Bamboo Data Center / BAM-17393

Remote trigger triggers build without checking build permission

      Summary

      • Bamboo runs builds without checking the user's build permission when:
        • Anonymous users' permission has been disabled AND
        • Logged-in users have only View permission AND
        • the user does not have Build permission on the plan

      Steps to Reproduce

      1. create a group in Bamboo (e.g.: bamboo-user)
      2. create a user in Bamboo (e.g.: userA) and add that user to the bamboo-user group
        /* get user/group */
        select users.name, groups.groupname
          from users
          join local_members on local_members.userid = users.id
          join groups on groups.id = local_members.groupid
        
        name   groupname
        admin  bamboo-admin
        userA  bamboo-user
        /* global permission */
        select AE.TYPE as TYPE,
               AE.SID as ENTITY,
               AE.MASK as PERMISSION_TYPE
          from ACL_ENTRY as AE
          join ACL_OBJECT_IDENTITY as AOI on AE.ACL_OBJECT_IDENTITY = AOI.ID
         where AOI.OBJECT_ID_CLASS = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
           and AE.TYPE in ('PRINCIPAL','GROUP_PRINCIPAL')
           and AE.MASK = 16;
        
        TYPE             ENTITY        PERMISSION_TYPE
        GROUP_PRINCIPAL  bamboo-admin  16
      3. create a Project / Plan (e.g.: PROJ-PLAN)
      4. remove Anonymous users permission from Plan configuration >> Permissions
        /* plan permission */
        select PROJECT.TITLE as PROJECT_TITLE,
               PLAN.TITLE as PLAN_TITLE,
               PLAN.FULL_KEY as PLAN_KEY,
               AE.SID as ENTITY,
               AE.MASK as PERMISSION_TYPE
          from ACL_ENTRY as AE
          join ACL_OBJECT_IDENTITY as AOI on AE.ACL_OBJECT_IDENTITY = AOI.ID
          join BUILD as PLAN on AOI.OBJECT_ID_IDENTITY = PLAN.build_id
          join PROJECT on PLAN.project_id = PROJECT.PROJECT_ID
         where AE.TYPE in ('PRINCIPAL','GROUP_PRINCIPAL')
           and AE.GRANTING = TRUE
           and PLAN.build_type = 'CHAIN'
           and PLAN.FULL_KEY = 'PROJ-PLAN'
         order by PLAN_KEY, ENTITY, PERMISSION_TYPE
        
        PROJECT_TITLE  PLAN_TITLE  PLAN_KEY   ENTITY  PERMISSION_TYPE
        Project        Plan        PROJ-PLAN  admin   1
        Project        Plan        PROJ-PLAN  admin   2
        Project        Plan        PROJ-PLAN  admin   16
        Project        Plan        PROJ-PLAN  admin   64
        Project        Plan        PROJ-PLAN  admin   128
      5. add Subversion repository to Plan configuration >> Repositories
      6. add Remote trigger to Plan configuration >> Triggers
        /* get plan configuration */
        select xml_definition_data
          from build_definition
          join build on build.build_id = build_definition.build_id
         where build.full_key = 'PROJ-PLAN'
        
        <?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <configuration xml:space="preserve">
          <isMergedConfiguration>false</isMergedConfiguration>
          <cleanWorkingDirectory>false</cleanWorkingDirectory>
          <repositoryDefiningWorkingDirectory>0</repositoryDefiningWorkingDirectory>
          <buildStrategies>
            <defined>true</defined>
            <buildStrategy>
              <id>2</id>
              <key>trigger</key>
              <name/>
              <triggeringRepositories>2064385</triggeringRepositories>
              <config>
                <item>
                  <key>bambooDelimiterParsingDisabled</key>
                  <value>true</value>
                </item>
                <item>
                  <key>custom.triggerrCondition.plansGreen.enabled</key>
                  <value>false</value>
                </item>
                <item>
                  <key>repository.change.trigger.triggerIpAddress</key>
                  <value>127.0.0.1</value>
                </item>
              </config>
            </buildStrategy>
          </buildStrategies>
          <triggers>
            <defined>true</defined>
            <triggerDefinition>
              <id>2</id>
              <name>Remote trigger</name>
              <userDescription/>
              <isEnabled>true</isEnabled>
              <pluginKey>com.atlassian.bamboo.triggers.atlassian-bamboo-triggers:remote</pluginKey>
              <triggeringRepositories>2064385</triggeringRepositories>
              <config>
                <item>
                  <key>repository.change.trigger.triggerIpAddress</key>
                  <value>127.0.0.1</value>
                </item>
              </config>
              <conditions>
                <item>
                  <key>custom.triggerrCondition.plansGreen.enabled</key>
                  <value>false</value>
                </item>
              </conditions>
            </triggerDefinition>
          </triggers>
          <branches>
            <branchCreationEnabled>false</branchCreationEnabled>
            <branchRemovalCleanUpEnabled>false</branchRemovalCleanUpEnabled>
            <inactiveBranchCleanupEnabled>false</inactiveBranchCleanupEnabled>
            <matchingPattern>.*</matchingPattern>
            <removalCleanupPeriodInDays>7</removalCleanupPeriodInDays>
            <inactivityInDays>30</inactivityInDays>
            <defaultNotificationStrategy>notifyCommitters</defaultNotificationStrategy>
            <issueLinking>true</issueLinking>
            <monitorPullRequests>false</monitorPullRequests>
            <branchTriggering>inherited</branchTriggering>
          </branches>
          <branches>
            <defaultBranchIntegration>
              <enabled>false</enabled>
            </defaultBranchIntegration>
          </branches>
          <branchIntegration>
            <enabled>false</enabled>
          </branchIntegration>
          <branchConfiguration>
            <cleanup>
              <disabled>false</disabled>
            </cleanup>
            <notificationStrategy>notifyCommitters</notificationStrategy>
          </branchConfiguration>
          <custom>
            <dependencies>
              <triggerForBranches>true</triggerForBranches>
              <trigger>
                <remote>
                  <strategy>None</strategy>
                </remote>
              </trigger>
            </dependencies>
          </custom>
          <bambooDelimiterParsingDisabled>true</bambooDelimiterParsingDisabled>
        </configuration>
        
      7. add Source code checkout task
        /* get job definition */
        select xml_definition_data
          from build_definition
          join build on build.build_id = build_definition.build_id
         where build.full_key = 'PROJ-PLAN-JOB1'
        
        <?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <configuration xml:space="preserve">
          <isMergedConfiguration>false</isMergedConfiguration>
          <cleanWorkingDirectory>false</cleanWorkingDirectory>
          <repositoryDefiningWorkingDirectory>-1</repositoryDefiningWorkingDirectory>
          <buildTasks>
            <taskDefinition>
              <id>1</id>
              <userDescription/>
              <isEnabled>true</isEnabled>
              <pluginKey>com.atlassian.bamboo.plugins.vcs:task.vcs.checkout</pluginKey>
              <finalising>false</finalising>
              <rootDirectoryType>INHERITED</rootDirectoryType>
              <repositoryDefiningWorkingDir>-1</repositoryDefiningWorkingDir>
              <config>
                <item>
                  <key>cleanCheckout</key>
                  <value>true</value>
                </item>
                <item>
                  <key>selectedRepository_0</key>
                  <value>defaultRepository</value>
                </item>
                <item>
                  <key>checkoutDir_0</key>
                  <value/>
                </item>
              </config>
            </taskDefinition>
          </buildTasks>
          <buildStrategies>
            <defined>true</defined>
          </buildStrategies>
          <triggers>
            <defined>true</defined>
          </triggers>
          <branches>
            <branchCreationEnabled>false</branchCreationEnabled>
            <branchRemovalCleanUpEnabled>false</branchRemovalCleanUpEnabled>
            <inactiveBranchCleanupEnabled>false</inactiveBranchCleanupEnabled>
            <matchingPattern>.*</matchingPattern>
            <removalCleanupPeriodInDays>7</removalCleanupPeriodInDays>
            <inactivityInDays>30</inactivityInDays>
            <defaultNotificationStrategy>notifyCommitters</defaultNotificationStrategy>
            <issueLinking>true</issueLinking>
            <monitorPullRequests>false</monitorPullRequests>
            <branchTriggering>inherited</branchTriggering>
          </branches>
          <branches>
            <defaultBranchIntegration>
              <enabled>false</enabled>
            </defaultBranchIntegration>
          </branches>
          <branchIntegration>
            <enabled>false</enabled>
          </branchIntegration>
          <branchConfiguration>
            <cleanup>
              <disabled>false</disabled>
            </cleanup>
            <notificationStrategy>notifyCommitters</notificationStrategy>
          </branchConfiguration>
          <bambooDelimiterParsingDisabled>true</bambooDelimiterParsingDisabled>
        </configuration>
        
      8. commit something to the Subversion repository
      9. run cURL as userA to trigger the build (the URL is quoted so the shell does not treat '?' as a glob)
        curl -u userA:userA -X GET "http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN"
        

      Expected Results

      The build should not be triggered, because userA lacks Build permission on the plan.

      Actual Results

      The build is triggered, as the following log shows:

      <bamboo-install>/logs/catalina.out
      2016-03-29 09:15:38,640 INFO [http-nio-8085-exec-13] [AccessLogFilter] userA GET http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN 14976kb
      2016-03-29 09:15:38,668 INFO [10-BAM::PlanExec:pool-17-thread-3] [SvnRepository] Collecting changes for 'PROJ-PLAN' on path 'http://svn.webserver/repositoryA' from version 16 to -1
      2016-03-29 09:15:38,699 INFO [10-BAM::PlanExec:pool-17-thread-3] [ChangeDetectionListenerAction] : Change detection found 1 change for plan PROJ-PLAN
      2016-03-29 09:15:39,013 INFO [10-BAM::PlanExec:pool-17-thread-3] [ChainExecutionManagerImpl] Build PROJ-PLAN-JOB1-2 has been dispatched
      2016-03-29 09:15:39,018 INFO [AtlassianEvent::0-BAM::EVENTS:pool-2-thread-8] [BuildQueueManagerImpl] Attempting to queue Project - Plan - Default Job #14 (PROJ-PLAN-JOB1-2).
      2016-03-29 09:15:39,019 INFO [AtlassianEvent::0-BAM::EVENTS:pool-2-thread-8] [ExecutionPhaseServiceImpl] Project - Plan - Default Job #2 (PROJ-PLAN-JOB1-2) queued
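      The following audit script is an added example and not Bamboo code. It ties the ACL rows from the reproduction steps (ACL_ENTRY SID/TYPE/MASK/GRANTING for the plan, plus the users/groups membership) to the AccessLogFilter line above: it parses remote-trigger requests to /api/rest/updateAndBuild.action out of catalina.out and reports any whose user holds no Build permission on the requested plan, which is how an operator can detect this behaviour from existing logs. Assumptions: the bit values VIEW_MASK = 1 and BUILD_MASK = 64 are inferred from the admin rows on the page and must be confirmed against the BambooPermission class of the version in use; the bamboo-user View grant and the two extra log lines are constructed sample data; the function names are the script's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Permission bits as they appear in ACL_ENTRY.MASK. The 'admin' rows in the
# report carry 1, 2, 16, 64 and 128; reading 1 as View and 64 as Build is an
# assumption to be checked against the BambooPermission class of your version.
VIEW_MASK = 1
BUILD_MASK = 64

TRIGGER_PATH = "/api/rest/updateAndBuild.action"

# Shape of an AccessLogFilter line in catalina.out, as shown in the report:
#   <date> <time> INFO [<thread>] [AccessLogFilter] <user> <METHOD> <url> <size>
ACCESS_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO \[[^\]]+\] "
    r"\[AccessLogFilter\] (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)"
)


@dataclass(frozen=True)
class AclEntry:
    """One ACL_ENTRY row for a plan: SID, TYPE, MASK, GRANTING."""
    sid: str
    sid_type: str  # 'PRINCIPAL' (a user) or 'GROUP_PRINCIPAL' (a group)
    mask: int
    granting: bool = True


def has_permission(user, groups, plan_acl, wanted_mask):
    """True if the user holds wanted_mask directly or through one of their groups.
    Each ACL_ENTRY row carries a single permission bit, so a bitwise test per row suffices."""
    for entry in plan_acl:
        if not entry.granting:
            continue
        direct = entry.sid_type == "PRINCIPAL" and entry.sid == user
        via_group = entry.sid_type == "GROUP_PRINCIPAL" and entry.sid in groups
        if (direct or via_group) and entry.mask & wanted_mask:
            return True
    return False


def parse_trigger_request(line):
    """Return (timestamp, user, plan_key) for a remote-trigger access-log line, else None."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    if url.path != TRIGGER_PATH:
        return None
    keys = parse_qs(url.query).get("buildKey")
    if not keys:
        return None
    return m.group("ts"), m.group("user"), keys[0]


def find_unauthorized_triggers(log_lines, membership, plan_acls):
    """Cross-check every remote-trigger request against the target plan's ACL.
    Returns (timestamp, user, plan_key) triples whose user lacks Build on that plan."""
    hits = []
    for line in log_lines:
        parsed = parse_trigger_request(line)
        if parsed is None:
            continue
        ts, user, plan_key = parsed
        groups = membership.get(user, set())
        if not has_permission(user, groups, plan_acls.get(plan_key, []), BUILD_MASK):
            hits.append((ts, user, plan_key))
    return hits


# --- constructed sample input mirroring the report's setup ---
MEMBERSHIP = {"admin": {"bamboo-admin"}, "userA": {"bamboo-user"}}

PLAN_ACLS = {
    "PROJ-PLAN": [
        # admin rows exactly as listed in the report (masks 1, 2, 16, 64, 128)
        *(AclEntry("admin", "PRINCIPAL", m) for m in (1, 2, 16, 64, 128)),
        # constructed: the logged-in users' group holds View only
        AclEntry("bamboo-user", "GROUP_PRINCIPAL", VIEW_MASK),
    ]
}

SAMPLE_LOG = [
    # first line copied from the report; the next two are constructed
    "2016-03-29 09:15:38,640 INFO [http-nio-8085-exec-13] [AccessLogFilter] userA GET "
    "http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN 14976kb",
    "2016-03-29 09:20:01,005 INFO [http-nio-8085-exec-14] [AccessLogFilter] admin GET "
    "http://localhost:8085/api/rest/updateAndBuild.action?buildKey=PROJ-PLAN 14976kb",
    "2016-03-29 09:21:12,330 INFO [http-nio-8085-exec-15] [AccessLogFilter] userA GET "
    "http://localhost:8085/browse/PROJ-PLAN 14976kb",
]

if __name__ == "__main__":
    for ts, user, plan in find_unauthorized_triggers(SAMPLE_LOG, MEMBERSHIP, PLAN_ACLS):
        print(f"{ts}: {user} triggered {plan} without Build permission")
```

      Run against a real instance, the ACL rows and membership would come from the two SQL queries in the reproduction steps and the log lines from catalina.out; only the userA request is reported, since admin holds mask 64 on the plan and the browse request is not a trigger call.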
      

      Assignee: Unassigned
      Reporter: Rafael Sperafico (rsperafico)