Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-65007

Resource not accessible by integration error authenticating with GitHub app with the wrong owner

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • github-branch-source-plugin
    • None
    • GitHub Enterprise 2.22.6
      github-branch-source-plugin 2.10.2 and 8093b3d

      GitHub app authentication working in one organization, when app is installed to a second organization and a job added to Jenkins the repository scanning for that job throws errors

      Error while processing pull request 1
java.io.FileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission
	at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$OkHttpURLConnection.getInputStream(ObsoleteUrlFactory.java:490)
	at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$DelegatingHttpsURLConnection.getInputStream(ObsoleteUrlFactory.java:1204)
	at org.kohsuke.github.GitHubHttpUrlConnectionClient$HttpURLConnectionResponseInfo.bodyStream(GitHubHttpUrlConnectionClient.java:196)
	at org.kohsuke.github.GitHubResponse$ResponseInfo.getBodyAsString(GitHubResponse.java:314)
	at org.kohsuke.github.GitHubResponse.parseBody(GitHubResponse.java:92)
	at org.kohsuke.github.Requester.lambda$fetch$1(Requester.java:76)
	at org.kohsuke.github.GitHubClient.createResponse(GitHubClient.java:455)
	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:406)
Caused: org.kohsuke.github.GHFileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/enterprise/2.22/rest/reference/repos#get-repository-permissions-for-a-user"}
	at org.kohsuke.github.GitHubClient.interpretApiError(GitHubClient.java:486)
	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:414)
	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:358)
	at org.kohsuke.github.Requester.fetch(Requester.java:76)
	at org.kohsuke.github.GHRepository.getPermission(GHRepository.java:948)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$1.fetch(GitHubSCMSource.java:987)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSourceRequest.getPermissions(GitHubSCMSourceRequest.java:476)
	at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:356)
	at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:339)
	at jenkins.scm.api.trait.SCMHeadAuthority.isTrusted(SCMHeadAuthority.java:101)
	at jenkins.scm.api.trait.SCMSourceRequest.isTrusted(SCMSourceRequest.java:213)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1202)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1196)
	at jenkins.scm.api.trait.SCMSourceRequest.process(SCMSourceRequest.java:339)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrievePullRequest(GitHubSCMSource.java:1192)
	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1040)
	at jenkins.scm.api.SCMSource._retrieve(SCMSource.java:373)
	at jenkins.scm.api.SCMSource.fetch(SCMSource.java:283)
	at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:641)
	at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:278)
	at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:165)
	at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1032)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)

      What happens is that Jenkins is either using the token cached for a credential that has no owner set, or the owner is set to a different organization.

      In the latter case it is picking the wrong appInstallation here
      https://github.com/jenkinsci/github-branch-source-plugin/blob/b4206a9/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L210-L218

          [JENKINS-65007] Resource not accessible by integration error authenticating with GitHub app with the wrong owner

          Carlos Sanchez created issue -
          Carlos Sanchez made changes -
          Description Original: GitHub app authentication was working fine until the app was installed to a second organization. Then as tokens expired Jenkins started throwing errors

          {code}
          java.lang.IllegalArgumentException: Couldn't authenticate with GitHub app ID <REDACTED>, has it been installed to your GitHub organisation / user?
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.lambda$generateAppInstallationToken$1(GitHubAppCredentials.java:216)
          at java.util.Optional.orElseThrow(Optional.java:290)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:216)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:269)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.access$300(GitHubAppCredentials.java:47)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:183)
          at org.kohsuke.github.GitHubClient.getEncodedAuthorization(GitHubClient.java:219)
          at org.kohsuke.github.GitHubHttpUrlConnectionClient$HttpURLConnectionResponseInfo.setupConnection(GitHubHttpUrlConnectionClient.java:113)
          at org.kohsuke.github.GitHubHttpUrlConnectionClient.getResponseInfo(GitHubHttpUrlConnectionClient.java:56)
          at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:394)
          at org.kohsuke.github.GitHubClient.getRateLimit(GitHubClient.java:232)
          at org.kohsuke.github.GitHubClient.rateLimit(GitHubClient.java:283)
          at org.kohsuke.github.GitHubRateLimitChecker.checkRateLimit(GitHubRateLimitChecker.java:122)
          at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:392)
          at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:129)
          at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:325)
          at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1195)
          at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:678)
          at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.connect(Connector.java:635)
          at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.access$200(Connector.java:589)
          at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:361)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieveActions(GitHubSCMSource.java:1880)
          at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:848)
          at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:598)
          at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:278)
          at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:165)
          at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1032)
          at hudson.model.ResourceController.execute(ResourceController.java:97)
          at hudson.model.Executor.run(Executor.java:429)

          {code}
          		New: GitHub app authentication working in one organization, when app is installed to a second organization and a job added to Jenkins the repository scanning for that job throws errors

          {code}
          Error while processing pull request 1
          java.io.FileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission
          at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$OkHttpURLConnection.getInputStream(ObsoleteUrlFactory.java:490)
          at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$DelegatingHttpsURLConnection.getInputStream(ObsoleteUrlFactory.java:1204)
          at org.kohsuke.github.GitHubHttpUrlConnectionClient$HttpURLConnectionResponseInfo.bodyStream(GitHubHttpUrlConnectionClient.java:196)
          at org.kohsuke.github.GitHubResponse$ResponseInfo.getBodyAsString(GitHubResponse.java:314)
          at org.kohsuke.github.GitHubResponse.parseBody(GitHubResponse.java:92)
          at org.kohsuke.github.Requester.lambda$fetch$1(Requester.java:76)
          at org.kohsuke.github.GitHubClient.createResponse(GitHubClient.java:455)
          at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:406)
          Caused: org.kohsuke.github.GHFileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/enterprise/2.22/rest/reference/repos#get-repository-permissions-for-a-user"}
          at org.kohsuke.github.GitHubClient.interpretApiError(GitHubClient.java:486)
          at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:414)
          at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:358)
          at org.kohsuke.github.Requester.fetch(Requester.java:76)
          at org.kohsuke.github.GHRepository.getPermission(GHRepository.java:948)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$1.fetch(GitHubSCMSource.java:987)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSourceRequest.getPermissions(GitHubSCMSourceRequest.java:476)
          at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:356)
          at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:339)
          at jenkins.scm.api.trait.SCMHeadAuthority.isTrusted(SCMHeadAuthority.java:101)
          at jenkins.scm.api.trait.SCMSourceRequest.isTrusted(SCMSourceRequest.java:213)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1202)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1196)
          at jenkins.scm.api.trait.SCMSourceRequest.process(SCMSourceRequest.java:339)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrievePullRequest(GitHubSCMSource.java:1192)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1040)
          at jenkins.scm.api.SCMSource._retrieve(SCMSource.java:373)
          at jenkins.scm.api.SCMSource.fetch(SCMSource.java:283)
          at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:641)
          at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:278)
          at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:165)
          at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1032)
          at hudson.model.ResourceController.execute(ResourceController.java:97)
          at hudson.model.Executor.run(Executor.java:429)
          {code}

          What happens is that Jenkins is either using the token cached for a credential that has no owner set, or the owner is set to a different organization.

          In the latter case it is picking the wrong appInstallation here
          https://github.com/jenkinsci/github-branch-source-plugin/blob/b4206a9/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L210-L218

          Carlos Sanchez made changes -
          Link New: This issue is related to JENKINS-65006 [ JENKINS-65006 ]

          Carlos Sanchez added a comment -

          This is related to JENKINS-65006, with same workaround, have 2 credentials that are the same but with owner set to each organization

          Carlos Sanchez added a comment - This is related to JENKINS-65006 , with same workaround, have 2 credentials that are the same but with owner set to each organization
          Carlos Sanchez made changes -
          Link New: This issue is caused by JENKINS-62220 [ JENKINS-62220 ]

          Allan BURDAJEWICZ added a comment -

          Most likely fixed by https://github.com/jenkinsci/github-branch-source-plugin/releases/tag/1628.vb_2f51293cb_78.

          Before this fix, one credentials per Organization needed to be used. Each credentials carrying a different owner.
          With this fix, the Owner can be left blank for multibranch and the owner will be automatically looked up from the context.

          Allan BURDAJEWICZ added a comment - Most likely fixed by https://github.com/jenkinsci/github-branch-source-plugin/releases/tag/1628.vb_2f51293cb_78 . Before this fix, one credentials per Organization needed to be used. Each credentials carrying a different owner. With this fix, the Owner can be left blank for multibranch and the owner will be automatically looked up from the context.

          Greg Swift added a comment -

          For anyone else that stumbles across this researching an issue in Checks but isn't using multiple GitHub Orgs, see https://github.com/jenkinsci/github-checks-plugin/issues/364

          And thanks yall... this is what solved my issue.

          Greg Swift added a comment - For anyone else that stumbles across this researching an issue in Checks but isn't using multiple GitHub Orgs, see https://github.com/jenkinsci/github-checks-plugin/issues/364 And thanks yall... this is what solved my issue.

            Unassigned Unassigned
            csanchez Carlos Sanchez
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: