Gerrit 2.12 + GitHub OAuth plugin: You need at least read:org scope or user scope to list your organizations

[Matthew McCormick]

Hi there,

We upgraded our Gerrit instance to 2.12. After also updating the
GitHub OAuth plugin to a build from the origin/stable-2.12 branch,
"Sign In" on the web page results in "Server Error"

Here is the traceback in the error_log:

[2015-12-30 16:28:52,215] [HTTP-324] WARN
org.eclipse.jetty.server.HttpChannel :
/oauth?code=d7292eabe25832f84986&state=VsiZmMMlLZAnH2O4VlUrFJZYi1Q%3D%2C%2Flogin
java.io.IOException: {"message":"You need at least read:org scope or
user scope to list your
organizations.","documentation_url":"https://developer.github.com/v3/orgs/#list-your-organizations"}
at org.kohsuke.github.Requester.handleApiError(Requester.java:506) at
org.kohsuke.github.Requester._to(Requester.java:248) at
org.kohsuke.github.Requester.to(Requester.java:194) at
org.kohsuke.github.GitHub.getMyOrganizations(GitHub.java:340) at
com.googlesource.gerrit.plugins.github.oauth.OAuthWebFilter.login(OAuthWebFilter.java:128)
at com.googlesource.gerrit.plugins.github.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:89)
at com.googlesource.gerrit.plugins.github.oauth.OAuthFilter.doFilter(OAuthFilter.java:86)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499) at
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745) Caused by:
java.io.IOException: Server returned HTTP response code: 403 for URL:
https://api.github.com/user/orgs at
sun.reflect.GeneratedConstructorAccessor120.newInstance(Unknown
Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526) at
sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1676)
at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1674)
at java.security.AccessController.doPrivileged(Native Method) at
sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1672)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1245)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at org.kohsuke.github.Requester.parse(Requester.java:461) at
org.kohsuke.github.Requester._to(Requester.java:227) ... 21 more
Caused by: java.io.IOException: Server returned HTTP response code:
403 for URL: https://api.github.com/user/orgs at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1627)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at org.kohsuke.github.Requester.parse(Requester.java:457) ... 22 more
[2015-12-30 16:28:52,215] [HTTP-324] WARN
org.eclipse.jetty.server.HttpChannel : Could not send response error
500: java.io.IOException: {"message":"You need at least read:org scope
or user scope to list your
organizations.","documentation_url":"https://developer.github.com/v3/orgs/#list-your-organizations"}


Any ideas on how to proceed?


Thanks and happy New Year!

Matt

[Luca Milanesio]

Hi Matthew,

you need this patch for having the read:org in the GitHub scopes:

https://gerrit.googlesource.com/plugins/github/+/2686129ce0675ef881c6402302c75199445700d2%5E%21/#F0

As workaround you can add the read:org scope yourself by adding the following Gerrit config:

[github]
scopes = USER_EMAIL,PUBLIC_REPO,READ_ORG

Hope this helps.

Luca.

-- 
-- 
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

--- 
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Matthew McCormick]

Hi Luca,

Thanks for the pointer!

I added the extra scopes to the Gerrit config.

When I tried to login with my account, it requested extra permissions
on GitHub, which makes sense.

However, a "Server Error" page still results. This time, the
traceback in the logs points an attempt to a change the username,

[2015-12-30 22:18:21,211] [HTTP-31] WARN
org.eclipse.jetty.servlet.ServletHandler : /login
java.lang.IllegalStateException: Username cannot be changed.
at com.google.gerrit.server.account.ChangeUserName.call(ChangeUserName.java:78)
at com.google.gerrit.server.account.AccountManager.update(AccountManager.java:188)
at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:124)
at com.google.gerrit.httpd.auth.container.HttpLoginServlet.doGet(HttpLoginServlet.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:287)
at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:277)
at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182)
at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
at com.google.gerrit.httpd.GetUserFilter.doFilter(GetUserFilter.java:82)
at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)
at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:117)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:136)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:105)
at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at com.googlesource.gerrit.plugins.github.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:103)

at com.googlesource.gerrit.plugins.github.oauth.OAuthFilter.doFilter(OAuthFilter.java:86)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)

This account migrated to the GitHub OAuth plugin since Gerrit 2.10. Is
this expected?

Thanks,
Matt

[luca.mi...@gmail.com]

Remember that bug, it was in Gerrit but I thought it was solved ... Possibly only on master :-(

Let me dig into the Gerrit Git log ...

Luca

Sent from my iPhone

[Luca Milanesio]

Hi Matthew,
the code has been fixed and your error is a genuine one :-)

It seems you've changed your GitHub username since your first login, however changing username isn't allowed in Gerrit.
In order to resolve your problem, you can either change back your GitHub username to its original one or just recreate the Gerrit user from scratch.

Luca.

[Matthew McCormick]

Hi Luca,

Some background: this is for a relatively large open source project
that has been benefiting from code reviews via Gerrit for 5 years.
Originally, OpenID authentication was used. Then, during The Great
OpenID to GitHub Migration :-), we moved to the github-oauth plugin
for authentication.

The original Gerrit username I chose does not happen to match the
GitHub username I have. I don't think I can change my GitHub username,
and I can't sign in to Gerrit to delete my account. But there are
other normal users out there that are likely in the same boat, and it
would be nice if they could continue to use their accounts without
changes.

Taking a short look at the code, I notice that correspondence between
the authenticated username and the Gerrit username was only enforced
recently:

https://gerrit-review.googlesource.com/#/c/69811/

Is this required? Could we make it optional somehow?

Thanks,
Matt

On Thu, Dec 31, 2015 at 3:28 AM, Luca Milanesio

[lucamilanesio]

Hi Matthew,

see my feedback below.

On Thursday, December 31, 2015 at 5:42:52 PM UTC, Matthew McCormick wrote:

Hi Luca,

Some background: this is for a relatively large open source project
that has been benefiting from code reviews via Gerrit for 5 years.
Originally, OpenID authentication was used. Then, during The Great
OpenID to GitHub Migration :-), we moved to the github-oauth plugin
for authentication.

Interesting, how did you manage to keep the same users? Do they match via e-mail? Did you use the github plugins OR the github-oauth from DavidO?

 

The original Gerrit username I chose does not happen to match the
GitHub username I have. I don't think I can change my GitHub username,

Yes you can :-) GitHub allows to edit your username if you wish.

 

and I can't sign in to Gerrit to delete my account. But there are
other normal users out there that are likely in the same boat, and it
would be nice if they could continue to use their accounts without
changes.

GitHub-OAuth plugin from DavidO uses the external-id matching for logging in, so it should possibly work even if the usernames are different.

The GitHub plugin instead gets the username from GitHub and thus wouldn't work :-(

[lucamilanesio]

Just to clarify: what is the plugin you are actually using?

I assumed you installed and used:

https://gerrit-ci.gerritforge.com/view/Plugins-stable-2.12/job/plugin-github-mvn-stable-2.12/

Luca.

[Matthew McCormick]

Hi Luca,

On Thursday, December 31, 2015 at 7:05:23 PM UTC-5, lucamilanesio wrote:

Just to clarify: what is the plugin you are actually using?

We are using the github-oauth plugin built from source from:

  https://gerrit.googlesource.com/plugins/github/+/stable-2.12

On Thursday, December 31, 2015 at 5:42:52 PM UTC, Matthew McCormick wrote:

Hi Luca,

Some background: this is for a relatively large open source project
that has been benefiting from code reviews via Gerrit for 5 years.
Originally, OpenID authentication was used. Then, during The Great
OpenID to GitHub Migration :-), we moved to the github-oauth plugin
for authentication.

Interesting, how did you manage to keep the same users? Do they match via e-mail? Did you use the github plugins OR the github-oauth from DavidO?

Yes, Chris Harris wrote some migration code that matched accounts based on their emails. We used the GitHub-OAuth plugin for authentication, but we have (not yet) enabled the GitHub plugin, but we would really like to.

The original Gerrit username I chose does not happen to match the
GitHub username I have. I don't think I can change my GitHub username,

Yes you can :-) GitHub allows to edit your username if you wish.

Well, I don't want to change my username :-P, the hundreds of repositories associated with it, and someone else registered the Gerrit username.

 

and I can't sign in to Gerrit to delete my account. But there are
other normal users out there that are likely in the same boat, and it
would be nice if they could continue to use their accounts without
changes.

GitHub-OAuth plugin from DavidO uses the external-id matching for logging in, so it should possibly work even if the usernames are different.

The GitHub plugin instead gets the username from GitHub and thus wouldn't work :-(

Are there any anticipated issues if we switch out the GitHub-OAuth plugin with the DavidO plugin?

Thanks,
Matt

[Raghavendra Talur]

Hi,

We have encountered the same issue. Were you able to resolve this? It would be very helpful to know how you proceeded.

Thanks,

Raghavendra Talur

...