Bitbucket Data Center / BSERV-19306

Repository Level Http Access Token Fails to validate


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Fix Version/s: None
    • Affects Version/s: 8.9.0, 8.19.0
    • Component/s: Authentication

    Description

      Issue Summary

      This is reproducible on Data Center: yes

      For a scoped token (e.g. a repository-scoped token), the service user is created in one transaction and its permissions are assigned in a separate transaction; the two really should be performed as a single transaction. If the service user is created but the permission assignment fails, every subsequent create-token request at the same scope (e.g. the same repository) finds the existing service user, returns early, and never assigns the missing permissions.

      Requests using such a token fail because the service user has no permissions assigned.

      Steps to Reproduce

      1. Create a token at any scope (e.g. a repository-scoped token).
      2. Let the service user be created, but make the permission assignment fail (e.g. with a breakpoint).
      3. Create a token at the same scope again, then use the new token in a REST request that requires permission on that scope, e.g. downloading an archive:
      curl -v --location 'http://localhost:7990/bitbucket/rest/api/latest/projects/PROJECT_1/repos/test/archive?format=zip' --header "Authorization: Bearer BBDC-NDczMjMwMDA2MDg1OpM1LYG1VDu8KSDLNVSNA2dQtoDt" -o test.zip

      Expected Results

      Tokens that are created successfully should be usable.

      Actual Results

      HTTP 401 Unauthorized with the following message:

      Error:
      {"errors":[{"context":null,"message":"You are not permitted to access this resource","exceptionName":"com.atlassian.bitbucket.AuthorisationException"}]}


      We noted that the service user had no rows at all in the sta_repo_permission table:

      bitbucket=> SELECT * FROM sta_repo_permission WHERE user_id = <AccessTokenServiceUserID>;
       id | perm_id | repo_id | group_name | user_id
      ----+---------+---------+------------+---------
      (0 rows)
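      The failure mode from the Issue Summary and the permission check above, reproduced end to end as an added example; this is not Bitbucket's own code. It models the two tables named in this ticket in an in-memory SQLite database (the columns of sta_repo_permission follow the query above; the user_id and name columns of sta_service_user, the REPO_READ perm_id value, and the way the failure is injected are assumptions), runs the three reproduction steps against a create-token path that commits the service user and its permissions in separate transactions, and then against a version that does both in one transaction, which is the fix the summary asks for. The orphaned-user query at the end is the psql check above generalised to find every affected service user at once.

```python
# Added example (not Bitbucket's code): model of the create-token flow in BSERV-19306.
# Table names and the service-user name scheme access-token-user/2/<repo id> come
# from the ticket; column details, REPO_READ and the failure injection are assumed.
import sqlite3

SCHEMA = """
CREATE TABLE sta_service_user (user_id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE sta_repo_permission (id INTEGER PRIMARY KEY, perm_id INTEGER NOT NULL,
                                  repo_id INTEGER, group_name TEXT, user_id INTEGER);
"""
REPO_READ = 1  # assumed perm_id for a repository-scoped token


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # autocommit; transactions are opened explicitly below
    conn.executescript(SCHEMA)
    return conn


def service_user_name(repo_id):
    return f"access-token-user/2/{repo_id}"


def find_service_user(conn, name):
    row = conn.execute("SELECT user_id FROM sta_service_user WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def create_token_buggy(conn, repo_id, fail_perms=False):
    """User row and permission row are committed in separate transactions.
    If the second one fails, the user survives and every later call for the
    same repository returns early without ever assigning permissions."""
    name = service_user_name(repo_id)
    uid = find_service_user(conn, name)
    if uid is not None:
        return uid  # early return: permissions are never repaired
    conn.execute("BEGIN")
    uid = conn.execute("INSERT INTO sta_service_user (name) VALUES (?)", (name,)).lastrowid
    conn.execute("COMMIT")  # user now exists, with or without permissions
    conn.execute("BEGIN")
    try:
        if fail_perms:
            raise RuntimeError("simulated failure of permission assignment")
        conn.execute("INSERT INTO sta_repo_permission (perm_id, repo_id, user_id) VALUES (?, ?, ?)",
                     (REPO_READ, repo_id, uid))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return uid


def create_token_fixed(conn, repo_id, fail_perms=False):
    """User row and permission row are created in one transaction, so a failure
    rolls back both and the next request starts from a clean slate."""
    name = service_user_name(repo_id)
    uid = find_service_user(conn, name)
    if uid is not None:
        return uid
    conn.execute("BEGIN")
    try:
        uid = conn.execute("INSERT INTO sta_service_user (name) VALUES (?)", (name,)).lastrowid
        if fail_perms:
            raise RuntimeError("simulated failure of permission assignment")
        conn.execute("INSERT INTO sta_repo_permission (perm_id, repo_id, user_id) VALUES (?, ?, ?)",
                     (REPO_READ, repo_id, uid))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return uid


def permission_count(conn, uid):
    """The check from the ticket: permission rows held by the service user."""
    return conn.execute("SELECT COUNT(*) FROM sta_repo_permission WHERE user_id = ?",
                        (uid,)).fetchone()[0]


def orphaned_service_users(conn):
    """Service users that hold no repository permission at all: the broken state."""
    rows = conn.execute("""SELECT u.name FROM sta_service_user u
                           LEFT JOIN sta_repo_permission p ON p.user_id = u.user_id
                           WHERE p.id IS NULL ORDER BY u.name""").fetchall()
    return [name for (name,) in rows]


def reproduce(create_token, repo_id=42):
    """Run the ticket's three steps; return (permission rows after step 3, orphaned users)."""
    conn = new_db()
    try:
        create_token(conn, repo_id, fail_perms=True)  # steps 1-2: user created, permissions fail
    except RuntimeError:
        pass
    uid = create_token(conn, repo_id)  # step 3: request a token at the same scope again
    return permission_count(conn, uid), orphaned_service_users(conn)


if __name__ == "__main__":
    print("buggy:", reproduce(create_token_buggy))  # (0, ['access-token-user/2/42'])
    print("fixed:", reproduce(create_token_fixed))  # (1, [])
```

      With the buggy path the retry in step 3 returns the orphaned service user and the permission count stays at zero, which is exactly the empty sta_repo_permission result shown above; with the single-transaction path the failed attempt leaves nothing behind and the retry produces a usable token.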
      

      Workaround

      Delete the orphaned service user and its associated records from the database. Take a database backup first, and run all of the statements in a single transaction so that a failure part-way through leaves nothing half-deleted. Any tokens already created for this scope are removed in step 2 and have to be created again afterwards.

      1. Confirm that sta_repo_permission holds no permissions for the service user 'access-token-user/2/XXX' (as observed above, there should be none) and delete any that exist just to be safe.
        BEGIN;
        DELETE FROM sta_repo_permission WHERE user_id IN (SELECT user_id FROM sta_service_user WHERE name='access-token-user/2/XXX');

      2. Delete all entries in AO_E5A814_ACCESS_TOKEN_PERM and AO_E5A814_ACCESS_TOKEN associated with the service user 'access-token-user/2/XXX'.
        DELETE FROM "AO_E5A814_ACCESS_TOKEN_PERM" WHERE "FK_ACCESS_TOKEN_ID" IN
          (SELECT "TOKEN_ID" FROM "AO_E5A814_ACCESS_TOKEN" WHERE "USER_ID" IN
            (SELECT user_id FROM sta_service_user WHERE name='access-token-user/2/XXX'));
        DELETE FROM "AO_E5A814_ACCESS_TOKEN" WHERE "USER_ID" IN
          (SELECT user_id FROM sta_service_user WHERE name='access-token-user/2/XXX');

      3. Finally, delete the service user 'access-token-user/2/XXX' itself from the sta_service_user table.
        DELETE FROM sta_service_user WHERE name='access-token-user/2/XXX';
        COMMIT;

      Replace XXX with the id of the affected repository.


          People

            Assignee: Unassigned
            Reporter: David Zhu