Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-49682

Blue Ocean - hangs after selecting github organization

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: In Review (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: blueocean-plugin
    • Environment:
    • Similar Issues:
    • Sprint:
      Blue Ocean - Candidates, Blue Ocean 1.6 - beta 2

      Description

      I am attempting to link a github repository from my company to Blue Ocean.  Note that I have my personal github and repositories for the company I work for (see blueocean hang.png).  When I get to the "Which organization does the repository belong to", if I just click my personal one it shows all my repositories with no problem.  If I select my work organization, it hangs on the next step (see blueocean hang.png screenshot).  I've attached the jenkins.log file which shows the following error: "Github accessToken does not have required scopes. Expected scopes 'user:email, repo'"

       

      But if you look at the blueocean github token.png, you'll see the appropriate scope is set.  Also I have no problem if I select my personal "organization".

       

      Any help would be much appreciated.

        Attachments

        1. blueocean github token.png
          blueocean github token.png
          31 kB
        2. blueocean hang.png
          blueocean hang.png
          45 kB
        3. har.txt
          10 kB
        4. var-log-jenkins-jenkins.log
          10 kB

          Activity

          Hide
          vivek Vivek Pandey added a comment -

          Alex Kravetz,

          Glad you found the problem.

          > I am happy to contribute this bug fix.

          That will be awesome.

          > Where should I implement the error checking? Is it githubscm::connect?

          Code at https://github.com/jenkinsci/blueocean-plugin/blob/4201a1ac9675e6ecf752c83e449d46682d386b34/blueocean-github-pipeline/src/main/java/io/jenkins/blueocean/blueocean_github_pipeline/GithubScm.java#L307 sends back 428 (precondition required) when 403 error is received. The generic message `Github accessToken does not have required scopes. Expected scopes 'user:email, repo'` is unclear given it could be github enterprise integrated with different auth systems, like SAML in your case. Please open a PR with your fix, it will be great to get your contribution!

          As mentioned in my previous comment, front end code throws error in the absence of repoData.repositories field. It should do it only if its 200 response.

          Show
          vivek Vivek Pandey added a comment - Alex Kravetz , Glad you found the problem. > I am happy to contribute this bug fix. That will be awesome. > Where should I implement the error checking? Is it githubscm::connect? Code at https://github.com/jenkinsci/blueocean-plugin/blob/4201a1ac9675e6ecf752c83e449d46682d386b34/blueocean-github-pipeline/src/main/java/io/jenkins/blueocean/blueocean_github_pipeline/GithubScm.java#L307 sends back 428 (precondition required) when 403 error is received. The generic message `Github accessToken does not have required scopes. Expected scopes 'user:email, repo'` is unclear given it could be github enterprise integrated with different auth systems, like SAML in your case. Please open a PR with your fix, it will be great to get your contribution! As mentioned in my previous comment, front end code throws error in the absence of repoData.repositories field. It should do it only if its 200 response.
          Hide
          akravetz Alex Kravetz added a comment -

          Vivek Pandey,

          Thank you this is very helpful.  The curl request you was successful and returned my profile info.  I then tried the repo list api via curl:

          curl -v -H 'Authorization: token XXX' https://api.github.com/orgs/my_employer/repos 

          This is where I get a 403 error and the following JSON:

          {
           "message": "Resource protected by organization SAML enforcement. You must grant your personal token access to this organization.",
           "documentation_url": "https://help.github.com/articles/authorizing-a-personal-access-token-for-use-with-a-saml-single-sign-on-organization"
          }

          This was my mistake - we use federated authentication and I hadn't granted access to the org via the SSO button in github.  After granting that authorization, everything worked just fine.  This is obviously a user error, but a more useful error message would be helpful.  I am happy to contribute this bug fix.  Where should I implement the error checking?  Is it githubscm::connect?

           

          Thank you, Alex.

          Show
          akravetz Alex Kravetz added a comment - Vivek Pandey , Thank you this is very helpful.  The curl request you was successful and returned my profile info.  I then tried the repo list api via curl: curl -v -H 'Authorization: token XXX' https: //api.github.com/orgs/my_employer/repos  This is where I get a 403 error and the following JSON: { "message" : "Resource protected by organization SAML enforcement. You must grant your personal token access to this organization." , "documentation_url" : "https: //help.github.com/articles/authorizing-a-personal-access-token- for -use-with-a-saml-single-sign-on-organization" } This was my mistake - we use federated authentication and I hadn't granted access to the org via the SSO button in github.  After granting that authorization, everything worked just fine.  This is obviously a user error, but a more useful error message would be helpful.  I am happy to contribute this bug fix.  Where should I implement the error checking?  Is it githubscm::connect?   Thank you, Alex.
          Hide
          vivek Vivek Pandey added a comment -

          Alex Kravetz Thanks for providing logs/har file. It helped me understand whats going on. There is 403 error reported by github during access token validation. We call:

          curl -v -H 'Authorization: token XXXXX'  https://api.github.com/user
          

          Reported error:

          Caused by: io.jenkins.blueocean.commons.ServiceException$PreconditionRequired: Github accessToken does not have required scopes. Expected scopes 'user:email, repo'
            at io.jenkins.blueocean.blueocean_github_pipeline.GithubScm.connect(GithubScm.java:307)
            at io.jenkins.blueocean.blueocean_github_pipeline.GithubRepositories.<init>(GithubRepositories.java:62)
            at io.jenkins.blueocean.blueocean_github_pipeline.GithubRespositoryContainer.getRepositories(GithubRespositoryContainer.java:46)
            at io.jenkins.blueocean.commons.stapler.export.MethodProperty.getValue(MethodProperty.java:72)
          

          For some reason, github reporting 403. Is it possible there is mix of access token?

          Can you Try the above curl with the access token you entered when you created github pipeline in blueocean for the first time? To be sure, you can delete the existing credential tied to github access token (credential id 'github') and try creating new pipeline and entered the access token with right github scope. You can delete github credential generated by blueocean by clicking on your username on top right side then click on Credentials and look for 'github' credential.

          BTW, the hang in UI is because UI not able to handle error condition. Its expecting repoData.repositories to be always non-null (TypeError: Cannot read property 'items' of undefined): https://github.com/jenkinsci/blueocean-plugin/blob/e8cc816f2e8ce3b8a1718c41297df3cca0b9970f/blueocean-dashboard/src/main/js/creation/github/GithubFlowManager.js#L244.

          The bug seems to have a bug where it returns 200 when the exception thrown is 403: https://github.com/jenkinsci/blueocean-plugin/blob/4201a1ac9675e6ecf752c83e449d46682d386b34/blueocean-github-pipeline/src/main/java/io/jenkins/blueocean/blueocean_github_pipeline/GithubScm.java#L307.

          Show
          vivek Vivek Pandey added a comment - Alex Kravetz Thanks for providing logs/har file. It helped me understand whats going on. There is 403 error reported by github during access token validation. We call: curl -v -H 'Authorization: token XXXXX' https: //api.github.com/user Reported error: Caused by: io.jenkins.blueocean.commons.ServiceException$PreconditionRequired: Github accessToken does not have required scopes. Expected scopes 'user:email, repo' at io.jenkins.blueocean.blueocean_github_pipeline.GithubScm.connect(GithubScm.java:307) at io.jenkins.blueocean.blueocean_github_pipeline.GithubRepositories.<init>(GithubRepositories.java:62) at io.jenkins.blueocean.blueocean_github_pipeline.GithubRespositoryContainer.getRepositories(GithubRespositoryContainer.java:46) at io.jenkins.blueocean.commons.stapler.export.MethodProperty.getValue(MethodProperty.java:72) For some reason, github reporting 403. Is it possible there is mix of access token? Can you Try the above curl with the access token you entered when you created github pipeline in blueocean for the first time? To be sure, you can delete the existing credential tied to github access token (credential id 'github') and try creating new pipeline and entered the access token with right github scope. You can delete github credential generated by blueocean by clicking on your username on top right side then click on Credentials and look for 'github' credential. BTW, the hang in UI is because UI not able to handle error condition. Its expecting repoData.repositories to be always non-null (TypeError: Cannot read property 'items' of undefined): https://github.com/jenkinsci/blueocean-plugin/blob/e8cc816f2e8ce3b8a1718c41297df3cca0b9970f/blueocean-dashboard/src/main/js/creation/github/GithubFlowManager.js#L244 . The bug seems to have a bug where it returns 200 when the exception thrown is 403: https://github.com/jenkinsci/blueocean-plugin/blob/4201a1ac9675e6ecf752c83e449d46682d386b34/blueocean-github-pipeline/src/main/java/io/jenkins/blueocean/blueocean_github_pipeline/GithubScm.java#L307 .
          Hide
          akravetz Alex Kravetz added a comment -

          HAR attached: har.txt

          From the browser console:

          blueocean-core-js.js:2963 Browser configuration of @jenkins-cd/logging is explained at https://tfennelly.github.io/jenkins-js-logging/index.html#browser-config
          jenkins-js-extension.js:117367 TypeError: Cannot read property 'items' of undefined
          at GithubFlowManager._updateRepositories (jenkins-js-extension.js:117384)
          at executeAction (jenkins-js-extension.js:57770)
          at GithubFlowManager.res (jenkins-js-extension.js:57742)
          at jenkins-js-extension.js:117365
          at <anonymous>

          Show
          akravetz Alex Kravetz added a comment - HAR attached:  har.txt From the browser console: blueocean-core-js.js:2963 Browser configuration of @jenkins-cd/logging is explained at https://tfennelly.github.io/jenkins-js-logging/index.html#browser-config jenkins-js-extension.js:117367 TypeError: Cannot read property 'items' of undefined at GithubFlowManager._updateRepositories (jenkins-js-extension.js:117384) at executeAction (jenkins-js-extension.js:57770) at GithubFlowManager.res (jenkins-js-extension.js:57742) at jenkins-js-extension.js:117365 at <anonymous>
          Hide
          vivek Vivek Pandey added a comment -

          Can you check browser console for any error? It will also help debug if you can include HAR file. If there are sensitive info then send it directly to me: vpandey at cloudbees.com.

          Show
          vivek Vivek Pandey added a comment - Can you check browser console for any error? It will also help debug if you can include HAR file. If there are sensitive info then send it directly to me: vpandey at cloudbees.com.

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            akravetz Alex Kravetz
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: