[JIRA] (JENKINS-47839) crowd2 Jenkins plugin crashes if user not found


o.v.nenashev@gmail.com (JIRA)

Jun 6, 2018, 5:50:05 PM
to jenkinsc...@googlegroups.com
Oleg Nenashev assigned an issue to Unassigned
 

Removing the assignee according to https://groups.google.com/forum/#!topic/jenkinsci-dev/sFejhRvZiIM

Jenkins / Bug JENKINS-47839
crowd2 Jenkins plugin crashes if user not found
Change By: Oleg Nenashev
Assignee: Kanstantsin Shautsou
 
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

zlei.huang@gmail.com (JIRA)

Jun 8, 2018, 6:03:01 AM
to jenkinsc...@googlegroups.com
Zhenlei Huang commented on Bug JENKINS-47839
 
Re: crowd2 Jenkins plugin crashes if user not found

Cyril Burd Hi, I tried to reproduce this issue on my local environment, JIRA 7.1.7, but without luck. Both work regardless of the order of groups in the 'Restrict Groups' section.
The exception

com.atlassian.crowd.exception.InvalidCrowdServiceException

is thrown when the called REST API endpoint is not a valid URL, which indicates:

  1. Jenkins configured with the wrong Crowd / JIRA (with embedded Crowd) instance (not likely in this case)
  2. Badly configured proxies between Jenkins and Crowd that do not enforce HTTP RFCs
  3. Bugs in Crowd / JIRA (not likely, since I've tested with the same version, JIRA 7.1.7)

Would you please verify that there are no proxies between your Jenkins instance and the JIRA server, including reverse proxies such as Nginx / Apache HTTP Server?

cyrilburd@gmail.com (JIRA)

Jun 13, 2018, 7:32:02 AM
to jenkinsc...@googlegroups.com
Cyril Burd edited a comment on Bug JENKINS-47839
Hi   [~gmshake]

Thanks for your response. Hereinafter my points:
# Jenkins is configured correctly with JIRA. We are able to authenticate and login, this is not an issue.
# We do not use any proxies
# Here is the fix that solved the problem on our side, made by our developers. Hope it helps.

{code:java}
diff -r jenkins-crowd2-plugin/src/main/java/de/theit/jenkins/crowd/CrowdConfigurationService.java crowd2-plugin/src/main/java/de/theit/jenkins/crowd/CrowdConfigurationService.java
115c115
< this.allowedGroupNames.add(group.trim());
---
> this.allowedGroupNames.add(group);
187,199c187,197
< try {
< if (this.crowdClient.isUserDirectGroupMember(username, group)) {
< retval = true;
< if (LOG.isLoggable(Level.FINER)) {
< LOG.finer("=> user is a direct group member");
< }
< } else if (this.nestedGroups
< && this.crowdClient
< .isUserNestedGroupMember(username, group)) {
< retval = true;
< if (LOG.isLoggable(Level.FINER)) {
< LOG.finer("=> user is a nested group member");
< }
---
> if (this.crowdClient.isUserDirectGroupMember(username, group)) {
> retval = true;
> if (LOG.isLoggable(Level.FINER)) {
> LOG.finer("=> user is a direct group member");
> }
> } else if (this.nestedGroups
> && this.crowdClient
> .isUserNestedGroupMember(username, group)) {
> retval = true;
> if (LOG.isLoggable(Level.FINER)) {
> LOG.finer("=> user is a nested group member");
201,202d198
< } catch (Exception e) {
< LOG.warning(e.getMessage());
246,247d241
< } catch (Exception e) {
< LOG.warning(e.getMessage());

{code}

cyrilburd@gmail.com (JIRA)

Jun 13, 2018, 7:32:02 AM
to jenkinsc...@googlegroups.com

Thanks for your response. Hereinafter my points:

  1. Jenkins is configured correctly with JIRA. We are able to authenticate and login, this is not an issue.
  2. We do not use any proxies
  3. Here is the fix that solved the problem on our side, made by our developers. Hope it helps.
    diff -r jenkins-crowd2-plugin/src/main/java/de/theit/jenkins/crowd/CrowdConfigurationService.java crowd2-plugin/src/main/java/de/theit/jenkins/crowd/CrowdConfigurationService.java
    115c115
    < this.allowedGroupNames.add(group.trim());
    ---
    > this.allowedGroupNames.add(group);
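Review bot: `group.trim()` on the `<` side of 115c115 still lets a blank or whitespace-only `group` into `allowedGroupNames` as an empty string; skip entries that are empty after trimming. The trim is also unrelated to the exception handling in the later hunks and would be easier to review as a separate change.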
    187,199c187,197
    < try {
    < if (this.crowdClient.isUserDirectGroupMember(username, group)) {
    < retval = true;
    < if (LOG.isLoggable(Level.FINER)) {
    < LOG.finer("=> user is a direct group member");
    < }
    < } else if (this.nestedGroups
    < && this.crowdClient
    < .isUserNestedGroupMember(username, group)) {
    < retval = true;
    < if (LOG.isLoggable(Level.FINER)) {
    < LOG.finer("=> user is a nested group member");
    < }
    ---
    > if (this.crowdClient.isUserDirectGroupMember(username, group)) {
    > retval = true;
    > if (LOG.isLoggable(Level.FINER)) {
    > LOG.finer("=> user is a direct group member");
    > }
    > } else if (this.nestedGroups
    > && this.crowdClient
    > .isUserNestedGroupMember(username, group)) {
    > retval = true;
    > if (LOG.isLoggable(Level.FINER)) {
    > LOG.finer("=> user is a nested group member");
    201,202d198
    < } catch (Exception e) {
    < LOG.warning(e.getMessage());
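Review bot: `catch (Exception e)` at 201-202 on the `<` side is too broad for a group-membership check: everything thrown inside the `try` opened at 187 ends up as one warning line and neither `retval = true` branch runs, so a network or configuration failure is indistinguishable from a user who is simply not in the group. Catch only the exception type this patch is meant to tolerate and let the rest propagate, and log with `LOG.log(Level.WARNING, "group membership check failed", e)` rather than `LOG.warning(e.getMessage())`, which drops the stack trace and may have no message at all.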
    246,247d241
    < } catch (Exception e) {
    < LOG.warning(e.getMessage());
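Review bot: the second `catch (Exception e)` at 246-247 repeats the broad catch from 201-202, and this diff adds no `try {` for it, so what it guards cannot be judged from the patch. Please post a unified diff with context (`diff -u`) and narrow this catch in the same way.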
    
    

    zlei.huang@gmail.com (JIRA)

    Jun 14, 2018, 12:17:02 AM
    to jenkinsc...@googlegroups.com

    Cyril Burd Your patch works but it actually covers some important failures such as network / configuration problems, as it catches all exceptions including those that it should not, i.e.

    com.atlassian.crowd.exception.OperationFailedException
    

    It's weird that the URL of JIRA REST API looks good,

    com.atlassian.crowd.exception.InvalidCrowdServiceException: The following URL does not specify a valid Crowd User Management REST service: https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev
        at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.executeCrowdServiceMethod(RestExecutor.java:455)
    

    Can you please run this command snippet on your Jenkins master instance and post the result? It would be very helpful.

    Please remember to change application and password, and mask out sensitive information in the result, e.g. cookies, ASEN

    zlei.huang@gmail.com (JIRA)

    Jun 14, 2018, 12:40:01 AM
    to jenkinsc...@googlegroups.com
    Zhenlei Huang edited a comment on Bug JENKINS-47839
    [~cyril] Your patch works but it actually covers some important failures such as network / configuration problems, as it catches all exceptions including those that it should not, i.e.

    {code:java}
    com.atlassian.crowd.exception.OperationFailedException
    {code}

    It's weird that the URL of JIRA REST API looks good but fails on remote invoke,
    {quote}
    {code:java}
    com.atlassian.crowd.exception.InvalidCrowdServiceException: The following URL does not specify a valid Crowd User Management REST service: https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev
        at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.executeCrowdServiceMethod(RestExecutor.java:455)
    {code}
    {quote}
    Can you please run this command snippet on your Jenkins master instance and post the result? It would be very helpful.

    {code:none}
    {code}

    Please remember to change {{application}} and {{password}}, and mask out sensitive information in the result, e.g. cookies, ASEN

    cyrilburd@gmail.com (JIRA)

    Jun 14, 2018, 4:49:02 AM
    to jenkinsc...@googlegroups.com

    Hi Zhenlei Huang

    Upon your request: (dev is not in systems group)

    curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev"
    HTTP/1.1 404 Not Found
    Date: Thu, 14 Jun 2018 08:42:33 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Length: 237
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /rest/usermanagement/1/group/user/direct was not found on this server.</p>
    </body></html>

     

    However, when user sys is in systems group:

    curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=sys"
    HTTP/1.1 200 200
    Date: Thu, 14 Jun 2018 08:42:22 GMT
    Server: Apache
    X-AREQUESTID: 522x36860744x2
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-Embedded-Crowd-Version: JIRA/7.6.1
    X-Crowd-User-Management-Version: 1.4
    X-ASEN: SEN-2075590
    Set-Cookie: JSESSIONID=BLABLASESSION;path=/;Secure;HttpOnly
    Set-Cookie: atlassian.xsrf.token=BLABLATOKEN|lout;path=/;Secure
    X-ASESSIONID: 4ioxjr
    X-AUSERNAME: anonymous
    Cache-Control: no-cache, no-store, no-transform
    Content-Length: 182
    Content-Type: application/xml;charset=UTF-8

    As I said JIRA returns 404 instead of proper response.

    Thanks.

    zlei.huang@gmail.com (JIRA)

    Jun 14, 2018, 5:07:01 AM
    to jenkinsc...@googlegroups.com

    Cyril Burd I've noticed that your JIRA instance is behind a proxy. That is probably causing this issue.

    curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev"
    HTTP/1.1 404 Not Found
    Date: Thu, 14 Jun 2018 08:42:33 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Length: 237
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /rest/usermanagement/1/group/user/direct was not found on this server.</p>
    </body></html>
    

    curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=sys"
    HTTP/1.1 200 200
    Date: Thu, 14 Jun 2018 08:42:22 GMT
    Server: Apache
    X-AREQUESTID: 522x36860744x2
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-Embedded-Crowd-Version: JIRA/7.6.1
    X-Crowd-User-Management-Version: 1.4
    X-ASEN: SEN-2075590
    Set-Cookie: JSESSIONID=BLABLASESSION;path=/;Secure;HttpOnly
    Set-Cookie: atlassian.xsrf.token=BLABLATOKEN|lout;path=/;Secure
    X-ASESSIONID: 4ioxjr
    X-AUSERNAME: anonymous
    Cache-Control: no-cache, no-store, no-transform
    Content-Length: 182
    Content-Type: application/xml;charset=UTF-8
    

    See the response header "Server: Apache".

    From my local setup with no proxies, the response from the JIRA server contains almost the same headers regardless of the error code.

    It seems that Apache HTTP Server is trimming the response from upstreams when the response HTTP error code is 404. Needs further investigation.

    zlei.huang@gmail.com (JIRA)

    Jun 14, 2018, 5:21:02 AM
    to jenkinsc...@googlegroups.com
    Zhenlei Huang edited a comment on Bug JENKINS-47839
    [~cyril] I've noticed that your JIRA instance is behind a proxy. That is probably causing this issue.
    {quote}
    {noformat}
    curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev"
    HTTP/1.1 404 Not Found
    Date: Thu, 14 Jun 2018 08:42:33 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Length: 237
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL /rest/usermanagement/1/group/user/direct was not found on this server.</p>
    </body></html>
    {noformat}
    {quote}
    {quote}
    {noformat}
    curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=sys"
    HTTP/1.1 200 200
    Date: Thu, 14 Jun 2018 08:42:22 GMT
    Server: Apache
    X-AREQUESTID: 522x36860744x2
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-Embedded-Crowd-Version: JIRA/7.6.1
    X-Crowd-User-Management-Version: 1.4
    X-ASEN: SEN-2075590
    Set-Cookie: JSESSIONID=BLABLASESSION;path=/;Secure;HttpOnly
    Set-Cookie: atlassian.xsrf.token=BLABLATOKEN|lout;path=/;Secure
    X-ASESSIONID: 4ioxjr
    X-AUSERNAME: anonymous
    Cache-Control: no-cache, no-store, no-transform
    Content-Length: 182
    Content-Type: application/xml;charset=UTF-8
    {noformat}
     
    {quote}
    See the response header
    {quote}Server: Apache{quote}.

     

    From my local setup with no proxies, the response from the JIRA server contains almost the same headers regardless of the error code.
    {noformat}
    curl -D- -u test:test -X GET "http://localhost:8080/rest/usermanagement/1/group/user/direct?groupname=developers&username=admin"
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-AREQUESTID: 1033x5x1
    X-Embedded-Crowd-Version: JIRA/7.1.7
    X-Crowd-User-Management-Version: 1.4
    X-ASEN: SEN-...
    Set-Cookie: JSESSIONID=...; Path=/; HttpOnly
    Set-Cookie: atlassian.xsrf.token=...|lout; Path=/
    X-ASESSIONID: 4114ft
    X-AUSERNAME: anonymous
    Cache-Control: no-cache, no-store, no-transform
    X-Content-Type-Options: nosniff
    Content-Type: application/xml;charset=UTF-8
    Content-Length: 170
    Date: Thu, 14 Jun 2018 09:13:33 GMT

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><user name="admin"><link href="http://localhost:8080/rest/usermanagement/1/user?username=admin" rel="self"/></user>
    {noformat}
    and
    {noformat}
    curl -D- -u test:test -X GET "http://localhost:8080/rest/usermanagement/1/group/user/direct?groupname=developers&username=foo"
    HTTP/1.1 404 Not Found
    Server: Apache-Coyote/1.1
    X-AREQUESTID: 1036x6x1
    X-Embedded-Crowd-Version: JIRA/7.1.7
    X-Crowd-User-Management-Version: 1.4
    X-ASEN: SEN-...
    Set-Cookie: JSESSIONID=...; Path=/; HttpOnly
    Set-Cookie: atlassian.xsrf.token=...|lout; Path=/
    X-ASESSIONID: 5t0jxu
    X-AUSERNAME: anonymous
    Cache-Control: no-cache, no-store, no-transform
    X-Content-Type-Options: nosniff
    Content-Type: application/xml;charset=UTF-8
    Content-Length: 203
    Date: Thu, 14 Jun 2018 09:16:23 GMT

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><reason>MEMBERSHIP_NOT_FOUND</reason><message>The child entity &lt;foo&gt; is not a member of the parent &lt;developers&gt;</message></error>
    {noformat}
     

    It seems that Apache HTTP Server is trimming the response from upstreams when the response HTTP error code is 404. Check your Apache proxy configuration first; this needs further investigation. :)

    zlei.huang@gmail.com (JIRA)

    Jun 14, 2018, 7:23:02 AM
    to jenkinsc...@googlegroups.com

    Cyril Burd Take care of this config, the ProxyErrorOverride directive. The default value is Off. It would cause problems like this issue if ProxyErrorOverride is turned on.

    I've set up an Apache HTTP Server reverse proxy, referring to https://confluence.atlassian.com/adminjiraserver070/integrating-jira-with-apache-749383658.html

    LoadModule proxy_module ....
    LoadModule proxy_http_module ....
    <Location />
        ProxyPreserveHost On
        ProxyPass http://jira.internal:8080/
        ProxyPassReverse http://jira.internal:8080/
        ProxyErrorOverride On
        ErrorDocument 404 "Not Found"
    </Location>
    

    and reproduced the issue as yours.

    curl -D- -u test:test -X GET "http://192.168.11.153/rest/usermanagement/1/group/user/directabc?groupname=developers&username=foo"
    HTTP/1.1 404 Not Found
    Date: Thu, 14 Jun 2018 11:00:29 GMT
    Server: Apache/2.4.33 (FreeBSD)
    Content-Length: 9
    Content-Type: text/html; charset=iso-8859-1
    
    Not found
    

    From a developer's point of view,

            int executeCrowdServiceMethod(HttpMethod method) throws InvalidCrowdServiceException, IOException {
                int statusCode = RestExecutor.this.client.executeMethod(method);
                if(!this.isCrowdRestService(method)) {
                    throw new InvalidCrowdServiceException(String.format("The following URL does not specify a valid Crowd User Management REST service: %s", new Object[]{method.getURI().toString()}));
                } else {
                    return statusCode;
                }
            }
    
            private boolean isCrowdRestService(HttpMethod method) {
                return method.getResponseHeader("X-Embedded-Crowd-Version") != null;
            }
    

    Any response of REST API without header "X-Embedded-Crowd-Version" would certainly raise an InvalidCrowdServiceException. So be careful with any proxy configuration in production environment, esp REST API upstream.

    For short, enforce HTTP RFCs, less problems.

    zlei.huang@gmail.com (JIRA)

    Jun 14, 2018, 7:26:02 AM
    to jenkinsc...@googlegroups.com
    Zhenlei Huang edited a comment on Bug JENKINS-47839
    [~cyril] Take care of this config, [ProxyErrorOverride Directive |https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxyerroroverride]. The default value is Off. It would cause problems like this issue if ProxyErrorOverride is turned on.

    I've set up an Apache HTTP Server reverse proxy, referring to [https://confluence.atlassian.com/adminjiraserver070/integrating-jira-with-apache-749383658.html|https://confluence.atlassian.com/adminjiraserver070/integrating-jira-with-apache-749383658.html]
    {code:xml}

    LoadModule proxy_module ....
    LoadModule proxy_http_module ....
    <Location />
        ProxyPreserveHost On
        ProxyPass http://jira.internal:8080/
        ProxyPassReverse http://jira.internal:8080/
        ProxyErrorOverride On
        ErrorDocument 404 "Not Found"
    </Location>
    {code}

    and reproduced the issue as yours.
    {noformat}

    curl -D- -u test:test -X GET "http://192.168.11.153/rest/usermanagement/1/group/user/directabc?groupname=developers&username=foo"
    HTTP/1.1 404 Not Found
    Date: Thu, 14 Jun 2018 11:00:29 GMT
    Server: Apache/2.4.33 (FreeBSD)
    Content-Length: 9
    Content-Type: text/html; charset=iso-8859-1

    Not found
    {noformat}


    From a developer's point of view,
    {code:java}

            int executeCrowdServiceMethod(HttpMethod method) throws InvalidCrowdServiceException, IOException {
                int statusCode = RestExecutor.this.client.executeMethod(method);
                if(!this.isCrowdRestService(method)) {
                    throw new InvalidCrowdServiceException(String.format("The following URL does not specify a valid Crowd User Management REST service: %s", new Object[]{method.getURI().toString()}));
                } else {
                    return statusCode;
                }
            }

            private boolean isCrowdRestService(HttpMethod method) {
                return method.getResponseHeader("X-Embedded-Crowd-Version") != null;
            }
    {code}
    In this case, any response of REST API from proxy without header "X-Embedded-Crowd-Version" would certainly raise an InvalidCrowdServiceException. So be careful with any proxy configuration in production environment not to violate the designed feature, esp REST API upstreams.

    For short, enforce HTTP RFCs, less problems. :)
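
Added example (not part of the thread and not code from the crowd2 plugin or Crowd): a shell function that applies the same header test as `isCrowdRestService` to a response captured with `curl -D-`, so a 404 page substituted by the proxy can be told apart from Crowd's own `MEMBERSHIP_NOT_FOUND` answer. The function name, the output labels and the two sample responses (modelled on the outputs posted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a response captured with `curl -s -D- ...` on stdin
# (status line, headers, blank line, body) and applies the same test as
# isCrowdRestService: is the X-Embedded-Crowd-Version header present?
classify_crowd_response() {
    awk '
        BEGIN { in_body = 0; status = ""; crowd = 0; reason = "" }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        !in_body && NR == 1 { status = $2; next }
        !in_body && $0 == "" { in_body = 1; next }
        !in_body {
            name = tolower($0); sub(/:.*/, "", name)
            if (name == "x-embedded-crowd-version") crowd = 1
            next
        }
        # Body lines only: pick up the <reason> of a Crowd error document.
        match($0, /<reason>[A-Z_]+<\/reason>/) {
            reason = substr($0, RSTART + 8, RLENGTH - 17)
        }
        END {
            if (status == "")      print "no-response"
            else if (!crowd)       print "not-crowd status=" status
            else if (reason != "") print "crowd status=" status " reason=" reason
            else                   print "crowd status=" status
        }'
}

# Constructed sample: 404 as seen through a proxy that replaces error pages.
sample_proxied_404() {
cat <<'EOF'
HTTP/1.1 404 Not Found
Date: Thu, 14 Jun 2018 08:42:33 GMT
Server: Apache
Content-Length: 237
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
</body></html>
EOF
}

# Constructed sample: 404 answered by JIRA's embedded Crowd itself.
sample_direct_404() {
cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
X-Embedded-Crowd-Version: JIRA/7.1.7
X-Crowd-User-Management-Version: 1.4
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><reason>MEMBERSHIP_NOT_FOUND</reason><message>The child entity &lt;foo&gt; is not a member of the parent &lt;developers&gt;</message></error>
EOF
}

sample_proxied_404 | classify_crowd_response   # not-crowd status=404
sample_direct_404  | classify_crowd_response   # crowd status=404 reason=MEMBERSHIP_NOT_FOUND
```

Against a live instance, pipe the output of `curl -s -D-` for the membership URL into the function; `not-crowd` together with a 404 for a user who is not in the group is the signature of `ProxyErrorOverride On` described above.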

    cyrilburd@gmail.com (JIRA)

    Jun 14, 2018, 8:56:02 AM
    to jenkinsc...@googlegroups.com

    zlei.huang@gmail.com (JIRA)

    Jun 14, 2018, 9:23:01 PM
    to jenkinsc...@googlegroups.com

    Cyril Burd You’re welcome 
    Have you solved the problem? I'd close this issue since Crowd2 plugin works as expected.

    cyrilburd@gmail.com (JIRA)

    Jun 15, 2018, 4:44:01 AM
    to jenkinsc...@googlegroups.com

    I have not tested it yet, but I guess you can close the ticket. Thanks again.

    zlei.huang@gmail.com (JIRA)

    Jun 15, 2018, 5:28:02 AM
    to jenkinsc...@googlegroups.com
    Zhenlei Huang resolved as Not A Defect
     

    Cyril Burd

    Change By: Zhenlei Huang
    Status: Open → Resolved
    Resolution: Not A Defect

    mail@martinspielmann.de (JIRA)

    Jun 17, 2018, 5:35:02 AM
    to jenkinsc...@googlegroups.com

    mail@martinspielmann.de (JIRA)

    Jun 17, 2018, 5:35:02 AM
    to jenkinsc...@googlegroups.com
    Martin Spielmann closed an issue as Not A Defect
    Change By: Martin Spielmann
    Status: Resolved → Closed

    mail@pascalhofmann.de (JIRA)

    Jul 5, 2019, 9:07:02 AM
    to jenkinsc...@googlegroups.com
    Pascal Hofmann commented on Bug JENKINS-47839
     
    Re: crowd2 Jenkins plugin crashes if user not found

    I just ran into the same problem.

     

    Zhenlei Huang: I guess this is the RFC that you are referring to?

    "A proxy MUST forward unrecognized header fields[…]"
    https://tools.ietf.org/html/rfc7230#section-3.2.1

     

    This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

    zlei.huang@gmail.com (JIRA)

    Jul 7, 2019, 10:28:02 PM
    to jenkinsc...@googlegroups.com

    Pascal Hofmann There's no more detailed info that can help me figure out the problem you encounter. But I guess there are probably bad proxies between your Jenkins instance and JIRA/Crowd.

    I'd suggest debugging the REST API response using curl / postman before further investigation.

    For the RFC, yes, exactly.


    "A proxy MUST forward unrecognized header fields[…]"
