[JIRA] (JENKINS-59247) "Fail if path is not found" property not working

andres.pineros@hotmail.com (JIRA)

Sep 5, 2019, 10:05:03 AM
to jenkinsc...@googlegroups.com
Andres Pineros created an issue
 
Jenkins / Bug JENKINS-59247
"Fail if path is not found" property not working
Issue Type: Bug
Assignee: Peter Tierno
Components: hashicorp-vault-plugin
Created: 2019-09-05 14:04
Priority: Minor
Reporter: Andres Pineros

Plugin version: 2.5.0

 

Even if the "Fail if path is not found" option is false, the pipeline fails whenever a path doesn't exist.

java.lang.IllegalArgumentException: Vault Secret <REDACTED> at <REDACTED> is either null or empty. Please check the Secret in Vault.
	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:152)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:94)
	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2.doStart(CoreWrapperStep.java:97)
	at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE

 

The logic is:

if (StringUtils.isBlank(secret)) {
    throw new IllegalArgumentException("Vault Secret " + vaultKey + " at " + path + " is either null or empty. Please check the Secret in Vault.");
}

I didn't fully read the code but my guess is that secrets are still being evaluated in that condition even if the path doesn't exist.

I'd also like to propose an alternative to the "Fail" property:

withVault(vaultSecrets: [[path: "<REDACTED>", required: false, secretValues: [[vaultKey: '<REDACTED>', required: true]]]]) { echo "whats up" }

In the example above, the Path isn't required BUT if it does exist, then the vaultKey is required. This idea comes from the Python library Cerberus.

If a "path" isn't required and it doesn't exist, all of its "vaultKeys" should return an empty string. If a "vaultKey" isn't required and it doesn't exist, it should return an empty string.

 

 

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

andres.pineros@hotmail.com (JIRA)

Sep 5, 2019, 10:08:04 AM
to jenkinsc...@googlegroups.com
Andres Pineros updated an issue
Change By: Andres Pineros
Plugin version: 2.5.0

 

Even if the "Fail if path is not found" option is false, the pipeline fails whenever a path doesn't exist.
{code:java}

java.lang.IllegalArgumentException: Vault Secret <REDACTED> at <REDACTED> is either null or empty. Please check the Secret in Vault.
at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:152)
at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:94)
at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2.doStart(CoreWrapperStep.java:97)
at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE
{code}
 

The logic is:
{code:java}

if (StringUtils.isBlank(secret)) {
    throw new IllegalArgumentException("Vault Secret " + vaultKey + " at " + path + " is either null or empty. Please check the Secret in Vault.");
}
{code}

I didn't fully read the code but my guess is that secrets are still being evaluated in that condition even if the path doesn't exist.

I'd also like to propose an alternative to the "Fail" property:
{code:java}

withVault(vaultSecrets: [[path: "<REDACTED>", required: false, secretValues: [[vaultKey: '<REDACTED>', required: true]]]]) { echo "whats up" }
{code}

In the example above, the Path isn't required BUT if it does exist, then the vaultKey is required. This idea comes from the Python library Cerberus.

If a "path" isn't required and it doesn't exist, all of its "vaultKeys" should return an empty string. If a "vaultKey" isn't required and it doesn't exist, it should return an empty string.

This gives much more granular control over the existence of secrets. Right now I have to use try{}catch(Exception e){} to validate if a secret exists....

 


 

andres.pineros@hotmail.com (JIRA)

Sep 5, 2019, 10:11:02 AM
to jenkinsc...@googlegroups.com
Andres Pineros updated an issue
Plugin version: 2.5.0

 

Even if the "Fail if path is not found" option is false, the pipeline fails whenever a path doesn't exist.
{code:java}
java.lang.IllegalArgumentException: Vault Secret <REDACTED> at AWS_ACCESS_KEY_ID is either null or empty. Please check the Secret in Vault.

at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:152)
at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:94)
at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2.doStart(CoreWrapperStep.java:97)
at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE
{code}
 

The logic is:
{code:java}
if (StringUtils.isBlank(secret)) {
    throw new IllegalArgumentException("Vault Secret " + vaultKey + " at " + path + " is either null or empty. Please check the Secret in Vault.");
}
{code}
I didn't fully read the code but my guess is that secrets are still being evaluated in that condition even if the path doesn't exist.

I'd also like to propose an alternative to the "Fail" property:
{code:java}
withVault(vaultSecrets: [[path: "$path", required: false, secretValues: [[vaultKey: 'AWS_IAM_ROLE', required: true]]]]) { echo "wassup" }

{code}
In the example above, the Path isn't required BUT if it does exist, then the vaultKey is required. This idea comes from the Python library Cerberus.

If a "path" isn't required and it doesn't exist, all of its "vaultKeys" should return an empty string. If a "vaultKey" isn't required and it doesn't exist, it should return an empty string.

This gives much more granular control over the existence of secrets. Right now I have to use try{}catch(Exception e){} to validate if a secret exists....

 
{code:java}
withVault(vaultSecrets: [[path: "$path", secretValues: [[vaultKey: 'AWS_ACCESS_KEY_ID'], [vaultKey: 'AWS_SECRET_ACCESS_KEY']]]]) {
  def iam_role = null
  try {
    // env.AWS_IAM_ROLE is only set inside this inner block, so copy it out
    steps.withVault(vaultSecrets: [[path: path, secretValues: [[vaultKey: 'AWS_IAM_ROLE']]]]) { iam_role = env.AWS_IAM_ROLE }
  } catch(IllegalArgumentException e) { echo "Path $path doesn't have an AWS_IAM_ROLE" }
  // use the captured value; iam_role stays null when the key is missing
  steps.withAws(role: iam_role, role_session_name: env.JOB_NAME.replaceAll("/", "_")) {
    echo "wassup"
  }
}
{code}

andres.pineros@hotmail.com (JIRA)

Sep 5, 2019, 10:12:03 AM
to jenkinsc...@googlegroups.com
Andres Pineros updated an issue
Plugin version: 2.5.0

 

Even if the "Fail if path is not found" option is false, the pipeline fails whenever a path doesn't exist.
{code:java}
java.lang.IllegalArgumentException: Vault Secret <REDACTED> at AWS_ACCESS_KEY_ID is either null or empty. Please check the Secret in Vault.

at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:152)
at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:94)
at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2.doStart(CoreWrapperStep.java:97)
at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE
{code}
 

The logic is:
{code:java}
if (StringUtils.isBlank(secret)) {
    throw new IllegalArgumentException("Vault Secret " + vaultKey + " at " + path + " is either null or empty. Please check the Secret in Vault.");
}
{code}
I didn't fully read the code but my guess is that secrets are still being evaluated in that condition even if the path doesn't exist.

I'd also like to propose an alternative to the "Fail" property:
{code:java}
withVault(vaultSecrets: [[path: "$path", required: false, secretValues: [[vaultKey: 'AWS_IAM_ROLE', required: true]]]]) { echo "wassup" }

{code}
In the example above, the Path isn't required BUT if it does exist, then the vaultKey is required. This idea comes from the Python library Cerberus.

If a "path" isn't required and it doesn't exist, all of its "vaultKeys" should return an empty string. If a "vaultKey" isn't required and it doesn't exist, it should return an empty string.

This gives much more granular control over the existence of secrets. Right now I have to use try{}catch(Exception e){} to validate if a secret exists....

 
{code:java}
withVault(vaultSecrets: [[path: "$path", secretValues: [[vaultKey: 'AWS_ACCESS_KEY_ID'], [vaultKey: 'AWS_SECRET_ACCESS_KEY']]]]) {
  def iam_role = null
  try {
    // env.AWS_IAM_ROLE is only set inside this inner block, so copy it out
    steps.withVault(vaultSecrets: [[path: path, secretValues: [[vaultKey: 'AWS_IAM_ROLE']]]]) { iam_role = env.AWS_IAM_ROLE }
  } catch(IllegalArgumentException e) { echo "Path $path doesn't have an AWS_IAM_ROLE" }
  // use the captured value; iam_role stays null when the key is missing
  steps.withAws(role: iam_role, role_session_name: env.JOB_NAME.replaceAll("/", "_")) {
    echo "wassup"
  }
}
{code}
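
The path-level and key-level "required" semantics proposed in the description above, modelled as an added example; this is not hashicorp-vault-plugin code and not the reporter's. The class, record and method names, the in-memory `vault` map and the path names are hypothetical, and Java 17 is assumed for records.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; not hashicorp-vault-plugin code. All type and method names are hypothetical.
public class RequiredFlagDemo {
    record KeySpec(String vaultKey, boolean required) {}
    record PathSpec(String path, boolean required, List<KeySpec> keys) {}

    // vault maps path -> (key -> value); a path absent from the map models "path not found".
    static Map<String, String> resolve(Map<String, Map<String, String>> vault, List<PathSpec> specs) {
        Map<String, String> env = new LinkedHashMap<>();
        for (PathSpec p : specs) {
            Map<String, String> data = vault.get(p.path());
            if (data == null && p.required()) {
                throw new IllegalArgumentException("Vault path " + p.path() + " was not found");
            }
            for (KeySpec k : p.keys()) {
                String secret = (data == null) ? null : data.get(k.vaultKey());
                boolean blank = secret == null || secret.isBlank();
                // A key-level "required" only applies once the path itself exists.
                if (blank && data != null && k.required()) {
                    throw new IllegalArgumentException("Vault Secret " + k.vaultKey() + " at " + p.path()
                            + " is either null or empty. Please check the Secret in Vault.");
                }
                env.put(k.vaultKey(), blank ? "" : secret);
            }
        }
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample data: one path holding one key.
        Map<String, Map<String, String>> vault =
                Map.of("secret/ci", Map.of("AWS_ACCESS_KEY_ID", "constructed-value"));
        List<KeySpec> role = List.of(new KeySpec("AWS_IAM_ROLE", true));

        // Optional path that does not exist: its keys resolve to "" even when marked required.
        System.out.println(resolve(vault, List.of(new PathSpec("secret/missing", false, role))));
        // Existing path, optional key absent: that key resolves to "".
        System.out.println(resolve(vault, List.of(new PathSpec("secret/ci", true,
                List.of(new KeySpec("AWS_ACCESS_KEY_ID", true), new KeySpec("AWS_IAM_ROLE", false))))));
        // Existing path, required key absent: resolution fails with the plugin-style message.
        try {
            resolve(vault, List.of(new PathSpec("secret/ci", false, role)));
        } catch (IllegalArgumentException e) {
            System.out.println("failed: " + e.getMessage());
        }
    }
}
```

Under these semantics an empty string cannot be told apart from a secret stored blank, so a pipeline consuming an optional value has to test for "" before handing it to a credential-using step.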

josephp90@gmail.com (JIRA)

Oct 10, 2019, 1:17:02 AM
to jenkinsc...@googlegroups.com
Change By: Joseph Petersen
Status: Open → Resolved
Assignee: Peter Tierno → Joseph Petersen
Resolution: Fixed
Released As: https://github.com/jenkinsci/hashicorp-vault-plugin/releases/tag/hashicorp-vault-plugin-3.0.0
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

nl.ruslan@yandex.ru (JIRA)

Feb 4, 2020, 1:08:02 AM
to jenkinsc...@googlegroups.com
Ruslan Zhdanov commented on Bug JENKINS-59247
 
Re: "Fail if path is not found" property not working

Is this issue not fully completed?
This does not support the case when vaultKey does not exist.

nl.ruslan@yandex.ru (JIRA)

Feb 4, 2020, 1:09:03 AM
to jenkinsc...@googlegroups.com

josephp90@gmail.com (JIRA)

Mar 7, 2020, 1:07:25 AM
to jenkinsc...@googlegroups.com
Joseph Petersen assigned an issue to Joseph Petersen
 
Change By: Joseph Petersen
Assignee: Joseph Petersen (old)
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)