Details
-
Bug
-
Resolution: Duplicate
-
Medium
-
None
-
8.2.6
-
None
-
Severity 3 - Minor
-
Description
Problem
If the Bamboo Amazon S3 artifact handler configuration was disabled and saved with an empty Secret Access Key, Bamboo will log entries such as:
2023-01-06 18:08:35,348 INFO [https-jsse-nio-45825-exec-2 url: /build/admin/triggerManualBuild.action; user: username] [SecretEncryptionServiceImpl] Can't decrypt data. It's possible data was encrypted by different cipher. Run Bamboo with system property -Dbamboo.security.decryption.ignore.errors=true to ignore this error 2023-01-06 18:08:35,348 ERROR [https-jsse-nio-45825-exec-2 url: /build/admin/triggerManualBuild.action; user: username] [BambooPluginUtils] class com.atlassian.bamboo.build.artifact.S3ArtifactHandlerConfigurator has failed to decorate configuration for runtime java.lang.IllegalArgumentException: Unknown encrypted data format: [] at com.atlassian.bamboo.crypto.instance.SecretEncryptionServiceInternalImpl$ArmoredString.from(SecretEncryptionServiceInternalImpl.java:67) at com.atlassian.bamboo.crypto.instance.SecretEncryptionServiceInternalImpl.decrypt(SecretEncryptionServiceInternalImpl.java:101) at jdk.internal.reflect.GeneratedMethodAccessor307.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) ...
Hence for every build, the error and Java stack trace will be printed to the logs, causing a massive noise, and making it very hard to understand legitimate messages.
Environment
Bamboo 8.2, 9.0, 9.1
Steps to Reproduce
- Configure a valid Amazon S3 Artifact Handler, and make sure to use a manual Access Key and Secret access key (do not reuse the one used by Elastic Agents)
- On the Artifact Handlers configuration, enable both Amazon S3 Shared and Non-Shared artifacts - I have not tested with only one artifact type, but will probably be reproducible as well
- Have a Plan that would publish an artifact to S3 (run it at least once)
- Disable the Amazon S3 Shared and Non-Shared artifacts on the Artifact Handlers configuration and SAVE
- Click on "Change secret access key" and click on SAVE again (do not add a Secret access key) - it should remain empty
- Run the Plan again
- Observe the logs
Expected Results
Bamboo should run the Plan and not notify any errors or tentatives to decrypt data - Why is it even accessing S3 artifact handler information if it is disabled?
Actual Results
Bamboo tries to decrypt an empty string from the DB bandana.serialized_data#custom.artifactHandlers.comAtlassianBambooPluginArtifactHandlerRemote:S3ArtifactHandler:accessKeyId
<entry> <string>custom.artifactHandlers.comAtlassianBambooPluginArtifactHandlerRemote:S3ArtifactHandler:accessKeyId</string> <string/> </entry>
Workaround
- Add a valid Secret access key to the Amazon S3 artifact handler, but keep it disabled
- Review the Plans configuration (under "Other" tab) and validate if "Use custom artifact handler settings" >> "Amazon S3" is not enabled as well (to prevent users from using it)