- Type: Bug
- Resolution: Fixed
- Priority: Low
- Affects Version/s: None
- Component/s: Bamboo Specs
- Severity 3 - Minor
Issue Summary
If you run a Spec via RSS when the deployment project to be created already exists, and that project has an undecryptable secret stored in one of its variables, then the spec will fail with a "pad block corrupted" error.
Environment
- sandbox-bamboo.internal.atlassian.com
- Bamboo version 6.9.0-m644 build 60901 - 11 Mar 19
- using Repository Stored Specs
Steps to Reproduce
1. Scan a spec that contains an encrypted secret that was generated on a different Bamboo instance (in my case, this was server-syd.internal.atlassian.com). For example, include this in the spec:
.variables(new Variable("micros.token.password", "BAMSCRT@0@0@3GPaSljgVp43rDYn5Cpq6waAfEnRy/oTBqId8Z0wbZT2StKg4P4Wk6tHwXZuXXo0"))
2. In my case, the scan failed, either because of this undecryptable secret or for some other reason (not sure).
3. Remove the secret from the spec and re-run it
4. The re-run fails with a "pad block corrupted" error
Expected Results
A correct spec throws no errors regardless of existing invalid secrets.
Actual Results
Bamboo seems to be trying to decrypt the existing secrets, which causes the Spec to fail if any of those existing secrets can't be decrypted for some reason (in my case because they were generated on a different instance).
The below exception is thrown in the spec-logs log file:
org.bouncycastle.crypto.InvalidCipherTextException: pad block corrupted
java.lang.RuntimeException: org.bouncycastle.crypto.InvalidCipherTextException: pad block corrupted
    at com.google.common.base.Throwables.propagate(Throwables.java:160)
    at com.atlassian.bamboo.crypto.instance.SecretEncryptionServiceInternalImpl.decrypt(SecretEncryptionServiceInternalImpl.java:137)
    at com.atlassian.bamboo.crypto.instance.SecretEncryptionServiceInternalImpl.decrypt(SecretEncryptionServiceInternalImpl.java:109)
    at sun.reflect.GeneratedMethodAccessor336.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:206)
    at com.sun.proxy.$Proxy240.decrypt(Unknown Source)
    at com.atlassian.bamboo.crypto.instance.SecretEncryptionServiceImpl.decrypt(SecretEncryptionServiceImpl.java:21)
    at sun.reflect.GeneratedMethodAccessor335.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:206)
    at com.sun.proxy.$Proxy213.decrypt(Unknown Source)
    at com.atlassian.bamboo.variable.VariableDefinitionManagerImpl.decrypt(VariableDefinitionManagerImpl.java:190)
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
    at com.atlassian.bamboo.variable.VariableDefinitionManagerImpl.decrypt(VariableDefinitionManagerImpl.java:199)
    at com.atlassian.bamboo.variable.VariableDefinitionManagerImpl.getDeploymentEnvironmentVariables(VariableDefinitionManagerImpl.java:129)
    at com.atlassian.bamboo.variable.VariableConfigurationServiceImpl.lambda$setDeploymentEnvironmentVariables$7(VariableConfigurationServiceImpl.java:250)
    at com.atlassian.bamboo.core.ScopedExclusionServiceHelper$2.apply(ScopedExclusionServiceHelper.java:119)
    at com.atlassian.bamboo.core.ScopedExclusionServiceHelper$2.apply(ScopedExclusionServiceHelper.java:115)
    at com.atlassian.bamboo.core.ScopedExclusionServiceImpl.withLock(ScopedExclusionServiceImpl.java:63)
    at com.atlassian.bamboo.variable.VariableConfigurationServiceImpl.setDeploymentEnvironmentVariables(VariableConfigurationServiceImpl.java:247)
    at com.atlassian.bamboo.configuration.external.DeploymentImportServiceImpl.updateEnvironmentData(DeploymentImportServiceImpl.java:727)
    at com.atlassian.bamboo.configuration.external.DeploymentImportServiceImpl.updateEnvironments(DeploymentImportServiceImpl.java:660)
    at com.atlassian.bamboo.configuration.external.DeploymentImportServiceImpl.lambda$modifyExistingDeploymentFunction$6(DeploymentImportServiceImpl.java:497)
    at com.atlassian.bamboo.core.ScopedExclusionServiceImpl.tryWithLock(ScopedExclusionServiceImpl.java:74)
    at com.atlassian.bamboo.configuration.external.DeploymentImportServiceImpl.modifyExistingDeployment(DeploymentImportServiceImpl.java:445)
    at com.atlassian.bamboo.configuration.external.DeploymentImportServiceImpl.lambda$importDeployment$0(DeploymentImportServiceImpl.java:267)
    at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140)
    at com.atlassian.bamboo.persistence.BambooTransactionHibernateTemplate.execute(BambooTransactionHibernateTemplate.java:28)
    at com.atlassian.bamboo.configuration.external.DeploymentImportServiceImpl.importDeployment(DeploymentImportServiceImpl.java:247)
    at com.atlassian.bamboo.configuration.external.RepositoryStoredSpecsServiceImpl.importDeploymentProperties(RepositoryStoredSpecsServiceImpl.java:968)
    at com.atlassian.bamboo.configuration.external.RepositoryStoredSpecsServiceImpl.importBambooYamlForDeploymentProject(RepositoryStoredSpecsServiceImpl.java:964)
    at com.atlassian.bamboo.configuration.external.RepositoryStoredSpecsServiceImpl.lambda$importBambooYamlsOfAllTypes$7(RepositoryStoredSpecsServiceImpl.java:659)
    at com.atlassian.bamboo.configuration.external.RepositoryStoredSpecsServiceImpl.importBambooYamlsWithImporter(RepositoryStoredSpecsServiceImpl.java:695)
    at com.atlassian.bamboo.configuration.external.RepositoryStoredSpecsServiceImpl.importBambooYamlsOfAllTypes(RepositoryStoredSpecsServiceImpl.java:664)
    at com.atlassian.bamboo.configuration.external.RepositoryStoredSpecsServiceImpl.processSpecs(RepositoryStoredSpecsServiceImpl.java:440)
    at com.atlassian.bamboo.configuration.external.RepositoryStoredSpecsServiceImpl.runBambooSpecs(RepositoryStoredSpecsServiceImpl.java:291)
    at com.atlassian.bamboo.configuration.external.RssDetectionServiceImpl.runRssDetection(RssDetectionServiceImpl.java:262)
    at com.atlassian.bamboo.configuration.external.detection.RssDetectionRunnable.run(RssDetectionRunnable.java:42)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at com.atlassian.bamboo.utils.BambooRunnables$1.run(BambooRunnables.java:48)
    at com.atlassian.bamboo.security.ImpersonationHelper.runWith(ImpersonationHelper.java:26)
    at com.atlassian.bamboo.security.ImpersonationHelper.runWithSystemAuthority(ImpersonationHelper.java:17)
    at com.atlassian.bamboo.security.ImpersonationHelper$1.run(ImpersonationHelper.java:41)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.bouncycastle.crypto.InvalidCipherTextException: pad block corrupted
    at org.bouncycastle.crypto.paddings.PKCS7Padding.padCount(Unknown Source)
    at org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher.doFinal(Unknown Source)
    at com.atlassian.bamboo.crypto.instance.SecretEncryptionServiceInternalImpl.decrypt(SecretEncryptionServiceInternalImpl.java:135)
    ... 56 more
Notes
- Spec source code is here (run revision 262b0c41cc1 to create the invalid secret)
- Linked repo (where you can see the Specs run history) is here
Workaround
The workaround suggested by BuildEng was to delete the deployment project, which did the trick (presumably this deleted the stored undecryptable secret).
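The failure mode in this report, as an added example (not Bamboo's code and not the fix that was shipped): a value encrypted under one instance's key fails the PKCS#7 padding check when decrypted under another instance's key, and decrypting stored variables one at a time lets an import skip the bad entry instead of aborting. AES/CBC through the JDK's `javax.crypto`, the class and method names, the `deploy.user.password` variable and the sample plaintexts are assumptions; the page does not state which block cipher Bamboo uses.

```java
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.*;

public class TolerantSecretImport {
    // Hypothetical stand-in for a per-instance key; not Bamboo's key handling.
    static SecretKey newInstanceKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }
    // Stored blob layout (assumed for this example): 16-byte IV followed by ciphertext.
    static byte[] encrypt(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(16 + ct.length).put(iv).put(ct).array();
    }
    // A wrong key almost always fails the padding check (BadPaddingException here,
    // "pad block corrupted" in Bouncy Castle). Padding is not an integrity check:
    // occasionally a wrong key passes it and garbage comes back instead.
    static Optional<String> tryDecrypt(SecretKey key, byte[] blob) {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, 16));
            return Optional.of(new String(c.doFinal(blob, 16, blob.length - 16), StandardCharsets.UTF_8));
        } catch (BadPaddingException e) {
            return Optional.empty();           // undecryptable under this instance's key
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e); // misconfiguration, not a bad secret
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey instanceA = newInstanceKey(), instanceB = newInstanceKey();
        Map<String, byte[]> stored = new LinkedHashMap<>(); // constructed sample variables
        stored.put("deploy.user.password", encrypt(instanceB, "constructed-local-value"));
        stored.put("micros.token.password", encrypt(instanceA, "constructed-foreign-value"));
        for (Map.Entry<String, byte[]> v : stored.entrySet()) { // instance B reads its store
            String status = tryDecrypt(instanceB, v.getValue()).map(p -> "decrypted").orElse("UNDECRYPTABLE, skipped");
            System.out.println(v.getKey() + ": " + status);
        }
    }
}
```

Because a padding check can pass by chance under the wrong key, an authenticated mode such as AES-GCM is the reliable way to detect a secret that was encrypted under a different key.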