jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

(' is added when searching for user #170

Closed tzachs closed 2 years ago

tzachs commented 2 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.277.4
OS: Linux - 4.4.0-1128-aws
---
Parameterized-Remote-Trigger:3.1.3
ace-editor:1.1
all-changes:1.5
ansicolor:1.0.0
ant:1.11
antisamy-markup-formatter:2.1
apache-httpcomponents-client-4-api:4.5.13-1.0
audit-trail:3.8
authentication-tokens:1.4
authorize-project:1.4.0
azure-ad:158.v437429002c6b
azure-commons:1.1.3
azure-sdk:12.vc102aedd3c66
bitbucket:1.1.29
blueocean:1.24.1
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.24.7
blueocean-commons:1.24.7
blueocean-config:1.24.7
blueocean-core-js:1.24.7
blueocean-dashboard:1.24.7
blueocean-display-url:2.4.1
blueocean-events:1.24.7
blueocean-git-pipeline:1.24.7
blueocean-github-pipeline:1.24.7
blueocean-i18n:1.24.7
blueocean-jira:1.24.7
blueocean-jwt:1.24.7
blueocean-personalization:1.24.7
blueocean-pipeline-api-impl:1.24.7
blueocean-pipeline-editor:1.24.7
blueocean-pipeline-scm-api:1.24.7
blueocean-rest:1.24.7
blueocean-rest-impl:1.24.7
blueocean-web:1.24.7
bootstrap4-api:4.6.0-3
bouncycastle-api:2.20
branch-api:2.6.4
build-blocker-plugin:1.7.7
build-timeout:1.20
build-token-root:1.7
build-user-vars-plugin:1.7
build-with-parameters:1.5.1
caffeine-api:2.9.1-23.v51c4e2c879c8
changes-since-last-success:0.6
checks-api:1.7.0
cloudbees-bitbucket-branch-source:2.9.9
cloudbees-folder:6.15
command-launcher:1.6
conditional-buildstep:1.4.1
copyartifact:1.46.1
credentials:2.4.1
credentials-binding:1.24
custom-checkbox-parameter:1.1
dashboard-view:2.17
description-setter:1.10
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
durable-task:1.36
echarts-api:5.1.0-2
email-ext:2.83
envinject:2.4.0
envinject-api:1.7
extended-read-permission:3.2
external-monitor-job:1.7
favorite:2.3.3
font-awesome-api:5.15.3-2
git:4.7.1
git-client:3.7.1
git-parameter:0.9.13
git-server:1.9
github:1.33.1
github-api:1.123
github-branch-source:2.10.4
global-build-stats:1.5
google-login:1.6
gradle:1.36
groovy:2.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.25
jackson2-api:2.12.3
javadoc:1.6
jdk-tool:1.5
jenkins-design-language:1.24.7
jira:3.3
jjwt-api:0.11.2-9.c8b45b8bb173
jobConfigHistory:2.27
jquery:1.12.4-1
jquery-detached:1.2.1
jquery-ui:1.0.2
jquery3-api:3.6.0-1
jsch:0.1.55.2
junit:1.49
ldap:2.7
lockable-resources:2.10
mail-watcher-plugin:1.16
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.7
matrix-project:1.18
maven-plugin:3.10
mercurial:2.15
metrics:4.0.2.7
momentjs:1.1.1
nodelabelparameter:1.9.2
okhttp-api:3.14.9
pam-auth:1.6
parameterized-scheduler:1.0
parameterized-trigger:2.40
pipeline-build-step:2.13
pipeline-github-lib:1.0
pipeline-graph-analysis:1.10
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.8.4
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:1.8.4
pipeline-model-extensions:1.8.4
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.8.4
pipeline-stage-view:2.19
pipeline-utility-steps:2.8.0
plain-credentials:1.7
plugin-util-api:2.2.0
popper-api:1.16.1-2
project-build-times:1.2.1
project-description-setter:1.2
pubsub-light:1.14
rebuild:1.32
resource-disposer:0.15
role-strategy:3.1.1
run-condition:1.5
saml:2.0.5
scm-api:2.6.4
script-security:1.77
shelve-project-plugin:3.1
slack:2.23
snakeyaml-api:1.27.0
sse-gateway:1.24
ssh-credentials:1.18.1
ssh-slaves:1.31.5
started-by-envvar:1.0
structs:1.23
subversion:2.14.2
test-results-analyzer:0.3.5
timestamper:1.13
token-macro:2.15
trilead-api:1.0.13
uno-choice:2.5.6
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.42
workflow-basic-steps:2.23
workflow-cps:2.92
workflow-cps-global-lib:2.19
workflow-durable-task-step:2.39
workflow-job:2.40
workflow-multibranch:2.24
workflow-scm-step:2.12
workflow-step-api:2.23
workflow-support:3.8
ws-cleanup:0.39
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:    16.04
Codename:   xenial

Reproduction steps

Unfortunately, I don't know how to reproduce this. The job is a simple job that only gets triggered from Bitbucket and then pulls the code. It then triggers a different job. The job now fails on FATAL: com.microsoft.graph.http.GraphServiceException: Error code: BadRequest

See below for more info

Results

Expected result:

Job is finished OK pulling the repo and not User is found

Actual result: Build log has the following exception

FATAL: com.microsoft.graph.http.GraphServiceException: Error code: BadRequest
Error message: Bad Request - Error in query syntax.

GET https://graph.microsoft.com/v1.0/users/('My-Temp-User
SdkVersion : graph-java/v3.4.0

400 : Bad Request
[...]

[Some information was truncated for brevity, enable debug logging for more details]
com.microsoft.graph.http.GraphServiceException: Error code: BadRequest
Error message: Bad Request - Error in query syntax.

GET https://graph.microsoft.com/v1.0/users/('My-Temp-User
SdkVersion : graph-java/v3.4.0

400 : Bad Request
[...]

[Some information was truncated for brevity, enable debug logging for more details]
    at com.microsoft.graph.http.GraphServiceException.createFromResponse(GraphServiceException.java:419)
    at com.microsoft.graph.http.GraphServiceException.createFromResponse(GraphServiceException.java:378)
    at com.microsoft.graph.http.CoreHttpProvider.handleErrorResponse(CoreHttpProvider.java:503)
    at com.microsoft.graph.http.CoreHttpProvider.processResponse(CoreHttpProvider.java:432)
    at com.microsoft.graph.http.CoreHttpProvider.sendRequestInternal(CoreHttpProvider.java:398)
    at com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:220)
    at com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:197)
    at com.microsoft.graph.http.BaseRequest.send(BaseRequest.java:332)
    at com.microsoft.graph.requests.UserRequest.get(UserRequest.java:138)
    at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$null$5(AzureSecurityRealm.java:428)
    at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2405)
    at java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1853)
    at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2403)
    at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2386)
    at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
    at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
    at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$createSecurityComponents$6(AzureSecurityRealm.java:416)
    at hudson.security.SecurityRealm.loadUserByUsername2(SecurityRealm.java:410)
    at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:165)
    at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:154)
    at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
    at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
    at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
    at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
    at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
Caused: com.google.common.util.concurrent.UncheckedExecutionException
    at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2234)
    at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
    at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
    at jenkins.security.UserDetailsCache.loadUserByUsername(UserDetailsCache.java:122)
    at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1241)
    at hudson.model.User$CanonicalIdResolver.resolve(User.java:1182)
    at hudson.model.User.get(User.java:516)
    at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:457)
    at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:538)
    at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:137)
    at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
    at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:95)
    at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
    at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:132)
    at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
    at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:95)
    at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
    at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:132)
    at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
    at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:95)
    at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
    at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:132)
    at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
    at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:95)
    at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
    at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:132)
    at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)

Jenkins Log file is filled with

2021-10-24 06:36:13.308+0000 [id=6786521]       INFO    c.a.c.util.logging.ClientLogger#performLogging: Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS
2021-10-24 06:36:13.319+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398Graph service exception Error code: BadRequest
2021-10-24 06:36:13.321+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398SdkVersion : graph-java/v3.4.0
2021-10-24 06:36:13.322+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398
2021-10-24 06:36:13.322+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398
2021-10-24 06:36:13.323+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398400 : Bad Request
2021-10-24 06:36:13.324+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398[...]
2021-10-24 06:36:13.324+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398
2021-10-24 06:36:13.325+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 398[Some information was truncated for brevity, enable debug logging for more details]
2021-10-24 06:36:13.325+0000 [id=6786473]       SEVERE  c.m.graph.logger.DefaultLogger#logError: Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: BadRequest
Error message: Bad Request - Error in query syntax.

GET https://graph.microsoft.com/v1.0/users/('My-Temp-User
SdkVersion : graph-java/v3.4.0

400 : Bad Request

timja commented 2 years ago

@MarkEWaite can you take a look? Not sure if this plugin is doing something wrong here; maybe we shouldn't be throwing an exception, but shouldn't the git plugin be ignoring errors?

MarkEWaite commented 2 years ago

> @MarkEWaite can you take a look? Not sure if this plugin is doing something wrong here; maybe we shouldn't be throwing an exception, but shouldn't the git plugin be ignoring errors?

It seems like it would require an overly broad catch to catch that unchecked exception. Isn't it better to identify why the User.get() method threw the exception?

timja commented 2 years ago

I saw a similar issue recently on issues.jenkins.io, I believe, where the LDAP plugin was throwing a disabled-user exception in the same place, I think.

MarkEWaite commented 2 years ago

> I saw a similar issue recently on issues.jenkins.io, I believe, where the LDAP plugin was throwing a disabled-user exception in the same place, I think.

I'll investigate further this weekend.

KalleOlaviNiemitalo commented 2 years ago

https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#http-request gives /users('$AdeleVance@contoso.com') as an example and com.microsoft.graph.http.BaseRequestBuilder.getRequestUrlWithAdditionalParameter generates that syntax. However, GET https://graph.microsoft.com/v1.0/users/('My-Temp-User has an extra slash in front of the parenthesis and seems truncated somehow; was there a space character in the string?

I don't see what would even call getRequestUrlWithAdditionalParameter; com.microsoft.graph.requests.GraphServiceClient.users(String) doesn't look like it would do so. Perhaps the parenthesis and apostrophe came from the Git commits, or does the changelog use mailmap files as well?

Anyway, if msgraph-sdk-java embeds the user identifiers directly in the URL, I think azure-ad-plugin should check for metacharacters and either encode them or reject the query outright.
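The check suggested in the comment above (validate the identifier before it is embedded in the Graph request URL, and encode it so it can only ever be a single path segment) can be illustrated with the following added example. This is not code from azure-ad-plugin or from msgraph-sdk-java; the `/v1.0/users/` URL base and the `('My-Temp-User` value are taken from the stack trace in this issue, while the accepted identifier shapes (an Azure AD object id GUID or a user principal name) and the function names are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import quote

# Base of the Graph users resource, as seen in the failing request in this issue.
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users/"

# Assumed identifier shapes (an assumption for this example, not a rule taken
# from the plugin): either an Azure AD object id (GUID) or a user principal name.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_UPN_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def classify_identifier(identifier: str) -> Optional[str]:
    """Return 'guid', 'upn', or None when the value matches neither shape."""
    if _GUID_RE.match(identifier):
        return "guid"
    if _UPN_RE.match(identifier):
        return "upn"
    return None


def build_user_url(identifier: str) -> Optional[str]:
    """Build the /users/{id} URL, or return None for a value that should never
    reach Graph at all.

    The identifier is percent-encoded as one path segment (safe="" so that '@',
    '(' and the apostrophe are all escaped), so even an accepted value cannot
    change the request path or break the OData syntax."""
    if classify_identifier(identifier) is None:
        return None
    return GRAPH_USERS + quote(identifier, safe="")


def encoded_segment(identifier: str) -> str:
    """Encoding alone, for comparison: what the bad value from this issue would
    look like if it were only escaped rather than rejected."""
    return quote(identifier, safe="")


if __name__ == "__main__":
    # Constructed sample inputs: a commit-author string in the shape reported in
    # this issue, a UPN and an object id.
    for candidate in ["('My-Temp-User",
                      "adele.vance@contoso.com",
                      "12345678-1234-1234-1234-123456789abc"]:
        print(f"{candidate!r:42} -> {build_user_url(candidate)}")
```

The value that caused the 400 in this issue is rejected before any request is built, while a UPN or object id is accepted and encoded. The allow-list regexes are deliberately narrow and are an assumption; a real deployment would widen the UPN pattern to whatever the tenant actually issues, but the shape of the check (reject first, encode what remains) stays the same.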

timja commented 2 years ago

Generally the plugin does encode, possibly not in this place; I can check later on.

Here's a reference to the other place I saw the issue: https://stackoverflow.com/questions/68913022/jenkins-disabled-user-exception

I've seen it also on issues.jenkins.io or on community.jenkins.io, but can't find it right now.

tzachs commented 2 years ago

Looks like the issue is resolved after upgrading Jenkins to 2.303.2.

Jenkins: 2.303.2
OS: Linux - 4.4.0-1128-aws
---
Parameterized-Remote-Trigger:3.1.3
ace-editor:1.1
all-changes:1.5
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.4
apache-httpcomponents-client-4-api:4.5.13-1.0
audit-trail:3.10
authentication-tokens:1.4
authorize-project:1.4.0
azure-ad:185.v3b416408dcb1
azure-commons:1.1.3
azure-sdk:61.v6a8af1f5f5b6
bitbucket:1.1.29
blueocean:1.25.1
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.1
blueocean-commons:1.25.1
blueocean-config:1.25.1
blueocean-core-js:1.25.1
blueocean-dashboard:1.25.1
blueocean-display-url:2.4.1
blueocean-events:1.25.1
blueocean-git-pipeline:1.25.1
blueocean-github-pipeline:1.25.1
blueocean-i18n:1.25.1
blueocean-jira:1.25.1
blueocean-jwt:1.25.1
blueocean-personalization:1.25.1
blueocean-pipeline-api-impl:1.25.1
blueocean-pipeline-editor:1.25.1
blueocean-pipeline-scm-api:1.25.1
blueocean-rest:1.25.1
blueocean-rest-impl:1.25.1
blueocean-web:1.25.1
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
build-blocker-plugin:1.7.7
build-timeout:1.20
build-token-root:1.7
build-user-vars-plugin:1.8
build-with-parameters:1.6
caffeine-api:2.9.2-29.v717aac953ff3
changes-since-last-success:0.6
checks-api:1.7.2
cloudbees-bitbucket-branch-source:2.9.11
cloudbees-folder:6.16
command-launcher:1.6
conditional-buildstep:1.4.1
copyartifact:1.46.2
credentials:2.6.1
credentials-binding:1.27
custom-checkbox-parameter:1.4
dashboard-view:2.18
description-setter:1.10
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
durable-task:1.39
echarts-api:5.2.1-2
email-ext:2.84
envinject:2.4.0
envinject-api:1.7
extended-read-permission:3.2
external-monitor-job:1.7
favorite:2.3.3
font-awesome-api:5.15.4-1
git:4.10.0
git-client:3.10.0
git-parameter:0.9.13
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
global-build-stats:1.5
google-login:1.6
gradle:1.37.1
groovy:2.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.27
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jdk-tool:1.5
jenkins-design-language:1.25.1
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery-detached:1.2.1
jquery-ui:1.0.2
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
ldap:2.7
lockable-resources:2.12
mail-watcher-plugin:1.16
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.15
mercurial:2.15
metrics:4.0.2.8
momentjs:1.1.1
nodelabelparameter:1.9.2
okhttp-api:3.14.9-20211029
pam-auth:1.6
parameterized-scheduler:1.0
parameterized-trigger:2.41
pipeline-build-step:2.15
pipeline-github-lib:1.0
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
project-build-times:1.2.1
project-description-setter:1.2
pubsub-light:1.16
rebuild:1.32
resource-disposer:0.16
role-strategy:3.2.0
run-condition:1.5
saml:2.0.9
scm-api:2.6.5
script-security:1.78
shelve-project-plugin:3.2
slack:2.23
snakeyaml-api:1.29.1
sse-gateway:1.24
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
started-by-envvar:1.0
structs:1.23
subversion:2.15.0
test-results-analyzer:0.3.5
timestamper:1.13
token-macro:267.vcdaea6462991
trilead-api:1.0.13
uno-choice:2.5.6
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.39
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39