
Unexpected token used for setting up webhooks #461

Open
Novakov opened this issue Nov 29, 2024 · 0 comments
Novakov commented Nov 29, 2024

Jenkins and plugins versions report

Environment
Jenkins: 2.487
OS: Windows 11 - 10.0
Java: 17.0.11 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7.1-97.v4cc844130d97
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1200.v4b_a_3da_2eb_db_4
caffeine-api:3.1.8-133.v17b_1ff2e0599
cloudbees-folder:6.959.v4ed5cc9e2dd4
credentials:1389.vd7a_b_f5fa_50a_2
credentials-binding:687.v619cb_15e923f
display-url-api:2.209.v582ed814ff2f
git:5.6.0
git-client:6.1.0
gitlab-api:5.6.0-97.v6603a_83f8690
gitlab-branch-source:715.v4c830b_ca_ef95
gson-api:2.11.0-85.v1f4e87273c33
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
jaxb:2.3.9-1
jersey2-api:2.44-151.v6df377fff741
joda-time-api:2.13.0-93.v9934da_29b_a_e9
json-api:20240303-101.v7a_8666713110
locale:549.v824602fe3393
mailer:489.vd4b_25144138f
mina-sshd-api-common:2.14.0-133.vcc091215a_358
mina-sshd-api-core:2.14.0-133.vcc091215a_358
plain-credentials:183.va_de8f1dd5a_2b_
scm-api:698.v8e3b_c788f0a_6
script-security:1369.v9b_98a_4e95b_2d
snakeyaml-api:2.3-123.v13484c65210a_
ssh-credentials:349.vb_8b_6b_9709f5b_
structs:338.v848422169819
variant:60.v7290fc0eb_b_cd
workflow-api:1336.vee415d95c521
workflow-cps:3996.va_f5c1799f978
workflow-job:1468.vcf4f5ee92395
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:936.v9fa_77211ca_e1

What Operating System are you using (both controller, and any agents involved in the problem)?

Windows 11

Reproduction steps

  1. GitLab setup
    1. Generate personal access token with required API access
    2. Create new group
    3. Create single project in that group
  2. Setup credentials in Jenkins in System -> Global credentials
    1. Add Secret text credentials named dummy_connection_string with random text as secret
    2. Create GitLab Personal Access Token gitlab_token with token created in "GitLab Setup"
    3. Create secret text gitlab_webhook_secret with random text as secret
  3. Define GitLab server
    1. Credentials = gitlab_token
    2. 'Manage Web Hooks' disabled
    3. 'Manage System Hooks' disabled
    4. Secret Token = gitlab_webhook_secret
  4. Define Organization Folder job
    1. Add New Item -> Organization Folder
    2. Add GitLab Group as repository source
    3. Select server defined in "Define GitLab server"
    4. Enter name of group created in "GitLab setup"
    5. Remove all behaviours except "Discover branches" (probably not necessary)
    6. Add "Override GitLab hook management modes"
      1. Set Web Hook Strategy to 'Use Item credentials for Web Hook management'
      2. Set System Hook Strategy to 'Disable System Hook management'
    7. Save
  5. Trigger GitLab Group Scan
  6. Check 'Scan GitLab Group Log'

Expected Results

Webhook is created

Actual Results

  • Cannot set web hook: Unauthorized is reported in the GitLab group scan log. Inspection of HTTP requests between Jenkins and GitLab shows that for all requests except the hooks-related ones, the token defined in the server is used. For the request that lists the hooks configured in the project (/api/v4/groups/<groupname>%2f<projectname>/hooks), a different token is used. In fact it is the token created as dummy_connection_string.

Anything else?

My bet is on the usage of firstOrNull in https://github.com/jenkinsci/gitlab-branch-source-plugin/blob/master/src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabSCMSource.java#L789.
If a more localized token is not found, it should fall back to the token defined in the server, not a random credential from the Jenkins instance.

Are you interested in contributing a fix?

With some guidance I can try but I've never done any Jenkins development, so it might not be easy for me.
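The failure mode described in this report, as an added, self-contained Java model that is not the plugin's code and does not depend on Jenkins: a credential store populated in the order the reproduction steps create the three secrets, a first-match lookup in the spirit of the `firstOrNull` the reporter points at, and two resolvers side by side. The "buggy" resolver's matcher, which degrades to "any secret text" when the item-level credential id is absent, is an assumption made to reproduce the symptom (the first credential in the store, `dummy_connection_string`, is returned); the real cause at the linked line is the reporter's guess, not something this model confirms. The "fixed" resolver shows the behaviour the reporter asks for: an exact-id match on the item credential, then an explicit fallback to the server credential, never whatever credential happens to come first.

```java
import java.util.List;
import java.util.function.Predicate;

public class WebhookTokenLookup {
    // Constructed model of a Jenkins "secret text" credential: an id and its secret value.
    record SecretText(String id, String secret) {}

    // Constructed store, in the order the reproduction steps create the credentials.
    // The secrets are placeholders, not real tokens.
    static final List<SecretText> STORE = List.of(
        new SecretText("dummy_connection_string", "random-text-1"),
        new SecretText("gitlab_token", "glpat-PLACEHOLDER"),
        new SecretText("gitlab_webhook_secret", "random-text-2"));

    // First-match lookup: returns the first credential the matcher accepts, or null.
    static SecretText firstOrNull(List<SecretText> all, Predicate<SecretText> matcher) {
        for (SecretText c : all) {
            if (matcher.test(c)) {
                return c;
            }
        }
        return null;
    }

    // Buggy resolver (assumed cause, for illustration): when no item-level id is
    // configured the matcher accepts every credential, so the first one in the
    // store wins regardless of which token the server was configured with.
    static String resolveBuggy(String itemCredentialsId, String serverCredentialsId) {
        SecretText c = firstOrNull(STORE,
            cred -> itemCredentialsId == null || cred.id().equals(itemCredentialsId));
        return c == null ? null : c.id();
    }

    // Fixed resolver: exact-id match on the item credential if one is configured,
    // otherwise an explicit fallback to the server credential by exact id.
    // A missing or unknown id yields null instead of an unrelated secret.
    static String resolveFixed(String itemCredentialsId, String serverCredentialsId) {
        if (itemCredentialsId != null && !itemCredentialsId.isBlank()) {
            SecretText c = firstOrNull(STORE, cred -> cred.id().equals(itemCredentialsId));
            if (c != null) {
                return c.id();
            }
        }
        SecretText s = firstOrNull(STORE, cred -> cred.id().equals(serverCredentialsId));
        return s == null ? null : s.id();
    }

    public static void main(String[] args) {
        // Item-level credential not set, server configured with gitlab_token.
        System.out.println("buggy: " + resolveBuggy(null, "gitlab_token"));
        System.out.println("fixed: " + resolveFixed(null, "gitlab_token"));
        // Item-level credential set and present: both resolvers agree.
        System.out.println("buggy, item id: " + resolveBuggy("gitlab_token", "gitlab_token"));
        System.out.println("fixed, item id: " + resolveFixed("gitlab_token", "gitlab_token"));
    }
}
```

Compile and run with `javac WebhookTokenLookup.java && java WebhookTokenLookup` (Java 16 or newer for records). The useful defensive check this model suggests, independent of where the real defect is, is that any credential resolver should fail closed (return null and log a clear error) when the configured id does not match, rather than widen the match; a "Cannot set web hook: Unauthorized" with a token that belongs to an unrelated credential is exactly the symptom a silently widened matcher produces.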
