- Type: Bug
- Resolution: Won't Fix
- Priority: Low
- None
- Affects Version/s: 7.12.3
- Component/s: Jira Importers Plugin
- 7.12
- 1
- Severity 3 - Minor
Summary
JIRA Importer for Redmine to bypass basic authentication when it gets redirected
Environment
- A Redmine instance that stores attachments in AWS S3.
- JIRA Importer version 2.1.9.
Steps to Reproduce
- Import a Redmine project that stores attachments in AWS S3 storage.
- During the import, the attachments are not uploaded successfully, and the "only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified" error below is returned:
<?xml version="1.0" encoding="UTF-8"?> <Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>Basic XXXXXXXXXXX</ArgumentValue><RequestId>DE4FD70BEA91A5EB</RequestId><HostId>m4SyImw7h/m2VxCiFb5WVnLDk2wNOIcMrysUAwdLekZGYAf0uxDm6S7zh/ktO1vJsJCSfMEJDFQ=</HostId></Error>
This is because our Importer uses Basic authorization to get the attachment:
Importer when the attachment is stored locally
2018-11-21 14:56:41,045 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] >> "GET /attachments/download/10800/screenshot_3_1536863061_Screenshot_20180913-111313.jpg HTTP/1.1[\r][\n]"
2018-11-21 14:56:41,045 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] >> "Authorization: Basic XXXXXXXXXX[\r][\n]"
2018-11-21 14:56:41,045 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] >> "Accept-Encoding: gzip[\r][\n]"
2018-11-21 14:56:41,045 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] >> "Host: redmine.com [\r][\n]"
2018-11-21 14:56:41,045 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] >> "Connection: Keep-Alive[\r][\n]"
2018-11-21 14:56:41,045 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] >> "User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_121)[\r][\n]"
Note that the Authorization used is Basic, i.e. username and password:
Authorization: Basic XXXXXXXXXXXXXX
Importer when the attachment is stored in AWS S3 storage
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "HTTP/1.1 302 Found [\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "Date: Wed, 21 Nov 2018 03:56:41 GMT[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "Content-Type: text/html; charset=utf-8[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "Content-Length: 1314[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "Connection: keep-alive[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "Server: nginx[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "X-Frame-Options: SAMEORIGIN[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "X-Xss-Protection: 1; mode=block[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "X-Content-Type-Options: nosniff[\r][\n]"
2018-11-21 14:56:41,266 JiraTaskExectionThread-3 DEBUG admin 896x995x1 1j2vu3y 0:0:0:0:0:0:0:1 /secure/admin/ImporterLogsPage%21import.jspa [o.apache.http.wire] << "Location: 
https://s3.amazonaws.com/redmine-test.com/redmine/2018/09/3182421_e7445a24a0a9def3da52d17e83f26c66.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIASDAVXBX7USRY5SLA%2F20181121%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20181121T035641Z&X-Amz-Expires=900&X-Amz-Security-Token=FQoGZXIvYXdzEJX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDPzu66%2FpCmrMiBcUhSKRBEHV0XfK9oJAkz9%2Bir5Oh5YYZkczl5xHlxEQJjIBMd5uBWcaXGjpBELVEAb8W3bTDn9%2BmtAMwqevmLGr4y1c10w4M0PxWwCkF8ZOlL9zHaYDMd2174cHmezvP3eLlhvmH%2F4tRxNLVIbh%2BtvxYb3ebxVDy1OtEoWFknwAJI1I8iFt%2Fb%2BmKNt8TxfV3%2FXraxmEVWHzFewKWaJKJ0UWQtz90KcayqtY98za8aOjvuWyPrfCz5LtUyNA9uRy49GLaN2bJLyIy4Vds0aDQrsd1ih80OKWglVQIm0JVER9oJMrY3Lf2288BAJ%2Bo92vxuJonvLpWTop%2FVqyTNpYA0MPyUuZxdWrgdA6fwGN7s13T%2BBAlx66xYWXsJzCwxJFvGT4hhP2w4PFJJCeJXsLinLsf4gE7VCUBNer%2B%2FDUT412kGCH%2FI9Fe%2BiNd10kC667TvgccaaXtazR3vQixb3p0j%2FNRGUySXgWvz%2FCRPwR8Ggf0Tuoi00LQjhVkp9wJpYu6MhVQfJgRwOZiKDxwcmSlGlCoMBnl1yx6WpbaI7hfT2t7svV8GvP12tvN6idxD6OA89ZrrhlPMKjPu0tfCpVgrF6aiFOTKt3JNDcdFfyKBBdBK3a8olafT3wU%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=95b89b723cf18bc5a604a1f1e2801a5a44e4c4ab0ffea48483238e672742ba0b[\r][\n]"
Please note that the Redmine Importer in JIRA uses the redirection URL from S3, which contains the AMZ token in the URL. When this URL is passed through the importer, which uses Basic authentication, it causes the error in Step 2.
Expected Results
JIRA will bypass the Basic authentication and use the token provided by the AWS URL to transfer the attachment over.
Actual Results
JIRA will still use Basic authentication, which causes the error in Step 2.
Workaround
- Upload the attachment using Importing data from CSV - Importing attachments.
- Move the attachments from AWS to a local server that allows Basic authentication.
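The expected and actual results above, reproduced as an added example (not the importer's code): a client that follows the redirect by hand, either forwarding the Authorization header to the new origin or dropping it there. `Store` and `Tracker` are hypothetical local stand-ins for S3 and Redmine, and the credentials and signature value are constructed.

```python
import base64, http.client, socketserver, threading
from http.server import BaseHTTPRequestHandler
from urllib.parse import parse_qs, urljoin, urlsplit

BASIC = "Basic " + base64.b64encode(b"importer:constructed-pw").decode()  # constructed

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args): pass            # keep the demo silent
    def reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location: self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Store(Quiet):    # stand-in for S3: rejects two auth mechanisms at once
    def do_GET(self):
        presigned = "X-Amz-Signature" in parse_qs(urlsplit(self.path).query)
        both = presigned and "Authorization" in self.headers
        self.reply(400 if both else 200, b"InvalidArgument" if both else b"attachment-bytes")

class Tracker(Quiet):  # stand-in for Redmine: checks Basic auth, then redirects
    store_url = ""
    def do_GET(self):
        ok = self.headers.get("Authorization") == BASIC
        self.reply(302 if ok else 401, location=self.store_url if ok else None)

def fetch(url, auth, strip_cross_origin, max_hops=5):  # plain http only in this sketch
    origin, headers = urlsplit(url)[:2], {"Authorization": auth}
    for _ in range(max_hops):
        u = urlsplit(url)
        if strip_cross_origin and u[:2] != origin:
            headers.pop("Authorization", None)    # credentials stay with the first origin
        conn = http.client.HTTPConnection(u.netloc, timeout=5)
        conn.request("GET", u.path + ("?" + u.query if u.query else ""), headers=headers)
        resp = conn.getresponse()
        body, location = resp.read(), resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308):
            return resp.status, body
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")

def demo():
    servers = [socketserver.TCPServer(("127.0.0.1", 0), h) for h in (Store, Tracker)]
    for s in servers: threading.Thread(target=s.serve_forever, daemon=True).start()
    store_port, tracker_port = (s.server_address[1] for s in servers)
    Tracker.store_url = f"http://127.0.0.1:{store_port}/a.jpg?X-Amz-Signature=constructed"
    url = f"http://127.0.0.1:{tracker_port}/attachments/download/1/a.jpg"
    return fetch(url, BASIC, False), fetch(url, BASIC, True)
```

Comparing scheme and host:port, as `fetch` does, also keeps the Basic credentials from being disclosed to whichever host the redirect points at.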