hashicorp-vault-plugin icon indicating copy to clipboard operation
hashicorp-vault-plugin copied to clipboard

Published 20 hours ago verified publisher icon jenkinsci

Illegal character(s) in message header; Vault response returned 0 for secret path

Open jdhines opened this issue 1 year ago • 1 comments

Jenkins and plugins versions report

Environment 
Jenkins: 2.387.1
OS: Linux - 5.4.0-144-generic
Java: 11.0.18 - Ubuntu (OpenJDK 64-Bit Server VM)
---
ant:1.13
antisamy-markup-formatter:155.v795fb_8702324
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5
authentication-tokens:1.4
bootstrap4-api:4.6.0-3
bootstrap5-api:5.2.2-2
bouncycastle-api:2.26
branch-api:2.1071.v1a_188a_562481
build-timeout:1.28
build-with-parameters:1.6
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:2.0.0
cloudbees-folder:6.815.v0dd5a_cb_40e0e
command-launcher:90.v669d7ccb_7c31
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-36.vc008c8fcda_7b_
conditional-buildstep:1.4.1
config-file-provider:3.11.1
credentials:1224.vc23ca_a_9a_2cb_0
credentials-binding:523.vd859a_4b_122e6
data-tables-api:1.13.3-3
declarative-pipeline-migration-assistant:1.5.6
declarative-pipeline-migration-assistant-api:1.5.6
display-url-api:2.3.7
docker-commons:1.19
docker-workflow:1.28
durable-task:504.vb10d1ae5ba2f
echarts-api:5.4.0-1
email-ext:2.95
envinject:2.839.v52c702c10635
envinject-api:1.180.v98d833b_27470
external-monitor-job:203.v683c09d993b_9
font-awesome-api:6.3.0-2
git:5.0.0
git-client:4.2.0
git-parameter:0.9.17
git-server:1.10
github-api:1.301-378.v9807bd746da5
gradle:1.38
hashicorp-vault-plugin:360.v0a_1c04cf807d
instance-identity:116.vf8f487400980
ionicons-api:45.vf54fca_5d2154
jackson2-api:2.14.2-319.v37853346a_229
jakarta-activation-api:2.0.1-2
jakarta-mail-api:2.0.1-2
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-5
javax-mail-api:1.6.2-8
jaxb:2.3.7-1
jdk-tool:63.v62d2fd4b_4793
jnr-posix-api:3.1.7-2
job-import-plugin:3.6
jquery:1.12.4-1
jquery3-api:3.6.4-1
jsch:0.1.55.2
junit:1189.v1b_e593637fa_e
ldap:2.8
lockable-resources:1131.vb_7c3d377e723
mailer:448.v5b_97805e3767
mapdb-api:1.0.9.0
matrix-auth:3.1.5
matrix-project:785.v06b_7f47b_c631
maven-plugin:3.16
mina-sshd-api-common:2.9.2-50.va_0e1f42659a_a
mina-sshd-api-core:2.9.2-50.va_0e1f42659a_a
nodejs:1.6.0
nvm-wrapper:0.1.7
okhttp-api:4.9.3-105.vb96869f8ac3a
pam-auth:1.7
parameterized-trigger:2.45
pipeline-build-step:488.v8993df156e8d
pipeline-github-lib:36.v4c01db_ca_ed16
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:629.vb_5627b_ee2104
pipeline-input-step:466.v6d0a_5df34f81
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2125.vddb_a_44a_d605e
pipeline-model-definition:2.2125.vddb_a_44a_d605e
pipeline-model-extensions:2.2125.vddb_a_44a_d605e
pipeline-rest-api:2.32
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2125.vddb_a_44a_d605e
pipeline-stage-view:2.32
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.2.0
popper-api:1.16.1-2
popper2-api:2.11.6-2
resource-disposer:0.17
run-condition:1.5
scm-api:631.v9143df5b_e4a_a
script-security:1229.v4880b_b_e905a_6
show-build-parameters:1.0
snakeyaml-api:1.29.1
ssh-credentials:305.v8f4381501156
ssh-slaves:1.25
sshd:3.249.v2dc2ea_416e33
structs:324.va_f5d6774f3a_d
subversion:2.15.5
thinBackup:1.10
timestamper:1.17
token-macro:321.vd7cc1f2a_52c8
trilead-api:2.84.v72119de229b_7
variant:59.vf075fe829ccb
workflow-aggregator:596.v8c21c963d92d
workflow-api:1208.v0cc7c6e0da_9e
workflow-basic-steps:1010.vf7a_b_98e847c1
workflow-cps:3653.v07ea_433c90b_4
workflow-cps-global-lib:588.v576c103a_ff86
workflow-durable-task-step:1241.v1a_63e465f943
workflow-job:1289.vd1c337fd5354
workflow-multibranch:733.v109046189126
workflow-scm-step:408.v7d5b_135a_b_d49
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:839.v35e2736cfd5c
ws-cleanup:0.40

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 20

Reproduction steps

  1. Create a freestyle job
  2. Check the box for Vault plugin
  3. Provide Vault path and credentials
  4. Provide secrets path
  5. Store the secret in a variable
  6. Use script to echo the variable

Expected Results

Expected the job to run and use the credentials pulled. Confirmed the paths are correct (as they can be pulled from the same API URI outside of Jenkins).

Actual Results

The job failed due to being unable to get credentials.

Console output:

Running as SYSTEM
[EnvInject] - Loading node environment variables.
Building in workspace /var/lib/jenkins/jobs/test_vault_plugin/workspace
Retrieving secret: <secret URL redacted>
FATAL: Vault response returned 0 for secret path <secret path redacted>
java.lang.IllegalArgumentException: Illegal character(s) in message header value: <this spits out the Vault token>

	at java.base/sun.net.www.protocol.http.HttpURLConnection.checkMessageHeader(HttpURLConnection.java:559)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.isExternalMessageHeaderAllowed(HttpURLConnection.java:494)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.setRequestProperty(HttpURLConnection.java:3189)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.setRequestProperty(HttpsURLConnectionImpl.java:312)
	at com.bettercloud.vault.rest.Rest.get(Rest.java:278)
Caused: com.bettercloud.vault.rest.RestException
	at com.bettercloud.vault.rest.Rest.get(Rest.java:288)
	at com.bettercloud.vault.api.Logical.read(Logical.java:94)
Caused: com.bettercloud.vault.VaultException
	at com.bettercloud.vault.api.Logical.read(Logical.java:120)
	at com.bettercloud.vault.api.Logical.read(Logical.java:76)
	at com.datapipe.jenkins.vault.VaultAccessor.read(VaultAccessor.java:117)
	at com.datapipe.jenkins.vault.VaultAccessor.retrieveVaultSecrets(VaultAccessor.java:169)
Caused: com.datapipe.jenkins.vault.exception.VaultPluginException: Vault response returned 0 for secret path <secret path redacted>
	at com.datapipe.jenkins.vault.VaultAccessor.retrieveVaultSecrets(VaultAccessor.java:188)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:99)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:73)
	at jenkins.tasks.SimpleBuildWrapper.setUp(SimpleBuildWrapper.java:294)
	at hudson.model.Build$BuildExecution.doRun(Build.java:158)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:526)
	at hudson.model.Run.execute(Run.java:1900)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:44)
	at hudson.model.ResourceController.execute(ResourceController.java:101)
	at hudson.model.Executor.run(Executor.java:442)
Finished: FAILURE

Anything else?

No response

jdhines avatar Apr 06 '23 17:04 jdhines