Details
- Bug
- Resolution: Fixed
- High
- 6.5.1
- 3
- Severity 2 - Major
- 11
Description
Issue Summary
Bitbucket 6.5.x has an issue with JWT authentication when cloning private repositories that contain LFS-tracked elements if the username contains a dot. Cloning repositories that merely have a dot in the repository name works without issue.
Steps to Reproduce
- Create a private repository, or fork a public repository into a private one
- Add Git LFS support for the repository
- Add Git LFS-tracked elements to the repository
- Add an SSH key to the user profile
- Try to clone the repository via SSH
Expected Results
The repository is cloned successfully after asking for the SSH key passphrase twice (once for git and once for git-lfs).
Actual Results
The git part is cloned successfully, while git lfs fails with the following error:
git clone ssh://git@bitbucketdc:7999/~internet.explorer/shaleev.github.io.git
Cloning into 'shaleev.github.io'...
Enter passphrase for key '/Users/ashaleev/.ssh/id_rsa':
remote: Enumerating objects: 438, done.
remote: Counting objects: 100% (438/438), done.
remote: Compressing objects: 100% (365/365), done.
remote: Total 438 (delta 59), reused 408 (delta 56)
Receiving objects: 100% (438/438), 8.65 MiB | 8.60 MiB/s, done.
Resolving deltas: 100% (59/59), done.
Enter passphrase for key '/Users/ashaleev/.ssh/id_rsa':
Downloading _site/img/about-section/conference.jpg (21 KB)
Error downloading object: _site/img/about-section/conference.jpg (98e9a06): Smudge error: Error downloading _site/img/about-section/conference.jpg (98e9a068d2f7adc9ce3bab3fb1783fb5c4c24b305cdabe0f8995914bf201df7a): batch response: Authentication required: Authorization error: http://bitbucketdc/scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch
Check that you have proper access to the repository
Errors logged to /Users/ashaleev/msbbase/support/SSP-37865/newclonessh/shaleev.github.io/.git/lfs/logs/20190823T170029.326735.log
Use `git lfs logs last` to view the log.
error: external filter 'git-lfs filter-process' failed
fatal: _site/img/about-section/conference.jpg: smudge filter lfs failed
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry the checkout with 'git checkout -f HEAD'
The following exception is logged in the atlassian-bitbucket.log file:
2019-08-23 17:00:28,056 WARN [http-nio-7990-exec-3] @1EU7XCFx1020x3469x0 172.16.71.1,172.16.71.134 "POST /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch HTTP/1.1" c.a.j.i.s.DefaultAuthenticationResultHandler Failure during JWT authentication
com.atlassian.jwt.exception.JwtInvalidClaimException: Invalid Git LFS path: /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch
    at com.atlassian.bitbucket.internal.scm.git.lfs.jwt.GitLfsApiClaimVerifiersBuilder$GitLfsActionClaimVerifier.verify(GitLfsApiClaimVerifiersBuilder.java:71)
    at com.atlassian.jwt.core.reader.NimbusJwtReader.read(NimbusJwtReader.java:151)
    at com.atlassian.jwt.core.reader.NimbusJwtReader.readAndVerify(NimbusJwtReader.java:57)
    at com.atlassian.jwt.internal.DefaultJwtService.verifyJwt(DefaultJwtService.java:49)
    at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.verifyJwt(JwtAuthenticatorImpl.java:62)
    at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.verifyJwt(AbstractJwtAuthenticator.java:118)
    at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.authenticate(AbstractJwtAuthenticator.java:71)
    at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.authenticate(JwtAuthenticatorImpl.java:30)
    at com.atlassian.jwt.internal.servlet.JwtAuthFilter.mayProceed(JwtAuthFilter.java:79)
    at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:35)
    at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:33)
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:87)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.lang.Thread.run(Thread.java:748)
    ... 75 frames trimmed
2019-08-23 17:00:28,082 DEBUG [http-nio-7990-exec-3] @1EU7XCFx1020x3470x0 172.16.71.1,172.16.71.134 "POST /mvc/error401 HTTP/1.1" c.a.b.i.c.s.CrowdSsoAuthenticationHandler Skipping Crowd SSO as it is not enabled
2019-08-23 17:00:28,090 DEBUG [http-nio-7990-exec-3] @1EU7XCFx1020x3470x0 172.16.71.1,172.16.71.134 "POST /mvc/error401 HTTP/1.1" c.a.s.i.i18n.PluginI18nService No values found in any valid locale for key ProviderManager.providerNotFound and locales [en_US, en]
2019-08-23 17:00:28,114 DEBUG [http-nio-7990-exec-3] @1EU7XCFx1020x3470x0 172.16.71.1,172.16.71.134 "POST /mvc/error401 HTTP/1.1" c.a.s.i.web.ErrorPageController User is not authorized to access [/scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch]
2019-08-23 17:00:29,098 WARN [http-nio-7990-exec-1] @1EU7XCFx1020x3471x0 172.16.71.1,172.16.71.134 "POST /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch HTTP/1.1" c.a.j.i.s.DefaultAuthenticationResultHandler Failure during JWT authentication
com.atlassian.jwt.exception.JwtInvalidClaimException: Invalid Git LFS path: /scm/~internet.explorer/shaleev.github.io.git/info/lfs/objects/batch
    at com.atlassian.bitbucket.internal.scm.git.lfs.jwt.GitLfsApiClaimVerifiersBuilder$GitLfsActionClaimVerifier.verify(GitLfsApiClaimVerifiersBuilder.java:71)
    at com.atlassian.jwt.core.reader.NimbusJwtReader.read(NimbusJwtReader.java:151)
    at com.atlassian.jwt.core.reader.NimbusJwtReader.readAndVerify(NimbusJwtReader.java:57)
    at com.atlassian.jwt.internal.DefaultJwtService.verifyJwt(DefaultJwtService.java:49)
    at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.verifyJwt(JwtAuthenticatorImpl.java:62)
    at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.verifyJwt(AbstractJwtAuthenticator.java:118)
    at com.atlassian.jwt.core.http.auth.AbstractJwtAuthenticator.authenticate(AbstractJwtAuthenticator.java:71)
    at com.atlassian.jwt.internal.sal.JwtAuthenticatorImpl.authenticate(JwtAuthenticatorImpl.java:30)
    at com.atlassian.jwt.internal.servlet.JwtAuthFilter.mayProceed(JwtAuthFilter.java:79)
    at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:35)
    at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:33)
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:87)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.lang.Thread.run(Thread.java:748)
    ... 75 frames trimmed
Workaround
Please use HTTPS to clone the personal repositories of users with a dot in their username.
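To find which accounts need this workaround, the following added triage example (not Atlassian's code) scans atlassian-bitbucket.log text for the JWT claim failure shown above and lists the personal-repository owners whose username contains a dot. Rejections that do not fit that pattern are counted separately, since this ticket does not explain them. The sample log lines, user and repository names, and function names are constructed for illustration.

```python
import re
from collections import Counter

# Exception message as it appears in the log excerpt on this page.
CLAIM_ERR = re.compile(r"JwtInvalidClaimException: Invalid Git LFS path: (\S+)")
# /scm/<project key or ~user slug>/<repo>.git/info/lfs/...
LFS_PATH = re.compile(r"^/scm/(?P<owner>[^/]+)/(?P<repo>[^/]+)\.git/info/lfs/")

# Constructed sample in the page's log format (users, repos and IDs are made up).
SAMPLE_LOG = """\
2019-08-23 17:00:28,056 WARN [http-nio-7990-exec-3] @X1x1020x1x0 10.0.0.5 "POST /scm/~jane.doe/site.git/info/lfs/objects/batch HTTP/1.1" c.a.j.i.s.DefaultAuthenticationResultHandler Failure during JWT authentication
com.atlassian.jwt.exception.JwtInvalidClaimException: Invalid Git LFS path: /scm/~jane.doe/site.git/info/lfs/objects/batch
2019-08-23 17:00:29,098 WARN [http-nio-7990-exec-1] @X1x1020x2x0 10.0.0.5 "POST /scm/~jane.doe/site.git/info/lfs/objects/batch HTTP/1.1" c.a.j.i.s.DefaultAuthenticationResultHandler Failure during JWT authentication
com.atlassian.jwt.exception.JwtInvalidClaimException: Invalid Git LFS path: /scm/~jane.doe/site.git/info/lfs/objects/batch
2019-08-23 17:05:10,412 WARN [http-nio-7990-exec-7] @X1x1025x3x0 10.0.0.9 "POST /scm/PROJ/app.git/info/lfs/objects/batch HTTP/1.1" c.a.j.i.s.DefaultAuthenticationResultHandler Failure during JWT authentication
com.atlassian.jwt.exception.JwtInvalidClaimException: Invalid Git LFS path: /scm/PROJ/app.git/info/lfs/objects/batch
"""

def classify(path):
    """Return (owner, repo, verdict) for an LFS path rejected by the claim verifier."""
    m = LFS_PATH.match(path)
    if not m:
        return None, None, "unparsed"
    owner, repo = m["owner"], m["repo"]
    # Personal repositories use a ~username slug; this ticket covers dotted usernames.
    if owner.startswith("~") and "." in owner[1:]:
        return owner, repo, "dotted-username"
    return owner, repo, "other"  # not explained by this ticket; investigate separately

def triage(log_text):
    """Count rejected LFS paths per (owner, verdict)."""
    hits = Counter()
    for path in CLAIM_ERR.findall(log_text):
        owner, _repo, verdict = classify(path)
        hits[(owner, verdict)] += 1
    return hits

def users_needing_workaround(log_text):
    """Usernames (without the ~) whose LFS requests match this ticket's pattern."""
    return sorted({o[1:] for (o, v) in triage(log_text) if v == "dotted-username"})

if __name__ == "__main__":
    for (owner, verdict), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{owner:12} {verdict:16} {n}")
    print("Use HTTPS for:", users_needing_workaround(SAMPLE_LOG))
```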