EncryptVariable and DecryptVariable shell functions.
  • Both functions create a temporary file for the symmetric key. The Script Include implements a trap to reliably remove the symmetric key file on termination of the job.
  • The operation of encryption and decryption is performed using the openssl utility.
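The following is an added example, not the JS7 Crypto Script Include itself (whose code is not reproduced on this page): a minimal bash implementation of EncryptVariable and DecryptVariable with openssl that follows the scheme described above (per-variable symmetric key, value encrypted with that key, key wrapped with the Agent's public key, temporary key file removed by a trap), so that the DecryptVariable signature documented for the decrypt-variables job can be tried out locally. The choice of AES-256-CBC with PBKDF2 for the value, RSA-OAEP for wrapping the symmetric key, the GenerateAgentKeys helper that creates a test key pair, and the way EncryptVariable returns its two results on one line are assumptions of this example; in JS7 the encrypted results are handed back as workflow variables instead.

```shell
#!/bin/bash
# Added example, not the JS7 Crypto Script Include: hybrid encryption of job
# variables with openssl following the scheme described on the page. Assumed
# for this example: AES-256-CBC/PBKDF2 for the value, RSA-OAEP for wrapping the
# symmetric key, the GenerateAgentKeys test helper and the default key path.
set -e

# Scratch directory for symmetric key files; the trap removes it on any exit,
# so a plaintext symmetric key never outlives the job, even if a step fails.
CRYPTO_TMP="$(mktemp -d)"
trap 'rm -rf "${CRYPTO_TMP}"' EXIT

# GenerateAgentKeys <dir> [<passphrase>]  (test helper, not a JS7 component)
# Creates <dir>/agent.key and <dir>/agent.pub; with a passphrase the private
# key is stored encrypted.
GenerateAgentKeys() {
  local dir="$1" passphrase="$2"
  if [ -n "${passphrase}" ]; then
    GEN_PASS="${passphrase}" openssl genrsa -aes256 -passout env:GEN_PASS \
      -out "${dir}/agent.key" 2048 2>/dev/null
    GEN_PASS="${passphrase}" openssl rsa -in "${dir}/agent.key" \
      -passin env:GEN_PASS -pubout -out "${dir}/agent.pub" 2>/dev/null
  else
    openssl genrsa -out "${dir}/agent.key" 2048 2>/dev/null
    openssl rsa -in "${dir}/agent.key" -pubout -out "${dir}/agent.pub" 2>/dev/null
  fi
}

# EncryptVariable <name> <value> <public-key>
# Prints "<encrypted-value> <encrypted-key>" (base64, one line); a JS7 job would
# store the two parts in the workflow variables the page describes.
EncryptVariable() {
  local name="$1" value="$2" pubkey="$3" keyfile enc_value enc_key
  keyfile="${CRYPTO_TMP}/${name}.key"
  # fresh 256-bit key per variable, hex-encoded so openssl reads it via -pass file:
  openssl rand -hex 32 > "${keyfile}"
  enc_value=$(printf '%s' "${value}" \
    | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:${keyfile}" \
    | openssl base64 -A)
  # wrap the symmetric key with the Agent's public key
  enc_key=$(openssl pkeyutl -encrypt -pubin -inkey "${pubkey}" \
    -pkeyopt rsa_padding_mode:oaep -in "${keyfile}" | openssl base64 -A)
  rm -f "${keyfile}"
  printf '%s %s\n' "${enc_value}" "${enc_key}"
}

# DecryptVariable <value> <key-value> [<private-key> [<passphrase>]]
# Same signature as documented above; the plaintext goes to stdout only, i.e.
# to the caller's command substitution, and the key file is removed on failure too.
DecryptVariable() {
  local value="$1" keyvalue="$2" passphrase="$4" keyfile
  local privkey="${3:-/var/sos-berlin.com/js7/agent/config/private/agent.key}"
  keyfile=$(mktemp "${CRYPTO_TMP}/key.XXXXXX")
  # unwrap the symmetric key; the passphrase is handed over via env: rather than
  # pass: so that it does not appear in the process list
  if ! printf '%s\n' "${keyvalue}" | openssl base64 -d -A \
      | CRYPTO_PASSPHRASE="${passphrase}" openssl pkeyutl -decrypt -inkey "${privkey}" \
          -passin env:CRYPTO_PASSPHRASE -pkeyopt rsa_padding_mode:oaep -out "${keyfile}"
  then
    rm -f "${keyfile}"; return 1
  fi
  # decrypt the value with the recovered symmetric key
  printf '%s\n' "${value}" | openssl base64 -d -A \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:${keyfile}" \
    || { rm -f "${keyfile}"; return 1; }
  rm -f "${keyfile}"
}

# Stand-alone round trip with a passphrase-protected key. The decrypted secret is
# assigned to a variable and only its length is reported, so nothing secret is logged.
CryptoDemo() {
  local keys="${CRYPTO_TMP}/agent" pair secret
  mkdir -p "${keys}"
  GenerateAgentKeys "${keys}" "jobscheduler"   # passphrase value taken from the page's example
  pair=$(EncryptVariable myVar1 "secret1" "${keys}/agent.pub")
  MY_VAR1="${pair% *}"; MY_VAR1_KEY="${pair#* }"
  secret=$(DecryptVariable "${MY_VAR1}" "${MY_VAR1_KEY}" "${keys}/agent.key" "jobscheduler")
  printf 'myVar1 decrypted: %d bytes (value not logged)\n' "${#secret}"
}
CryptoDemo
```

Two points of the design are worth noting. The private-key passphrase is passed to openssl through an environment variable (`-passin env:`) instead of on the command line, so it is not readable from the process list while the job runs; and DecryptVariable removes its temporary key file on every exit path, so a failed decryption does not leave the unwrapped symmetric key on disk even before the EXIT trap fires.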

...