jenkinsci / azure-keyvault-plugin

Jenkins plugin for Azure Keyvault
https://plugins.jenkins.io/azure-keyvault/
MIT License

Using SSH key with passphrase doesn't work #227

Closed bsloan-icl closed 11 months ago

bsloan-icl commented 11 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.414.3
OS: Linux - 5.15.90.1-microsoft-standard-WSL2
Java: 11.0.20.1 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
azure-credentials:293.vb_d506148f506
azure-keyvault:214.vf667264ea_ccd
azure-sdk:157.v855da_0b_eb_dc2
bouncycastle-api:2.29
branch-api:2.1128.v717130d4f816
caffeine-api:3.1.8-133.v17b_1ff2e0599
cloudbees-folder:6.858.v898218f3609d
commons-lang3-api:3.13.0-62.v7d18e55f51e2
credentials:1307.v3757c78f17c3
credentials-binding:642.v737c34dea_6c2
display-url-api:2.200.vb_9327d658781
durable-task:523.va_a_22cf15d5e0
git:5.2.0
git-client:4.5.0
github:1.37.3.1
github-api:1.316-451.v15738eef3414
github-branch-source:1741.va_3028eb_9fd21
instance-identity:185.v303dc7c645f9
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.3-366.vfe8d1fa_f8c87
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jjwt-api:0.11.5-77.v646c772fddb_0
mailer:463.vedf8358e006b_
mina-sshd-api-common:2.11.0-86.v836f585d47fa_
mina-sshd-api-core:2.11.0-86.v836f585d47fa_
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pipeline-build-step:516.v8ee60a_81c5b_9
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:689.veec561a_dee13
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2150.v4cfd8916915c
pipeline-model-definition:2.2150.v4cfd8916915c
pipeline-model-extensions:2.2150.v4cfd8916915c
pipeline-rest-api:2.34
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2150.v4cfd8916915c
pipeline-stage-view:2.34
plain-credentials:143.v1b_df8b_d3b_e48
scm-api:676.v886669a_199a_a_
script-security:1275.v23895f409fb_d
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.916.vd17b_43357ce4
structs:325.vcb_307d2a_2782
token-macro:384.vf35b_f26814ec
trilead-api:2.84.v72119de229b_7
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1283.v99c10937efcb_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3806.va_3a_6988277b_2
workflow-durable-task-step:1289.v4d3e7b_01546b_
workflow-job:1360.vc6700e3136f5
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:865.v43e78cc44e0d
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Docker Desktop on Windows 10 with the jenkins/jenkins:lts-jdk11 image (currently Jenkins 2.414.3)

Reproduction steps

  1. docker run -p 8080:8080 -p 50000:50000 --restart=on-failure jenkins/jenkins:lts-jdk11
  2. Install Key Vault plugin
  3. Configure key vault plugin with key vault URI and service principal
  4. Add the SSH key to key vault with the following tags (screenshot of the tags not reproduced)
  5. Add the SSH passphrase to key vault with no tags
  6. View the credentials in Jenkins

Expected Results

The SSH key should be added as a credential in Jenkins along with its passphrase.

Actual Results

The SSH credential isn't visible in Jenkins. The passphrase is retrieved successfully from the key vault and created as a separate credential in Jenkins but not the SSH key. I've not used the AZURE_KEYVAULT_LABEL_SELECTOR to filter out any credentials. (screenshot not reproduced)

The logs state that the passphrase credential does not exist in the key vault but it definitely does because it's being retrieved as a separate credential okay. (screenshot of the log not reproduced)

Anything else?

No response

timja commented 11 months ago

This is the code: https://github.com/jenkinsci/azure-keyvault-plugin/blob/bf30c8c9364a55efbbbaa71fb4c66580b6e2b07e/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureCredentialsProvider.java#L195-L203

I can't see anything wrong from a glance.

Can you retrieve it fine from the CLI, copying and pasting exactly from the Jenkins config?

bsloan-icl commented 11 months ago

I think the issue is that it's missing a "/" before "secrets/" in the passphrase variable. The URL specified in our config is https://name-of-keyvault.vault.azure.net with no "/" on the end. If we add a trailing "/" to the end of the URL, the passphrase is retrieved successfully.

The documentation doesn't explicitly state a trailing "/" is required so it would be easy for end users to miss. (screenshot not reproduced)
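
The trailing-slash behaviour described in the comment above, as an added example that is not the plugin's own code: a hypothetical `SecretUrlExample` class (plain JDK, no Jenkins or Azure SDK dependency) that builds a Key Vault secret URL the naive way and the separator-safe way, then checks which host the resulting URL actually points at. The naive concatenation is an assumption that mirrors the reported symptom, not a copy of the plugin's line; the secret name `ssh-passphrase` is a constructed sample.

```java
import java.net.URI;

/**
 * Added illustration of the vault-URL trailing-slash problem.
 * Not the azure-keyvault-plugin's own code: the naive builder is an
 * assumption modelled on the symptom described in the issue.
 */
public class SecretUrlExample {

    /** Naive concatenation: with no trailing "/" on the vault URL the
     *  path is glued onto the host name, so the lookup goes to a host
     *  that does not exist and the secret is reported as missing. */
    static String naiveSecretUrl(String vaultUrl, String secretName) {
        return vaultUrl + "secrets/" + secretName;
    }

    /** Separator-safe builder: strip any trailing slashes from the base
     *  URL and always insert exactly one "/" before the path, so both
     *  "https://v.vault.azure.net" and "https://v.vault.azure.net/" work. */
    static String safeSecretUrl(String vaultUrl, String secretName) {
        String base = vaultUrl.trim();
        while (base.endsWith("/")) {
            base = base.substring(0, base.length() - 1);
        }
        return base + "/secrets/" + secretName;
    }

    /** Sanity check a practitioner can apply to the URL the plugin will
     *  fetch: the host must still be a bare Key Vault host, not a host
     *  with "secrets" fused onto the end of it. */
    static boolean hostLooksRight(String url) {
        String host = URI.create(url).getHost();
        return host != null && host.endsWith(".vault.azure.net");
    }

    public static void main(String[] args) {
        // Constructed sample values; the vault name matches the one in the issue.
        String withoutSlash = "https://name-of-keyvault.vault.azure.net";
        String withSlash = "https://name-of-keyvault.vault.azure.net/";
        String secret = "ssh-passphrase";

        String broken = naiveSecretUrl(withoutSlash, secret);
        System.out.println("naive, no trailing slash : " + broken
                + "  host ok? " + hostLooksRight(broken));

        String fixedA = safeSecretUrl(withoutSlash, secret);
        String fixedB = safeSecretUrl(withSlash, secret);
        System.out.println("safe, no trailing slash  : " + fixedA
                + "  host ok? " + hostLooksRight(fixedA));
        System.out.println("safe, trailing slash     : " + fixedB
                + "  host ok? " + hostLooksRight(fixedB));
        System.out.println("both safe forms identical: " + fixedA.equals(fixedB));
    }
}
```

Run it with `javac SecretUrlExample.java && java SecretUrlExample`. The naive form produces a URL whose host ends in `.vault.azure.netsecrets`, which is why the log says the secret does not exist even though it is present in the vault; the safe form yields the same URL whether or not the configured vault URL carries a trailing "/", which is the behaviour the fix in this issue is meant to restore.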

timja commented 11 months ago

Right it should work either way, that's a bug, are you interested in contributing a fix?

bsloan-icl commented 11 months ago

Yeah I can have a look. Should be a relatively straightforward fix