[JIRA] [core] (JENKINS-34775) Broken jobs after upgrade to 1.651.2 security update

[leandro.lucarella@sociomantic.com (JIRA)]

Leandro Lucarella created an issue

Jenkins / JENKINS-34775 Broken jobs after upgrade to 1.651.2 security update Issue Type: Bug Assignee: Unassigned Components: core Created: 2016/May/12 6:01 PM Environment: Ubuntu 14.04 Priority: Blocker Reporter: Leandro Lucarella After upgrading to 1.651.2 security update, jobs are getting this error: FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:644) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049) at hudson.model.User.get(User.java:395) at hudson.model.User.get(User.java:364) at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374) at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:346) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672) at hudson.model.Run.execute(Run.java:1763) at hudson.matrix.MatrixRun.run(MatrixRun.java:146) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:410) Also, in the "Manage Old Data" section, I see very suspicious stuff: hudson.matrix.MatrixRun Team » carbon-c-relay » precise #2 1.653 hudson.matrix.MatrixBuild Team » proj #22 1.653 hudson.model.FreeStyleBuild Team » other #255 1.653 Why is there any data in 1.653 format if I'm using 1.651.2 (and upgraded from 1.651.1)? Is there any archive with old debian packages to be able to downgrade? All our jobs are broken now. Thanks! Add Comment

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

[leandro.lucarella@sociomantic.com (JIRA)]

Leandro Lucarella commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update I could find the old version in http://pkg.jenkins-ci.org/debian-stable/ and reverted and all works fine with 1.651.1.

Add Comment

[marco@eveoh.nl (JIRA)]

Marco Krikke commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Same issue here, downgrading Jenkins resolved the issue. After upgrading to 2.3, I did not update any plugins. The only change was related to the Github Pull Request Builder (adding the -Dhudson.model.ParametersAction.safeParameters parameter, see JENKINS-34762). In which step in the job do you see this error? For me, it seems related to updating the commit status by the Github Pull Request builder plugin (test results are recorded). 00:04:23.555 Total time: 4 mins 15.361 secs 00:04:24.812 Build step 'Invoke Gradle script' changed build result to SUCCESS 00:04:24.820 [workspace] $ /bin/sh -xe /tmp/hudson3135090572493614307.sh 00:04:24.824 + find . -name TEST-*.xml -type f -exec touch {} ; 00:04:53.112 Recording test results 00:04:54.418 FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken 00:04:54.419 java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken 00:04:54.419 at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:639) 00:04:54.419 at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1048) 00:04:54.419 at hudson.model.User.get(User.java:394) 00:04:54.419 at hudson.model.User.get(User.java:363) 00:04:54.419 at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374) 00:04:54.419 at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435) 00:04:54.419 at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350) 00:04:54.419 at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:346) 00:04:54.419 at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672) 00:04:54.419 at hudson.model.Run.execute(Run.java:1763) 00:04:54.419 at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 00:04:54.419 at hudson.model.ResourceController.execute(ResourceController.java:98) 00:04:54.419 at hudson.model.Executor.run(Executor.java:410) 00:04:54.722 Setting status of xxx to FAILURE with url https://xxx/job/xxx/4095/ and message: 'Build failed 00:04:54.722 ' 00:04:55.165 Finished: FAILURE

Add Comment

[leandro.lucarella@sociomantic.com (JIRA)]

Leandro Lucarella commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

After recording fingerprints: Recording test results Archiving artifacts Recording fingerprints FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:644) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049) ... The step after recording fingerprints in the job there is the Chuck Norris plugin and that's the last step in the job.

Add Comment

[leandro.lucarella@sociomantic.com (JIRA)]

Leandro Lucarella edited a comment on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

After recording  artefact’s  fingerprints: {noformat}

Recording test results Archiving artifacts Recording fingerprints FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:644) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049) ...

{noformat}

The step after recording fingerprints in the job there is the Chuck Norris plugin and that's the last step in the job.

Add Comment

[marco@eveoh.nl (JIRA)]

Marco Krikke commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Are you running a Pull Request job using the Github Pull Request Builder plugin? Not sure when that plugin sets the commit status, but that might be the last step in the build?

Add Comment

[leandro.lucarella@sociomantic.com (JIRA)]

Leandro Lucarella commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Yes, I am, so it could be that.

Add Comment

[marco@eveoh.nl (JIRA)]

Marco Krikke updated an issue

Jenkins / JENKINS-34775

Broken jobs after upgrade to 1.651.2 security update

Change By: Marco Krikke Component/s: ghprb-plugin

Add Comment

[marco@eveoh.nl (JIRA)]

Marco Krikke commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update Honza Brázdil any clue if this is related to the ghprb-plugin? Thanks.

Add Comment

[nick.lykins@bigasssolutions.com (JIRA)]

Nick Lykins commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

We were seeing the same thing on our system after upgrading to Jenkins 2.3. A downgrade back to 2.2 resolved the issue. It was concerning though since we saw the problem occurring in some build jobs but not other ones. I can confirm, in cases where it happened, it was associated with the "setting commit status" build step. The failures were happening in cases where the builds were kicked off by an upstream pull request job. 14:25:11 Setting commit status on GitHub for https://github.com/*** 14:25:11 Archiving artifacts 14:25:12 FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken 14:25:12 java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken 14:25:12 at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:639) 14:25:12 at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1048) 14:25:12 at hudson.model.User.get(User.java:394) 14:25:12 at hudson.model.User.get(User.java:363) 14:25:12 at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374) 14:25:12 at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435) 14:25:12 at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350) 14:25:12 at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672) 14:25:12 at hudson.model.Run.execute(Run.java:1763) 14:25:12 at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 14:25:12 at hudson.model.ResourceController.execute(ResourceController.java:98) 14:25:12 at hudson.model.Executor.run(Executor.java:410)??

Add Comment

[nick.lykins@bigasssolutions.com (JIRA)]

Nick Lykins edited a comment on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

We were seeing the same thing on our system after upgrading to Jenkins 2.3. A downgrade back to 2.2 resolved the issue. It was concerning though since we saw the problem occurring in some build jobs but not other ones. I can confirm, in cases where it happened, it was associated with the "setting commit status" build step. The failures were happening in cases where the builds were kicked off by an upstream pull request job.  Note, this was happening on a Windows build machine, so the issue doesn't seem to be platform specific. {code:java}

14:25:11 Setting commit status on GitHub for https://github.com/*** 14:25:11 Archiving artifacts 14:25:12 FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken 14:25:12 java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken 14:25:12  at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:639) 14:25:12  at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1048) 14:25:12  at hudson.model.User.get(User.java:394) 14:25:12  at hudson.model.User.get(User.java:363) 14:25:12  at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374) 14:25:12  at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435) 14:25:12  at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350) 14:25:12  at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672) 14:25:12  at hudson.model.Run.execute(Run.java:1763) 14:25:12  at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 14:25:12  at hudson.model.ResourceController.execute(ResourceController.java:98) 14:25:12  at hudson.model.Executor.run(Executor.java:410)??

{code}

Add Comment

[scb147@bakerpage.com (JIRA)]

Shawn Baker commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

I'm seeing this issue too, and I upgraded from 1.625.3 to 1.651.2. Same old data messages with something about 1.653 as the version. It looked fishy, so I reverted back to 1.625.3.

Add Comment

[lee.porte@footballradar.com (JIRA)]

Lee Porte commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Looks like I'll be downgrading to 2.2 unless there is progress on this issue over the weekend.

Add Comment

[adeza@redhat.com (JIRA)]

Alfredo Deza commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

This seems to be linked to the ghprb-plugin but this looks like a github-oauth-plugin issue. We are facing the same problems

Add Comment

[lee.porte@footballradar.com (JIRA)]

Lee Porte commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

I saw this issue with the previous github-oauth-plugin.

Add Comment

[chris@orr.me.uk (JIRA)]

Christopher Orr commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

This is related to the fix for SECURITY-243 mentioned here: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 Enabling the system property mentioned in that part of the security advisory should temporarily work around this problem.

Add Comment

[chris@orr.me.uk (JIRA)]

Christopher Orr updated an issue

Jenkins / JENKINS-34775

Broken jobs after upgrade to 1.651.2 security update

Change By: Christopher Orr Labels: security-243

Add Comment

[chris@orr.me.uk (JIRA)]

Christopher Orr updated an issue

Jenkins / JENKINS-34775 Broken jobs after upgrade to 1.651.2 security update

Change By: Christopher Orr Component/s: google-oauth-plugin Component/s: core Component/s: ghprb-plugin

Add Comment

[chris@orr.me.uk (JIRA)]

Christopher Orr assigned an issue to Andrey Stroilov

Jenkins / JENKINS-34775 Broken jobs after upgrade to 1.651.2 security update

Change By: Christopher Orr Assignee: Andrey Stroilov

Add Comment

[lee.porte@footballradar.com (JIRA)]

Lee Porte commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update As a workaround I added in -Dhudson.model.ParametersAction.keepUndefinedParameters=true To bypass this security update. This can be seen as being passed to jenkins jenkins 14461 0.0 0.0 18744 604 ? S 10:08 0:00 /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /usr/bin/java -Djava.awt.headless=true -Dhudson.model.ParametersAction.keepUndefinedParameters=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1 Upon a build running I am still seeing

FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast

to org.jenkinsci.plugins.GithubAuthenticationToken java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:639) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1048) at hudson.model.User.get(User.java:394) at hudson.model.User.get(User.java:363) at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374) at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:346) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672) at hudson.model.Run.execute(Run.java:1763) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:410)

Add Comment

[jnord@cloudbees.com (JIRA)]

James Nord updated an issue

Jenkins / JENKINS-34775

Broken jobs after upgrade to 1.651.2 security update

Change By: James Nord Component/s: github-oauth-plugin Component/s: google-oauth-plugin

Add Comment

[jnord@cloudbees.com (JIRA)]

James Nord commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update Lee Porte read the page again and the comment from Christopher again. is related to the fix for *SECURITY-243* You added a workaround for a completely different issue.

Add Comment

[chris@orr.me.uk (JIRA)]

Christopher Orr assigned an issue to Sam Gleske

Jenkins / JENKINS-34775

Broken jobs after upgrade to 1.651.2 security update

Change By: Christopher Orr Assignee: Andrey Stroilov Sam Gleske

Add Comment

[joe@dashride.com (JIRA)]

Joseph Thibeault commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update I'm having this issue as well. I'm struggling to find where I can disable that option though. Which file should I be looking in?

Add Comment

[andrew.stiegmann@gmail.com (JIRA)]

Andrew Stiegmann commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

You need to add it as part of your Java options. On CentOS 7 the file is /etc/sysconfig/jenkins and you need to set the following: JENKINS_JAVA_OPTIONS="-Dhudson.model.User.SECURITY_243_FULL_DEFENSE=false" or whatever works best for you. In my case I also had to disable the fix for SECURITY-170 since that was interfering with one of my plugins.

Add Comment

[joe@dashride.com (JIRA)]

Joseph Thibeault commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Thanks! That seems to have fixed it for now. I had to disable SECURITY-170 as well.

Add Comment

[haberlerm@gmail.com (JIRA)]

Michael Haberler commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Thanks! using this in /etc/default/jenkins on debian jessie did the trick: JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.User.SECURITY_243_FULL_DEFENSE=false -Dhudson.model.ParametersAction.keepUndefinedParameters=true" I'd appreciate a hint on how to continue without this (somewhat sledgehammer) measure ?

Add Comment

[sorin.sbarnea@gmail.com (JIRA)]

Sorin Sbarnea updated an issue

Jenkins / JENKINS-34775

Broken jobs after upgrade to 1.651.2 security update

Change By: Sorin Sbarnea Environment: Ubuntu 14.04 , 15.04, 15.10

Add Comment

[scb147@bakerpage.com (JIRA)]

Shawn Baker updated an issue

Jenkins / JENKINS-34775 Broken jobs after upgrade to 1.651.2 security update

I saw this issue using Windows Server 2012 R2, so I thought I'd update the ticket to state this. Change By: Shawn Baker Environment: Ubuntu 14.04, 15.04, 15.10 Windows Server 2012 R2

Add Comment

[jsca@loc.gov (JIRA)]

John Scancella commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update I am also experiencing this, it happens after it is done recording junit information using the xUnit plugin.

Add Comment

[jsca@loc.gov (JIRA)]

John Scancella edited a comment on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

I am also experiencing this, it happens after it is done recording junit information using the xUnit plugin.  However, if it goes away after deleting the project and recreating it.

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Ideally, I would appreciate it if someone contributes a patch. I am the maintainer of the plugin but I mostly: Merge pull requests after testing them. Ensure upgrade stability. Perform releases to the update center. For the most part, I don't do much development on the plugin since it has been largely stable in the past. If you or someone you know is capable and willing to patch for this issue I would review and welcome it.

Add Comment

[roberto@connexer.com (JIRA)]

Roberto Sanchez commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

I don't believe that this has anything to do with GitHub. I updated to 1.651.2 (on Debian Jessie) earlier this week and started seeing failures that appear similar to this. However, in my environment I am running a Samba Active Directory, as you can see from the stack trace: BUILD SUCCESSFUL Total time: 5 minutes 23 seconds Sending e-mails to: bi...@example.com t...@example.com FATAL: Failed to retrieve user information for Bill S. Preston; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00002020: Operation unavailable without authentication]; remaining name 'DC=example,DC=com' org.acegisecurity.BadCredentialsException: Failed to retrieve user information for Bill S. Preston; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00002020: Operation unavailable without authentication]; remaining name 'DC=example,DC=com' at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:343) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:223) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:167) at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:54) at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:678) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049) at hudson.model.User.get(User.java:395) at hudson.model.User.get(User.java:364) at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374) at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:346) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672) at hudson.model.Run.execute(Run.java:1763) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:410) Caused by: javax.naming.NamingException: [LDAP: error code 1 - 00002020: Operation unavailable without authentication]; remaining name 'DC=example,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3128) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3034) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2841) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1850) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1773) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1790) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376) at hudson.plugins.active_directory.LDAPSearchBuilder.search(LDAPSearchBuilder.java:112) at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:84) at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:293) ... 16 more Finished: FAILURE Reverting to 1.651.1 caused the builds to start working again.

Add Comment

[jafarre@insags.com (JIRA)]

Juan Farré commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Looks like this upgrade broke several things, apparently unrelated. In my case, it's about parameterized trigger plugin: JENKINS-34954 It does not copy any file to the child job. And I also can see these messages regarding config format compatible with 1.653. I'd bet there's a single problem with this update which breaks builds otherwise not related.

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

As workaround you can delete user from data/users and restart Jenkins. For me it works.

Add Comment

[dominic@varspool.com (JIRA)]

Dominic Scheirlinck commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Sam Gleske I've prepared a patch at https://github.com/jenkinsci/github-oauth-plugin/pull/56 - it looks like the problem is just a bad assumption/cast to GithubAuthenticationToken, and the fix just adds an `instanceof` check. I don't think I have to convert the UserPasswordAuthenticationToken as well (just bailing out of loadUserByUsername works fine for me). Roberto Sanchez That's an unrelated error ("LDAP: error code 1 - 00002020: Operation unavailable without authentication") from your LDAP server. Please start a new issue.

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Thanks for the patch Dominic Scheirlinck! I've started reviewing it and posted a comment. I'll test it and if it works then I'll merge and release. Many thanks.

Add Comment

[scm_issue_link@java.net (JIRA)]

SCM/JIRA link daemon commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Code changed in jenkins User: Dominic Scheirlinck Path: src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java http://jenkins-ci.org/commit/github-oauth-plugin/d6bc0211b9627ecdc6687e34d97483146d06eff5 Log: JENKINS-34775 Don't cast inconvertible un/pw token Fixes JENKINS-34775. The loadUserByUsername method expects to be able to get the current user's token with `SecurityContextHolder.getContext().getAuthentication()`, and assumes this method will return a GithubAuthenticationToken. When it returns a UserPasswordAuthenticationToken instead, a fatal cast was performed. We now handle the case where the current authentication context contains a UserPasswordAuthenticationToken (by throwing an exception - so, not successfully handled, but this prevents the loadUserByUsername failure bubbling up to become a job failure).

Add Comment

[scm_issue_link@java.net (JIRA)]

SCM/JIRA link daemon commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Code changed in jenkins User: Sam Gleske Path: src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java http://jenkins-ci.org/commit/github-oauth-plugin/986d98e7698b968eaa09270e57223312fb1aaa56 Log: Merge PR #56 JENKINS-34775 Don't cast inconvertible un/pw token Compare: https://github.com/jenkinsci/github-oauth-plugin/compare/c21013f3341e...986d98e7698b

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Released 0.24. It should be available in about 8 hrs in the update center. Or download it at https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/github-oauth/0.24/github-oauth-0.24.hpi Please confirm for me if this issue is resolved.

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Sam Gleske issue still exists in v0.24 Sending email to: so...@mail.ru

FATAL: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast to org.jenkinsci.plugins.GithubAuthenticationToken java.lang.ClassCastException: org.acegisecurity.providers.UsernamePasswordAuthenticationToken cannot be cast

to org.jenkinsci.plugins.GithubAuthenticationToken at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:644) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049) at hudson.model.User.get(User.java:395) at hudson.model.User.get(User.java:364) at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:374) at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:435) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:350) at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:346) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:672) at hudson.model.Run.execute(Run.java:1763) at hudson.matrix.MatrixBuild.run(MatrixBuild.java:301) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:410) Finished: FAILURE

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

I'm not personally able to create this exception. I am still not clear on how it's produced so I can't reproduce it.

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Andrei Kovrov Are you sure you're on 0.24? Your stack trace seems to indicate you may be on an older version. For example, github-oauth-0.22.3 has the casting error at line 644 like in your stack trace.

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Sam Gleske yes I do. Image

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Sam Gleske I wrote some workaround. ... UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { GHUser user = null; GithubAuthenticationToken token = doForceLogin(); ... private GithubAuthenticationToken doForceLogin(){ Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if(authentication instanceof GithubAuthenticationToken){ return (GithubAuthenticationToken) authentication; } try { return new GithubAuthenticationToken(authentication.getCredentials().toString(), getGithubApiUri()); } catch (IOException e) { throw new IllegalStateException(e); } } and got FATAL: org.kohsuke.github.HttpException: Server returned HTTP response code: 401, message: 'Unauthorized' for URL: https://api.github.com/user java.lang.IllegalStateException: org.kohsuke.github.HttpException: Server returned HTTP response code: 401, message: 'Unauthorized' for URL: https://api.github.com/user at org.jenkinsci.plugins.GithubSecurityRealm.doForceLogin(GithubSecurityRealm.java:677) at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:640) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049) ... I guess it happens when token has expired.

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov edited a comment on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

[~sag47] I wrote some workaround.   ps: I don't sure that I correctly understand how it works. {code}

... UserDetails loadUserByUsername(String username)             throws UsernameNotFoundException, DataAccessException {         GHUser user = null;         GithubAuthenticationToken token = doForceLogin(); ...     private GithubAuthenticationToken doForceLogin(){         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();         if(authentication instanceof GithubAuthenticationToken){             return (GithubAuthenticationToken) authentication;         }         try {             return new GithubAuthenticationToken(authentication.getCredentials().toString(), getGithubApiUri());         } catch (IOException e) {             throw new IllegalStateException(e);         }     }

{code} and got  {code}

FATAL: org.kohsuke.github.HttpException: Server returned HTTP response code: 401, message: 'Unauthorized' for URL: https://api.github.com/user java.lang.IllegalStateException: org.kohsuke.github.HttpException: Server returned HTTP response code: 401, message: 'Unauthorized' for URL: https://api.github.com/user at org.jenkinsci.plugins.GithubSecurityRealm.doForceLogin(GithubSecurityRealm.java:677) at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:640) at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1049) ...

{code}

I guess it happens when token has expired.

Add Comment

[jnord@cloudbees.com (JIRA)]

James Nord commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

loadUserByUsername is called for cases when there is no corresponding user, or a user is not attempting to log in. It is used by Jenkins to test if user zyx is a authenticated user (ie one in GitHUb) vs a virtual user (e.g. from an SCM commit). The previous fix is enough and the stack from Andrei Kovrov shows that he is not running the 0.24 release (did you restart Jenkins after upgrtading?) as there is no cast on line 644 at all so this is an impossible exception stack according to the code in github..

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Update: I printed authentication.getCredentials().toString() and so see "SYSTEM" from my previous patch. James Nord You are right. There is mismatch between my trace and v .24. Possibly it is my bad and I forgot to restart Jenkins. But now I applied patch to code from master. In my case I should get UserMayOrMayNotExistException. I'll check it.

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov edited a comment on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Update: I printed authentication.getCredentials().toString() and so see "SYSTEM" from my previous patch.

[~teilo] You are right. There is mismatch between my trace and  v  code v0  .24. Possibly it is my bad and I forgot to restart Jenkins.

But now I applied patch to code from master. In my case I should get UserMayOrMayNotExistException. I'll check it.

Add Comment

[sam.mxracer@gmail.com (JIRA)]

Sam Gleske commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Andrei Kovrov According to your screenshot it looks like you're in the plugin updates section of the configuration. Meaning you're running 0.22.2. i.e. you haven't upgraded yet. I also confirm that the casting exception occurs in line 644 of github-oauth-0.22.2.

Add Comment

[git.feedback.rawmind@gmail.com (JIRA)]

Andrei Kovrov commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Sam Gleske I confirm that is my fail and I didn't restart Jenkins, but issue still exists in v0.24. My described update above is actual. Steps to reproduce: create job with git repo a) specify Repository URL,GitHub project URL, Branch and set "Build when a change is pushed to GitHub" on Source Code Management b) create Post-build Actions-> Editable Email Notification and specify (Project Recipient List =<your_email>, Project Reply-To List=$DEFAULT_REPLYTO, Default Subject="$ {GIT_COMMIT} -$BUILD_STATUS" (without doubleqoutes), Content Type =HTML, Default Content = $DEFAULT_CONTENT) do commit and push any change to <branch> described in (a) Empirically way I found, that job begins to fall about hour after Jenkins was started.

Add Comment

[jnord@cloudbees.com (JIRA)]

James Nord commented on JENKINS-34775

Re: Broken jobs after upgrade to 1.651.2 security update

Andrei Kovrov that sounds like a different issue. Can you create a new issue for it please?

Add Comment

[jnord@cloudbees.com (JIRA)]

James Nord resolved as Fixed

Jenkins / JENKINS-34775

Broken jobs after upgrade to 1.651.2 security update

Change By: James Nord Status: Open Resolved Resolution: Fixed

Add Comment