[JIRA] (JENKINS-57936) Git plugin password bug

12 views
Skip to first unread message

gabriele.fatigati@gmail.com (JIRA)

unread,
Jun 10, 2019, 7:59:02 AM6/10/19
to jenkinsc...@googlegroups.com
Fabriele Fatigati created an issue
 
Jenkins / Bug JENKINS-57936
Git plugin password bug
Issue Type: Bug Bug
Assignee: Fabriele Fatigati
Components: git-plugin
Created: 2019-06-10 11:58
Environment: Jenkins 2.164.3
Priority: Minor Minor
Reporter: Fabriele Fatigati

Dear Jenkins users,

I'm use Jenkins 2.164.3 and trying to clone a repository with Git Plugin I get the error " authentication failed", because for some reason git plugin add "%24" in front of my password read from password parameter. 

I read from ticket JENKINS-20533

It was an old bug of 5 years ago of very old git plugin, but now should be solved!

Could you help me? Thanks.
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

gabriele.fatigati@gmail.com (JIRA)

unread,
Jun 10, 2019, 8:01:02 AM6/10/19
to jenkinsc...@googlegroups.com
Fabriele Fatigati updated an issue
Change By: Fabriele Fatigati
Environment: Jenkins 2.164.3 git plugin 3.10.0

gabriele.fatigati@gmail.com (JIRA)

unread,
Jun 10, 2019, 8:02:02 AM6/10/19
to jenkinsc...@googlegroups.com
Fabriele Fatigati updated an issue
Change By: Fabriele Fatigati
Environment: Jenkins 2.164.3 git plugin 3.10.0 git-client 2.7.7

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 15, 2019, 5:27:02 PM6/15/19
to jenkinsc...@googlegroups.com
Mark Waite commented on Bug JENKINS-57936
 
Re: Git plugin password bug

Please provide a numbered series of steps which will duplicate the problem you are seeing. As an example of the steps that I use to test various authentication schemes with the Jenkins git plugin, I use:

  1. Define a Jenkins username / password credential using a valid username and password for the git account that will provide the repository
  2. Define a Freestyle job that uses the https protocol to clone that repository and users the credential defined in the previous step
  3. Run the Freestyle job to confirm that the https protocol clone works as expected.

You say that

for some reason git plugin add "%24" in front of my password read from password parameter.

How can you see that Jenkins is adding "%24" to the front of your password? Are you cloning without using the git plugin? Does your password start with the character '$' (which might be HTML escaped to '%24')?

Are you cloning an authenticated repository by embedding the username and password into the URL instead of using a credential? If so, does it work any better if you use a Jenkins credential instead of embedding the username and password in the repository URL?

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 18, 2019, 10:16:04 AM6/18/19
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-57936
[~unrue] Please please provide a numbered series of steps which will duplicate the problem you are seeing.  As an example of the steps that I use to test various authentication schemes with the Jenkins git plugin, I use:

# Define a Jenkins username / password credential using a valid username and password for the git account that will provide the repository
# Define a Freestyle job that uses the https protocol to clone that repository and users the credential defined in the previous step
# Run the Freestyle job to confirm that the https protocol clone works as expected.

You say that
bq. for some reason git plugin add "%24" in front of my password read from password parameter.

How can you see that Jenkins is adding "%24" to the front of your password?  Are you cloning without using the git plugin?  Does your password start with the character '$' (which might be HTML escaped to '%24')?  

Are you cloning an authenticated repository by embedding the username and password into the URL instead of using a credential?  If so, does it work any better if you use a Jenkins credential instead of embedding the username and password in the repository URL?

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 18, 2019, 10:16:04 AM6/18/19
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-57936
[~unrue] Please provide a numbered series of steps which will duplicate the problem you are seeing.  As an example of the steps that I use to test various authentication schemes with the Jenkins git plugin, I use:

gabriele.fatigati@gmail.com (JIRA)

unread,
Jun 19, 2019, 3:55:02 AM6/19/19
to jenkinsc...@googlegroups.com

Mark White, my steps:

  • Created new freestyle jobs 
  • Set password parameter
  • Pass password parameter to Jenkins Git form

My password does not start with '$', but it is a job password parameter, so in my opinion Jenkins fail expanding such variable. The same problem appears on Hudson some years ago.

The "%24" is shown from the build log

gabriele.fatigati@gmail.com (JIRA)

unread,
Jun 19, 2019, 3:55:02 AM6/19/19
to jenkinsc...@googlegroups.com
Gabriele Fatigati edited a comment on Bug JENKINS-57936
@ Mark White, my steps:
* Created new freestyle jobs 
* Set password parameter
* Pass password parameter to Jenkins Git form


My password does not start with '$', but it is a job password parameter, so in my opinion Jenkins fail expanding such variable. The same problem appears on Hudson some years ago.

The "%24" is shown from the build log

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 19, 2019, 11:55:02 AM6/19/19
to jenkinsc...@googlegroups.com

Thanks for the steps. I've confirmed that the bug can be duplicated. Steps I took:

  1. Define a parameterized job with two parameters, a String parameter USERNAME with default value MarkEWaite and a Password parameter PASSWORD with default value of a newly created GitHub personal access token
  2. Define the git repository for that job as https://${USERNAME}:${PASSWORD}@github.com/${USERNAME}/jenkins-bugs-private
  3. Run the job

The job fails and provides the following output:

No credentials specified
 > git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url https://%24{USERNAME}:%24{PASSWORD}@github.com/MarkEWaite/jenkins-bugs-private # timeout=10
Fetching upstream changes from https://%24{USERNAME}@github.com/MarkEWaite/jenkins-bugs-private
 > git --version # timeout=10
 > git fetch --no-tags --force --progress https://%24{USERNAME}@github.com/MarkEWaite/jenkins-bugs-private +refs/heads/master:refs/remotes/origin/master # timeout=10
ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from https://%24{USERNAME}@github.com/MarkEWaite/jenkins-bugs-private
	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:904)
	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1119)
	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1150)
	at hudson.scm.SCM.checkout(SCM.java:504)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1208)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:574)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
	at hudson.model.Run.execute(Run.java:1818)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)
Caused by: hudson.plugins.git.GitException: Command "git fetch --no-tags --force --progress https://%24{USERNAME}@github.com/MarkEWaite/jenkins-bugs-private +refs/heads/master:refs/remotes/origin/master" returned status code 128:
stdout: 
stderr: remote: Invalid username or password.
fatal: Authentication failed for 'https://%24{USERNAME}@github.com/MarkEWaite/jenkins-bugs-private/'

	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2298)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1910)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$400(CliGitAPIImpl.java:81)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:488)
	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:161)
	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:154)
	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:369)
	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
	Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to testing-a-jagent
		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1743)
		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
		at hudson.remoting.Channel.call(Channel.java:957)
		at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
		at sun.reflect.GeneratedMethodAccessor535.invoke(Unknown Source)
		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.lang.reflect.Method.invoke(Method.java:498)
		at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
		at com.sun.proxy.$Proxy99.execute(Unknown Source)
		at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:902)
		at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1119)
		at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1150)
		at hudson.scm.SCM.checkout(SCM.java:504)
		at hudson.model.AbstractProject.checkout(AbstractProject.java:1208)
		at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:574)
		at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
		at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
		at hudson.model.Run.execute(Run.java:1818)
		at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
		at hudson.model.ResourceController.execute(ResourceController.java:97)
		at hudson.model.Executor.run(Executor.java:429)
ERROR: Error fetching remote repo 'origin'

A similar stack trace is reported when JGit is used as the implementation instead of command line git.

One of the parameters is replaced in the repository URL (the user name after the hostname in the URL) while the other two parameters are not replaced in the repository URL.

mark.earl.waite@gmail.com (JIRA)

unread,
Jun 19, 2019, 12:12:03 PM6/19/19
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on Bug JENKINS-57936
Thanks for the steps.  I've confirmed that the bug can be duplicated.  Steps I took:

# Define a parameterized job with two parameters, a String parameter {{USERNAME}} with default value {{MarkEWaite}} and a Password parameter {{PASSWORD}} with default value of a newly created GitHub personal access token
# Define the git repository for that job as {{https://${USERNAME}:${PASSWORD}@github.com/${USERNAME}/jenkins-bugs-private}}
# Run the job


The job fails and provides the following output:
{noformat}
{noformat}


A similar stack trace is reported when JGit is used as the implementation instead of command line git.

One of the parameters is replaced in the repository URL (the user name after the hostname in the URL) while the other two parameters are not replaced in the repository URL.


Even embedding the username and password directly into the repository URL does not work for cloning from GitHub.  Thus, there are at least two bugs here, first that parameter expansion is not being performed in the optional username/password portion of the repository URL and second that a username and password embedded in a repository URL are not supported.
Reply all
Reply to author
Forward
0 new messages