Custom plugins with secret not being passed

I have written a simple plugin to curl artifacts to our Nexus server, but I can’t seem to pass the credential secrets to the plugin properly. I have tried many combinations of how to pass and none of them seem to work.

plugin_username
Events: push, tag, deployment
Images: docker.example.com/mq/drone-curl

plugin_password
Events: push, tag, deployment
Images: docker.example.com/mq/drone-curl

pipeline:
  build:
    image: alpine:3.7
    commands:
      - touch test_package.tgz
      - ls -l /tmp
  nexus:
    image: docker.example.com/mq/drone-curl
    pull: true
    file: test_package.tgz
    url: https://nexus3.example.com/repository/3rd-party/
    secrets: [ plugin_username, plugin_password ]

Following the docs.drone.io plugin guide I created a simple script using curl

#!/bin/sh
env

echo "User: ${PLUGIN_USERNAME}"
curl -v \
    -u ${PLUGIN_USERNAME}:${PLUGIN_PASSWORD} \
    -T ${PLUGIN_FILE} \
    ${PLUGIN_URL}

The plugin never seems to get the secrets passed to it, but the URL and FILE are there. I have tried variations of all sorts in the .drone.yml file, but I can't seem to get secrets passed. Any recommendations?

I recommend taking a look at this guide for working through issues with secrets: http://docs.drone.io/secrets-not-working/

The first thing that jumps out is that your bash command is missing $ when referencing environment variables:

-echo "User: {PLUGIN_USERNAME}" curl -v \ -u {PLUGIN_USERNAME}:{PLUGIN_PASSWORD} \ -T {PLUGIN_FILE} 
+echo "User: ${PLUGIN_USERNAME}" curl -v \ -u ${PLUGIN_USERNAME}:${PLUGIN_PASSWORD} \ -T ${PLUGIN_FILE} 
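Review bot: the `-u ${PLUGIN_USERNAME}:${PLUGIN_PASSWORD}` argument on the `+` line is still unquoted, so an empty secret silently becomes `-u :` and a password containing spaces or glob characters is word-split before curl sees it; quote it as `-u "${PLUGIN_USERNAME}:${PLUGIN_PASSWORD}"` (and `-T "${PLUGIN_FILE}"`). Note also that the echo and curl commands have been run together onto one line here with literal `\`; in the script they are separate lines with trailing line continuations, and the only intended change is the added `$` before each `{...}` expansion.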

The second thing that jumps out is that you are prefixing secrets with PLUGIN_. The PLUGIN_ prefix is not typically used for secrets and is reserved for parameters defined inline in the yaml file.

I would also make sure you post as much of the actual shell script and yaml file as possible, to ensure that a small but important detail is not being accidentally omitted.

The post removed my $ from the vars in the script.

$ drone secret ls ecray/test_curl
nexus_username
Events: push, tag, deployment
Images: <any>

nexus_password
Events: push, tag, deployment
Images: <any>

The plugin script

#!/bin/sh

echo "User: ${PLUGIN_NEXUS_USERNAME}"

env

curl -v \
    -u ${PLUGIN_NEXUS_USERNAME}:${PLUGIN_NEXUS_PASSWORD} \
    -T ${PLUGIN_FILE} \
    ${PLUGIN_URL}

pipeline:
  nexus:
    image: docker.example.com/mq/drone-curl
    pull: true
    file: test_package.tgz
    url: https://nexus3.example.com/repository/3rd-party/
    secrets: [ nexus_username, nexus_password ]

The command env shows all drone environment variables and shows the PLUGIN_URL and PLUGIN_FILE, but nothing else in regard to the secrets.

You should not use PLUGIN_ prefix for secrets. Change to:

#!/bin/sh

-echo "User: ${PLUGIN_NEXUS_USERNAME}"
+echo "User: ${NEXUS_USERNAME}"
env

curl -v \
-    -u ${PLUGIN_NEXUS_USERNAME}:${PLUGIN_NEXUS_PASSWORD} \
+    -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} \
        -T ${PLUGIN_FILE} \
        ${PLUGIN_URL}
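Review bot: the unchanged `env` context line still dumps the entire container environment into the build log, which after this change will include `NEXUS_USERNAME` and `NEXUS_PASSWORD` in clear text once the secrets are injected; keep it only while debugging, and prefer listing names without values (e.g. `env | cut -d= -f1`) so the log stays safe to share. The `+` line's `-u ${NEXUS_USERNAME}:${NEXUS_PASSWORD}` is also unquoted; `-u "${NEXUS_USERNAME}:${NEXUS_PASSWORD}"` avoids word-splitting on passwords with spaces or shell metacharacters.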

Also, in our secrets troubleshooting guide there is some additional information that we ask that you provide. Please make sure all items are included in this thread: http://docs.drone.io/secrets-not-working/#still-having-trouble

This should be everything relevant. I removed PLUGIN_ for secrets.

$ drone secret ls ecray/test_curl
nexus_username
Events: push, tag, deployment
Images: docker.example.com/drone-curl

nexus_password
Events: push, tag, deployment
Images: docker.example.com/drone-curl
$ drone repo info ecray/test_curl
Owner: ecray
Repo: test_curl
Type: git
Config: .drone.yml
Visibility: private
Private: true
Trusted: false
Gated: false
Remote: https://github.example.com/ecray/test_curl.git

$ drone build info ecray/test_curl 30
Number: 30
Status: success
Event: pull_request
Commit: 0d6b13230ed83f3b067fd2f398000a1141869acd
Branch: master
Ref: refs/pull/1/merge
Message: adding tests
Author: ecray

.drone.yml file

pipeline:
  build:
    image: docker.example.com/alpine:3.7
    commands:
      - touch test_package.tgz
  nexus:
    image: docker.example.com/drone-curl
    pull: true
    file: test_package.tgz
    url: https://nexus3.example.com/repository/3rd-party/
    secrets: [ nexus_username, nexus_password ]

Plugin script

#!/bin/sh
echo "User: ${NEXUS_USERNAME}"

#env

curl -v \
    -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} \
    -T ${PLUGIN_FILE} \
    ${PLUGIN_URL}

Example from build:

User:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 1.1.1.3

* TCP_NODELAY set
* Connected to nexus3.example.com (1.1.1.3) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [233 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4765 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
...  removing identity info
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.10.2
< Date: Fri, 22 Jun 2018 02:53:00 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=5
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
< X-Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
* Authentication problem. Ignoring this.
< WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
* HTTP error before end of send, stop sending
<
{ [5 bytes data]

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]

Thanks for the help!

I JUST fixed it.

+ -event pull_request

The secrets did not have pull_request events. This is the first time I have had to do this, which seems very strange considering I have over 50 jobs using secrets with plugins.

Yep, that would be the issue. Secrets are disabled by default for pull request events, for security reasons, and need to be manually enabled.
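As an added example (not the original poster's plugin or any Drone project code), here is how the plugin script from this thread can fail fast with a clear message when a secret was not injected, for instance because the secret is not enabled for the pull_request event, instead of sending an empty `-u :` and getting a 401. It also passes the credential to curl through a config on stdin rather than a command-line argument, and logs only variable names, never values. The variable names `NEXUS_USERNAME`, `NEXUS_PASSWORD`, `PLUGIN_FILE` and `PLUGIN_URL` are the ones the thread settles on; the `CI=drone` guard assumes the variable Drone sets inside pipeline containers, and the function names are my own.

```shell
#!/bin/sh
# Added example, not the thread author's plugin script. It uses the variable
# names the thread settles on: secrets arrive as NEXUS_USERNAME and
# NEXUS_PASSWORD, inline yaml parameters as PLUGIN_FILE and PLUGIN_URL.

# Return 0 when every required variable is set and non-empty; otherwise list
# the names of the missing ones (never their values) on stderr and return 1.
check_inputs() {
    missing=""
    for name in NEXUS_USERNAME NEXUS_PASSWORD PLUGIN_FILE PLUGIN_URL; do
        eval "value=\${$name}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "error: missing required variables:$missing" >&2
        echo "hint: a secret is only injected for the events enabled on it (push, tag, deployment, pull_request)" >&2
        return 1
    fi
    return 0
}

# Escape backslashes and double quotes for a quoted curl config value.
esc() {
    printf '%s' "$1" | sed 's/["\\]/\\&/g'
}

# Emit a curl config on stdout so the credential reaches curl via stdin
# (--config -) instead of as a -u argument visible in the process list.
curl_config() {
    printf 'user = "%s:%s"\n' "$(esc "$NEXUS_USERNAME")" "$(esc "$NEXUS_PASSWORD")"
    printf 'upload-file = "%s"\n' "$(esc "$PLUGIN_FILE")"
    printf 'url = "%s"\n' "$(esc "$PLUGIN_URL")"
    printf 'fail\n'          # a 401 or other non-2xx fails the pipeline step
    printf 'silent\nshow-error\n'
}

main() {
    check_inputs || exit 1
    # Log the username and parameters only; never echo the password or dump env.
    echo "Uploading ${PLUGIN_FILE} to ${PLUGIN_URL} as ${NEXUS_USERNAME}"
    curl_config | curl --config -
}

# Assumption: Drone sets CI=drone inside pipeline containers, so the upload
# runs only there and the functions can be sourced elsewhere for testing.
if [ "${CI:-}" = "drone" ]; then
    main
fi
```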