After updating to 887 the repo isn't cloned

[rpaasche]

Jenkins and plugins versions report

Environment

```text Jenkins: 2.452.2 OS: Linux - 5.10.0-29-amd64 Java: 17.0.11 - Eclipse Adoptium (OpenJDK 64-Bit Server VM) --- additional-identities-plugin:59.vf1fc061d496e analysis-model-api:12.3.3 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 apache-httpcomponents-client-5-api:5.3.1-1.0 asm-api:9.7-33.v4d23ef79fcc8 atlassian-bitbucket-server-integration:4.0.0 atlassian-jira-software-cloud:2.0.14 authentication-tokens:1.113.v81215a_241826 basic-branch-build-strategies:81.v05e333931c7d bitbucket-kubernetes-credentials:336.vc0a_911cde608 bootstrap5-api:5.3.3-1 bouncycastle-api:2.30.1.78.1-233.vfdcdeb_0a_08a_a_ branch-api:2.1169.va_f810c56e895 buildtriggerbadge:251.vdf6ef853f3f5 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.2.0 cloudbees-bitbucket-branch-source:886.v44cf5e4ecec5 cloudbees-folder:6.928.v7c780211d66e command-launcher:107.v773860566e2e commons-compress-api:1.26.1-2 commons-lang3-api:3.14.0-76.vda_5591261cfe commons-text-api:1.12.0-119.v73ef73f2345d config-file-provider:973.vb_a_80ecb_9a_4d0 configuration-as-code:1810.v9b_c30a_249a_4c credentials:1344.v5a_3f65a_1e173 credentials-binding:677.vdc9d38cb_254d dark-theme:439.vdef09f81f85e data-tables-api:2.0.8-1 dependency-check-jenkins-plugin:5.5.0 display-url-api:2.204.vf6fddd8a_8b_e9 docker-commons:439.va_3cb_0a_6a_fb_29 docker-workflow:580.vc0c340686b_54 durable-task:555.v6802fe0f0b_82 echarts-api:5.5.0-1 eddsa-api:0.3.0-4.v84c6f0f4969e email-ext:1814.v404722f34263 font-awesome-api:6.5.2-1 forensics-api:2.4.0 git:5.2.2 git-client:5.0.0 git-forensics:2.1.0 google-login:109.v022b_cf87b_e5b_ gradle:2.12 gson-api:2.11.0-41.v019fcf6125dc handy-uri-templates-2-api:2.1.8-30.v7e777411b_148 http_request:1.18 instance-identity:185.v303dc7c645f9 ionicons-api:74.v93d5eb_813d5f jackson2-api:2.17.0-379.v02de8ec9f64c jacoco:3.3.6 jakarta-activation-api:2.1.3-1 jakarta-mail-api:2.1.3-1 javadoc:243.vb_b_503b_b_45537 javax-activation-api:1.2.0-7 javax-mail-api:1.6.2-10 jaxb:2.3.9-1 joda-time-api:2.12.7-29.v5a_b_e3a_82269a_ jquery3-api:3.7.1-2 jsch:0.2.16-86.v42e010d9484b_ json-api:20240303-41.v94e11e6de726 json-path-api:2.9.0-58.v62e3e85b_a_655 junit:1265.v65b_14fa_f12f0 junit-attachments:205.vc0677977deb_0 kubernetes:4248.vfa_9517757b_b_a_ kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2 kubernetes-credentials:174.va_36e093562d9 kubernetes-credentials-provider:1.262.v2670ef7ea_0c5 lockable-resources:1255.vf48745da_35d0 mailer:472.vf7c289a_4b_420 matrix-project:832.va_66e270d2946 maven-plugin:3.23 metrics:4.2.21-451.vd51df8df52ec mina-sshd-api-common:2.12.1-113.v4d3ea_5eb_7f72 mina-sshd-api-core:2.12.1-113.v4d3ea_5eb_7f72 okhttp-api:4.11.0-172.vda_da_1feeb_c6e pipeline-build-step:540.vb_e8849e1a_b_d8 pipeline-graph-analysis:216.vfd8b_ece330ca_ pipeline-graph-view:304.va_f2a_16b_e4964 pipeline-groovy-lib:727.ve832a_9244dfa_ pipeline-input-step:495.ve9c153f6067b_ pipeline-maven:1421.v610fa_b_e2d60e pipeline-maven-api:1421.v610fa_b_e2d60e pipeline-maven-database:1421.v610fa_b_e2d60e pipeline-milestone-step:119.vdfdc43fc3b_9a_ pipeline-model-api:2.2198.v41dd8ef6dd56 pipeline-model-definition:2.2198.v41dd8ef6dd56 pipeline-model-extensions:2.2198.v41dd8ef6dd56 pipeline-rest-api:2.34 pipeline-stage-step:312.v8cd10304c27a_ pipeline-stage-tags-metadata:2.2198.v41dd8ef6dd56 pipeline-stage-view:2.34 pipeline-utility-steps:2.17.0 plain-credentials:183.va_de8f1dd5a_2b_ plugin-util-api:4.1.0 postgresql-api:42.7.2-40.v76d376d65c77 prism-api:1.29.0-15 robot:3.5.2 scm-api:690.vfc8b_54395023 script-security:1341.va_2819b_414686 snakeyaml-api:2.2-111.vc6598e30cc65 sonar:2.17.2 ssh-credentials:337.v395d2403ccd4 sshd:3.330.vc866a_8389b_58 structs:338.v848422169819 theme-manager:262.vc57ee4a_eda_5d timestamper:1.27 token-macro:400.v35420b_922dcb_ trilead-api:2.147.vb_73cc728a_32e variant:60.v7290fc0eb_b_cd view-job-filters:382.vdf2d5e3f02f0 warnings-ng:11.3.0 workflow-aggregator:596.v8c21c963d92d workflow-api:1316.v33eb_726c50b_a_ workflow-basic-steps:1058.vcb_fc1e3a_21a_9 workflow-cps:3903.v48a_8836749e9 workflow-durable-task-step:1353.v1891a_b_01da_18 workflow-job:1400.v7fd111b_ec82f workflow-multibranch:783.787.v50539468395f workflow-scm-step:427.v4ca_6512e7df1 workflow-step-api:657.v03b_e8115821b_ workflow-support:907.v6713a_ed8a_573 ```

What Operating System are you using (both controller, and any agents involved in the problem)?

Kubernetes.

Reproduction steps

1. trigger a build
   • no cloning
   • wokspace is empty

Expected Results

Cloning the repo works

Actual Results

The whole cloning part is missing from the log: Cloning the remote Git repository Cloning with configured refspecs honoured and without tags

Anything else?

Downgrade to 886 is a workaround.

Are you interested in contributing a fix?

No response

[pedroyzkrak]

Same, since the update I can't clone anymore, I get a java.io.IOException: Communication error for request: (...)

[KalleOlaviNiemitalo]

@rpaasche and @pedroyzkrak, are both of you using Bitbucket Cloud? Cloning from in-premises Bitbucket without OAuth seems to be working OK with 887.

@rpaasche, do you too get the java.io.IOException: Communication error for request exception?

Comparing between 886.v44cf5e4ecec5 to 887.va_d359b_3d2d8d shows only the SECURITY-3363 commit ad359b3d2d8d6c114025d81abc59b3c9acb636df.

One suspicious thing in the commit is that, in BitbucketOAuthAuthenticator, userInfo used to be "x-token-auth:{" + token.getToken() + "}", and now it instead uses StringUtils.EMPTY, token.getToken(); the username changed from "x-token-auth" to an empty string, and the braces around the token were removed. I don't know whether 886.v44cf5e4ecec5 actually sent those braces to the HTTP server, or whether they were deleted in some Java code. Anyway, you could try changing BitbucketOAuthAuthenticator like so:

     @Override
     public StandardUsernameCredentials getCredentialsForScm() {
         return new UsernamePasswordCredentialsImpl(
-                CredentialsScope.GLOBAL, null, null, StringUtils.EMPTY, token.getToken());
+                CredentialsScope.GLOBAL, null, null, "x-token-auth", "{" + token.getToken() + "}");
     }

[KalleOlaviNiemitalo]

https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/#Cloning-a-repository-with-an-access-token says the literal string "x-token-auth" is required when cloning. This plugin no longer uses "x-token-auth" anywhere, so that's a bug at least.

The example there also shows braces around {access_token} but it's not clear to me whether those are required in the request itself, or only shown to indicate variable content.

[rpaasche]

@rpaasche and @pedroyzkrak, are both of you using Bitbucket Cloud? Cloning from in-premises Bitbucket without OAuth seems to be working OK with 887.

@rpaasche, do you too get the java.io.IOException: Communication error for request exception?

Comparing between 886.v44cf5e4ecec5 to 887.va_d359b_3d2d8d shows only the SECURITY-3363 commit ad359b3.

One suspicious thing in the commit is that, in BitbucketOAuthAuthenticator, userInfo used to be "x-token-auth:{" + token.getToken() + "}", and now it instead uses StringUtils.EMPTY, token.getToken(); the username changed from "x-token-auth" to an empty string, and the braces around the token were removed. I don't know whether 886.v44cf5e4ecec5 actually sent those braces to the HTTP server, or whether they were deleted in some Java code. Anyway, you could try changing BitbucketOAuthAuthenticator like so:

     @Override
     public StandardUsernameCredentials getCredentialsForScm() {
         return new UsernamePasswordCredentialsImpl(
-                CredentialsScope.GLOBAL, null, null, StringUtils.EMPTY, token.getToken());
+                CredentialsScope.GLOBAL, null, null, "x-token-auth", "{" + token.getToken() + "}");
     }

We are using Bitbucket DC with an local user and cloning over ssh.

For the exception I have to look on Monday.

[KalleOlaviNiemitalo]

@rpaasche, for the clone over SSH, are you using a password or an SSH key?

[KalleOlaviNiemitalo]

Trying to understand the scope of this issue…

• 887, in-premises Bitbucket, single server, clone over HTTP, password: ❔
• 887, in-premises Bitbucket, single server, clone over HTTP, personal access key: 🆗
• 887, in-premises Bitbucket, single server, clone over SSH, password: ❔
• 887, in-premises Bitbucket, single server, clone over SSH, SSH key: 🆗
• 887, in-premises Bitbucket, mirror, clone over HTTP, password: ❔
• 887, in-premises Bitbucket, mirror, clone over HTTP, personal access key: ❔
• 887, in-premises Bitbucket, mirror, clone over SSH, password: ❔
• 887, in-premises Bitbucket, mirror, clone over SSH, SSH key: ❔
• 887, Bitbucket Cloud, clone over HTTP, password: ❓ IIRC, Atlassian doesn't allow this any more.
• 887, Bitbucket Cloud, clone over HTTP, access token: ❓ probably fails because "x-token-auth" and braces were removed.
• 887, Bitbucket Cloud, clone over SSH, password: ❓ I'm not sure Atlassian ever supported this.
• 887, Bitbucket Cloud, clone over SSH, SSH key: ❔

[pedroyzkrak]

@KalleOlaviNiemitalo Ok I have super weird news about my current status, so that error just stopped showing up. I restarted Jenkins and I started having another issue which pointed to how I was doing git checkout, which I believe might not have anything do with Bitbucket branch source plugin. I'm sorry for wasting your time...

But for the record I am using Bitbucket DC, Bitbucket branch source plugin in a multibranch pipeline + configured with a HTTP access token.

[rpaasche]

@rpaasche, for the clone over SSH, are you using a password or an SSH key?

Ssh key.

[rpaasche]

@rpaasche, for the clone over SSH, are you using a password or an SSH key?

Ssh key.

But it tries to use http: 2024-07-01 10:59:00 | Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 01cabc94-545d-42f4-a251-dd3ad1af8f82 2024-07-01 10:59:00 | java.lang.IllegalStateException: Can't find clone link for protocol HTTP

[rpaasche]

Ok reindexing the organisation folder and project fixed it for me ...