
Resource not accessible by integration error authenticating with GitHub app with the wrong owner

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • None
    • GitHub Enterprise 2.22.6
      github-branch-source-plugin 2.10.2 and 8093b3d

      GitHub app authentication works in one organization. When the app is installed to a second organization and a job is added to Jenkins, the repository scanning for that job throws errors:

      Error while processing pull request 1
      java.io.FileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission
      	at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$OkHttpURLConnection.getInputStream(ObsoleteUrlFactory.java:490)
      	at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$DelegatingHttpsURLConnection.getInputStream(ObsoleteUrlFactory.java:1204)
      	at org.kohsuke.github.GitHubHttpUrlConnectionClient$HttpURLConnectionResponseInfo.bodyStream(GitHubHttpUrlConnectionClient.java:196)
      	at org.kohsuke.github.GitHubResponse$ResponseInfo.getBodyAsString(GitHubResponse.java:314)
      	at org.kohsuke.github.GitHubResponse.parseBody(GitHubResponse.java:92)
      	at org.kohsuke.github.Requester.lambda$fetch$1(Requester.java:76)
      	at org.kohsuke.github.GitHubClient.createResponse(GitHubClient.java:455)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:406)
      Caused: org.kohsuke.github.GHFileNotFoundException: https://git.example.com/api/v3/repos/SECOND_ORG/EXAMPLE_REPO/collaborators/csanchez/permission {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/enterprise/2.22/rest/reference/repos#get-repository-permissions-for-a-user"}
      	at org.kohsuke.github.GitHubClient.interpretApiError(GitHubClient.java:486)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:414)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:358)
      	at org.kohsuke.github.Requester.fetch(Requester.java:76)
      	at org.kohsuke.github.GHRepository.getPermission(GHRepository.java:948)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$1.fetch(GitHubSCMSource.java:987)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSourceRequest.getPermissions(GitHubSCMSourceRequest.java:476)
      	at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:356)
      	at org.jenkinsci.plugins.github_branch_source.ForkPullRequestDiscoveryTrait$TrustPermission.checkTrusted(ForkPullRequestDiscoveryTrait.java:339)
      	at jenkins.scm.api.trait.SCMHeadAuthority.isTrusted(SCMHeadAuthority.java:101)
      	at jenkins.scm.api.trait.SCMSourceRequest.isTrusted(SCMSourceRequest.java:213)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1202)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource$4.create(GitHubSCMSource.java:1196)
      	at jenkins.scm.api.trait.SCMSourceRequest.process(SCMSourceRequest.java:339)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrievePullRequest(GitHubSCMSource.java:1192)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1040)
      	at jenkins.scm.api.SCMSource._retrieve(SCMSource.java:373)
      	at jenkins.scm.api.SCMSource.fetch(SCMSource.java:283)
      	at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:641)
      	at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:278)
      	at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:165)
      	at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1032)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:429)
      

      What happens is that Jenkins is either using the token cached for a credential that has no owner set, or the owner is set to a different organization.

      In the latter case it is picking the wrong appInstallation here
      https://github.com/jenkinsci/github-branch-source-plugin/blob/b4206a9/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L210-L218
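
The two failure modes described above (a token cached for a credential with no owner, and an installation chosen for the wrong owner) can be modelled in a few lines. This is an added example, not the plugin's code: the class, method and record names, the `FIRST_ORG` login, the installation IDs and the fake token string are all constructed for illustration, and it assumes Java 16 or later for `record`.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Hypothetical model of GitHub App installation selection; not the plugin's API.
public class InstallationSelection {
    // One entry per organization/user the app is installed to (constructed shape).
    record Installation(long id, String accountLogin) {}

    // Choose the installation whose account matches the repository owner.
    // Fails closed instead of falling back to "the first installation".
    static Installation select(List<Installation> installations, String owner) {
        if (owner == null || owner.isBlank()) {
            // An unset owner is only unambiguous when there is exactly one installation.
            if (installations.size() == 1) return installations.get(0);
            throw new IllegalArgumentException(
                "owner must be set: app has " + installations.size() + " installations");
        }
        return installations.stream()
            .filter(i -> i.accountLogin().equalsIgnoreCase(owner)) // logins are case-insensitive
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException(
                "app is not installed for owner " + owner));
    }

    // Cache keyed by app ID AND owner, so a token minted for one
    // organization is never served for a repository in another.
    static final Map<String, String> TOKEN_CACHE = new HashMap<>();

    static String tokenFor(String appId, String repoOwner, List<Installation> installations) {
        Installation inst = select(installations, repoOwner);
        String key = appId + "/" + inst.accountLogin().toLowerCase(Locale.ROOT);
        // Stand-in for the real installation-token request.
        return TOKEN_CACHE.computeIfAbsent(key, k -> "token-for-installation-" + inst.id());
    }

    public static void main(String[] args) {
        // Constructed sample data: the same app installed to two organizations.
        List<Installation> installs = List.of(
            new Installation(1, "FIRST_ORG"), new Installation(2, "SECOND_ORG"));
        System.out.println(tokenFor("42", "FIRST_ORG", installs));
        System.out.println(tokenFor("42", "SECOND_ORG", installs));
        try {
            tokenFor("42", null, installs); // ambiguous: no owner, two installations
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With an owner-less cache key, the second call would have returned the token minted for `FIRST_ORG`, which is the condition under which GitHub answers "Resource not accessible by integration" for a `SECOND_ORG` repository.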

          [JENKINS-65007] Resource not accessible by integration error authenticating with GitHub app with the wrong owner

          Carlos Sanchez created issue -
          Carlos Sanchez made changes -
          Description Original: GitHub app authentication was working fine until the app was installed to a second organization. Then as tokens expired Jenkins started throwing errors

          {code}
          java.lang.IllegalArgumentException: Couldn't authenticate with GitHub app ID <REDACTED>, has it been installed to your GitHub organisation / user?
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.lambda$generateAppInstallationToken$1(GitHubAppCredentials.java:216)
          at java.util.Optional.orElseThrow(Optional.java:290)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:216)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:269)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.access$300(GitHubAppCredentials.java:47)
          at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:183)
          at org.kohsuke.github.GitHubClient.getEncodedAuthorization(GitHubClient.java:219)
          at org.kohsuke.github.GitHubHttpUrlConnectionClient$HttpURLConnectionResponseInfo.setupConnection(GitHubHttpUrlConnectionClient.java:113)
          at org.kohsuke.github.GitHubHttpUrlConnectionClient.getResponseInfo(GitHubHttpUrlConnectionClient.java:56)
          at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:394)
          at org.kohsuke.github.GitHubClient.getRateLimit(GitHubClient.java:232)
          at org.kohsuke.github.GitHubClient.rateLimit(GitHubClient.java:283)
          at org.kohsuke.github.GitHubRateLimitChecker.checkRateLimit(GitHubRateLimitChecker.java:122)
          at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:392)
          at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:129)
          at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:325)
          at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1195)
          at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:678)
          at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.connect(Connector.java:635)
          at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.access$200(Connector.java:589)
          at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:361)
          at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieveActions(GitHubSCMSource.java:1880)
          at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:848)
          at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:598)
          at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:278)
          at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:165)
          at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1032)
          at hudson.model.ResourceController.execute(ResourceController.java:97)
          at hudson.model.Executor.run(Executor.java:429)

          {code}
          New: GitHub app authentication working in one organization, when app is installed to a second organization and a job added to Jenkins the repository scanning for that job throws errors


          Carlos Sanchez made changes -
          Link New: This issue is related to JENKINS-65006 [ JENKINS-65006 ]
          Carlos Sanchez made changes -
          Link New: This issue is caused by JENKINS-62220 [ JENKINS-62220 ]

            Assignee: Unassigned
            Reporter: Carlos Sanchez (csanchez)