Supply credentials to external tool Sample

You can open the samples inside an IDE using the IntelliJ native importer or Eclipse Buildship.

This sample shows how credentials can be passed to an external tool that normally accepts them via standard input.

Let’s pretend that we have to log in to some system before performing some operation. This could be some external system that requires authentication before allowing us to upload some artifacts.

This sample assumes that the external tool that requires interactive login does not support any form of non-interactive login. In reality, many tools provide options to authenticate without prompting the user for input. Command-line arguments can be passed to the Exec task using the args property.

To demonstrate the concept, we will fake the authentication using a bash script that prompts the user for username and password:

#!/bin/bash

echo Enter username:
read username
echo Enter password:
if [ -t 0 ] ; then # if connected to a terminal, do not echo the password input
    stty -echo
    read password
    stty echo
    echo
else
    read password
fi

if [ "$username" = "secret-user" ] && [ "$password" = "secret-password" ] ; then
    echo "Welcome, $username!"
else
    echo "Bad credentials!"
    exit 1
fi

It has a hardcoded username/password pair that will result in successful login. The script can be executed without Gradle - it will mimic a tool that requires an interactive login.

Gradle build file registers two tasks - one performs a login and the other one depends on the login having succeeded:

build.gradle.kts

val login = tasks.register<Exec>("login") {
    val loginProvider = providers.credentials(PasswordCredentials::class.java, "login")
    inputs.property("credentials", loginProvider)

    commandLine = listOf("sh", "login.sh")
    doFirst {
        val loginCredentials = loginProvider.get()
        standardInput = java.io.ByteArrayInputStream("${loginCredentials.username}\n${loginCredentials.password}".toByteArray())
    }
}

tasks.register("doAuthenticated") {
    dependsOn(login)
    doLast {
        println("Doing authenticated task")
    }
}

build.gradle

def login = tasks.register('login', Exec) {
    def loginProvider = providers.credentials(PasswordCredentials, 'login')
    inputs.property('credentials', loginProvider)

    commandLine = ['sh', 'login.sh']
    doFirst {
        def loginCredentials = loginProvider.get()
        standardInput = new ByteArrayInputStream("$loginCredentials.username\n$loginCredentials.password".getBytes())
    }
}

tasks.register('doAuthenticated') {
    dependsOn(login)
    doLast {
        println 'Doing authenticated task'
    }
}

The login task declares an input property and connects it with a credentials provider. The credentials provider will fetch the credentials pieces from the project properties.

Credentials can be passed to a task in multiple ways:

via command-line properties:

$ ./gradlew doAuthenticated -PloginUsername=secret-user -PloginPassword=secret-password

via environment variables:

$ ORG_GRADLE_PROJECT_loginUsername=secret-user ORG_GRADLE_PROJECT_loginPassword=secret-password ./gradlew doAuthenticated

by setting the properties in gradle.properties file:

loginUsername=secret-user
loginPassword=secret-password

and running

$ ./gradlew doAuthenticated

This way the sensitive data can be kept outside of the project sources - gradle.properties can reside in the user’s ~/.gradle directory. The values are also not echoed anywhere this way. For more information about using Gradle properties, see Gradle Properties user manual chapter.

The output with correct credentials will be:

> Task :login
Enter userame:
Enter password:
Welcome, secret-user!

> Task :doAuthenticated
doAuthenticated

BUILD SUCCESSFUL in 496ms
2 actionable tasks: 2 executed