configuration-as-code-plugin: JCASC creating corrupted file credential from DSA private key

  • Jenkins version: 2.269
  • Plugin versions:
      • JCasC 1.46
      • Credentials 2.3.14
      • Plain Credentials 1.7
  • OS: Ubuntu

Description

I’m using JCasC to inject DSA credentials as a secret file and I’m getting unusual behavior that seemingly results in a corrupted credential file.

I’m setting up the file credential by doing the following:

credentials:
  system:
    domainCredentials:
    - credentials:
      - file:
          description: "DSA private key"
          fileName: "dsa_priv.pem"
          id: "dsa_priv"
          scope: GLOBAL
          secretBytes: "${base64:${file}}"

And by placing my credential at /run/secrets/file in order to load it via the docker secrets mechanism and then applying my configuration.

But JCasC doesn’t appear to be generating the same credential that would be created if I went through the Jenkins GUI and manually added a secret file to the credential store.

I noticed this because the script I’m running that attempts to read the JCasC created credential bombs because it can’t correctly deserialize it. But it works just fine on a file credential created from the GUI with the same contents.

But it’s also pretty easy to observe the difference in behavior with a simple pipeline script on a test key:

pipeline {
    agent any

    stages {
        stage('test') {
            environment {
                dsa_priv = credentials('dsa_priv')
            }
            steps {
                script {
                    def contents = readFile file: env.dsa_priv
                    echo contents
                }
            }
        }
    }
}

When I attempt to read the credential loaded via the Jenkins GUI using the above pipeline, I get something that looks like:

-----BEGIN DSA PRIVATE KEY-----
...
-----END DSA PRIVATE KEY-----

But when I do the same on the JCasC generated file credential, I get a bunch of mojibake:

���b
...
���b

Playing around some, if I swap the file contents for something like:

asdfsdf---
hello world
--asdfasdf

JCasC correctly creates the credential and dumps the contents:

[Pipeline] echo
asdfsdf---
hello world
--asdfasdf

But the moment I add a leading - to the file:

-asdfsdf---
hello world
--asdfasdf

Something goes wrong and I get nothing:

[Pipeline] echo

I’m not quite sure if the problem is with my usage, JCasC, or one of its dependent plugins (credentials, plain-credentials, etc.).

Thanks for all the work maintaining this great plugin and for taking the time to read my bug report!

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 20 (8 by maintainers)
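
One way to compare the GUI-created and JCasC-created file credentials from a pipeline without echoing key material into the build log, as an added example that is not part of the original issue or of the plugin's code. The function names and the sample bytes are assumptions constructed for illustration; the script would be called with the path bound to `dsa_priv` and the SHA-256 of the intended key file.

```python
import hashlib
import hmac
import sys

PEM_BEGIN = b"-----BEGIN "
PEM_END = b"-----END "

# Constructed placeholder, not a real key: PEM framing around dummy base64.
SAMPLE_KEY = (b"-----BEGIN DSA PRIVATE KEY-----\n"
              b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
              b"-----END DSA PRIVATE KEY-----\n")
EXPECTED = hashlib.sha256(SAMPLE_KEY).hexdigest()


def inspect_credential(data: bytes, expected_sha256: str) -> dict:
    """Summarise a secret file's bytes without exposing the bytes themselves."""
    digest = hashlib.sha256(data).hexdigest()
    lines = data.strip().splitlines()
    return {
        "length": len(data),
        "sha256": digest,
        # Compare digests, never the secret itself.
        "matches_expected": hmac.compare_digest(digest, expected_sha256.lower()),
        "is_ascii": data.isascii(),
        "pem_framed": (len(lines) >= 2
                       and lines[0].startswith(PEM_BEGIN)
                       and lines[-1].startswith(PEM_END)),
    }


def verdict(report: dict) -> str:
    """Map a report onto the outcomes described in the issue."""
    if report["matches_expected"]:
        return "ok"
    if report["length"] == 0:
        return "empty"            # the "I get nothing" case
    if not report["is_ascii"]:
        return "binary-garbage"   # the mojibake case
    return "altered-text"


if __name__ == "__main__":
    # Usage: script.py <credential file path> <expected sha256 hex>
    with open(sys.argv[1], "rb") as fh:
        report = inspect_credential(fh.read(), sys.argv[2])
    print(verdict(report), report["length"], report["sha256"])
    sys.exit(0 if report["matches_expected"] else 1)
```

Only the length, digest and verdict reach the console, so the build log stays safe to share when reporting the mismatch.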

Most upvoted comments

Not sure how you're passing in the file attribute, but it may be the source of messing with the input.

Could you try using ${readFileBase64:myFilePath}