
GET REST calls throwing XSRF for users without email

      Issue Summary

      When a GET REST call is authenticated as a user imported from Active Directory (AD) who has no email address, the request fails with an XSRF error. During authentication Hibernate finds the user entity modified and tries to update the email_address column of that user's row in cwd_user; because this happens inside a GET, Bamboo's ReadOnlyGetMethodEnforcer rejects the write and reports it through XsrfUtils as an attempted mutation in a non-mutative request.

      This issue occurs only when Bamboo uses an Oracle database. Oracle stores an empty VARCHAR2 as NULL, so the empty email written for such a user is read back as NULL, differs from the in-memory value, and makes the entity look dirty on every load (the emailAddress:null-> transition in the log below).

      Environment

      • Bamboo 6.7.2
      • Oracle DB
      • Users from AD without email

      Steps to Reproduce

      1. Pick a user imported from AD who has no email address (in the command below, admin is such a user)
      2. Make a GET REST call authenticated as that user, for example:
        curl -k -u admin:adminpwd \
             -H 'Content-type: application/json' \
             -H 'Accept: application/json' \
             -X GET http://bamboo672:8085/rest/api/latest/result/TES-TES/2.json
        

      Expected Results

      A JSON build result like the following:

      {"expand":"changes,metadata,plan,artifacts,comments,labels,jiraIssues,stages","link":{"href":"http://bamboo663:8085/rest/api/latest/result/TES-TES-1","rel":"self"},"plan":{"shortName":"testApp","shortKey":"TES","type":"chain","enabled":true,"link":{"href":"http://bamboo663:8085/rest/api/latest/plan/TES-TES","rel":"self"},"key":"TES-TES","name":"TestAppLink - testApp","planKey":{"key":"TES-TES"}},"planName":"testApp","projectName":"TestAppLink","buildResultKey":"TES-TES-1","lifeCycleState":"Finished","id":983041,"buildStartedTime":"2019-03-18T20:36:05.827Z","prettyBuildStartedTime":"Mon, 18 Mar, 08:36 PM","buildCompletedTime":"2019-03-18T20:36:07.653Z","buildCompletedDate":"2019-03-18T20:36:07.653Z","prettyBuildCompletedTime":"Mon, 18 Mar, 08:36 PM","buildDurationInSeconds":1,"buildDuration":1826,"buildDurationDescription":"1 second","buildRelativeTime":"2 minutes ago","buildTestSummary":"No tests found","successfulTestCount":0,"failedTestCount":0,"quarantinedTestCount":0,"skippedTestCount":0,"continuable":false,"onceOff":false,"restartable":false,"notRunYet":false,"finished":true,"successful":true,"buildReason":"Manual run by <a href=\"http://bamboo663:8085/browse/user/admin\">admin</a>","reasonSummary":"Manual run by <a href=\"http://bamboo663:8085/browse/user/admin\">admin</a>","artifacts":{"size":0,"start-index":0,"max-result":0},"comments":{"size":0,"start-index":0,"max-result":0},"labels":{"size":0,"start-index":0,"max-result":0},"jiraIssues":{"size":0,"start-index":0,"max-result":0},"stages":{"size":1,"start-index":0,"max-result":1},"changes":{"size":0,"start-index":0,"max-result":0},"metadata":{"size":3,"start-index":0,"max-result":3},"key":"TES-TES-1","planResultKey":{"key":"TES-TES-1","entityKey":{"key":"TES-TES"},"resultNumber":1},"state":"Successful","buildState":"Successful","number":1,"buildNumber":1}
      

      Actual Results

      Instead, the request fails and the following is logged:

      2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ApplicationServiceGeneric] Directory 'Active Directory server (282624001)' is not functional during authentication of 'admin'. Skipped.
      2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] emailAddress:null->, lowerEmailAddress:null->, updatedDate:2019-03-08 14:33:25.407->Fri Mar 08 14:46:30 EST 2019
      2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] Entity mutation is not allowed
      2019-03-08 14:46:30,613 WARN [http-nio-127.0.0.1-8085-exec-136] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUser within a non-mutative HTTP request: http://bamboo672:8085/rest/api/latest/result/TES-TES/2.json
      
      at com.atlassian.bamboo.utils.XsrfUtils.fail(XsrfUtils.java:27)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.fail(ReadOnlyGetMethodEnforcer.java:124)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.onFlushDirty(ReadOnlyGetMethodEnforcer.java:75)
      	at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
      	at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:355)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:332)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:283)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:154)
      	at org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:235)
      	at org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:94)
      	at org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44)
      	at org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1415)
      	at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1952)
      	at org.hibernate.internal.CriteriaImpl.list(CriteriaImpl.java:370)
      	at org.hibernate.internal.CriteriaImpl.uniqueResult(CriteriaImpl.java:392)
      	at com.atlassian.crowd.dao.user.UserDAOHibernate.findByNameInternal(UserDAOHibernate.java:485)
      	at com.atlassian.crowd.dao.user.UserDAOHibernate.findByName(UserDAOHibernate.java:174)
      	at com.atlassian.crowd.dao.user.UserDAOHibernate.findByNameWithAttributes(UserDAOHibernate.java:210)
      	at com.atlassian.crowd.dao.user.UserDAOHibernate.findByNameWithAttributes(UserDAOHibernate.java:59)
      	at com.atlassian.crowd.directory.AbstractInternalDirectory.authenticate(AbstractInternalDirectory.java:198)
      	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:284)
      	at sun.reflect.GeneratedMethodAccessor4205.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
      	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
      	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
      	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
      	at com.sun.proxy.$Proxy178.authenticateUser(Unknown Source)
      	at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:182)
      	at sun.reflect.GeneratedMethodAccessor4204.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
      	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
      	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
      	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
      	at com.sun.proxy.$Proxy181.authenticateUser(Unknown Source)
      
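      The three log lines above (ApplicationServiceGeneric, ReadOnlyGetMethodEnforcer, XsrfUtils) are written by the same Tomcat worker thread, so they can be correlated by the thread name in brackets to list which users and which requests are hitting this bug. The script below is an added triage example, not part of Bamboo or of this issue; the sample log it parses is constructed from the lines quoted above plus a second, made-up thread and user (svc_build) and one unrelated line, to show that incidents are grouped per thread rather than per file.

```python
"""Correlate BAM-20354 symptoms in atlassian-bamboo.log by thread name.

Added example, not Bamboo code. For every XsrfUtils warning about
InternalUser it reports the user being authenticated on that thread, the
fields the ORM tried to change, and the request URL, so the users that need
the workaround (a non-empty email) can be listed.
"""
import re
from collections import defaultdict

# Constructed sample: the four lines from the bug report, one stack frame,
# one unrelated line on another thread, and a second made-up incident.
SAMPLE_LOG = """\
2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ApplicationServiceGeneric] Directory 'Active Directory server (282624001)' is not functional during authentication of 'admin'. Skipped.
2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] emailAddress:null->, lowerEmailAddress:null->, updatedDate:2019-03-08 14:33:25.407->Fri Mar 08 14:46:30 EST 2019
2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] Entity mutation is not allowed
2019-03-08 14:46:30,613 WARN [http-nio-127.0.0.1-8085-exec-136] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUser within a non-mutative HTTP request: http://bamboo672:8085/rest/api/latest/result/TES-TES/2.json
    at com.atlassian.bamboo.utils.XsrfUtils.fail(XsrfUtils.java:27)
2019-03-08 14:46:31,004 INFO [http-nio-127.0.0.1-8085-exec-137] [AccessLogFilter] GET /rest/api/latest/plan.json 200
2019-03-08 14:47:02,118 ERROR [http-nio-127.0.0.1-8085-exec-140] [ApplicationServiceGeneric] Directory 'Active Directory server (282624001)' is not functional during authentication of 'svc_build'. Skipped.
2019-03-08 14:47:02,119 ERROR [http-nio-127.0.0.1-8085-exec-140] [ReadOnlyGetMethodEnforcer] emailAddress:null->, lowerEmailAddress:null->
2019-03-08 14:47:02,119 WARN [http-nio-127.0.0.1-8085-exec-140] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUser within a non-mutative HTTP request: http://bamboo672:8085/rest/api/latest/plan.json
"""

# "<date> <time> <LEVEL> [<thread>] [<logger>] <message>"; stack frames and
# other continuation lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"during authentication of '(?P<user>[^']+)'")
XSRF_RE = re.compile(
    r"mutative operation was attempted on (?P<entity>\w+) "
    r"within a non-mutative HTTP request: (?P<url>\S+)"
)


def parse_changes(msg):
    """'emailAddress:null->, updatedDate:a->b' -> {'emailAddress': ('null', ''), ...}"""
    changes = {}
    for part in msg.split(", "):
        name, _, transition = part.partition(":")
        old, _, new = transition.partition("->")
        changes[name.strip()] = (old, new)
    return changes


def triage(log_text):
    """Return one dict per blocked request, with the data gathered on its thread."""
    pending = defaultdict(dict)  # thread name -> partially collected incident
    incidents = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, logger, msg = m["thread"], m["logger"], m["msg"]
        state = pending[thread]
        if logger == "ApplicationServiceGeneric":
            a = AUTH_RE.search(msg)
            if a:
                state["user"] = a["user"]
        elif logger == "ReadOnlyGetMethodEnforcer" and "->" in msg:
            state["changes"] = parse_changes(msg)
        elif logger == "XsrfUtils":
            x = XSRF_RE.search(msg)
            if x:
                incidents.append({
                    "timestamp": m["ts"],
                    "thread": thread,
                    "user": state.get("user"),
                    "entity": x["entity"],
                    "url": x["url"],
                    "changes": state.get("changes", {}),
                })
                pending.pop(thread, None)  # the thread's next request starts clean
    return incidents


def users_missing_email(incidents):
    """Users whose blocked update was the null -> '' email transition."""
    return {
        inc["user"] for inc in incidents
        if inc["user"] and inc["changes"].get("emailAddress", ("",))[0] == "null"
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for inc in found:
        print(inc["timestamp"], inc["user"], inc["url"], sorted(inc["changes"]))
    print("users to fix:", sorted(users_missing_email(found)))
```

      Run it against a real log with triage(open("atlassian-bamboo.log").read()); a user appearing in users_missing_email is one the workaround below applies to.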

      Workaround

      Give every affected user a non-empty email address. The address does not have to be valid; any non-empty value prevents the update attempt.
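      The following model is an added example and not Bamboo or Crowd code. It reduces the summary and the workaround to three toy pieces: a column that behaves like an Oracle VARCHAR2 (an empty string is stored as NULL), an ORM-style dirty check at flush time, and a guard that refuses entity writes during a GET, which is the role ReadOnlyGetMethodEnforcer plays in the stack trace. That the application normalises a missing email to '' in memory is an assumption taken from the emailAddress:null-> line in the log; the user and email values are made up. It shows why the failure is Oracle-only, why an empty email never "sticks" even when it is written during a mutative request, and why any non-empty value cures it.

```python
"""Why BAM-20354 only bites on Oracle, as a small model (added example,
not Bamboo/Crowd code)."""
from dataclasses import dataclass
from typing import Optional


class XsrfViolation(Exception):
    """A write was attempted inside a request that must not mutate state."""


class OracleLikeColumn:
    """Oracle semantics: '' written to a VARCHAR2 column reads back as NULL."""

    def __init__(self) -> None:
        self.rows: dict = {}

    def write(self, key: str, value: str) -> None:
        self.rows[key] = None if value == "" else value

    def read(self, key: str) -> Optional[str]:
        return self.rows.get(key)


class PostgresLikeColumn(OracleLikeColumn):
    """Databases that keep '' and NULL distinct."""

    def write(self, key: str, value: str) -> None:
        self.rows[key] = value


@dataclass
class UserEntity:
    name: str
    email: str               # in-memory state after load
    loaded: Optional[str]    # what was actually read from the column


def load_user(column: OracleLikeColumn, name: str) -> UserEntity:
    stored = column.read(name)
    # Assumption: a missing email is normalised to '' in memory, matching the
    # 'emailAddress:null->' transition in the report's log.
    return UserEntity(name, "" if stored is None else stored, stored)


def flush(column: OracleLikeColumn, user: UserEntity, http_method: str) -> str:
    """Dirty check at flush time, guarded the way a read-only GET enforcer would."""
    if user.email == user.loaded:
        return "clean"
    if http_method == "GET":
        raise XsrfViolation(
            f"mutative operation on {user.name} within a {http_method} request: "
            f"email {user.loaded!r}->{user.email!r}"
        )
    column.write(user.name, user.email)
    return "written"


def simulate(column_cls, email: str, methods):
    """Create one user with the given email, then run a sequence of requests
    against it; each request loads the user and flushes at the end."""
    column = column_cls()
    column.write("admin", email)  # user creation / directory import
    outcomes = []
    for method in methods:
        user = load_user(column, "admin")
        try:
            outcomes.append(flush(column, user, method))
        except XsrfViolation:
            outcomes.append("xsrf")
    return outcomes


if __name__ == "__main__":
    seq = ["GET", "POST", "GET"]
    print("Oracle, no email:      ", simulate(OracleLikeColumn, "", seq))
    print("Oracle, dummy email:   ", simulate(OracleLikeColumn, "none@example.invalid", seq))
    print("Postgres, no email:    ", simulate(PostgresLikeColumn, "", seq))
```

      On the Oracle-like column the POST in the middle does write the empty email, but the column turns it back into NULL, so the very next GET is dirty again and fails; a non-empty value round-trips unchanged and the entity stays clean, which is what the workaround relies on.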

            [BAM-20354] GET REST calls throwing XSRF for users without email

            Jeremy Owen made changes -
            Link New: This issue is related to BAM-21051 [ BAM-21051 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Bamboo Workflow 2016 v1 - Restricted [ 3120745 ] New: JAC Bug Workflow v3 [ 3380395 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Alexey Chystoprudov made changes -
            Environment New: Oracle
            Alexey Chystoprudov made changes -
            Affects Version/s New: 6.6.0 [ 79798 ]
            Affects Version/s Original: 6.7.2 [ 82591 ]
            Alexey Chystoprudov made changes -
            Fix Version/s New: 6.9.0 [ 85198 ]
            Resolution New: Fixed [ 1 ]
            Status Original: Open [ 1 ] New: Resolved [ 5 ]
            Bugfix Automation Bot made changes -
            Support reference count Original: 1 New: 2
            Pawel Skierczynski made changes -
            Labels Original: pse-request New: bamboo-bugfix-kanban-candidate pse-request
            Pawel Skierczynski made changes -
            Occurrence Factor New: 10% [ 12830 ]
            Status Original: Needs Triage [ 10030 ] New: Open [ 1 ]
            Bugfix Automation Bot made changes -
            Support reference count New: 1
            Zaro made changes -
            Summary Original: GET calls throwing XSRF for users without email New: GET REST calls throwing XSRF for users without email
