Details
- Bug
- Resolution: Fixed
- Low
- 7.2.2
- None
- 1
- Severity 3 - Minor
Description
XSRF failure for GET REST requests for new users when "Default Group Memberships:" is enabled.
Issue Summary
If a value is defined for the Default Group Memberships option, GET requests to the REST API fail for new users.
Steps to Reproduce
- Connect Bamboo to Crowd or LDAP
- Make sure the Default Group Memberships option is set
- Create a user in LDAP and add it to a Bamboo group
- As that new user, perform a GET request to $BAMBOO_BASE_URL/rest/api/latest/result/PLAN_KEY
Expected Results
Request succeeds
Actual Results
The request fails with an XSRF failure.
The REST call returns an "Internal server error" page:
gabriel@labLDAP ~ % curl --user botuser:password http://bamboo:8085/rest/api/latest/result/PLAN-KEY
<html>
<head>
<title>Internal server error</title>
<meta name="decorator" content="install" />
</head>
<body>
<h1>Internal server error</h1>
<h4>Go to...</h4>
<ul>
<li><a href="/">Site homepage</a></li>
</ul>
A system error has occurred - our apologies!
<p>
Please create a problem report on our <b>support system</b> at <a href="https://support.atlassian.com/contact/">https://support.atlassian.com</a> with the following information:
</p>
<ol class="standard">
<li>a description of your problem and what you were doing at the time it occurred
<li>cut & paste the error and system information found below
<li>attach the <strong>atlassian-bamboo.log</strong> log file found in your application home.
</ol>
We will respond as promptly as possible.<br/>Thank you!
<p>
<b>Version:</b> 7.2.2<br>
<b>Build:</b> 70209<br>
<b>Build Date:</b> 22 Jan 2021
</p>
<h4>Request information:</h4>
<ul class="standard">
<li>Request URL: http://bamboo:8085/500.action</li>
<li>Scheme: http</li>
<li>Server: bamboo</li>
<li>Port: 8085</li>
<li>URI: /500.action</li>
<li>Context path: </li>
<li>Servlet path: /500.action</li>
<li>Path info: </li>
<li>Query string: </li>
</ul>
<p><b>Stack Trace:</b></p>
<pre>java.lang.NullPointerException
    at com.atlassian.bamboo.util.BambooHibernateUtils.getPropertyByName(BambooHibernateUtils.java:216)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.getInternalUserAttributeName(ReadOnlyGetMethodEnforcer.java:257)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.isEntityMutationAllowed(ReadOnlyGetMethodEnforcer.java:245)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.onFlushDirty(ReadOnlyGetMethodEnforcer.java:77)
    at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
    at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:371)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:348)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:299)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:170)
    at org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:232)
    at org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:92)
    (...)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
</pre>
</body>
</html
An "XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request" error is logged in the atlassian-bamboo.log file:
2021-02-15 15:03:21,014 ERROR [http-nio-8085-exec-13] [AutoGroupAdderListener] Could not auto add user botuser to group bamboo-viewer, because the group is read only. User is authenticatingto directory LDAPserver from application crowd-embedded
2021-02-15 15:03:21,018 ERROR [http-nio-8085-exec-13] [ReadOnlyGetMethodEnforcer] State mutation is not allowed
2021-02-15 15:03:21,019 WARN [http-nio-8085-exec-13] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]-> ->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser,createdDate=2021-02-15 15:03:14.291,updatedDate=Mon Feb 15 15:03:21 GMT 2021,active=true,emailAddress=,firstName=NPM 3,lastName=Bot,displayName=NPM Bot 3,credential=com.atlassian.crowd.embedded.api.PasswordCredential@26e9f9e0[credential=********,encryptedCredential=true],lowerName=botuser,lowerEmailAddress=,lowerFirstName=npm 3,lowerLastName=bot,lowerDisplayName=npm bot 3,directoryId=115441665,externalId=2555fade-03ea-103b-919f-bdb0bf4f07c8], com.atlassian.crowd.model.directory.DirectoryImpl$HibernateProxy$SJIxzaTx@118cc2d1[lowerName=ldapserver,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.OpenLDAP,allowedOperations=[CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP],attributes={ldap.basedn=dc=custom,dc=openldap,dc=com, ldap.user.filter=(objectclass=inetorgperson), ldap.user.username=cn, ldap.usermembership.use=false, ldap.password=********, com.atlassian.crowd.directory.sync.lastdurationms=80, autoAddGroups=bamboo-viewer, ldap.group.usernames=uniqueMember, crowd.sync.incremental.enabled=true, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.userdn=cn=admin,dc=custom,dc=openldap,dc=com, ldap.group.filter=(objectclass=groupOfUniqueNames), ldap.roles.disabled=true, ldap.external.id=entryUUID, ldap.url=ldap://ldap:389, ldap.usermembership.use.for.groups=false, ldap.pagedresults=false, ldap.user.password=userPassword, ldap.user.lastname=sn, ldap.group.name=cn, ldap.user.objectclass=inetorgperson, ldap.nestedgroups.disabled=true, directory.cache.synchronise.interval=3600, ldap.secure=false, ldap.referral=false, ldap.user.username.rdn=cn, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, ldap.relaxed.dn.standardisation=true, com.atlassian.crowd.directory.sync.laststartsynctime=1613401394252, ldap.user.firstname=givenName, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=false, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, configuration.change.timestamp=1613401031015, ldap.filter.expiredUsers=false, ldap.group.objectclass=groupOfUniqueNames, ldap.search.timelimit=60000}], autoGroupsAdded, true, true, null]]
2021-02-15 15:03:21,020 ERROR [http-nio-8085-exec-13] [AutoGroupAdderListener] Could not call back resolver
com.atlassian.crowd.exception.OperationFailedException: java.lang.IllegalStateException: XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]-> ->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser,createdDate=2021-02-15 15:03:14.291,updatedDate=Mon Feb 15 15:03:21 GMT 2021,active=true,emailAddress=,firstName=NPM 3,lastName=Bot,displayName=NPM Bot 3,credential=com.atlassian.crowd.embedded.api.PasswordCredential@26e9f9e0[credential=********,encryptedCredential=true],lowerName=botuser,lowerEmailAddress=,lowerFirstName=npm 3,lowerLastName=bot,lowerDisplayName=npm bot 3,directoryId=115441665,externalId=2555fade-03ea-103b-919f-bdb0bf4f07c8], com.atlassian.crowd.model.directory.DirectoryImpl$HibernateProxy$SJIxzaTx@118cc2d1[lowerName=ldapserver,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.OpenLDAP,allowedOperations=[CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP],attributes={ldap.basedn=dc=custom,dc=openldap,dc=com, ldap.user.filter=(objectclass=inetorgperson), ldap.user.username=cn, ldap.usermembership.use=false, ldap.password=********, com.atlassian.crowd.directory.sync.lastdurationms=80, autoAddGroups=bamboo-viewer, ldap.group.usernames=uniqueMember, crowd.sync.incremental.enabled=true, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.userdn=cn=admin,dc=custom,dc=openldap,dc=com, ldap.group.filter=(objectclass=groupOfUniqueNames), ldap.roles.disabled=true, ldap.external.id=entryUUID, ldap.url=ldap://ldap:389, ldap.usermembership.use.for.groups=false, ldap.pagedresults=false, ldap.user.password=userPassword, ldap.user.lastname=sn, ldap.group.name=cn, ldap.user.objectclass=inetorgperson, ldap.nestedgroups.disabled=true, directory.cache.synchronise.interval=3600, ldap.secure=false, ldap.referral=false, ldap.user.username.rdn=cn, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, ldap.relaxed.dn.standardisation=true, com.atlassian.crowd.directory.sync.laststartsynctime=1613401394252, ldap.user.firstname=givenName, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=false, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, configuration.change.timestamp=1613401031015, ldap.filter.expiredUsers=false, ldap.group.objectclass=groupOfUniqueNames, ldap.search.timelimit=60000}], autoGroupsAdded, true, true, null]]
    at com.atlassian.crowd.directory.AbstractInternalDirectory.storeUserAttributes(AbstractInternalDirectory.java:664)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.storeUserAttributes(DbCachingRemoteDirectory.java:616)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.storeUserAttributes(DirectoryManagerGeneric.java:433)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
    (...)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.valves.StuckThreadDetectionValve.invoke(StuckThreadDetectionValve.java:206)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1626)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]-> ->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser,createdDate=2021-02-15 15:03:14.291,updatedDate=Mon Feb 15 15:03:21 GMT 2021,active=true,emailAddress=,firstName=NPM 3,lastName=Bot,displayName=NPM Bot 3,credential=com.atlassian.crowd.embedded.api.PasswordCredential@26e9f9e0[credential=********,encryptedCredential=true],lowerName=botuser,lowerEmailAddress=,lowerFirstName=npm 3,lowerLastName=bot,lowerDisplayName=npm bot 3,directoryId=115441665,externalId=2555fade-03ea-103b-919f-bdb0bf4f07c8], com.atlassian.crowd.model.directory.DirectoryImpl$HibernateProxy$SJIxzaTx@118cc2d1[lowerName=ldapserver,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.OpenLDAP,allowedOperations=[CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP],attributes={ldap.basedn=dc=custom,dc=openldap,dc=com, ldap.user.filter=(objectclass=inetorgperson), ldap.user.username=cn, ldap.usermembership.use=false, ldap.password=********, com.atlassian.crowd.directory.sync.lastdurationms=80, autoAddGroups=bamboo-viewer, ldap.group.usernames=uniqueMember, crowd.sync.incremental.enabled=true, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.userdn=cn=admin,dc=custom,dc=openldap,dc=com, ldap.group.filter=(objectclass=groupOfUniqueNames), ldap.roles.disabled=true, ldap.external.id=entryUUID, ldap.url=ldap://ldap:389, ldap.usermembership.use.for.groups=false, ldap.pagedresults=false, ldap.user.password=userPassword, ldap.user.lastname=sn, ldap.group.name=cn, ldap.user.objectclass=inetorgperson, ldap.nestedgroups.disabled=true, directory.cache.synchronise.interval=3600, ldap.secure=false, ldap.referral=false, ldap.user.username.rdn=cn, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, ldap.relaxed.dn.standardisation=true, com.atlassian.crowd.directory.sync.laststartsynctime=1613401394252, ldap.user.firstname=givenName, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=false, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, configuration.change.timestamp=1613401031015, ldap.filter.expiredUsers=false, ldap.group.objectclass=groupOfUniqueNames, ldap.search.timelimit=60000}], autoGroupsAdded, true, true, null]]
    at com.atlassian.bamboo.utils.XsrfUtils.fail(XsrfUtils.java:27)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.fail(ReadOnlyGetMethodEnforcer.java:129)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.failIfStateMutationNotAllowed(ReadOnlyGetMethodEnforcer.java:106)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.onSave(ReadOnlyGetMethodEnforcer.java:90)
    at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onSave(ChainedInterceptorSupport.java:118)
    at com.atlassian.bamboo.persister.OidGenerationInterceptor.onSave(OidGenerationInterceptor.java:46)
    at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onSave(ChainedInterceptorSupport.java:118)
    (...)
    at com.atlassian.crowd.util.persistence.hibernate.InternalDirectoryEntityHibernateDao.lambda$storeAttributes$5(InternalDirectoryEntityHibernateDao.java:117)
    at java.util.ArrayList.forEach(ArrayList.java:1259)
    at com.atlassian.crowd.util.persistence.hibernate.InternalDirectoryEntityHibernateDao.storeAttributes(InternalDirectoryEntityHibernateDao.java:117)
    at com.atlassian.crowd.dao.user.UserDAOHibernate.storeAttributes(UserDAOHibernate.java:451)
    at com.atlassian.crowd.directory.AbstractInternalDirectory.storeUserAttributes(AbstractInternalDirectory.java:662)
    ... 160 more
Workaround
- Log in through the UI once as each new user before using that user's credentials for REST calls.
OR
- Do not use the Default Group Memberships option.
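The following is an added triage script, not part of this ticket or of Bamboo. It reads atlassian-bamboo.log in the format quoted above, pairs each XsrfUtils "mutative operation ... within a non-mutative HTTP request" warning with the AutoGroupAdderListener "Could not auto add user" error on the same request thread, and lists the users that hit the bug so an administrator knows who still needs the one-time UI login from the workaround. The sample log lines are constructed, trimmed from the entries quoted in the ticket; the second XSRF line and its URL are invented to show the case where no matching auto-add error precedes the warning.

```python
"""Triage atlassian-bamboo.log for the Default Group Memberships XSRF failure.

Added example, not part of the original ticket or of Bamboo itself. It
correlates the AutoGroupAdderListener error with the XsrfUtils warning by
Tomcat thread name, so an operator can list which users hit the bug and on
which REST URL.
"""
import re

# Constructed sample lines, trimmed from the entries quoted in the ticket.
# The exec-20 entry is invented to show a warning without a paired auto-add error.
SAMPLE_LOG = """\
2021-02-15 15:03:21,014 ERROR [http-nio-8085-exec-13] [AutoGroupAdderListener] Could not auto add user botuser to group bamboo-viewer, because the group is read only. User is authenticatingto directory LDAPserver from application crowd-embedded
2021-02-15 15:03:21,018 ERROR [http-nio-8085-exec-13] [ReadOnlyGetMethodEnforcer] State mutation is not allowed
2021-02-15 15:03:21,019 WARN [http-nio-8085-exec-13] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/result/PROJ-PLAN : [null]-> ->[[com.atlassian.crowd.model.user.InternalUser@711df7d8[id=115507209,name=botuser,...]]]
    at com.atlassian.bamboo.utils.XsrfUtils.fail(XsrfUtils.java:27)
2021-02-15 15:07:45,002 WARN [http-nio-8085-exec-20] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUserAttribute within a non-mutative HTTP request: http://bamboo:8085/rest/api/latest/plan/PROJ-OTHER : [null]-> ->[[...]]
2021-02-15 15:08:00,000 INFO [http-nio-8085-exec-21] [BuildExecutionManagerImpl] Build PROJ-PLAN-42 completed
"""

# One Bamboo log entry: timestamp, level, [thread], [logger], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
AUTO_ADD_RE = re.compile(r"Could not auto add user (?P<user>\S+) to group (?P<group>\S+),")
XSRF_RE = re.compile(
    r"XSRF: A mutative operation was attempted on (?P<entity>\S+) "
    r"within a non-mutative HTTP request: (?P<url>\S+) :"
)


def parse_line(line):
    """Split one log line into its fields; None for stack-trace/continuation lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_auto_group_xsrf_failures(log_text):
    """Return one finding per XsrfUtils warning, joined to the most recent
    auto-add error on the same request thread. user/group are None when no
    such error preceded the warning on that thread."""
    last_auto_add = {}  # thread name -> (user, group)
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # stack frame or wrapped text, not a new entry
        if entry["logger"] == "AutoGroupAdderListener":
            m = AUTO_ADD_RE.search(entry["msg"])
            if m:
                last_auto_add[entry["thread"]] = (m["user"], m["group"])
        elif entry["logger"] == "XsrfUtils":
            m = XSRF_RE.search(entry["msg"])
            if m:
                # pop: the pairing is consumed so a later request on the
                # same (reused) Tomcat thread is not mis-attributed
                user, group = last_auto_add.pop(entry["thread"], (None, None))
                findings.append({
                    "timestamp": entry["ts"],
                    "thread": entry["thread"],
                    "user": user,
                    "group": group,
                    "entity": m["entity"],
                    "url": m["url"],
                })
    return findings


def affected_users(findings):
    """Distinct users that still need the one-time UI login from the workaround."""
    return sorted({f["user"] for f in findings if f["user"]})


if __name__ == "__main__":
    results = find_auto_group_xsrf_failures(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} thread={f['thread']} user={f['user']} "
              f"group={f['group']} url={f['url']}")
    print("users needing a UI login:", affected_users(results))
```

Run it against a real file with `find_auto_group_xsrf_failures(open("atlassian-bamboo.log").read())`; the thread-name join is what keeps a warning from one request from being blamed on a user whose auto-add error was logged by a different request.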