Bamboo Data Center / BAM-21244

XSRF failure on GET REST requests for new users when Default Group Memberships is enabled


Details

    Description

      XSRF failure for GET REST requests for new users when "Default Group Memberships:" is enabled.

      Issue Summary

      If a value is defined for the Default Group Memberships option, GET requests to the REST APIs fail for new users.

      Steps to Reproduce

      1. Hook Bamboo up to Crowd or LDAP
      2. Set a value for the Default Group Memberships option
      3. Create a user in LDAP and add it to a Bamboo group
      4. Perform a GET request to $BAMBOO_BASE_URL/rest/api/latest/result/PLAN_KEY

      Expected Results

      Request succeeds

      Actual Results

      Request fails with XSRF failure.

      "Internal server error" in the REST call response:

      gabriel@labLDAP ~ % curl --user botuser:password http://bamboo:8085/rest/api/latest/result/PLAN-KEY
      
      <html>
      <head>
          <title>Internal server error</title>
          <meta name="decorator" content="install" />
      </head>
      
      <body>
          <h1>Internal server error</h1>
      
      
          <h4>Go to...</h4>
          <ul>
              <li><a href="/">Site homepage</a></li>
          </ul>
      A system error has occurred - our apologies!    <p>
      Please create a problem report on our <b>support system</b> at <a href="https://support.atlassian.com/contact/">https://support.atlassian.com</a> with the following information:    </p>
          <ol class="standard">
              <li>a description of your problem and what you were doing at the time it occurred
              <li>cut &amp; paste the error and system information found below
              <li>attach the <strong>atlassian-bamboo.log</strong> log file found in your application home.
          </ol>
      We will respond as promptly as possible.<br/>Thank you!
              <p>
                  <b>Version:</b> 7.2.2<br>
                  <b>Build:</b> 70209<br>
                  <b>Build Date:</b> 22 Jan 2021
              </p>
      
              <h4>Request information:</h4>
              <ul class="standard">
                  <li>Request URL: http://bamboo:8085/500.action</li>
                  <li>Scheme: http</li>
                  <li>Server: bamboo</li>
                  <li>Port: 8085</li>
                  <li>URI: /500.action</li>
                  <li>Context path: </li>
                  <li>Servlet path: /500.action</li>
                  <li>Path info: </li>
                  <li>Query string: </li>
              </ul>
      
              <p><b>Stack Trace:</b></p>
              <pre>java.lang.NullPointerException
      	at com.atlassian.bamboo.util.BambooHibernateUtils.getPropertyByName(BambooHibernateUtils.java:216)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.getInternalUserAttributeName(ReadOnlyGetMethodEnforcer.java:257)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.isEntityMutationAllowed(ReadOnlyGetMethodEnforcer.java:245)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.onFlushDirty(ReadOnlyGetMethodEnforcer.java:77)
      	at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
      	at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:371)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:348)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:299)
      	at org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:170)
      	at org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:232)
      	at org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:92)
      (...)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      </pre>
      </body>
      </html
      

      An "XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP" error is thrown in the atlassian-bamboo.log file:

      2021-02-15 15:03:21,014 ERROR [http-nio-8085-exec-13] [AutoGroupAdderListener] Could not auto add user botuser to group bamboo-viewer, because the group is read only. User is authenticatingto directory LDAPserver from application crowd-embedded
      2021-02-15 15:03:21,018 ERROR [http-nio-8085-exec-13] [ReadOnlyGetMethodEnforcer] State mutation is not allowed
      2021-02-15 15:03:21,019 WARN [http-nio-8085-exec-13] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]->
      ->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser,createdDate=2021-02-15 15:03:14.291,updatedDate=Mon Feb 15 15:03:21 GMT 2021,active=true,emailAddress=,firstName=NPM 3,lastName=Bot,displayName=NPM Bot 3,credential=com.atlassian.crowd.embedded.api.PasswordCredential@26e9f9e0[credential=********,encryptedCredential=true],lowerName=botuser,lowerEmailAddress=,lowerFirstName=npm 3,lowerLastName=bot,lowerDisplayName=npm bot 3,directoryId=115441665,externalId=2555fade-03ea-103b-919f-bdb0bf4f07c8], com.atlassian.crowd.model.directory.DirectoryImpl$HibernateProxy$SJIxzaTx@118cc2d1[lowerName=ldapserver,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.OpenLDAP,allowedOperations=[CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP],attributes={ldap.basedn=dc=custom,dc=openldap,dc=com, ldap.user.filter=(objectclass=inetorgperson), ldap.user.username=cn, ldap.usermembership.use=false, ldap.password=********, com.atlassian.crowd.directory.sync.lastdurationms=80, autoAddGroups=bamboo-viewer, ldap.group.usernames=uniqueMember, crowd.sync.incremental.enabled=true, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.userdn=cn=admin,dc=custom,dc=openldap,dc=com, ldap.group.filter=(objectclass=groupOfUniqueNames), ldap.roles.disabled=true, ldap.external.id=entryUUID, ldap.url=ldap://ldap:389, ldap.usermembership.use.for.groups=false, ldap.pagedresults=false, ldap.user.password=userPassword, ldap.user.lastname=sn, ldap.group.name=cn, ldap.user.objectclass=inetorgperson, ldap.nestedgroups.disabled=true, directory.cache.synchronise.interval=3600, ldap.secure=false, ldap.referral=false, ldap.user.username.rdn=cn, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, 
ldap.relaxed.dn.standardisation=true, com.atlassian.crowd.directory.sync.laststartsynctime=1613401394252, ldap.user.firstname=givenName, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=false, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, configuration.change.timestamp=1613401031015, ldap.filter.expiredUsers=false, ldap.group.objectclass=groupOfUniqueNames, ldap.search.timelimit=60000}], autoGroupsAdded, true, true, null]]
      
      2021-02-15 15:03:21,020 ERROR [http-nio-8085-exec-13] [AutoGroupAdderListener] Could not call back resolver
      com.atlassian.crowd.exception.OperationFailedException: java.lang.IllegalStateException: XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]->
      ->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser,createdDate=2021-02-15 15:03:14.291,updatedDate=Mon Feb 15 15:03:21 GMT 2021,active=true,emailAddress=,firstName=NPM 3,lastName=Bot,displayName=NPM Bot 3,credential=com.atlassian.crowd.embedded.api.PasswordCredential@26e9f9e0[credential=********,encryptedCredential=true],lowerName=botuser,lowerEmailAddress=,lowerFirstName=npm 3,lowerLastName=bot,lowerDisplayName=npm bot 3,directoryId=115441665,externalId=2555fade-03ea-103b-919f-bdb0bf4f07c8], com.atlassian.crowd.model.directory.DirectoryImpl$HibernateProxy$SJIxzaTx@118cc2d1[lowerName=ldapserver,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.OpenLDAP,allowedOperations=[CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP],attributes={ldap.basedn=dc=custom,dc=openldap,dc=com, ldap.user.filter=(objectclass=inetorgperson), ldap.user.username=cn, ldap.usermembership.use=false, ldap.password=********, com.atlassian.crowd.directory.sync.lastdurationms=80, autoAddGroups=bamboo-viewer, ldap.group.usernames=uniqueMember, crowd.sync.incremental.enabled=true, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.userdn=cn=admin,dc=custom,dc=openldap,dc=com, ldap.group.filter=(objectclass=groupOfUniqueNames), ldap.roles.disabled=true, ldap.external.id=entryUUID, ldap.url=ldap://ldap:389, ldap.usermembership.use.for.groups=false, ldap.pagedresults=false, ldap.user.password=userPassword, ldap.user.lastname=sn, ldap.group.name=cn, ldap.user.objectclass=inetorgperson, ldap.nestedgroups.disabled=true, directory.cache.synchronise.interval=3600, ldap.secure=false, ldap.referral=false, ldap.user.username.rdn=cn, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, 
ldap.relaxed.dn.standardisation=true, com.atlassian.crowd.directory.sync.laststartsynctime=1613401394252, ldap.user.firstname=givenName, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=false, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, configuration.change.timestamp=1613401031015, ldap.filter.expiredUsers=false, ldap.group.objectclass=groupOfUniqueNames, ldap.search.timelimit=60000}], autoGroupsAdded, true, true, null]]
      
      	at com.atlassian.crowd.directory.AbstractInternalDirectory.storeUserAttributes(AbstractInternalDirectory.java:664)
      	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.storeUserAttributes(DbCachingRemoteDirectory.java:616)
      	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.storeUserAttributes(DirectoryManagerGeneric.java:433)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
      (...)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.valves.StuckThreadDetectionValve.invoke(StuckThreadDetectionValve.java:206)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.IllegalStateException: XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]->
      ->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser,createdDate=2021-02-15 15:03:14.291,updatedDate=Mon Feb 15 15:03:21 GMT 2021,active=true,emailAddress=,firstName=NPM 3,lastName=Bot,displayName=NPM Bot 3,credential=com.atlassian.crowd.embedded.api.PasswordCredential@26e9f9e0[credential=********,encryptedCredential=true],lowerName=botuser,lowerEmailAddress=,lowerFirstName=npm 3,lowerLastName=bot,lowerDisplayName=npm bot 3,directoryId=115441665,externalId=2555fade-03ea-103b-919f-bdb0bf4f07c8], com.atlassian.crowd.model.directory.DirectoryImpl$HibernateProxy$SJIxzaTx@118cc2d1[lowerName=ldapserver,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.OpenLDAP,allowedOperations=[CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP],attributes={ldap.basedn=dc=custom,dc=openldap,dc=com, ldap.user.filter=(objectclass=inetorgperson), ldap.user.username=cn, ldap.usermembership.use=false, ldap.password=********, com.atlassian.crowd.directory.sync.lastdurationms=80, autoAddGroups=bamboo-viewer, ldap.group.usernames=uniqueMember, crowd.sync.incremental.enabled=true, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.userdn=cn=admin,dc=custom,dc=openldap,dc=com, ldap.group.filter=(objectclass=groupOfUniqueNames), ldap.roles.disabled=true, ldap.external.id=entryUUID, ldap.url=ldap://ldap:389, ldap.usermembership.use.for.groups=false, ldap.pagedresults=false, ldap.user.password=userPassword, ldap.user.lastname=sn, ldap.group.name=cn, ldap.user.objectclass=inetorgperson, ldap.nestedgroups.disabled=true, directory.cache.synchronise.interval=3600, ldap.secure=false, ldap.referral=false, ldap.user.username.rdn=cn, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, 
ldap.relaxed.dn.standardisation=true, com.atlassian.crowd.directory.sync.laststartsynctime=1613401394252, ldap.user.firstname=givenName, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=false, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, configuration.change.timestamp=1613401031015, ldap.filter.expiredUsers=false, ldap.group.objectclass=groupOfUniqueNames, ldap.search.timelimit=60000}], autoGroupsAdded, true, true, null]]
      
      	at com.atlassian.bamboo.utils.XsrfUtils.fail(XsrfUtils.java:27)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.fail(ReadOnlyGetMethodEnforcer.java:129)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.failIfStateMutationNotAllowed(ReadOnlyGetMethodEnforcer.java:106)
      	at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.onSave(ReadOnlyGetMethodEnforcer.java:90)
      	at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onSave(ChainedInterceptorSupport.java:118)
      	at com.atlassian.bamboo.persister.OidGenerationInterceptor.onSave(OidGenerationInterceptor.java:46)
      	at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onSave(ChainedInterceptorSupport.java:118)
      (...)
      	at com.atlassian.crowd.util.persistence.hibernate.InternalDirectoryEntityHibernateDao.lambda$storeAttributes$5(InternalDirectoryEntityHibernateDao.java:117)
      	at java.util.ArrayList.forEach(ArrayList.java:1259)
      	at com.atlassian.crowd.util.persistence.hibernate.InternalDirectoryEntityHibernateDao.storeAttributes(InternalDirectoryEntityHibernateDao.java:117)
      	at com.atlassian.crowd.dao.user.UserDAOHibernate.storeAttributes(UserDAOHibernate.java:451)
      	at com.atlassian.crowd.directory.AbstractInternalDirectory.storeUserAttributes(AbstractInternalDirectory.java:662)
      	... 160 more
      

      Workaround

      • Make sure to log in using the UI for new users before using them to authenticate REST calls.

      OR

      • Do not use the Default Group Memberships option.
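      To find which accounts have already hit this condition (so the UI-login workaround can be applied to them), the following is an added example, not code from Bamboo or from this issue: it pairs the AutoGroupAdderListener error with the XsrfUtils warning logged on the same request thread, which is the signature of the failed GET. The sample log lines are constructed after the excerpt above; the thread ids, the ci-bot and webuser accounts and the five-second pairing window are assumptions.

```python
import re
from datetime import datetime

# One atlassian-bamboo.log line: "<ts> <LEVEL> [<thread>] [<logger>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
AUTOGROUP_RE = re.compile(r"Could not auto add user (?P<user>\S+) to group (?P<group>\S+),")
XSRF_RE = re.compile(
    r"XSRF: A mutative operation was attempted on (?P<entity>\w+) "
    r"within a non-mutative HTTP request: (?P<url>\S+) :"
)

# Constructed sample modelled on the excerpt in this issue. The third user
# (webuser) gets the auto-add error with no XSRF warning, e.g. a UI login.
SAMPLE_LOG = """\
2021-02-15 15:03:21,014 ERROR [http-nio-8085-exec-13] [AutoGroupAdderListener] Could not auto add user botuser to group bamboo-viewer, because the group is read only. User is authenticating to directory LDAPserver from application crowd-embedded
2021-02-15 15:03:21,018 ERROR [http-nio-8085-exec-13] [ReadOnlyGetMethodEnforcer] State mutation is not allowed
2021-02-15 15:03:21,019 WARN [http-nio-8085-exec-13] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]->
->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser, ...]]
2021-02-15 15:03:21,020 ERROR [http-nio-8085-exec-13] [AutoGroupAdderListener] Could not call back resolver
2021-02-15 15:05:10,500 ERROR [http-nio-8085-exec-15] [AutoGroupAdderListener] Could not auto add user ci-bot to group bamboo-viewer, because the group is read only. User is authenticating to directory LDAPserver from application crowd-embedded
2021-02-15 15:05:10,502 WARN [http-nio-8085-exec-15] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/plan : [null]->
2021-02-15 15:06:00,000 ERROR [http-nio-8085-exec-16] [AutoGroupAdderListener] Could not auto add user webuser to group bamboo-viewer, because the group is read only. User is authenticating to directory LDAPserver from application crowd-embedded
"""


def find_affected_requests(log_text, window_seconds=5.0):
    """Pair each 'Could not auto add user' error with the XsrfUtils warning that
    follows it on the same thread; only that pair marks a GET broken by this bug."""
    pending = {}   # thread -> (timestamp, user, group) awaiting an XSRF warning
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace and object-dump continuation lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        thread, logger, msg = m["thread"], m["logger"], m["msg"]
        if logger == "AutoGroupAdderListener":
            g = AUTOGROUP_RE.search(msg)
            if g:
                pending[thread] = (ts, g["user"], g["group"])
        elif logger == "XsrfUtils":
            x = XSRF_RE.search(msg)
            prior = pending.pop(thread, None)
            if x and prior and (ts - prior[0]).total_seconds() <= window_seconds:
                findings.append({"time": prior[0], "user": prior[1], "group": prior[2],
                                 "entity": x["entity"], "url": x["url"]})
    return findings


def affected_users(log_text):
    """Distinct accounts to log in once through the UI (the workaround above)."""
    return sorted({f["user"] for f in find_affected_requests(log_text)})
```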

      People

        Elias Zeidan (ezeidan)
        Gabriel Ribeiro (gribeiro)