-
Bug
-
Resolution: Unresolved
-
Medium
-
None
-
2
-
Severity 2 - Major
-
171
-
Issue Summary
Pushing an LFS object using Pipelines default authentication method does not work
Steps to Reproduce
- Create a repository and enable Pipelines on it
- Install LFS and add one file to be tracked as LFS objects. The following yml file is a sample
image: atlassian/default-image:4 clone: lfs: true pipelines: default: - step: name: Default script: - echo "Hello World" >> out1.json - apt-get update - apt-get upgrade -y - apt-get install -y git-lfs - git add . && git commit -m "[skip ci] LFS JSON Push" - git push
3. In the above example, json files are tracked as LFS. Hence, the push contains an LFS object in the commit.
Expected Results
The push is completed
Actual Results
The Pipeline fails with this error -
git push fatal: could not read Username for 'https://bitbucket.org': No such device or address fatal: could not read Username for 'https://bitbucket.org': No such device or address fatal: could not read Username for 'https://bitbucket.org': No such device or address Git credentials for https://bitbucket.org/%7B%7D/%7B<repo_UUID>%7D/info/lfs/object/verify?upload_id=<upload-ID> not found. error: failed to push some refs to 'http://bitbucket.org/<workspace-ID>/<repo-slug>'
It looks like the workspace field is empty and only contains encoded brackets - %7B%7D
Workaround
You can push using other mechanisms such as SSH or App Password. Here is a push command using App Password that has repo read permissions -
git push https://$username:$app_password@bitbucket.org/<workspace-id>/<repo-ID>.git
- mentioned in
-
Page Failed to load
[BCLOUD-23180] Pushing an LFS object using Pipelines default authentication method does not work
FWIW, I was able to make LFS partially work by mirroring the proxy settings from the Git URL:
git config http."${BITBUCKET_GIT_HTTP_ORIGIN}.git/info/lfs".proxy $(git config http.${BITBUCKET_GIT_HTTP_ORIGIN}.proxy)
With this in place, then the initial /lfs/info/batch request goes through, as well as the upload action to the S3 bucket, but the final verify action fails because the Bitbucket batch API instructed it to use the https://bitbucket.org/%7B%7D/%7B<repo_UUID>%7D/info/lfs/object/verify?upload_id=<upload-ID> URL, without providing any Authorization header to use.
If I also mirror the proxy settings to that URL using:
git config http.'https://bitbucket.org/%7B%7D/%7B<repo_UUID>%7D/info/lfs'.proxy $(git config http.${BITBUCKET_GIT_HTTP_ORIGIN}.proxy)
Then instead of the "Git credentials for ... not found" message, I get the following:
Post "https://bitbucket.org/%7B%7D/%7B<repo_UUID>%7D/info/lfs/object/verify?upload_id=<upload-ID>&file_service=true": Bad Request
I suspect the proxy does not want to forward this request through to the API server, since it does not match the expected BITBUCKET_GIT_HTTP_ORIGIN prefix (http://bitbucket.org/<workspace>/<repo_slug>)
(Note that it is possible to observe what the git lfs client is doing by passing GIT_TRACE=1 GIT_TRANSFER_TRACE=1 GIT_CURL_VERBOSE=1 to your git push command.)
What seems to be required is one of the following:
- Bitbucket's lfs/info/batch API needs to use the http://bitbucket.org/<workspace>/<repo_slug> prefix in its verify.href setting, so the Git HTTP proxy setting will work.
- https://github.com/git-lfs/git-lfs/issues/5495 needs to be implemented, so that it is possible to rewrite the https://bitbucket.org/%7B%7D/%7B<repo_UUID>%7D prefix to http://bitbucket.org/<workspace>/<repo_slug>, so the Git HTTP proxy setting will work.
- The Git LFS endpoint URL must be independently addressable & authenticated as suggested in the workaround above (i.e. https://$username:$app_password@bitbucket.org/<workspace-id>/<repo-ID>.git)
Hi, this bug should have Medium priority as per Atlassian Bug Fix Policy, thanks
Although the workaround does resolve the issue, per https://support.atlassian.com/bitbucket-cloud/docs/push-back-to-your-repository/#Pushing-back-using-authentication-methods:
It would be ideal for this bug to be fixed, so that LFS objects can be pushed from repo's pipeline without opening up write access to all other repositories in our account.