Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-42006

REGRESSION: NPE when checking permissions - UserImpl.getPermission

    XMLWordPrintable

    Details

    • Epic Link:
    • Sprint:
      iapetus
    • Similar Issues:

      Description

      Attempting to load: https://ci.blueocean.io/blue/organizations/jenkins/blueocean/activity when logged in:

      Results in the following:
      https://gist.github.com/michaelneale/6c26c9dd8597a1c9a69abb39db92e5ea

      The /activity screen is also a bit slow to load as well.

      Caused by: java.lang.NullPointerException
      	at org.jenkinsci.plugins.GithubAuthenticationToken.getGrantedAuthorities(GithubAuthenticationToken.java:388)
      	at org.jenkinsci.plugins.GithubOAuthUserDetails.getAuthorities(GithubOAuthUserDetails.java:45)
      	at hudson.model.User.impersonate(User.java:317)
      	at io.jenkins.blueocean.service.embedded.rest.UserImpl.getPermission(UserImpl.java:100)
      	at io.jenkins.blueocean.commons.stapler.export.MethodProperty.getValue(MethodProperty.java:72)
      

      Only when logged in.

      where the NPE happens:
      https://github.com/jenkinsci/blueocean-plugin/blob/master/blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/rest/UserImpl.java#L100
      Which is odd, not sure why ti has to impersonate, I am logged in as me... In any case - it only started with this PR: https://github.com/jenkinsci/blueocean-plugin/pull/808/files

      In github oauth plugin:
      https://github.com/jenkinsci/github-oauth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java#L388

      (do not know what is null... but it seems new).

      I wondered if this may be a variant of the https://issues.jenkins-ci.org/browse/JENKINS-40088 WSOD - but I don't think so:

      at io.jenkins.blueocean.commons.stapler.export.Property.safeGetValue(Property.java:152)
      	at io.jenkins.blueocean.commons.stapler.export.Property.writeTo(Property.java:127)
      	at io.jenkins.blueocean.commons.stapler.export.Model.writeNestedObjectTo(Model.java:228)
      	at io.jenkins.blueocean.commons.stapler.export.Model.writeNestedObjectTo(Model.java:224)
      	at io.jenkins.blueocean.commons.stapler.export.Property.writeValue(Property.java:280)
      	at io.jenkins.blueocean.commons.stapler.export.Property.writeValue(Property.java:169)
      

        Attachments

          Activity

          Hide
          vivek Vivek Pandey added a comment -
          Show
          vivek Vivek Pandey added a comment - Opened PR on github-oauth plugin https://github.com/jenkinsci/github-oauth-plugin/pull/76 .
          Hide
          michaelneale Michael Neale added a comment -

          Vivek Pandey yes removing it sounds like the reasonable and conservative approach, but I am not sure I have the full picture.

          Show
          michaelneale Michael Neale added a comment - Vivek Pandey yes removing it sounds like the reasonable and conservative approach, but I am not sure I have the full picture.
          Hide
          vivek Vivek Pandey added a comment -

          Michael NealeJames Dumay
          At present, User API allows fetching other user's permissions. At present it's determine by checking authenticated user's userid with the user id being asked in the API url e.g. /users/:id. If they do not match, and logged in user has admin rights, requested user is impersonated and his permissions are read.

          Its during this impersonation, NPE is happening from github-oauth-plugin. its a bug there, a null check is missing.

          There is also perf implication, however it can happen only if something is calling user API during activities rendering.

          In any case, I don't know if there is use case to serve other user's permission. I propose we remove this feature of returning other user's permission. thoughts?

          Show
          vivek Vivek Pandey added a comment - Michael Neale James Dumay At present, User API allows fetching other user's permissions. At present it's determine by checking authenticated user's userid with the user id being asked in the API url e.g. /users/:id. If they do not match, and logged in user has admin rights, requested user is impersonated and his permissions are read. Its during this impersonation, NPE is happening from github-oauth-plugin. its a bug there, a null check is missing. There is also perf implication, however it can happen only if something is calling user API during activities rendering. In any case, I don't know if there is use case to serve other user's permission. I propose we remove this feature of returning other user's permission. thoughts?

            People

            • Assignee:
              vivek Vivek Pandey
              Reporter:
              michaelneale Michael Neale
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: