Sorry for the typos in my previous email. Just to make clear what I was saying about “echo”:
1. echo doesn’t shell-eval the rest of its arguments; it prints them, so you’re never actually invoking `cksum`, just printing the word “cksum” 2. the masking is evidence that you’re getting the real value of the secure variable because GoCD is hiding it for security reasons 3. If you really want to print the checksum, then change your conmand to just `cksum $GOCD_ACCESS_TOKEN` (i.e., without the preceding `echo`) On Sun, Feb 21, 2021 at 3:05 AM Marques Lee <[email protected]> wrote: > Hi there, no worries on the delay. > > When you say `echo cksum $GOCD_ACCESS_TOKEN` it's probably not doing what > you want. You’re literally echoing the work “cksum” followed by the access > token. You probably don’t want the `echo` If your intent was to display the > checksum of the secret. GoCD will print whatever is on stdout or stderr > from `cksum` to the console. > > Which brings me to my next point. GoCD masks secrets it knows about from > the console. Meaning, if it finds some console text that matches a known > secure environment variable, it replaces it with a series of asterisks of a > fixed, arbitrary length. > > Thus, the fact that it masked the value that you echoed means it printed a > secure variable. So I would conclude that your script is receiving the > right value from the environment. > > So, I’d say that solves the problem you were facing? > > On Sun, Feb 21, 2021 at 2:54 AM Sriram Narayanan <[email protected]> > wrote: > >> I the past, I've faced a similar issue where some special characters were >> escaped (or should have been escaped) and I faced such a mismatch. >> >> My solution at that time was to change the passphrase and use other >> special characters. >> >> Could you share the non-alphabetic non-numeric characters in the >> GOCD_ACCESS_TOKEN? >> >> Since you mentioning these Windows-based text editors, I wonder if >> there's some unicode related activity going on. >> >> Could you also try generating a new API token and using that instead? >> (You could set up GoCD locally and try, too). >> >> -- Ram >> >> On Sun, Feb 21, 2021 at 6:40 PM Gabriel Callaghan < >> [email protected]> wrote: >> >>> Hi, >>> >>> Thank you for your reply - sorry I got pulled away to another task. >>> >>> For the task config: >>> >>> Command: /bin/sh >>> >>> Arguments: ./{companyName}/game-deploy/checkToken.sh >>> >>> Inside the script: >>> >>> #! /bin/bash >>> >>> curl "https://{COMPANY NAME}/go/api/stages/testStage/Deploy/history" \ >>> -H "Authorization: Bearer $GOCD_ACCESS_TOKEN" \ >>> -H 'Accept: application/vnd.go.cd.v3+json' >>> >>> echo cksum $GOCD_ACCESS_TOKEN >>> >>> I have taken your suggestion of wrapping this in a script rather than >>> having it as an argument. It now passes but in the console it shows "cksum >>> *******". How would I be able to compare the cksum of the token if it is >>> hidden from me? I already have the cksum from when I tested on VS Code, I >>> am not sure how to proceed in GOCD. >>> >>> From some testing, I found that if I use my personal access token in >>> this script on Notepad++, it will return an answer. If I use >>> GOCD_ACCESS_TOKEN in Notepad, it will fail, telling me I am not >>> authenticated. However it will pass in the same script in GOCD. >>> >>> If I am correct and that when "cksum ****" appears, that means I have >>> passed the auth check, I am still not sure how I managed to fix the problem >>> for when this happens in the future. >>> >>> What would your advice for my next steps be? >>> >>> Thank you, >>> Gabes. >>> >>> On Fri, Feb 19, 2021 at 11:48 AM Marques Lee < >>> [email protected]> wrote: >>> >>>> Can you post your task config? Just a guess before actually seeing your >>>> config is that you might be putting ${GOCD_ACCESS_TOKEN} as a raw argument. >>>> Since the arguments are effectively shell-escaped, `curl` might be sending >>>> the literal text ${GOCD_ACCESS_TOKEN} instead of interpolating your secret >>>> variable. >>>> >>>> The solution to that is to either: >>>> >>>> - Wrap your `curl` call with `bash -c`, or >>>> - Wrap this in a script and call your script >>>> >>>> In either case above, curl will receive the interpolated value. >>>> >>>> But, let's take a look at your task config to confirm what's going on. >>>> >>>> Best, >>>> >>>> Marques >>>> >>>> On Thu, Feb 18, 2021 at 1:58 PM Gabriel Callaghan < >>>> [email protected]> wrote: >>>> >>>>> Hi, >>>>> >>>>> I have a script which does an API call. To authenticate myself, I use >>>>> a token. >>>>> >>>>> $ curl ' >>>>> https://ci.example.com/go/api/stages/mypipeline/defaultStage/history' >>>>> \ >>>>> -H "Authorization: Bearer ${GOCD_ACCESS_TOKEN}" \ >>>>> -H 'Accept: application/vnd.go.cd.v3+json' >>>>> >>>>> When I use this api, if in my script I use my personal access token >>>>> generated by GOCD, the call works. However, if I have the same API call >>>>> with the same token, but the token is inside the secure variable section >>>>> of >>>>> the pipeline, and called using ${GOCD_ACCESS_TOKEN}, I am unable to get >>>>> authenticated. >>>>> >>>>> I have tried to hash the token to see if it matches. When doing cksum >>>>> on my personal token inside my script, I get a different result from if I >>>>> did cksum <<<${GOCD_ACCESS_TOKEN}. >>>>> >>>>> I am a junior, so I have much to learn and I would apperciate any help >>>>> in understanding how to resolve this issue. >>>>> >>>>> Thank you :) >>>>> Gabes. >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "go-cd" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/go-cd/2a219c35-6c78-4ae3-8070-1e2a54118638n%40googlegroups.com >>>>> <https://groups.google.com/d/msgid/go-cd/2a219c35-6c78-4ae3-8070-1e2a54118638n%40googlegroups.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "go-cd" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/go-cd/CAPKX9jZAnKGrupURs%3DrmR5FXceBowfG_WLQFUFdVPEYnqut70A%40mail.gmail.com >>>> <https://groups.google.com/d/msgid/go-cd/CAPKX9jZAnKGrupURs%3DrmR5FXceBowfG_WLQFUFdVPEYnqut70A%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "go-cd" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/go-cd/CAKV4bkeVVUaObxjv1S-j478UzuTDjv1d8TEhRJ%3D1U%2BCkkX69cA%40mail.gmail.com >>> <https://groups.google.com/d/msgid/go-cd/CAKV4bkeVVUaObxjv1S-j478UzuTDjv1d8TEhRJ%3D1U%2BCkkX69cA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "go-cd" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/go-cd/CANiY96YQDRTgzpMPDiG6kMkNDU5kaN1MP9O2wiixm%2BKhzHKLpQ%40mail.gmail.com >> <https://groups.google.com/d/msgid/go-cd/CANiY96YQDRTgzpMPDiG6kMkNDU5kaN1MP9O2wiixm%2BKhzHKLpQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "go-cd" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/CAPKX9ja_qf4Gx7RBCb0GmvgBkCnXr3ok-iwYiWWr_t-8VQSaDA%40mail.gmail.com.
