in core/src/main/java/hudson/Functions.java [2054:2100]
public String getPasswordValue(Object o) {
if (o == null) {
return null;
}
/*
Return plain value if it's the default value for PasswordParameterDefinition.
This needs to work even when the user doesn't have CONFIGURE permission
*/
if (o.equals(PasswordParameterDefinition.DEFAULT_VALUE)) {
return o.toString();
}
/* Mask from Extended Read */
StaplerRequest req = Stapler.getCurrentRequest();
if (o instanceof Secret || Secret.BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE) {
if (req != null) {
Item item = req.findAncestorObject(Item.class);
if (item != null && !item.hasPermission(Item.CONFIGURE)) {
return "********";
}
Computer computer = req.findAncestorObject(Computer.class);
if (computer != null && !computer.hasPermission(Computer.CONFIGURE)) {
return "********";
}
}
}
/* Return encrypted value if it's a Secret */
if (o instanceof Secret) {
return ((Secret) o).getEncryptedValue();
}
/* Log a warning if we're in development mode (core or plugin): There's an f:password backed by a non-Secret */
if (req != null && (Boolean.getBoolean("hudson.hpi.run") || Boolean.getBoolean("hudson.Main.development"))) {
LOGGER.log(Level.WARNING, () -> "<f:password/> form control in " + getJellyViewsInformationForCurrentRequest() +
" is not backed by hudson.util.Secret. Learn more: https://jenkins.io/redirect/hudson.util.Secret");
}
/* Return plain value if it's not a Secret and the escape hatch is set */
if (!Secret.AUTO_ENCRYPT_PASSWORD_CONTROL) {
return o.toString();
}
/* Make it a Secret and return its encrypted value */
return Secret.fromString(o.toString()).getEncryptedValue();
}