Using Credentials plugin in a safe way with Datahub and ml-gradle

.gitignore

# hide secrets
secrets.properties

build.gradle

buildscript {
  repositories {
    mavenLocal()
    jcenter()
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    // Gradle Properties plugin
    classpath 'net.saliman:gradle-properties-plugin:1.5.1'

    // Gradle plugin for storing/retrieving secured credentials
    classpath "nu.studer:gradle-credentials-plugin:3.0"

    // Data Hub plugin
    classpath "com.marklogic:ml-data-hub:${mlDataHubVersion}"
  }
}

apply plugin: "net.saliman.properties" // run this first, so that secrets.gradle and properties.gradle can override 

apply from: "secrets.gradle" // must run before credentials init!!
logger.debug("credentialsPassphrase=" + credentialsPassphrase)

apply plugin: "nu.studer.credentials"

apply from: "properties.gradle" // must run before ml-data-hub init, and after credentials init!!

apply plugin: "com.marklogic.ml-data-hub"

gradle.properties

# Credentials stuff
credentialsLocation=credentials/
credentialsPassphrase=
svcMarkLogicPwd=badbutcantbeempty
mlAppServicesCertPassword=
mlRestCertPassword=

properties.gradle

// Configure properties based on encrypted credentials
project.ext.setProperty("mlUsername", credentials.forKey('mlUsername') ?: mlUsername)
project.ext.setProperty("mlPassword", credentials.forKey('mlPassword') ?: mlPassword)

project.ext.setProperty("mlAppServicesUsername", credentials.forKey('mlAppServicesUsername') ?: findProperty('mlAppServicesUsername') ?: mlUsername)
project.ext.setProperty("mlAppServicesPassword", credentials.forKey('mlAppServicesPassword') ?: findProperty('mlAppServicesPassword') ?: mlPassword)
project.ext.setProperty("mlManageUsername", credentials.forKey('mlManageUsername') ?: findProperty('mlManageUsername') ?: mlUsername)
project.ext.setProperty("mlManagePassword", credentials.forKey('mlManagePassword') ?: findProperty('mlManagePassword') ?: mlPassword)
project.ext.setProperty("mlRestAdminUsername", credentials.forKey('mlRestAdminUsername') ?: findProperty('mlRestAdminUsername') ?: mlUsername)
project.ext.setProperty("mlRestAdminPassword", credentials.forKey('mlRestAdminPassword') ?: findProperty('mlRestAdminPassword') ?: mlPassword)
project.ext.setProperty("mlSecurityUsername", credentials.forKey('mlSecurityUsername') ?: findProperty('mlSecurityUsername') ?: mlManageUsername)
project.ext.setProperty("mlSecurityPassword", credentials.forKey('mlSecurityPassword') ?: findProperty('mlSecurityPassword') ?: mlManagePassword)

project.ext.setProperty("mlAppServicesCertPassword", credentials.forKey('mlAppServicesCertPassword') ?: mlAppServicesCertPassword)
project.ext.setProperty("mlRestCertPassword", credentials.forKey('mlRestCertPassword') ?: mlRestCertPassword)

logger.debug("mlUsername=" + mlUsername)
logger.debug("mlPassword=" + mlPassword)
logger.debug("mlAppServicesUsername=" + mlAppServicesUsername)
logger.debug("mlAppServicesPassword=" + mlAppServicesPassword)
logger.debug("mlManageUsername=" + mlManageUsername)
logger.debug("mlManagePassword=" + mlManagePassword)
logger.debug("mlRestAdminUsername=" + mlRestAdminUsername)
logger.debug("mlRestAdminPassword=" + mlRestAdminPassword)
logger.debug("mlSecurityUsername=" + mlSecurityUsername)
logger.debug("mlSecurityPassword=" + mlSecurityPassword)
logger.debug("mlAppServicesCertPassword=" + mlAppServicesCertPassword)
logger.debug("mlRestCertPassword=" + mlRestCertPassword)

secrets.gradle

Properties props = new Properties()
InputStream fis
try {
  fis = new FileInputStream("$projectDir/secrets.properties")
  props.load(fis)
} catch (err) {
  println err
} finally {
  if (fis) {
    fis.close()
  }
}
props.each { prop ->
  if (prop.key.startsWith(environmentName + ".")) {
    def key = prop.key.replace(environmentName + ".", "")
    logger.debug("Setting " + key + "=" + prop.value)
    rootProject.ext.set(key, prop.value)
  }
}

secrets.properties

local.credentialsPassphrase=**somegeneratedhash**