BAM-17393 (Bamboo Data Center)

Remote trigger triggers build without checking build permission

      Summary

      • Bamboo runs a build without checking the user's Build permission when:
        • Anonymous user permissions have been disabled, AND
        • logged-in users have only the View permission, AND
        • the user does not have Build permission on the plan

      Steps to Reproduce

      1. Create a group in Bamboo (e.g. bamboo-user)
      2. Create a user in Bamboo (e.g. userA) and add it to the bamboo-user group
        /* get user/group */
        select users.name, groups.groupname
          from users
          join local_members on local_members.userid = users.id
          join groups on groups.id = local_members.groupid
        
        name groupname
        admin bamboo-admin
        userA bamboo-user
        /* global permission */
        select AE.TYPE as TYPE,
               AE.SID as ENTITY,
               AE.MASK as PERMISSION_TYPE
          from ACL_ENTRY as AE
          join ACL_OBJECT_IDENTITY as AOI on AE.ACL_OBJECT_IDENTITY = AOI.ID
         where AOI.OBJECT_ID_CLASS = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
           and AE.TYPE in ('PRINCIPAL','GROUP_PRINCIPAL')
           and AE.MASK = 16;
        
        TYPE ENTITY PERMISSION_TYPE
        GROUP_PRINCIPAL bamboo-admin 16
      3. Create a Project / Plan (e.g. PROJ-PLAN)
      4. Remove the Anonymous users permission under Plan configuration >> Permissions
        /* plan permission */
        select PROJECT.TITLE as PROJECT_TITLE,
               PLAN.TITLE as PLAN_TITLE,
               PLAN.FULL_KEY as PLAN_KEY,
               AE.SID as ENTITY,
               AE.MASK as PERMISSION_TYPE
          from ACL_ENTRY as AE
          join ACL_OBJECT_IDENTITY as AOI on AE.ACL_OBJECT_IDENTITY = AOI.ID
          join BUILD as PLAN on AOI.OBJECT_ID_IDENTITY = PLAN.build_id
          join PROJECT on PLAN.project_id = PROJECT.PROJECT_ID
         where AE.TYPE in ('PRINCIPAL','GROUP_PRINCIPAL')
           and AE.GRANTING = TRUE
           and PLAN.build_type = 'CHAIN'
           and PLAN.FULL_KEY = 'PROJ-PLAN'
         order by PLAN_KEY, ENTITY, PERMISSION_TYPE
        
        PROJECT_TITLE PLAN_TITLE PLAN_KEY ENTITY PERMISSION_TYPE
        Project Plan PROJ-PLAN admin 1
        Project Plan PROJ-PLAN admin 2
        Project Plan PROJ-PLAN admin 16
        Project Plan PROJ-PLAN admin 64
        Project Plan PROJ-PLAN admin 128
      5. Add a Subversion repository under Plan configuration >> Repositories
      6. Add a Remote trigger under Plan configuration >> Triggers
        /* get plan configuration */
        select xml_definition_data
          from build_definition
          join build on build.build_id = build_definition.build_id
         where build.full_key = 'PROJ-PLAN'
        
        <?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <configuration xml:space="preserve">
          <isMergedConfiguration>false</isMergedConfiguration>
          <cleanWorkingDirectory>false</cleanWorkingDirectory>
          <repositoryDefiningWorkingDirectory>0</repositoryDefiningWorkingDirectory>
          <buildStrategies>
            <defined>true</defined>
            <buildStrategy>
              <id>2</id>
              <key>trigger</key>
              <name/>
              <triggeringRepositories>2064385</triggeringRepositories>
              <config>
                <item>
                  <key>bambooDelimiterParsingDisabled</key>
                  <value>true</value>
                </item>
                <item>
                  <key>custom.triggerrCondition.plansGreen.enabled</key>
                  <value>false</value>
                </item>
                <item>
                  <key>repository.change.trigger.triggerIpAddress</key>
                  <value>127.0.0.1</value>
                </item>
              </config>
            </buildStrategy>
          </buildStrategies>
          <triggers>
            <defined>true</defined>
            <triggerDefinition>
              <id>2</id>
              <name>Remote trigger</name>
              <userDescription/>
              <isEnabled>true</isEnabled>
              <pluginKey>com.atlassian.bamboo.triggers.atlassian-bamboo-triggers:remote</pluginKey>
              <triggeringRepositories>2064385</triggeringRepositories>
              <config>
                <item>
                  <key>repository.change.trigger.triggerIpAddress</key>
                  <value>127.0.0.1</value>
                </item>
              </config>
              <conditions>
                <item>
                  <key>custom.triggerrCondition.plansGreen.enabled</key>
                  <value>false</value>
                </item>
              </conditions>
            </triggerDefinition>
          </triggers>
          <branches>
            <branchCreationEnabled>false</branchCreationEnabled>
            <branchRemovalCleanUpEnabled>false</branchRemovalCleanUpEnabled>
            <inactiveBranchCleanupEnabled>false</inactiveBranchCleanupEnabled>
            <matchingPattern>.*</matchingPattern>
            <removalCleanupPeriodInDays>7</removalCleanupPeriodInDays>
            <inactivityInDays>30</inactivityInDays>
            <defaultNotificationStrategy>notifyCommitters</defaultNotificationStrategy>
            <issueLinking>true</issueLinking>
            <monitorPullRequests>false</monitorPullRequests>
            <branchTriggering>inherited</branchTriggering>
          </branches>
          <branches>
            <defaultBranchIntegration>
              <enabled>false</enabled>
            </defaultBranchIntegration>
          </branches>
          <branchIntegration>
            <enabled>false</enabled>
          </branchIntegration>
          <branchConfiguration>
            <cleanup>
              <disabled>false</disabled>
            </cleanup>
            <notificationStrategy>notifyCommitters</notificationStrategy>
          </branchConfiguration>
          <custom>
            <dependencies>
              <triggerForBranches>true</triggerForBranches>
              <trigger>
                <remote>
                  <strategy>None</strategy>
                </remote>
              </trigger>
            </dependencies>
          </custom>
          <bambooDelimiterParsingDisabled>true</bambooDelimiterParsingDisabled>
        </configuration>
        
      7. Add a Source Code Checkout task
        /* get job definition */
        select xml_definition_data
          from build_definition
          join build on build.build_id = build_definition.build_id
         where build.full_key = 'PROJ-PLAN-JOB1'
        
        <?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <configuration xml:space="preserve">
          <isMergedConfiguration>false</isMergedConfiguration>
          <cleanWorkingDirectory>false</cleanWorkingDirectory>
          <repositoryDefiningWorkingDirectory>-1</repositoryDefiningWorkingDirectory>
          <buildTasks>
            <taskDefinition>
              <id>1</id>
              <userDescription/>
              <isEnabled>true</isEnabled>
              <pluginKey>com.atlassian.bamboo.plugins.vcs:task.vcs.checkout</pluginKey>
              <finalising>false</finalising>
              <rootDirectoryType>INHERITED</rootDirectoryType>
              <repositoryDefiningWorkingDir>-1</repositoryDefiningWorkingDir>
              <config>
                <item>
                  <key>cleanCheckout</key>
                  <value>true</value>
                </item>
                <item>
                  <key>selectedRepository_0</key>
                  <value>defaultRepository</value>
                </item>
                <item>
                  <key>checkoutDir_0</key>
                  <value/>
                </item>
              </config>
            </taskDefinition>
          </buildTasks>
          <buildStrategies>
            <defined>true</defined>
          </buildStrategies>
          <triggers>
            <defined>true</defined>
          </triggers>
          <branches>
            <branchCreationEnabled>false</branchCreationEnabled>
            <branchRemovalCleanUpEnabled>false</branchRemovalCleanUpEnabled>
            <inactiveBranchCleanupEnabled>false</inactiveBranchCleanupEnabled>
            <matchingPattern>.*</matchingPattern>
            <removalCleanupPeriodInDays>7</removalCleanupPeriodInDays>
            <inactivityInDays>30</inactivityInDays>
            <defaultNotificationStrategy>notifyCommitters</defaultNotificationStrategy>
            <issueLinking>true</issueLinking>
            <monitorPullRequests>false</monitorPullRequests>
            <branchTriggering>inherited</branchTriggering>
          </branches>
          <branches>
            <defaultBranchIntegration>
              <enabled>false</enabled>
            </defaultBranchIntegration>
          </branches>
          <branchIntegration>
            <enabled>false</enabled>
          </branchIntegration>
          <branchConfiguration>
            <cleanup>
              <disabled>false</disabled>
            </cleanup>
            <notificationStrategy>notifyCommitters</notificationStrategy>
          </branchConfiguration>
          <bambooDelimiterParsingDisabled>true</bambooDelimiterParsingDisabled>
        </configuration>
        
      8. Commit something to the Subversion repository
      9. Run cURL as userA to trigger the build
        curl -u userA:userA -X GET http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN
        

      Expected Results

      The build should not be triggered, because userA lacks Build permission on the plan.

      Actual Results

      The build is triggered, as the following log excerpt shows:

      <bamboo-install>/logs/catalina.out
      2016-03-29 09:15:38,640 INFO [http-nio-8085-exec-13] [AccessLogFilter] userA GET http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN 14976kb
      2016-03-29 09:15:38,668 INFO [10-BAM::PlanExec:pool-17-thread-3] [SvnRepository] Collecting changes for 'PROJ-PLAN' on path 'http://svn.webserver/repositoryA' from version 16 to -1
      2016-03-29 09:15:38,699 INFO [10-BAM::PlanExec:pool-17-thread-3] [ChangeDetectionListenerAction] : Change detection found 1 change for plan PROJ-PLAN
      2016-03-29 09:15:39,013 INFO [10-BAM::PlanExec:pool-17-thread-3] [ChainExecutionManagerImpl] Build PROJ-PLAN-JOB1-2 has been dispatched
      2016-03-29 09:15:39,018 INFO [AtlassianEvent::0-BAM::EVENTS:pool-2-thread-8] [BuildQueueManagerImpl] Attempting to queue Project - Plan - Default Job #14 (PROJ-PLAN-JOB1-2).
      2016-03-29 09:15:39,019 INFO [AtlassianEvent::0-BAM::EVENTS:pool-2-thread-8] [ExecutionPhaseServiceImpl] Project - Plan - Default Job #2 (PROJ-PLAN-JOB1-2) queued
      
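      As an added example (not code from the report or from Atlassian), the following Python check joins the three data sets shown above, the user/group membership rows, the plan ACL rows and the AccessLogFilter lines from catalina.out, and flags every updateAndBuild.action call whose caller holds no Build permission on the requested plan. The sample rows and log lines are constructed from the report's output; the extra bamboo-admin group row is invented to show group resolution; and the ACL bit value used for "Build" (64) is an assumption to verify against your own Bamboo version.

```python
"""Flag remote-trigger calls made by users who lack Build permission on the plan.

Added example, not code from BAM-17393 or from Atlassian. Inputs are constructed
to mirror the users/groups query, the plan-permission query and the
AccessLogFilter lines in catalina.out shown in the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed bit for the Bamboo 'Build' permission in ACL_ENTRY.MASK (assumption, not from the report).
BUILD_PERMISSION_MASK = 64

# Constructed user -> groups mapping, modelled on the users/groups query output.
USER_GROUPS = {
    "admin": {"bamboo-admin"},
    "userA": {"bamboo-user"},
}

# Constructed (plan key, entity, mask) rows modelled on the plan-permission query output.
# The 'bamboo-admin' group row is invented here to exercise group resolution.
PLAN_ACL = [
    ("PROJ-PLAN", "admin", 1),
    ("PROJ-PLAN", "admin", 2),
    ("PROJ-PLAN", "admin", 16),
    ("PROJ-PLAN", "admin", 64),
    ("PROJ-PLAN", "admin", 128),
    ("PROJ-PLAN", "bamboo-admin", 64),
]

# Constructed catalina.out excerpt: the report's userA line plus three other lines.
SAMPLE_LOG = """\
2016-03-29 09:15:38,640 INFO [http-nio-8085-exec-13] [AccessLogFilter] userA GET http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN 14976kb
2016-03-29 09:15:38,668 INFO [10-BAM::PlanExec:pool-17-thread-3] [SvnRepository] Collecting changes for 'PROJ-PLAN' on path 'http://svn.webserver/repositoryA' from version 16 to -1
2016-03-29 09:20:01,102 INFO [http-nio-8085-exec-2] [AccessLogFilter] admin GET http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN 15002kb
2016-03-29 09:21:15,900 INFO [http-nio-8085-exec-4] [AccessLogFilter] userA GET http://localhost:8085/browse/PROJ-PLAN 15010kb
"""

# Matches only AccessLogFilter lines: timestamp, thread, user, HTTP method, URL.
ACCESS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO \[[^\]]+\] "
    r"\[AccessLogFilter\] (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)"
)


def has_build_permission(user, plan_key, acl=PLAN_ACL, groups=USER_GROUPS):
    """True if the user, or any group they belong to, holds the Build bit on the plan."""
    principals = {user} | groups.get(user, set())
    return any(
        key == plan_key and entity in principals and (mask & BUILD_PERMISSION_MASK) != 0
        for key, entity, mask in acl
    )


def find_unauthorized_triggers(log_text, acl=PLAN_ACL, groups=USER_GROUPS):
    """Return (timestamp, user, plan_key) for each remote trigger by a user without Build permission."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not an access-log line
        url = urlsplit(m["url"])
        if not url.path.endswith("/updateAndBuild.action"):
            continue  # some other request, not a remote trigger
        plan_key = parse_qs(url.query).get("buildKey", [None])[0]
        if plan_key and not has_build_permission(m["user"], plan_key, acl, groups):
            findings.append((m["ts"], m["user"], plan_key))
    return findings


if __name__ == "__main__":
    for ts, user, plan in find_unauthorized_triggers(SAMPLE_LOG):
        print(f"{ts} remote trigger of {plan} by {user}, who has no Build permission")
```

      Run against the constructed sample it reports only the userA call from the report; the admin call passes because admin holds the assumed Build bit directly. In a real deployment the two tables would be filled from the SQL queries above rather than hard-coded, and the mask constant must be confirmed before the result is trusted.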

            Martyna Wojtas (Inactive) added a comment - Atlassian Update - 23 June 2020

            Hi,

            Thank you for raising this issue. We regret to inform you that due to limited demand, we have no plans to implement it in the foreseeable future. In order to set expectations, we're closing this request.

            This is an automated update triggered by low user engagement with this suggestion (number of votes, number of watchers).

            Although we're aware the issue is still important to those of you who were involved in the conversations around it, we want to be clear in managing your expectations. The Bamboo team is focusing on issues that have broad impact and high value, reflected by the number of comments, votes, support cases, and customers interested. Please consult the Atlassian Bugfix Policy for more details.

            We understand how disappointing this decision may be but we want to be fully transparent when communicating with our users.

            Atlassian will continue to watch this issue for further updates, so please feel free to share your thoughts in the comments.

            Thank you,

            Bamboo Team

              Assignee: Unassigned
              Reporter: rsperafico Rafael Sperafico (Inactive)
              Affected customers: 1
              Watchers: 4