Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-11919

Git LFS JWT authentication is failing for the private repositories with a dot in a user name

    XMLWordPrintable

    Details

      Description

      Issue Summary

      Bitbucket 6.5.x has an issue with JWT authentication for the cloning private repositories containing LFS-tracked elements with a dot in a username while there is no issue with cloning just the repositories with a dot in a name.

      Steps to Reproduce

      1. Create a private repository or fork a public into private
      2. Add Git LFS support for the repository
      3. Add Git LFS tracked elements to the repository
      4. Add SSH key into the user profile
      5. Try to clone the repository via SSH

      Expected Results

      The repository cloned successfully after asking passphrase for SSH key twice (git and git-lfs)

      Actual Results

      The git part cloned successfully while git lfs failed with following error:

      git clone ssh://git@bitbucketdc:7999/~internet.explorer/shaleev.github.io.git
      Cloning into 'shaleev.github.io'...
      Enter passphrase for key '/Users/ashaleev/.ssh/id_rsa':
      remote: Enumerating objects: 438, done.
      remote: Counting objects: 100% (438/438), done.
      remote: Compressing objects: 100% (365/365), done.
      remote: Total 438 (delta 59), reused 408 (delta 56)
      Receiving objects: 100% (438/438), 8.65 MiB | 8.60 MiB/s, done.
      Resolving deltas: 100% (59/59), done.
      Enter passphrase for key '/Users/ashaleev/.ssh/id_rsa':
      Downloading _site/img/about-section/conference.jpg (21 KB)
      Error downloading object: _site/img/about-section/conference.jpg (98e9a06): Smudge error: Error downloading _site/img/about-section/conference.jpg (98e9a068d2f7adc9ce3bab3fb1783fb5c4c24b305cdabe0f8995914bf201df7a): batch response: Authentication required: Authorization error: http://bitbucketdc/scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch
      Check that you have proper access to the repository
      
      Errors logged to /Users/ashaleev/msbbase/support/SSP-37865/newclonessh/shaleev.github.io/.git/lfs/logs/20190823T170029.326735.log
      Use `git lfs logs last` to view the log.
      error: external filter 'git-lfs filter-process' failed
      fatal: _site/img/about-section/conference.jpg: smudge filter lfs failed
      warning: Clone succeeded, but checkout failed.
      You can inspect what was checked out with 'git status'
      and retry the checkout with 'git checkout -f HEAD'
      

      The below exception is thrown in the atlassian-bitbucket.log file:

      2019-08-23 17:00:28,056 WARN  [http-nio-7990-exec-3] @1EU7XCFx1020x3469x0 172.16.71.1,172.16.71.134 "POST /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch HTTP/1.1" c.a.j.i.s.DefaultAuthenticationResultHandler Failure during JWT authentication
      com.atlassian.jwt.exception.JwtInvalidClaimException: Invalid Git LFS path: /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch
      	at com.atlassian.bitbucket.internal.scm.git.lfs.jwt.GitLfsApiClaimVerifiersBuilder$GitLfsActionClaimVerifier.verify(GitLfsApiClaimVerifiersBuilder.java:71)
      	at com.atlassian.jwt.core.reader.NimbusJwtReader.read(NimbusJwtReader.java:151)
      	at com.atlassian.jwt.core.reader.NimbusJwtReader.readAndVerify(NimbusJwtReader.java:57)
      	at com.atlassian.jwt.internal.DefaultJwtService.verifyJwt(DefaultJwtService.java:49)
      	at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.verifyJwt(JwtAuthenticatorImpl.java:62)
      	at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.verifyJwt(AbstractJwtAuthenticator.java:118)
      	at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.authenticate(AbstractJwtAuthenticator.java:71)
      	at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.authenticate(JwtAuthenticatorImpl.java:30)
      	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.mayProceed(JwtAuthFilter.java:79)
      	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:35)
      	at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:33)
      	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
      	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
      	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
      	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
      	at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:87)
      	at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.lang.Thread.run(Thread.java:748)
      	... 75 frames trimmed
      2019-08-23 17:00:28,082 DEBUG [http-nio-7990-exec-3] @1EU7XCFx1020x3470x0 172.16.71.1,172.16.71.134 "POST /mvc/error401 HTTP/1.1" c.a.b.i.c.s.CrowdSsoAuthenticationHandler Skipping Crowd SSO as it is not enabled
      2019-08-23 17:00:28,090 DEBUG [http-nio-7990-exec-3] @1EU7XCFx1020x3470x0 172.16.71.1,172.16.71.134 "POST /mvc/error401 HTTP/1.1" c.a.s.i.i18n.PluginI18nService No values found in any valid locale for key ProviderManager.providerNotFound and locales [en_US, en]
      2019-08-23 17:00:28,114 DEBUG [http-nio-7990-exec-3] @1EU7XCFx1020x3470x0 172.16.71.1,172.16.71.134 "POST /mvc/error401 HTTP/1.1" c.a.s.i.web.ErrorPageController User is not authorized to access [/scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch]
      2019-08-23 17:00:29,098 WARN  [http-nio-7990-exec-1] @1EU7XCFx1020x3471x0 172.16.71.1,172.16.71.134 "POST /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch HTTP/1.1" c.a.j.i.s.DefaultAuthenticationResultHandler Failure during JWT authentication
      com.atlassian.jwt.exception.JwtInvalidClaimException: Invalid Git LFS path: /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch
      	at com.atlassian.bitbucket.internal.scm.git.lfs.jwt.GitLfsApiClaimVerifiersBuilder$GitLfsActionClaimVerifier.verify(GitLfsApiClaimVerifiersBuilder.java:71)
      	at com.atlassian.jwt.core.reader.NimbusJwtReader.read(NimbusJwtReader.java:151)
      	at com.atlassian.jwt.core.reader.NimbusJwtReader.readAndVerify(NimbusJwtReader.java:57)
      	at com.atlassian.jwt.internal.DefaultJwtService.verifyJwt(DefaultJwtService.java:49)
      	at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.verifyJwt(JwtAuthenticatorImpl.java:62)
      	at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.verifyJwt(AbstractJwtAuthenticator.java:118)
      	at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.authenticate(AbstractJwtAuthenticator.java:71)
      	at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.authenticate(JwtAuthenticatorImpl.java:30)
      	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.mayProceed(JwtAuthFilter.java:79)
      	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:35)
      	at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:33)
      	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
      	at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
      	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
      	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
      	at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:87)
      	at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.lang.Thread.run(Thread.java:748)
      	... 75 frames trimmed
      

      Workaround

      Please use HTTPS to clone the personal repositories of the users with dot in username.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              ysun Yingran Sun
              Reporter:
              ashaleev Anton Shaleev
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: