JENKINS-74970

Could not send notifications to Bitbucket Server, when access to source repository of pull request is not granted

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Jenkins 2.479.2
      Bitbucket Branch Source plugin 933.v7119e94e8f56
      Bitbucket Server 7

      The Bitbucket Branch Source plugin version 930.ve6a_885b_3558f or later is unable to send build status notifications to Bitbucket Server, when Jenkins is building a pull request from a fork, and read access to the source repository of the PR has not been granted in Bitbucket. (If read access to the target repository of the PR had not been granted, then Jenkins would not even know about the PR.) This error did not occur in Bitbucket Branch Source 922.va_71d0e0b_7b_8d.

      The Jenkins console log shows:

      [Bitbucket] Notifying pull request build result
      ERROR: Could not send notifications
      com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException: HTTP request error. Status: 401: .
      HttpResponseProxy{HTTP/1.1 401  [X-AREQUESTID: @1NS3KNXx914x317527x0, X-AUSERID: [REDACTED], X-AUSERNAME: [REDACTED], Cache-Control: no-cache, no-transform, Vary: x-ausername,x-auserid,cookie,accept-encoding, X-Content-Type-Options: nosniff, WWW-Authenticate: OAuth realm="https%3A%2F%2Fbitbucket.[REDACTED]", Content-Type: application/json;charset=UTF-8, Transfer-Encoding: chunked, Date: Mon, 09 Dec 2024 13:14:04 GMT, Keep-Alive: timeout=20, Connection: keep-alive] org.apache.http.client.entity.DecompressingEntity@28ea3beb}
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.server.client.BitbucketServerAPIClient.doRequest(BitbucketServerAPIClient.java:1097)
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.server.client.BitbucketServerAPIClient.postRequest(BitbucketServerAPIClient.java:1078)
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.server.client.BitbucketServerAPIClient.postRequest(BitbucketServerAPIClient.java:1074)
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.server.client.BitbucketServerAPIClient.postBuildStatus(BitbucketServerAPIClient.java:521)
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.BitbucketChangesetCommentNotifier.buildStatus(BitbucketChangesetCommentNotifier.java:50)
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.BitbucketBuildStatusNotifications.createStatus(BitbucketBuildStatusNotifications.java:173)
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.BitbucketBuildStatusNotifications.sendNotifications(BitbucketBuildStatusNotifications.java:237)
      	at PluginClassLoader for cloudbees-bitbucket-branch-source//com.cloudbees.jenkins.plugins.bitbucket.BitbucketBuildStatusNotifications$JobCheckoutListener.onCheckout(BitbucketBuildStatusNotifications.java:296)
      	at PluginClassLoader for workflow-scm-step//org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:182)
      	at PluginClassLoader for workflow-scm-step//org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:101)
      	at PluginClassLoader for workflow-scm-step//org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:88)
      	at PluginClassLoader for workflow-step-api//org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
      	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
      	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
      	at java.base/java.lang.Thread.run(Thread.java:840)
      

      Desired changes:

      • Document the need to grant this access.
      • Make the plugin show which repository it attempted to access, when it gets this HTTP 401 error.


          Kalle Niemitalo added a comment -

          Granting READ access helped.

          I think the plugin should be changed to recognize HTTP status 401 and log a message that shows the specific repository on which it needs access and the user account (or credential ID) that it attempted to use.

          Kalle Niemitalo added a comment -

          Although granting READ access fixes the HTTP 401 error, Bitbucket Server still isn't showing the build statuses for pull requests from forks where I expect:

          • On the "Overview" page of a pull request in the target repository: Shows OK.
          • On the "Commits" page of a pull request in the target repository: Shows OK.
          • On the "Builds" page of a pull request in the target repository: Shows OK.
          • On the "Pull requests" page in the target repository: Doesn't show; this makes it more difficult to see which pull requests are ready to be merged.
          • On the "Commits" page in the target repository: Doesn't show.
          • On the "Commits" page in the source repository: Shows OK; but doesn't show build statuses that were made in the target repository.

          Jenkins has been configured to build the source branch of each pull request, plus specific named branches of the target repository.

          Some of this behaviour may be by design, but it doesn't quite fit my previous workflow. I intend to use curl to test the effects of the new build-status API a bit, and then perhaps file a separate issue for Bitbucket Branch Source plugin changes that would make the build statuses more visible.

          Kalle Niemitalo added a comment -

          I intend to use curl to test the effects of the new build-status API a bit, and then perhaps file a separate issue for Bitbucket Branch Source plugin changes that would make the build statuses more visible.

          Filed as JENKINS-75083.

          Nikolas Falco added a comment -

          I'm not sure this is a bug. I mean, "Could not send notifications to Bitbucket Server, when access to source repository of pull request is not granted" is obvious if the user does not grant the right permission. It could be a bug in terms of lack of user documentation, if it does not specify to grant read permission.


          Jan Gałda added a comment -

          Hello kon, any updates on this topic?
          We upgraded the plugin recently and reporting build statuses to BB stopped working.
          It is a bit inconvenient to grant access for a specific user to all forks in the BB organization.


          Nikolas Falco added a comment - - edited

          A build notification is bound to a commit. In this use case the commit is placed in the forked repository.
          As per documentation (https://developer.atlassian.com/server/bitbucket/rest/v905/api-group-builds-and-deployments/#api-api-latest-projects-projectkey-repos-repositoryslug-commits-commitid-builds-post)

          The authenticated user must have REPO_READ permission for the repository that this build status is for. The request can also be made with anonymous 2-legged OAuth.

          There is no workaround to use this API.


          Jan Gałda added a comment -

          Hi nfalco,

          Thanks for the response. Can you please double check the code changed in the 930.ve6a_885b_3558f release?

          Reporting statuses worked before this version, so I expect an unintended change was committed.

          I tried the REST API, and after you open a PR, the commit from the fork repository is available in the "main" repository.

          First, I created a fork of the repository and pushed commit <commit-id> there.

          I used another user with write access to the main repository but no access to the forked one. I sent the following requests:

          • rest/api/latest/projects/<main-project>/repos/<repository>/commits/<commit-id> - responds with 404 (commit not found)
          • rest/api/latest/projects/<forked-project>/repos/<repository>/commits/<commit-id> - responds with 401 (unauthorized)

          But then, I opened a PR from the forked repository to main and sent the requests once again:

          • rest/api/latest/projects/<main-project>/repos/<repository>/commits/<commit-id> - responds with 200 - commit available
          • rest/api/latest/projects/<forked-project>/repos/<repository>/commits/<commit-id> - responds with 401 (unauthorized)

          What I suspect is that some request flow changed in the 930.ve6a_885b_3558f release and now the plugin sends a REST request to the forked URL instead of the main URL.

          Because granting read access to the forked repository fixes the reporting problem, I expect the change in URL was in a GET request, not a POST one.

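          The commit probe from the comment above, combined with the diagnostic the issue description asks for (name the repository and the credential on HTTP 401), as an added example that is not code from the plugin or from any commenter. Assumptions: the PR JSON field names follow Bitbucket Server's pull-request REST resource, authentication uses a bearer HTTP access token, and the base URL, the credential ID `bb-svc`, the project keys and the sample PR are constructed.

```python
import urllib.error
import urllib.request

# Commit endpoint used in the thread; reading it requires access to that repository.
API = "rest/api/latest/projects/{project}/repos/{slug}/commits/{commit}"

def commit_urls(base_url, pr):
    """Map 'source'/'target' to (PROJECT/slug, commit URL) for the PR head commit."""
    commit = pr["fromRef"]["latestCommit"]
    urls = {}
    for role, ref in (("source", "fromRef"), ("target", "toRef")):
        repo = pr[ref]["repository"]
        name = f'{repo["project"]["key"]}/{repo["slug"]}'
        urls[role] = (name, base_url.rstrip("/") + "/" + API.format(
            project=repo["project"]["key"], slug=repo["slug"], commit=commit))
    return urls

def http_status(url, token):
    """Real probe: GET url with a bearer token (assumed auth scheme), return the status."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def diagnose(base_url, pr, credential_id, probe):
    """List each side of the PR where the credential gets the 401 seen in the log."""
    findings = []
    for role, (name, url) in commit_urls(base_url, pr).items():
        if probe(url) == 401:
            findings.append(f"{role} repository {name}: HTTP 401 for credential "
                            f"'{credential_id}'; grant it read access on {name}")
    return findings

# Constructed sample: a PR from a fork in project DEVFORK into MAIN/app.
SAMPLE_PR = {
    "fromRef": {"latestCommit": "0a1b2c3", "repository": {"slug": "app", "project": {"key": "DEVFORK"}}},
    "toRef": {"repository": {"slug": "app", "project": {"key": "MAIN"}}},
}

def fake_probe(url):
    """Constructed stand-in for http_status: only the fork is unreadable."""
    return 401 if "/projects/DEVFORK/" in url else 200

if __name__ == "__main__":
    for line in diagnose("https://bitbucket.example", SAMPLE_PR, "bb-svc", fake_probe):
        print(line)
```

          Against a real server, pass `lambda url: http_status(url, token)` as `probe`, using the same service account that Jenkins is configured with.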

          Nikolas Falco added a comment - - edited

          We changed the build status API from the deprecated one to the new API that supports some other fields (like ref) required to close issues about build status.
          The reason why this issue is still open is to update the user documentation saved in the plugin repository.


          Vitor added a comment -

          I'm having the same problem. I've upgraded my plugin version from 906.vedf430cb_4481 to the latest and all of a sudden the build notifications stopped working because the Bitbucket service account only has permissions on the main repository and not the fork repositories.

          It used to work before (in version 906.vedf430cb_4481) even without granting the service account read permissions on the fork repos. Is it possible to fix it?


          Nikolas Falco added a comment -

          It is not a bug; it's how the new notification endpoint works.


            kon Kalle Niemitalo