Details
- Bug
- Resolution: Unresolved
- Low
- None
- 8.9.0, 8.19.0
- 1
- Severity 3 - Minor
Description
Issue Summary
This is reproducible on Data Center: yes
When a service user is first created at a particular scope (e.g. a repository) but the permission assignment for it fails (the creation of the service user and the permission assignment happen in separate transactions; they really should be performed as one transaction), subsequent token creations at the same scope (e.g. the same repository) return early and do not assign permissions to the service user.
Requests using such a token fail because the service user has no permissions assigned.
Steps to Reproduce
- Create a scoped (e.g. repo) token via a create-token request
- Let the service user be created, but make the permission assignment fail (e.g. via a breakpoint)
- Create another token at the same scope, then use it in a privileged REST request for that scope, e.g. archive:
curl -v --location 'http://localhost:7990/bitbucket/rest/api/latest/projects/PROJECT_1/repos/test/archive?format=zip' --header "Authorization: Bearer BBDC-NDczMjMwMDA2MDg1OpM1LYG1VDu8KSDLNVSNA2dQtoDt" -o test.zip
Expected Results
Tokens that were successfully created should be usable
Actual Results
HTTP 401 Unauthorized with the following message:
Error: {"errors":[{"context":null,"message":"You are not permitted to access this resource","exceptionName":"com.atlassian.bitbucket.AuthorisationException"}]}
We noted that the service user did not have any permissions in the sta_repo_permission table:
bitbucket=> SELECT * FROM sta_repo_permission where user_id=<AccessTokenServiceUserID>
bitbucket-> ;
 id | perm_id | repo_id | group_name | user_id
----+---------+---------+------------+---------
(0 rows)
Workaround
We need to delete the service user and its associated records from the database:
- Make sure sta_repo_permission has no permissions associated with the service user 'access-token-user/2/XXX', and delete them just to be safe:
DELETE FROM sta_repo_permission WHERE user_id IN (SELECT user_id FROM sta_service_user WHERE name='access-token-user/2/XXX');
- Delete all entries from AO_E5A814_ACCESS_TOKEN_PERM and AO_E5A814_ACCESS_TOKEN associated with this service user 'access-token-user/2/XXX':
DELETE FROM "AO_E5A814_ACCESS_TOKEN_PERM" WHERE "FK_ACCESS_TOKEN_ID" IN (SELECT "TOKEN_ID" FROM "AO_E5A814_ACCESS_TOKEN" WHERE "USER_ID" IN (SELECT user_id FROM sta_service_user WHERE name='access-token-user/2/XXX'));
DELETE FROM "AO_E5A814_ACCESS_TOKEN" WHERE "USER_ID" IN (SELECT user_id FROM sta_service_user WHERE name='access-token-user/2/XXX');
- Finally, delete the service user 'access-token-user/2/XXX' itself from the sta_service_user table:
DELETE FROM sta_service_user WHERE name='access-token-user/2/XXX'; COMMIT;
Replace XXX with the repo id that is affected.
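Before running the destructive statements above, it helps to find every service user already in the broken state. The following query is an added example, not part of the ticket or of Bitbucket itself; it assumes the PostgreSQL schema shown in this ticket, and that every repo-scoped service user is named 'access-token-user/2/<repo id>' (the "2" is taken from the ticket's example name and may not cover other scopes).

```sql
-- Constructed detection query (not from the ticket): list access-token service
-- users that own at least one token but have no row at all in sta_repo_permission,
-- i.e. the state this bug leaves behind. Run it read-only first; it deletes nothing.
-- Assumes PostgreSQL (split_part, quoted AO table names as in the workaround).
SELECT su.user_id,
       su.name,
       split_part(su.name, '/', 3) AS repo_id,     -- the XXX part of the name
       COUNT(t."TOKEN_ID")          AS token_count  -- tokens that will get HTTP 401
FROM sta_service_user su
JOIN "AO_E5A814_ACCESS_TOKEN" t
  ON t."USER_ID" = su.user_id                      -- same join the workaround uses
LEFT JOIN sta_repo_permission rp
  ON rp.user_id = su.user_id
WHERE su.name LIKE 'access-token-user/2/%'         -- assumed repo-scope naming pattern
  AND rp.id IS NULL                                -- no permission row at all
GROUP BY su.user_id, su.name
ORDER BY su.user_id;
```

Each returned repo_id is a value to substitute for XXX in the workaround; a service user that appears here after the cleanup has been re-created with the same failure.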