Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-65007

Resource not accessible by integration error authenticating with GitHub app with the wrong owner

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Labels:
      None
    • Environment:
      GitHub Enterprise 2.22.6
      github-branch-source-plugin 2.10.2 and 8093b3d
    • Similar Issues:

      Description

      GitHub app authentication working in one organization, when app is installed to a second organization and a job added to Jenkins the repository scanning for that job throws errors

      Error while processing pull request 1
      java.io.FileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission
      	at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$OkHttpURLConnection.getInputStream(ObsoleteUrlFactory.java:490)
      	at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$DelegatingHttpsURLConnection.getInputStream(ObsoleteUrlFactory.java:1204)
      	at org.kohsuke.github.GitHubHttpUrlConnectionClient$HttpURLConnectionResponseInfo.bodyStream(GitHubHttpUrlConnectionClient.java:196)
      	at org.kohsuke.github.GitHubResponse$ResponseInfo.getBodyAsString(GitHubResponse.java:314)
      	at org.kohsuke.github.GitHubResponse.parseBody(GitHubResponse.java:92)
      	at org.kohsuke.github.Requester.lambda$fetch$1(Requester.java:76)
      	at org.kohsuke.github.GitHubClient.createResponse(GitHubClient.java:455)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:406)
      Caused: org.kohsuke.github.GHFileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/enterprise/2.22/rest/reference/repos#get-repository-permissions-for-a-user"}
      	at org.kohsuke.github.GitHubClient.interpretApiError(GitHubClient.java:486)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:414)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:358)
      	at org.kohsuke.github.Requester.fetch(Requester.java:76)
      	at org.kohsuke.github.GHRepository.getPermission(GHRepository.java:948)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$1.fetch(GitHubSCMSource.java:987)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSourceRequest.getPermissions(GitHubSCMSourceRequest.java:476)
      	at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:356)
      	at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:339)
      	at jenkins.scm.api.trait.SCMHeadAuthority.isTrusted(SCMHeadAuthority.java:101)
      	at jenkins.scm.api.trait.SCMSourceRequest.isTrusted(SCMSourceRequest.java:213)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1202)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1196)
      	at jenkins.scm.api.trait.SCMSourceRequest.process(SCMSourceRequest.java:339)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrievePullRequest(GitHubSCMSource.java:1192)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1040)
      	at jenkins.scm.api.SCMSource._retrieve(SCMSource.java:373)
      	at jenkins.scm.api.SCMSource.fetch(SCMSource.java:283)
      	at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:641)
      	at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:278)
      	at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:165)
      	at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1032)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:429)
      

      What happens is that Jenkins is either using the token cached for a credential that has no owner set, or the owner is set to a different organization.

      In the latter case it is picking the wrong appInstallation here
      https://github.com/jenkinsci/github-branch-source-plugin/blob/b4206a9/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L210-L218

        Attachments

          Issue Links

            Activity

            Hide
            csanchez Carlos Sanchez added a comment -

            This is related to JENKINS-65006, with same workaround, have 2 credentials that are the same but with owner set to each organization

            Show
            csanchez Carlos Sanchez added a comment - This is related to JENKINS-65006 , with same workaround, have 2 credentials that are the same but with owner set to each organization

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              csanchez Carlos Sanchez
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated: