[JIRA] (JENKINS-59840) NullPointerException when activating the plugin

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan created an issue

Jenkins / JENKINS-59840 NullPointerException when activating the plugin Issue Type: Bug Assignee: Tomas Westling Attachments: stacktrace.txt Components: kerberos-sso-plugin Created: 2019-10-18 08:52 Environment: Jenkins 2.176.4 kerberos-sso 1.6 Priority: Minor Reporter: Stefan While updating from kerberos-sso 1.4 to 1.6 we encountered a NPE when activating the plugin: java.lang.NullPointerException at org.codelibs.spnego.SpnegoFilterConfig.doClientModule(SpnegoFilterConfig.java:179) at org.codelibs.spnego.SpnegoFilterConfig.<init>(SpnegoFilterConfig.java:138) Version 1.5 works, and after git bisecting 1.5..1.6 I found the problematic commit to be 9a3cffe: "Add support for JCasC" Looking at SpnegoFilterConfig.java:179 (specified as v1.0.1 in kerberos-sso's pom) // we only expect one entry final AppConfigurationEntry entry = config.getAppConfigurationEntry(moduleName)[0]; There is no changelog entry for 1.6 on the wiki, and I can not find a difference between the provided login.conf and ours, besides principal and keytab filename.   Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[tomas.westling@axis.com (JIRA)]

Tomas Westling assigned an issue to Oliver Gondža

Jenkins / JENKINS-59840 NullPointerException when activating the plugin

Change By: Tomas Westling Assignee: Tomas Westling Oliver Gondža

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža commented on JENKINS-59840

Re: NullPointerException when activating the plugin Stefan, can you be more specific what are the circumstances? I presume you have upgraded pre-configured instance when this happened (you have not used JCasC nor configured it from scratch, right?). What is the content of kerberos-sso.xml? It appears some key of the spnego config map is null, but the library is not telling us which one ...

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan updated an issue

Jenkins / JENKINS-59840

NullPointerException when activating the plugin

Change By: Stefan Attachment: kerberos.conf Attachment: kerberos-sso.xml

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan commented on JENKINS-59840

Re: NullPointerException when activating the plugin I have attached both, the login.conf (called kerberos.conf) and kerberos-sso.xml. HOST, DOMAIN and REALM have been replaced by placeholders. As has the password, which is unused. Initially this was a pre-configured installation, with an existing kerberos-sso.xml. JCasC is not used. However I can also reproduce this stacktrace by deleting kerberos-sso.xml and trying to activate the plugin with 9a3cffe and 1.6. In both cases, no kerberos-sso.xml is generated. I'll try to setup this plugin via JCasC, as that would be a workaround for us.

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan updated an issue

Jenkins / JENKINS-59840

NullPointerException when activating the plugin

Change By: Stefan Attachment: jenkins.yaml

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan commented on JENKINS-59840

Re: NullPointerException when activating the plugin With the attached jenkins.yaml CasC file, I can enable the kerberos-sso 1.6 plugin. After that has happened, I am also able to dis-/reen-able the plugin via the UI. I think I saw redirectEnabled: to be displayed as true by the UI, but I have not been able to reproduce this.

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža commented on JENKINS-59840

Re: NullPointerException when activating the plugin

Stefan, I have failed to reproduce this using same Jenkins version and your `.conf` and `.xml`. I am not aware of any recent changes around the actual spnego configuration and library version have not changed for sure. Can you retry with assertions enabled (-ea added as JVM argument)? The spnego library is relying on assertions to check the config sanity apparently, so we can get some actual diagnostics (which are otherwise hidden in production) this way. https://github.com/codelibs/spnego/blob/spnego-1.0.1/src/main/java/org/codelibs/spnego/SpnegoFilterConfig.java#L117 https://github.com/codelibs/spnego/blob/spnego-1.0.1/src/main/java/org/codelibs/spnego/SpnegoFilterConfig.java#L169

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan updated an issue

Jenkins / JENKINS-59840

NullPointerException when activating the plugin

Change By: Stefan Attachment: assert.txt

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan commented on JENKINS-59840

Re: NullPointerException when activating the plugin With asserts on, I am seeing: java.lang.IllegalArgumentException: The client module name was not found in the login file: spnego-client at org.codelibs.spnego.SpnegoFilterConfig.moduleExists(SpnegoFilterConfig.java:383) at org.codelibs.spnego.SpnegoFilterConfig.doClientModule(SpnegoFilterConfig.java:169) ... I unpacked the *.jar files in our jre (java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64) and can see the configured class: # find -name Krb5LoginModule.class ./com/sun/security/auth/module/Krb5LoginModule.class Some other things I have noticed: With 1.6, the file where the plugin saves it's config has been renamed kerberos-sso.xml => com.sonymobile.jenkins.plugins.kerberossso.PluginImpl.xml. I tried any combination of names, both files present/absent but can still only enable the plugin via CasC. With no CasC, plugin installed but deactivated I can see this when strace'ing a freshly started java process: 29455 openat(AT_FDCWD, "/var/lib/jenkins/./kerberos.conf", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOTDIR (Not a directory) 29455 openat(AT_FDCWD, "/tmp/kerberos.conf", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOTDIR (Not a directory) So something tries to open these paths as directory. When I then try to activate the plugin, I can see stats on the config file: 29439 stat("/var/lib/jenkins/kerberos.conf", {st_mode=S_IFREG|0644, st_size=1059, ...}) = 0 29439 stat("/var/lib/jenkins/kerberos.conf", {st_mode=S_IFREG|0644, st_size=1059, ...}) = 0 29439 stat("/var/lib/jenkins/kerberos.conf", {st_mode=S_IFREG|0644, st_size=1059, ...}) = 0 With CasC the order changes and the plugin is enabled: 30937 stat("/var/lib/jenkins/kerberos.conf", <unfinished ...> 30937 stat("/var/lib/jenkins/kerberos.conf", {st_mode=S_IFREG|0644, st_size=1059, ...}) = 0 30937 open("/var/lib/jenkins/kerberos.conf", O_RDONLY <unfinished ...> 30937 openat(AT_FDCWD, "/var/lib/jenkins/./kerberos.conf", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOTDIR (Not a directory) 30937 openat(AT_FDCWD, "/tmp/kerberos.conf", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOTDIR (Not a directory) When I change the name of the login.conf file to foo.conf, the openat() also changes it's parameters:   32823 stat("/var/lib/jenkins/foo.conf", <unfinished ...> 32823 stat("/var/lib/jenkins/foo.conf", {st_mode=S_IFREG|0644, st_size=1059, ...}) = 0 32823 open("/var/lib/jenkins/foo.conf", O_RDONLY) = 685 32823 openat(AT_FDCWD, "/var/lib/jenkins/./foo.conf", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOTDIR (Not a directory)

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža commented on JENKINS-59840

Re: NullPointerException when activating the plugin

Thanks for the assert message. You are likely onto something. The config file path might have been accidentally changed during that migration causing your old config to break. That is certainly something to fix.   The meaningless NPE you got is another thing to improve.   When it comes to the dir opening dance, it is probably some spnego wizardry.

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža commented on JENKINS-59840

Re: NullPointerException when activating the plugin

Proposing config file path fix

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža commented on JENKINS-59840

Re: NullPointerException when activating the plugin

Stefan, even when using the file you provided, I di not get the NPE you have witnessed. I could have been caused by the fact config was essentially reset to defaults and spnego misbehaved this way, but I am convinced. I have proposed a fix to address that and added logging with the effective config that is being passed to spnego.

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan commented on JENKINS-59840

Re: NullPointerException when activating the plugin

Oliver Gondža, thanks. In case you have a pull request or branch on github, I can try and build and test the change here.

Add Comment

[stefan.voelkel.external@knorr-bremse.com (JIRA)]

Stefan commented on JENKINS-59840

Re: NullPointerException when activating the plugin

I just saw that 1.7 was released including #18. Should that fix this issue?

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža updated an issue

Jenkins / JENKINS-59840

NullPointerException when activating the plugin

Change By: Oliver Gondža Priority: Minor Major

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža commented on JENKINS-59840

Re: NullPointerException when activating the plugin Stefan, My apology for not waiting for your confirmation. Yes, this is expected to resolve that issue.

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža edited a comment on JENKINS-59840

Re: NullPointerException when activating the plugin

[~stefan_kb], even when using the file you provided, I di did not get the NPE you have witnessed. I could have been caused by the fact config was essentially reset to defaults and spnego misbehaved this way, but I am not convinced. I have proposed a fix to address that and added logging with the effective config that is being passed to spnego.

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža edited a comment on JENKINS-59840

Re: NullPointerException when activating the plugin

[~stefan_kb], My apology for not waiting for your confirmation. Yes, this is expected to resolve that the issue with config lost . The NPE will either go away as well or we will have better diagnostics.

Add Comment

[ogondza@gmail.com (JIRA)]

Oliver Gondža resolved as Fixed

Jenkins / JENKINS-59840

NullPointerException when activating the plugin

Change By: Oliver Gondža Status: Open Resolved Resolution: Fixed Released As: 1.7

Add Comment