Secret resolution failure breaks work allocation in server #12764

Open
chadlwilson opened this issue May 14, 2024 · 0 comments

Issue Type
  • Bug Report
Summary

This might need more safety on both plugin and server, but decryption failures in file based secrets (e.g. due to encryption with wrong key) here propagate back to the server as a RuntimeException which is then not handled properly and leads to a work allocation loop.

Probably needs fixed in both places.

java.lang.RuntimeException: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.executeActionOnTheService(FelixGoPluginOSGiFramework.java:209)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.doOn(FelixGoPluginOSGiFramework.java:163)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.submitTo(DefaultPluginManager.java:131)
        at com.thoughtworks.go.plugin.access.PluginRequestHelper.submitRequest(PluginRequestHelper.java:49)
        at com.thoughtworks.go.plugin.access.secrets.v1.SecretsExtensionV1.lookupSecrets(SecretsExtensionV1.java:100)
        at com.thoughtworks.go.plugin.access.secrets.SecretsExtension.lookupSecrets(SecretsExtension.java:81)
        at com.thoughtworks.go.server.service.SecretParamResolver.lambda$lookupAndUpdateSecretParamsValue$1(SecretParamResolver.java:187)
        at java.base/java.util.HashMap.forEach(Unknown Source)
        at com.thoughtworks.go.server.service.SecretParamResolver.resolve(SecretParamResolver.java:178)
        at com.thoughtworks.go.server.service.SecretParamResolver.resolve(SecretParamResolver.java:117)
        at com.thoughtworks.go.server.service.BuildAssignmentService.lambda$createWork$1(BuildAssignmentService.java:320)
        at com.thoughtworks.go.server.transaction.TransactionTemplate.lambda$execute$0(TransactionTemplate.java:31)
        at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133)
        at com.thoughtworks.go.server.transaction.TransactionTemplate.execute(TransactionTemplate.java:28)
        at com.thoughtworks.go.server.service.BuildAssignmentService.lambda$createWork$2(BuildAssignmentService.java:302)
        at com.thoughtworks.go.server.transaction.TransactionTemplate.transactionSurrounding(TransactionTemplate.java:60)
        at com.thoughtworks.go.server.service.BuildAssignmentService.createWork(BuildAssignmentService.java:286)
        at com.thoughtworks.go.server.service.BuildAssignmentService.assignWorkToAgent(BuildAssignmentService.java:186)
        at com.thoughtworks.go.server.service.BuildAssignmentService.assignWorkToAgent(BuildAssignmentService.java:165)
        at com.thoughtworks.go.server.messaging.scheduling.WorkFinder.onMessage(WorkFinder.java:60)
        at com.thoughtworks.go.server.messaging.scheduling.WorkFinder.onMessage(WorkFinder.java:32)
        at com.thoughtworks.go.server.messaging.activemq.JMSMessageListenerAdapter.runImpl(JMSMessageListenerAdapter.java:83)
        at com.thoughtworks.go.server.messaging.activemq.JMSMessageListenerAdapter.run(JMSMessageListenerAdapter.java:63)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.RuntimeException: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at cd.go.plugin.secret.filebased.db.SecretsDatabase.lambda$getSecret$0(SecretsDatabase.java:75)
        at java.base/java.util.HashMap.computeIfAbsent(Unknown Source)
        at cd.go.plugin.secret.filebased.db.SecretsDatabase.getSecret(SecretsDatabase.java:70)
        at cd.go.plugin.secret.filebased.executors.LookupSecretsRequestExecutor.execute(LookupSecretsRequestExecutor.java:57)
        at cd.go.plugin.secret.filebased.executors.LookupSecretsRequestExecutor.execute(LookupSecretsRequestExecutor.java:35)
        at cd.go.plugin.base.executors.secrets.LookupExecutor.execute(LookupExecutor.java:28)
        at cd.go.plugin.base.dispatcher.RequestDispatcher.dispatch(RequestDispatcher.java:42)
        at cd.go.plugin.secret.filebased.FileBasedSecretsPlugin.handle(FileBasedSecretsPlugin.java:53)
        at com.thoughtworks.go.plugin.infra.DefaultPluginManager.lambda$submitTo$0(DefaultPluginManager.java:134)
        at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.executeActionOnTheService(FelixGoPluginOSGiFramework.
Environment

GoCD 24.1.0

Also see gocd/gocd-file-based-secrets-plugin#190
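
The failure mode reported above, and one way to contain it on both sides, as an added example that is not GoCD or plugin code. All class and method names are hypothetical, and `AES/CBC/PKCS5Padding` is an assumption based on the padding error in the trace.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Optional;

public class SecretResolutionDemo {
    /** Hypothetical typed failure, so callers can tell "secret unusable" from a crash. */
    static class SecretResolutionException extends Exception {
        SecretResolutionException(String msg, Throwable cause) { super(msg, cause); }
    }

    static byte[] crypt(int mode, byte[] key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // assumed cipher mode
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(new byte[16])); // fixed IV: demo only
        return c.doFinal(in);
    }

    // Plugin side: report crypto failures as a checked, typed error, not a RuntimeException.
    // CBC is unauthenticated, so a wrong key usually (not always) surfaces as BadPaddingException.
    static String lookup(String name, byte[] key, byte[] stored) throws SecretResolutionException {
        try {
            return new String(crypt(Cipher.DECRYPT_MODE, key, stored), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // Name the secret in the message; never include key or ciphertext bytes.
            throw new SecretResolutionException("cannot decrypt secret '" + name + "'", e);
        }
    }

    // Server side: a resolution failure fails this one job and does not escape to the scheduler.
    static Optional<String> createWork(String job, byte[] key, byte[] stored) {
        try {
            int len = lookup("db_password", key, stored).length();
            return Optional.of("work for " + job + " with " + len + "-char secret");
        } catch (SecretResolutionException | RuntimeException e) {
            System.out.println("FAIL job " + job + ": " + e.getMessage()); // mark failed, do not re-queue
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] right = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // constructed keys
        byte[] wrong = "fedcba9876543210".getBytes(StandardCharsets.US_ASCII);
        byte[] stored = crypt(Cipher.ENCRYPT_MODE, right, "s3cr3t-value".getBytes(StandardCharsets.UTF_8));
        System.out.println(createWork("build-1", right, stored));
        System.out.println(createWork("build-2", wrong, stored));
    }
}
```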
