Jenkins throws exception about secret token but reports 200 back to Gitlab #332

Open
pbradly opened this issue Jun 13, 2023 · 1 comment
Labels
bug Something isn't working

pbradly commented Jun 13, 2023

Jenkins and plugins versions report

Environment
Jenkins: 2.400
OS: Linux - 5.15.0-1017-aws
Java: 11.0.18 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1
analysis-model-api:11.2.0
anchore-container-scanner:1.0.25
ansicolor:1.0.2
ant:487.vd79d090d4ea_e
antisamy-markup-formatter:159.v25b_c67cd35fb_
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5
artifactory:3.18.1
authentication-tokens:1.53.v1c90fd9191a_b_
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.447-382.vda_68e2007233
aws-java-sdk-cloudformation:1.12.447-382.vda_68e2007233
aws-java-sdk-codebuild:1.12.447-382.vda_68e2007233
aws-java-sdk-ec2:1.12.447-382.vda_68e2007233
aws-java-sdk-ecr:1.12.447-382.vda_68e2007233
aws-java-sdk-ecs:1.12.447-382.vda_68e2007233
aws-java-sdk-efs:1.12.447-382.vda_68e2007233
aws-java-sdk-elasticbeanstalk:1.12.447-382.vda_68e2007233
aws-java-sdk-iam:1.12.447-382.vda_68e2007233
aws-java-sdk-kinesis:1.12.447-382.vda_68e2007233
aws-java-sdk-logs:1.12.447-382.vda_68e2007233
aws-java-sdk-minimal:1.12.447-382.vda_68e2007233
aws-java-sdk-sns:1.12.447-382.vda_68e2007233
aws-java-sdk-sqs:1.12.447-382.vda_68e2007233
aws-java-sdk-ssm:1.12.447-382.vda_68e2007233
azure-cli:0.9
azure-commons:1.1.3
azure-credentials:254.v64da_8176c83a
azure-sdk:132.v62b_48eb_6f32f
basic-branch-build-strategies:71.vc1421f89888e
bootstrap5-api:5.2.2-3
bouncycastle-api:2.27
branch-api:2.1071.v1a_188a_562481
caffeine-api:3.1.6-115.vb_8b_b_328e59d8
checks-api:2.0.0
cloudbees-folder:6.815.v0dd5a_cb_40e0e
code-coverage-api:4.4.0
command-launcher:100.v2f6722292ee8
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-36.vc008c8fcda_7b_
config-file-provider:3.11.1
copyartifact:698.v393f578eb_ddc
credentials:1254.vb_96f366e7b_a_d
credentials-binding:604.vb_64480b_c56ca_
cvs:2.19.1
dark-theme:315.va_22e7d692ea_a
data-tables-api:1.13.3-3
display-url-api:2.3.7
docker-commons:419.v8e3cd84ef49c
docker-java-api:3.2.13-68.va_875df25a_b_45
docker-workflow:563.vd5d2e5c4007f
durable-task:506.v1b_3e14b_6f5da_
echarts-api:5.4.0-3
envinject:2.901.v0038b_6471582
envinject-api:1.199.v3ce31253ed13
folder-auth:1.4
font-awesome-api:6.3.0-2
forensics-api:2.1.0
git:5.0.1
git-client:4.2.0
github-api:1.303-417.ve35d9dd78549
gitlab-api:5.2.0-86.v1ed41a_9cf486
gitlab-branch-source:660.vd45c0f4c0042
gitlab-logo:1.1.0
gitlab-oauth:1.16
gitlab-plugin:1.7.12
google-chat-notification:1.6
google-login:1.7
google-oauth-plugin:1.0.8
google-play-android-publisher:4.2
gradle:2.6
greenballs:1.15.1
groovy:453.vcdb_a_c5c99890
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
http_request:1.16
instance-identity:142.v04572ca_5b_265
ionicons-api:45.vf54fca_5d2154
ivy:2.4
jackson2-api:2.15.0-334.v317a_165f9b_7c
jacoco:3.3.3
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javadoc:233.vdc1a_ec702cff
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jdk-tool:66.vd8fa_64ee91b_d
jersey2-api:2.39.1-1
job-dsl:1.83
jquery3-api:3.6.4-1
jsch:0.2.8-65.v052c39de79b_2
junit:1198.ve38db_d1b_c975
kubernetes:3923.v294a_d4250b_91
kubernetes-cli:1.12.0
kubernetes-client-api:6.4.1-215.v2ed17097a_8e9
kubernetes-credentials:0.10.0
kubernetes-credentials-provider:1.211.vc236a_f5a_2f3c
mac:1.6.1
mailer:448.v5b_97805e3767
matrix-project:789.v57a_725b_63c79
maven-plugin:3.22
metrics:4.2.13-420.vea_2f17932dd6
mina-sshd-api-common:2.9.2-62.v199162f0a_2f8
mina-sshd-api-core:2.9.2-62.v199162f0a_2f8
momentjs:1.1.1
multibranch-build-strategy-extension:1.0.10
next-build-number:1.8
nvm-wrapper:0.1.7
oauth-credentials:0.645.ve666a_c332668
okhttp-api:4.10.0-132.v7a_7b_91cef39c
pipeline-build-step:491.v1fec530da_858
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:656.va_a_ceeb_6ffb_f7
pipeline-input-step:468.va_5db_051498a_4
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2131.vb_9788088fdb_5
pipeline-model-definition:2.2131.vb_9788088fdb_5
pipeline-model-extensions:2.2131.vb_9788088fdb_5
pipeline-rest-api:2.32
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2131.vb_9788088fdb_5
pipeline-stage-view:2.32
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.2.0
popper2-api:2.11.6-2
prism-api:1.29.0-4
role-strategy:633.v836e5b_3e80a_5
s3:0.12.3444.vf1f416e058d3
scm-api:667.v8b_6e07cdc7f2
script-security:1244.ve463715a_f89c
simple-theme-plugin:160.vb_76454b_67900
snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4
sonar:2.15
ssh-credentials:305.v8f4381501156
ssh-slaves:2.877.v365f5eb_a_b_eec
sshd:3.275.v9e17c10f2571
structs:324.va_f5d6774f3a_d
theme-manager:193.vcef22f6c5f2b_
token-macro:359.vb_cde11682e0c
trilead-api:2.84.v72119de229b_7
variant:59.vf075fe829ccb
warnings-ng:10.1.0
workflow-aggregator:596.v8c21c963d92d
workflow-api:1208.v0cc7c6e0da_9e
workflow-basic-steps:1017.vb_45b_302f0cea_
workflow-cps:3659.v582dc37621d8
workflow-durable-task-step:1246.v5524618ea_097
workflow-job:1301.v054d9cea_9593
workflow-multibranch:746.v05814d19c001
workflow-scm-step:408.v7d5b_135a_b_d49
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:839.v35e2736cfd5c

What Operating System are you using (both controller, and any agents involved in the problem)?

OS: Linux - 5.15.0-1017-aws

Reproduction steps

We have a webhook set up in our Gitlab instance that posts to Jenkins for each commit. Jenkins returns a 200 to Gitlab when a commit is run (and the webhook is triggered) or when we run a test of it from Gitlab. However, Jenkins throws an exception saying a valid secret token was expected:

2023-06-13 15:25:40.496+0000 [id=411246]	WARNING	h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID fbf141e1-8d8c-4ea6-b830-f76a063feea6
java.lang.Exception: Expecting a valid secret token
	at org.kohsuke.stapler.HttpResponses.error(HttpResponses.java:92)
	at io.jenkins.plugins.gitlabbranchsource.GitLabSystemHookAction.doPost(GitLabSystemHookAction.java:74)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:475)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:64)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at io.jenkins.plugins.gitlabbranchsource.GitLabSystemHookAction.process(GitLabSystemHookAction.java:49)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:128)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1383)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1305)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.Server.handle(Server.java:563)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:416)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:385)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:272)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:140)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:934)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1078)
	at java.base/java.lang.Thread.run(Thread.java:829)

This in turn means the build is not triggered in Jenkins. From our investigation the secret token should be valid, as it is used by other projects which run successfully, and Jenkins triggers builds when the webhook is triggered.

Expected Results

Jenkins kicks off a build when a post to the webhook is sent

Actual Results

Jenkins reports a 200 back to gitlab but throws an exception saying Expecting a valid secret token

Anything else?

Our Jenkins and Gitlab instances are running as docker containers on a kubernetes cluster

@pbradly pbradly added the bug Something isn't working label Jun 13, 2023

jmini commented Jun 15, 2023

IMO responding 2xx when you have received a webhook event is correct.
Even if this webhook event triggers an error later when the event is processed.

This belongs to the Webhook best practices…
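
Added example (not part of the original issue or the plugin's code): as reported above, GitLab is shown HTTP 200 for these deliveries, so the Jenkins log is where the token rejection becomes visible. This Python script scans Jenkins log text for "Expecting a valid secret token" records and reports which plugin handler rejected each one; the function names and the second sample record are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input. The first record reuses the header and top frames
# of the trace quoted in the issue; the second record is invented for contrast.
SAMPLE_LOG = """\
2023-06-13 15:25:40.496+0000 [id=411246]\tWARNING\th.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID fbf141e1-8d8c-4ea6-b830-f76a063feea6
java.lang.Exception: Expecting a valid secret token
\tat org.kohsuke.stapler.HttpResponses.error(HttpResponses.java:92)
\tat io.jenkins.plugins.gitlabbranchsource.GitLabSystemHookAction.doPost(GitLabSystemHookAction.java:74)
\tat org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
2023-06-13 15:26:02.113+0000 [id=411301]\tWARNING\th.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 00000000-0000-0000-0000-000000000001
java.lang.IllegalStateException: constructed unrelated failure
\tat org.example.Unrelated.run(Unrelated.java:1)
"""

TOKEN_MSG = "Expecting a valid secret token"
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+[+-]\d{4}) \[id=\d+\]\s+\w+\s+"
    r".*unhandled exception with ID (?P<exc_id>[0-9a-f-]{36})")
# A stack frame inside the plugin package that appears in the issue's trace.
FRAME = re.compile(
    r"^\s+at io\.jenkins\.plugins\.gitlabbranchsource\.(?P<cls>\w+)\.(?P<method>\w+)\(")

def find_token_rejections(log_text):
    """Return one dict per log record whose exception is a token rejection."""
    hits, current = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:  # a new log record starts here
            current = {"ts": header["ts"], "exc_id": header["exc_id"],
                       "rejected": False, "handler": None}
        elif current is None:
            continue  # text before the first record header
        elif TOKEN_MSG in line and not current["rejected"]:
            current["rejected"] = True
            hits.append(current)
        elif current["rejected"] and current["handler"] is None:
            frame = FRAME.match(line)
            if frame:  # first plugin frame below the exception message
                current["handler"] = f"{frame['cls']}.{frame['method']}"
    return hits

def rejections_by_handler(log_text):
    """Count token rejections per rejecting plugin handler."""
    return Counter(hit["handler"] for hit in find_token_rejections(log_text))

if __name__ == "__main__":
    for hit in find_token_rejections(SAMPLE_LOG):
        print(hit["ts"], hit["exc_id"], hit["handler"])
```

The handler name shows which hook endpoint performed the check, which is the token configuration to compare against the one GitLab sends.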
