Hiding Sensitive Values In WebHook Configuration

netwolfuk edited this page Jul 26, 2022 · 6 revisions

Since tcWebHooks-1.2-alpha8

It's possible to hide sensitive values in webhook configurations and templates. This is done by creating a Webhook Project Parameter and then referencing the parameter as a variable in a webhook configuration or webhook template code.

It's important to create the parameter as a Webhook Project Parameter because tcWebHooks can then resolve the value at any build event. A "Password" value created as a TeamCity Build or Project Parameter will appear to work, but TeamCity masks it for the BuildFinished event (success/failure on webhooks).

Therefore, create the parameter as a Webhook Project Parameter on the WebHook editing page. Set the variable type to "Password". This tells tcWebHooks to ask TeamCity to store it securely. The value will be stored by TeamCity as a hashed value, and will be externalised from the project configuration files if you have your project configured to use a VCS for storing settings.

Creating a WebHook Project Parameter

Navigate to the WebHook editing page in TeamCity (see Creating-a-WebHook) and click the link labeled "Click to create a new Parameter for this project".

image

In the dialog that pops up, choose Password and fill in the values. For example:

image

Next, configure a webhook to refer to the variable. For example, add it into an authentication value or the URL of your webhook.

image

In the UI in TeamCity, the webhook history simplifies the URL to hide any values that might have been used when resolving the URL. This happens if any secure value was accessed whilst building the Webhook URL, headers, template or any other content.

image

Additionally, values are masked in the teamcity-server.log.

    [2022-07-25 10:35:55,131]   INFO -   jetbrains.buildServer.SERVER - AbstractWebHookExecutor ::  :: WebHook triggered : ******** using template w_slack_custom returned 200 OK
    [2022-07-25 10:35:55,131]  DEBUG -   jetbrains.buildServer.SERVER - AbstractWebHookExecutor :: :doPost :: Hiding content payload because it may contain secured values. To log content to this log file uncheck 'Secure Values' in the WebHook edit dialog.

TeamCity's storage of secure values

TeamCity will store the secure values in the project-config.xml in a format similar to the following:

    <extension id="PROJECT_EXT_23" type="tcWebHookParameter">
      <parameters>
        <param name="boolean.forceResolveTeamCityVariable" value="false" />
        <param name="boolean.includedInLegacyPayloads" value="false" />
        <param name="boolean.secure" value="true" />
        <param name="name" value="my-secure-value" />
        <param name="secure:value" value="zxxaeec8f6f6d499cc0f0456adf...02517764625e912bbf848" />
        <param name="templateEngine" value="STANDARD" />
      </parameters>
    </extension>
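
To check that the webhook parameters in a project were really saved as "Password" values before the settings are committed to a VCS, the stored format above can be audited. The following is an added example, not part of tcWebHooks or TeamCity: the function name and the sample XML are constructed, and the plain `value` key in the second sample entry is an assumption about how a non-secure parameter is stored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first extension follows the format shown above; the
# second is an assumed non-secure entry (the plain "value" key is a guess).
SAMPLE = """<project>
  <project-extensions>
    <extension id="PROJECT_EXT_23" type="tcWebHookParameter">
      <parameters>
        <param name="boolean.secure" value="true" />
        <param name="name" value="my-secure-value" />
        <param name="secure:value" value="zxxCONSTRUCTED" />
      </parameters>
    </extension>
    <extension id="PROJECT_EXT_24" type="tcWebHookParameter">
      <parameters>
        <param name="boolean.secure" value="false" />
        <param name="name" value="slack-token" />
        <param name="value" value="constructed-plaintext" />
      </parameters>
    </extension>
  </project-extensions>
</project>"""


def audit_webhook_parameters(xml_text):
    """Return (extension id, parameter name, reason) for each webhook
    parameter that is not stored as a secure value."""
    findings = []
    for ext in ET.fromstring(xml_text).iter("extension"):
        if ext.get("type") != "tcWebHookParameter":
            continue
        params = {p.get("name"): p.get("value", "") for p in ext.iter("param")}
        name = params.get("name", "<unnamed>")
        if params.get("boolean.secure") != "true":
            findings.append((ext.get("id"), name, "boolean.secure is not true"))
        elif not params.get("secure:value"):
            findings.append((ext.get("id"), name, "no secure:value entry"))
    return findings


if __name__ == "__main__":
    for ext_id, name, reason in audit_webhook_parameters(SAMPLE):
        print(f"{ext_id}: parameter '{name}' - {reason}")
```

Parameters that are intentionally non-sensitive are listed as well, so treat the output as a review list rather than a set of confirmed leaks.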

Showing secure values

It's possible to show the full URL in the history, and to log the payload and URL to the log, by unchecking the checkbox labeled "Show simplified URL in UI and prevent payload from logging secure values" in the WebHook edit dialog box. See the above screenshot showing the editing of a webhook.