Unknown error when clicking on Jira issue

Summary

Clicking on Jira issue link in Bitbucket Server will have Unknown error in the pop up window

Environment

Jira Service Desk 3.12.2 (Jira Server 7.9.2)

Steps to Reproduce

1. Create Application Link OAuth with Impersonation between Bitbucket Server and Jira Service Desk
2. Create an issue, ex TST-1
3. Create a user with Jira Service Desk group in Jira Service Desk
4. Create a user with the same username in Bitbucket Server
5. Push a commit with message TST-1 into Bitbucket Server
6. Click on the link TST-1 in Bitbucket Server Commit list
   It works fine
7. Remove the user in Step 3 from all the groups in Jira Service Desk (the user become Jira Service Desk Customer)
8. Click on the link TST-1 in Bitbucket Server Commit list again

Expected Results

It will show that the user does not have permission to access the issue or it will not work for Jira Service Desk Customer.

Actual Results

The pop up window showing "Unknown error" message and the below exception is thrown in the atlassian-bitbucket.log file:

2018-05-23 19:50:44,918 ERROR [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" c.a.p.r.c.e.j.ThrowableExceptionMapper Uncaught exception thrown by REST service: null
java.lang.NullPointerException: null
	at net.oauth.signature.OAuthSignatureMethod.normalizeUrl(OAuthSignatureMethod.java:161)
	at net.oauth.signature.OAuthSignatureMethod.getBaseString(OAuthSignatureMethod.java:155)
	at net.oauth.signature.OAuthSignatureMethod.getSignature(OAuthSignatureMethod.java:81)
	at net.oauth.signature.OAuthSignatureMethod.sign(OAuthSignatureMethod.java:53)
	at net.oauth.OAuthMessage.sign(OAuthMessage.java:295)
	at net.oauth.OAuthMessage.addRequiredParameters(OAuthMessage.java:285)
	at net.oauth.OAuthAccessor.newRequestMessage(OAuthAccessor.java:91)
	at net.oauth.OAuthAccessor.newRequestMessage(OAuthAccessor.java:97)
	at com.atlassian.oauth.consumer.core.ConsumerServiceImpl.sign(ConsumerServiceImpl.java:160)
	at com.atlassian.oauth.consumer.core.ConsumerServiceImpl.sign(ConsumerServiceImpl.java:139)
	at com.atlassian.oauth.consumer.core.ConsumerServiceImpl.sign(ConsumerServiceImpl.java:114)
	at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:56)
	at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:60)
	at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invokeUnprivileged(ServiceTCCLInterceptor.java:70)
	at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invoke(ServiceTCCLInterceptor.java:53)
	at org.eclipse.gemini.blueprint.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:57)
	at com.atlassian.applinks.oauth.auth.OAuthRequest.signRequest(OAuthRequest.java:97)
	at com.atlassian.applinks.oauth.auth.twolo.impersonation.TwoLeggedOAuthWithImpersonationRequest.signRequest(TwoLeggedOAuthWithImpersonationRequest.java:48)
	at com.atlassian.applinks.oauth.auth.OAuthRequest.execute(OAuthRequest.java:57)
	at com.atlassian.applinks.oauth.auth.OAuthApplinksResponseHandler.handle(OAuthApplinksResponseHandler.java:73)
	at com.atlassian.sal.core.net.HttpClientRequest.executeAndReturn(HttpClientRequest.java:106)
	at com.atlassian.applinks.core.auth.ApplicationLinkRequestAdaptor.execute(ApplicationLinkRequestAdaptor.java:58)
	at com.atlassian.applinks.oauth.auth.OAuthRequest.execute(OAuthRequest.java:58)
	at com.atlassian.internal.integration.jira.DefaultJiraService.retrieveIssuesFromJira(DefaultJiraService.java:657)
	at com.atlassian.internal.integration.jira.DefaultJiraService.getIssuesAsJson(DefaultJiraService.java:319)
	at com.atlassian.internal.integration.jira.rest.JiraResource.getDetailsForIssueKeys(JiraResource.java:163)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
	at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:92)
	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:85)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75)
	at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94)
	at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.plugin.connect.plugin.auth.oauth2.DefaultSalAuthenticationFilter.doFilter(DefaultSalAuthenticationFilter.java:69)
	at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109)
	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:32)
	at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:38)
	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
	at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:89)
	at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.lang.Thread.run(Thread.java:745)
	... 257 frames trimmed

Stack trace missing?
If the entire stack trace is not being logged and you would like to confirm that it matches the one above, add the -XX:-OmitStackTraceInFastThrow to the JVM_SUPPORT_RECOMMENDED_ARGS in the setenv.sh/setenv.bat file (Bitbucket up to 4.14) or _start-webapp.sh/_start-webapp.bat file (Bitbucket from 5).

Notes

• Normally, Bitbucket Server have Application Links to Jira Software (primary) and Jira Service Desk
• Even though the Jira issue exist in Jira Software only, it will still throw the error
• When clicking on the Jira issue key, Bitbucket sends a request to all the Jira instances connected via application link.
  Even if the issue key is found in the first instance (or any instance before the service desk one), the issue will still occur because all Jira instances will be checked and any service desk one where the user does not have admin or agent permissions will cause this problem.
• HTTP debug logging:

  2018-05-23 19:50:44,907 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 >> "GET /rest/api/2/search?jql=issuekey+in+(TST-1)+ORDER+BY+issuekey&fields=*all,-comment&expand=renderedFields,transitions&validateQuery=false&xoauth_requestor_id=admin HTTP/1.1[\r][\n]"
  2018-05-23 19:50:44,907 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 >> "Authorization: OAuth oauth_token="", oauth_consumer_key="Bitbucket%3A6798726783", oauth_signature_method="RSA-SHA1", oauth_timestamp="1527076244", oauth_nonce="17320975851980", oauth_version="1.0", oauth_signature="YgH%2B%2BYwX1rXfN24yfuP0xUCAf0Z%2F9Pxh0mK0QcEqdl3zDSISaPNnebEAyT3MVxzwYVVgzm0IjVm%2F8LgBIQZYvaUQuTZ78tpYyD8TD0OVbTUIpXSf849IkQEluC%2B4jc43YgQUDXLfgOAT%2BbcFI%2B0oLuFV%2BajciCMImUpD5TZ5KYs%3D"[\r][\n]"
  2018-05-23 19:50:44,907 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 >> "Host: localhost:8312[\r][\n]"
  2018-05-23 19:50:44,907 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 >> "Connection: Keep-Alive[\r][\n]"
  2018-05-23 19:50:44,907 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 >> "User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_73)[\r][\n]"
  2018-05-23 19:50:44,907 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 >> "Accept-Encoding: gzip,deflate[\r][\n]"
  2018-05-23 19:50:44,907 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 >> "[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "HTTP/1.1 302 [\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-AREQUESTID: 1190x860x1[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-XSS-Protection: 1; mode=block[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-Content-Type-Options: nosniff[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "Content-Security-Policy: frame-ancestors 'self'[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-ASEN: SEN-L6702624[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "Set-Cookie: JSESSIONID=8959B6B1450A4415E48BE4D59AFDD198;path=/;HttpOnly[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-Seraph-LoginReason: OK[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "Set-Cookie: atlassian.xsrf.token=BWAZ-Y4NZ-MTII-HXX5|605a41f513e421a870b1fa4aee42a5da0188bbfd|lin;path=/[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-ASESSIONID: 14swbut[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "X-AUSERNAME: admin[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "Location: /servicedesk/customer/portals[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "Content-Type: text/html;charset=UTF-8[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "Content-Length: 0[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "Date: Wed, 23 May 2018 11:50:44 GMT[\r][\n]"
  2018-05-23 19:50:44,916 DEBUG [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" org.apache.http.wire http-outgoing-131 << "[\r][\n]"
  2018-05-23 19:50:44,918 ERROR [http-nio-7990-exec-2] admin @1FGXYHIx1190x602x0 11qed9t 0:0:0:0:0:0:0:1 "GET /rest/jira-integration/latest/issues HTTP/1.1" c.a.p.r.c.e.j.ThrowableExceptionMapper Uncaught exception thrown by REST service: null
  

To recap, this problem will occur:

• as soon as there is a Jira service desk application link and the user is not an agent or an admin on the Jira side (the permissions in Bitbucket don't control this behaviour)
• irrespectively if the Jira service desk application link is above or below the one of the instance containing the issue

Workaround

Update all the Jira Service desk instances to not return relative Location headers as detailed in this comment.

Suggested solution

• The SAL-374 bug will need to be resolved for this problem to be fixed in this case.
• More importantly, Bitbucket should properly handle cases where the user is not part of one of the Jira instances connected and carry-on with running REST calls against the next instance in the list.