- Bug
- Resolution: Fixed
- High
- 8.9.3
- 1
- Severity 2 - Major
Issue Summary
The mirror repository service returns 401 Unauthorized when the request is made with non-global-admin credentials, for example a user that holds only REPO_READ on the repository, which is the permission the endpoint needs in order to resolve the repository from its ID. This shows up in the Atlassian Bitbucket Jenkins Integration plugin: if non-global-admin credentials are configured, Jenkins cannot retrieve the list of mirrors to clone a repository from.
This is reproducible on Data Center: yes
Steps to Reproduce
- Create a user that has only REPO_READ permission on a repository
- Mirror that repository
- Request <mirror-base-url>/rest/mirroring/latest/upstreamServers/<mirror-id>/repos/<repo-id> with username/password (basic auth) credentials for the created user
Expected Results
The request succeeds and returns the repository information.
Actual Results
A 401 is returned and logged in the mirror access log (this example is from the Jenkins integration, but the bug is reproducible with curl):
127.0.0.1 | http | o@1861BZLx908x90x1 | user | 2024-05-13 15:08:35,224 | "GET /rest/mirroring/latest/upstreamServers/148728f5-df0f-3f3e-af11-5ca16be3725f/repos/1 HTTP/1.1" | "" "bitbucket-jenkins-integration/4.0.1-SNAPSHOT (private-aec0ff98-mhenschke)" | 401 | 0 | 152 | - | 12614 | - |
We didn't dig deeply into this issue, but it appears that when the upstream provides the effective permissions for the mirror while resolving this endpoint, it is not providing the repository ID correctly (when we tested this service, the DefaultMirrorAuthenticationService had a null repo ID), which explains why global admins work and non-global admins do not.
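The reproduction above in script form, added here as an example and not code from Atlassian or the Jenkins plugin: one function sends the same basic-auth GET that curl would and reports the status the mirror returns (200 means the user was resolved, 401 reproduces the bug), and a second parses mirror access log lines of the shape shown above so the failing requests can be pulled out of a log. The base URL, mirror ID, repository ID and credentials are placeholders to be supplied by the caller; the access log field layout (IP, protocol, request ID, user, timestamp, request line, referer and user agent, status, ...) is inferred from the single sample line in this ticket and is an assumption.

```python
"""Probe the mirror repository endpoint and find 401s for it in the mirror access log.

Added example for this ticket; not Atlassian or Jenkins plugin code. The log field
layout is assumed from the one sample line in the ticket.
"""
import re
import sys
from base64 import b64encode
from dataclasses import dataclass
from typing import List, Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Endpoint from the ticket: mirror_id is the upstream-server UUID, repo_id the numeric repository ID.
MIRROR_REPO_PATH = "/rest/mirroring/latest/upstreamServers/{mirror_id}/repos/{repo_id}"

# Matches the quoted request field of an access log line that hit that endpoint.
MIRROR_REPO_REQUEST = re.compile(
    r'^"(?P<method>[A-Z]+) /rest/mirroring/latest/upstreamServers/'
    r'(?P<mirror_id>[^/]+)/repos/(?P<repo_id>\d+)[^"]*"$'
)

# Constructed sample: a copy of the access log line quoted in the ticket.
SAMPLE_ACCESS_LOG = (
    '127.0.0.1 | http | o@1861BZLx908x90x1 | user | 2024-05-13 15:08:35,224 | '
    '"GET /rest/mirroring/latest/upstreamServers/148728f5-df0f-3f3e-af11-5ca16be3725f/repos/1 HTTP/1.1" | '
    '"" "bitbucket-jenkins-integration/4.0.1-SNAPSHOT (private-aec0ff98-mhenschke)" | '
    '401 | 0 | 152 | - | 12614 | - |'
)


def mirror_repo_url(mirror_base_url: str, mirror_id: str, repo_id: int) -> str:
    """Build the URL from the steps-to-reproduce for a given mirror and repository."""
    return mirror_base_url.rstrip("/") + MIRROR_REPO_PATH.format(mirror_id=mirror_id, repo_id=repo_id)


def probe_mirror_repo(mirror_base_url: str, mirror_id: str, repo_id: int,
                      username: str, password: str, timeout: float = 10.0) -> int:
    """Send the basic-auth GET curl would send and return the HTTP status (200 ok, 401 = this bug)."""
    token = b64encode(f"{username}:{password}".encode()).decode()
    req = Request(
        mirror_repo_url(mirror_base_url, mirror_id, repo_id),
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:  # urllib raises on 4xx/5xx; the code is what we want
        return err.code


@dataclass
class MirrorRepoRequest:
    user: str
    timestamp: str
    mirror_id: str
    repo_id: int
    status: int
    client: str  # referer and user agent field, as logged


def parse_access_log_line(line: str) -> Optional[MirrorRepoRequest]:
    """Parse one pipe-separated access log line; None if it is not a request to the endpoint."""
    fields = [f.strip() for f in line.strip().strip("|").split("|")]
    # Assumed layout: ip | protocol | request id | user | timestamp | request | referer + UA | status | ...
    if len(fields) < 8:
        return None
    match = MIRROR_REPO_REQUEST.match(fields[5])
    if not match or not fields[7].isdigit():
        return None
    return MirrorRepoRequest(
        user=fields[3],
        timestamp=fields[4],
        mirror_id=match["mirror_id"],
        repo_id=int(match["repo_id"]),
        status=int(fields[7]),
        client=fields[6],
    )


def unauthorized_mirror_requests(lines) -> List[MirrorRepoRequest]:
    """Return the endpoint requests that the mirror rejected with 401."""
    parsed = (parse_access_log_line(line) for line in lines)
    return [entry for entry in parsed if entry is not None and entry.status == 401]


if __name__ == "__main__":
    # usage: python probe.py <mirror-base-url> <mirror-id> <repo-id> <user> <password>
    if len(sys.argv) == 6:
        base, mid, rid, user, pw = sys.argv[1:]
        print("status:", probe_mirror_repo(base, mid, int(rid), user, pw))
    for hit in unauthorized_mirror_requests([SAMPLE_ACCESS_LOG]):
        print(f"{hit.timestamp} user={hit.user} repo={hit.repo_id} status={hit.status} via {hit.client}")
```

Run the probe once with the REPO_READ user and once with a global admin against the same mirror and repository: on an affected version the first returns 401 and the second 200, which is the whole bug in one comparison.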
Workaround
Use global admin credentials instead of credentials for a user with repository-scoped permissions. Note that this gives the integration global admin rights on the mirror for as long as the workaround is in place, far more than the REPO_READ the endpoint actually needs.