jenkinsci / in-toto-plugin

A Jenkins plugin to track steps and create in-toto link metadata
https://plugins.jenkins.io/in-toto/
MIT License
10 stars 14 forks source link

Not able to read keys from Jenkins slave workspace #35

Open SaiJyothiGudibandi opened 2 years ago

SaiJyothiGudibandi commented 2 years ago

Jenkins and plugins versions report

Environment ```text Jenkins: 2.263.4 OS: Linux - 3.10.0-862.14.4.el7.x86_64 --- ace-editor:1.1 analysis-model-api:10.5.4 ansicolor:1.0.0 ant:1.11 antisamy-markup-formatter:2.1 apache-httpcomponents-client-4-api:4.5.13-1.0 artifactory:3.13.0 authentication-tokens:1.4 basic-branch-build-strategies:1.3.2 bitbucket-approve:1.0.3 bitbucket-build-status-notifier:1.4.2 bitbucket-oauth:0.10 bitbucket-pullrequest-builder:1.5.0 bitbucket-push-and-pull-request:2.7.2 blackduck-detect:2.1.1 blueocean:1.24.8 blueocean-autofavorite:1.2.4 blueocean-bitbucket-pipeline:1.24.8 blueocean-commons:1.24.8 blueocean-config:1.24.8 blueocean-core-js:1.24.8 blueocean-dashboard:1.24.8 blueocean-display-url:2.4.1 blueocean-events:1.24.8 blueocean-git-pipeline:1.24.8 blueocean-github-pipeline:1.24.8 blueocean-i18n:1.24.8 blueocean-jira:1.24.8 blueocean-jwt:1.24.8 blueocean-personalization:1.24.8 blueocean-pipeline-api-impl:1.24.8 blueocean-pipeline-editor:1.24.8 blueocean-pipeline-scm-api:1.24.8 blueocean-rest:1.24.8 blueocean-rest-impl:1.24.8 blueocean-web:1.24.8 bootstrap4-api:4.6.0-3 bootstrap5-api:5.1.1-1 bouncycastle-api:2.23 branch-api:2.6.2 build-name-setter:2.1.0 build-timeout:1.20 caffeine-api:2.9.2-29.v717aac953ff3 checks-api:1.7.2 cloudbees-bitbucket-branch-source:2.9.10 cloudbees-folder:6.16 clover:4.12.1 cobertura:1.16 code-coverage-api:1.4.0 command-launcher:1.6 config-file-provider:3.8.0 credentials:2.6.1 credentials-binding:1.27 cvs:2.19 dashboard-view:2.16 data-tables-api:1.11.3-1 description-setter:1.10 display-url-api:2.3.5 docker-build-step:2.8 docker-commons:1.17 docker-java-api:3.1.5.2 docker-plugin:1.2.3 docker-workflow:1.26 dtkit-api:3.0.0 durable-task:1.37 echarts-api:5.2.1-2 email-ext:2.83 embeddable-build-status:2.0.3 envinject:2.3.0 envinject-api:1.7 extended-choice-parameter:0.82 extensible-choice-parameter:1.8.0 external-monitor-job:1.7 favorite:2.3.2 folder-auth:1.3 folder-properties:1.2.1 font-awesome-api:5.15.4-1 forensics-api:1.3.0 gcp-secrets-manager-credentials-provider:0.2.6 generic-webhook-trigger:1.75 ghprb:1.42.2 git:4.8.2 git-client:3.9.0 git-server:1.9 github:1.34.0 github-api:1.123 github-branch-source:2.9.9 github-checks:1.0.13 github-oauth:0.33 github-organization-folder:1.6 github-pr-coverage-status:2.1.1 github-pullrequest:0.3.0 global-build-stats:1.5 google-chat-notification:1.4 google-compute-engine:4.3.11 google-hangouts-chat-notifier:1.0 google-kubernetes-engine:0.8.6 google-metadata-plugin:0.3.1 google-oauth-plugin:1.0.6 google-storage-plugin:1.5.4 gradle:1.37.1 greenballs:1.15.1 h2-api:1.4.199 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-1.0 hashicorp-vault-plugin:3.8.0 htmlpublisher:1.25 http_request:1.10 icon-shim:2.0.3 in-toto:0.3.1 ivy:2.1 jackson2-api:2.12.4 jacoco:3.2.0 javadoc:1.6 jaxb:2.3.0.1 jdk-tool:1.5 jenkins-design-language:1.24.8 jenkins-jira-issue-updater:1.18 jira:3.3 jira-steps:1.6.0 jjwt-api:0.11.2-9.c8b45b8bb173 job-dsl:1.77 job-import-plugin:3.4 jobConfigHistory:2.28.1 jobrevision:0.6 join:1.21 jquery:1.12.4-1 jquery-detached:1.2.1 jquery3-api:3.6.0-2 jsch:0.1.55.2 junit:1.52 kubernetes:1.30.1 kubernetes-client-api:5.4.1 kubernetes-credentials:0.9.0 ldap:1.26 lockable-resources:2.11 locks-and-latches:0.6 log-parser:2.1 mailer:1.34 mapdb-api:1.0.9.0 matrix-auth:2.6.8 matrix-project:1.18 maven-plugin:3.8 mercurial:2.15 metrics:4.0.2.8 momentjs:1.1.1 monitoring:1.88.0 multibranch-build-strategy-extension:1.0.10 multibranch-scan-webhook-trigger:1.0.9 multiple-scms:0.6 nodejs:1.4.0 oauth-credentials:0.4 okhttp-api:3.14.9 pam-auth:1.6 percentage-du-node-column:0.1.0 pipeline-build-step:2.15 pipeline-github:2.7 pipeline-github-lib:1.0 pipeline-githubnotify-step:1.0.5 pipeline-graph-analysis:1.11 pipeline-input-step:2.12 pipeline-maven:3.10.0 pipeline-milestone-step:1.3.2 pipeline-model-api:1.9.1 pipeline-model-declarative-agent:1.1.1 pipeline-model-definition:1.9.1 pipeline-model-extensions:1.9.1 pipeline-rest-api:2.19 pipeline-stage-step:2.5 pipeline-stage-tags-metadata:1.9.1 pipeline-stage-view:2.19 pipeline-utility-steps:2.8.0 plain-credentials:1.7 plugin-util-api:2.5.0 popper-api:1.16.1-2 popper2-api:2.10.2-1 postbuild-task:1.9 pubsub-light:1.13 python:1.3 qualys-cs:1.6.2.5 resource-disposer:0.16 role-strategy:3.2.0 run-condition:1.5 scm-api:2.6.5 scm-filter-branch-pr:0.5.1 script-security:1.78 shared-objects:0.44 simple-build-for-pipeline:0.2 slack:2.48 snakeyaml-api:1.29.1 sonar:2.13.1 sonarqube-generic-coverage:1.0 sse-gateway:1.24 ssh-agent:1.22 ssh-credentials:1.18.1 ssh-slaves:1.31.5 stashNotifier:1.20 structs:1.23 subversion:2.14.4 synopsys-coverity:2.4.1 timestamper:1.13 token-macro:2.13 trilead-api:1.0.13 variant:1.4 violation-comments-to-stash:1.127 violations:0.7.11 warnings-ng:9.5.2 webhook-step:1.4 windows-slaves:1.8 workflow-aggregator:2.6 workflow-api:2.46 workflow-basic-steps:2.24 workflow-cps:2.93 workflow-cps-global-lib:2.19 workflow-durable-task-step:2.39 workflow-job:2.41 workflow-multibranch:2.24 workflow-scm-step:2.13 workflow-step-api:2.24 workflow-support:3.8 ws-cleanup:0.39 xml-job-to-job-dsl:0.1.13 xunit:2.3.9 ```

What Operating System are you using (both controller, and any agents involved in the problem)?

NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7"

Reproduction steps

  1. Using slave to run the pipeline.
  2. in one of the step I am using below code in one of the step def keyPathTest = "${WORKSPACE}/resources/keys/cosign" sh("chmod 777 ${WORKSPACE}/resources/keys/cosign") sh("cat ${WORKSPACE}/resources/keys/cosign") in_toto_wrap(['stepName': 'Test','keyPath': keyPathTest,'transport': '']) { echo "## At parallel 3" sh("ls -al") }
  3. Problem is, I am able to see the cosign key and able to print. But getting This signing keypath (/tmp/workspace/helm-helloworld_feature-rekor-sg/resources/keys/cosign) does not exist! error.
  4. I tried using jenkins credential, same problem with that also.

Note: When I run this code on msater directly, its able to find the provided key path.

Expected Results

Key Should be found from the slave workspace and proceed with the next step in creating link meta data.

Actual Results

ERROR: Key path or credentialId not found.

Anything else?

No response

SaiJyothiGudibandi commented 2 years ago

@lakshya8066 Can you please look into this.

adityasaky commented 2 years ago

Hi @SaiJyothiGudibandi, thanks for opening this issue. Are you running into this error specifically? https://github.com/jenkinsci/in-toto-plugin/blob/master/src/main/java/io/jenkins/plugins/intotorecorder/InTotoWrapper.java#L434-L435

I want to confirm it's indeed that and not a key type mismatch. Can you share the stack trace?

SaiJyothiGudibandi commented 2 years ago

@adityasaky Thanks for the response.

I am running pipeline on slave I tried with both key path and credential(secret file type).

For key path getting the below error.

adityasaky commented 2 years ago

Hmm, as an initial step, can you try passing in the absolute path to the key?