search

jenkinsci / gitlab-plugin

A Jenkins plugin for interfacing with GitLab
https://plugins.jenkins.io/gitlab-plugin/
GNU General Public License v2.0
1.44k stars 612 forks source link

Error 403 anonymous is missing the Tarea/Build permission on multibranch project when executing webhook push #1636

Open PauAL opened 4 months ago

PauAL commented 4 months ago

Jenkins and plugins versions report

Environment ```text Jenkins: 2.440.1 OS: Linux - 5.15.0-94-generic Java: 11.0.21 - Ubuntu (OpenJDK 64-Bit Server VM) --- ace-editor:1.1 active-directory:2.35 ant:497.v94e7d9fffa_b_9 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 apache-httpcomponents-client-5-api:5.2.1-1.0 authentication-tokens:1.53.v1c90fd9191a_b_ blueocean:1.27.11 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.11 blueocean-commons:1.27.11 blueocean-config:1.27.11 blueocean-core-js:1.27.11 blueocean-dashboard:1.27.11 blueocean-display-url:2.4.2 blueocean-events:1.27.11 blueocean-git-pipeline:1.27.11 blueocean-github-pipeline:1.27.11 blueocean-i18n:1.27.11 blueocean-jira:1.27.5 blueocean-jwt:1.27.11 blueocean-personalization:1.27.11 blueocean-pipeline-api-impl:1.27.11 blueocean-pipeline-editor:1.27.11 blueocean-pipeline-scm-api:1.27.11 blueocean-rest:1.27.11 blueocean-rest-impl:1.27.11 blueocean-web:1.27.11 bootstrap4-api:4.6.0-6 bootstrap5-api:5.3.2-4 bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 branch-api:2.1152.v6f101e97dd77 build-history-metrics-plugin:112.v476124de7dfc build-timeout:1.32 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.0.2 cloud-stats:336.v788e4055508b_ cloudbees-bitbucket-branch-source:874.v659a_b_70f5e69 cloudbees-folder:6.901.vb_4c7a_da_75da_3 command-launcher:107.v773860566e2e commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.11.0-95.v22a_d30ee5d36 config-file-provider:968.ve1ca_eb_913f8c configuration-as-code:1775.v810dc950b_514 credentials:1319.v7eb_51b_3a_c97b_ credentials-binding:657.v2b_19db_7d6e6d data-tables-api:1.13.8-4 display-url-api:2.200.vb_9327d658781 docker-build-publish:1.4.0 docker-commons:439.va_3cb_0a_6a_fb_29 docker-java-api:3.3.4-86.v39b_a_5ede342c docker-plugin:1.6 docker-workflow:572.v950f58993843 durable-task:550.v0930093c4b_a_6 echarts-api:5.4.3-4 email-ext:2.104 external-monitor-job:215.v2e88e894db_f8 favorite:2.208.v91d65b_7792a_c font-awesome-api:6.5.1-3 git:5.2.1 git-client:4.6.0 git-server:114.v068a_c7cc2574 github:1.38.0 github-api:1.318-461.v7a_c09c9fa_d63 github-branch-source:1772.va_69eda_d018d4 gitlab-plugin:1.8.0 gradle:2.8.2 greenballs:1.15.1 h2-api:11.1.4.199-12.v9f4244395f7a_ handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-30.v7e777411b_148 htmlpublisher:1.32 instance-identity:185.v303dc7c645f9 ionicons-api:56.v1b_1c8c49374e jackson2-api:2.16.1-373.ve709c6871598 jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javadoc:243.vb_b_503b_b_45537 javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.9-1 jdk-tool:73.vddf737284550 jenkins-design-language:1.27.11 jersey2-api:2.41-133.va_03323b_a_1396 jira:3.12 jjwt-api:0.11.5-77.v646c772fddb_0 joda-time-api:2.12.7-29.v5a_b_e3a_82269a_ jquery:1.12.4-1 jquery-detached:1.2.1 jquery3-api:3.7.1-2 jsch:0.2.8-65.v052c39de79b_2 json-api:20240205-27.va_007549e895c json-path-api:2.9.0-33.v2527142f2e1d junit:1240.vf9529b_881428 kubernetes:4186.v1d804571d5d4 kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2 kubernetes-credentials:0.11 ldap:682.v7b_544c9d1512 lockable-resources:1184.va_6f2fc274b_e4 mailer:463.vedf8358e006b_ mapdb-api:1.0.9-28.vf251ce40855d matrix-auth:3.2.1 matrix-project:822.824.v14451b_c0fd42 maven-plugin:3.23 mercurial:1260.vdfb_723cdcc81 metrics:4.2.21-449.v6960d7c54c69 mina-sshd-api-common:2.12.0-90.v9f7fb_9fa_3d3b_ mina-sshd-api-core:2.12.0-90.v9f7fb_9fa_3d3b_ momentjs:1.1.1 nodejs:1.6.1 okhttp-api:4.11.0-172.vda_da_1feeb_c6e openshift-client:1.1.0.424.v829cb_ccf8798 pam-auth:1.10 pipeline-build-step:540.vb_e8849e1a_b_d8 pipeline-github-lib:42.v0739460cda_c4 pipeline-graph-analysis:216.vfd8b_ece330ca_ pipeline-groovy-lib:704.vc58b_8890a_384 pipeline-input-step:491.vb_07d21da_1a_fb_ pipeline-maven:1376.v18876d10ce9c pipeline-maven-api:1376.v18876d10ce9c pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2175.v76a_fff0a_2618 pipeline-model-definition:2.2144.v077a_d1928a_40 pipeline-model-extensions:2.2175.v76a_fff0a_2618 pipeline-npm:204.v4dc4c2202625 pipeline-rest-api:2.34 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2175.v76a_fff0a_2618 pipeline-stage-view:2.34 pipeline-utility-steps:2.16.2 plain-credentials:143.v1b_df8b_d3b_e48 plugin-util-api:4.1.0 popper-api:1.16.1-3 prism-api:1.29.0-13 pubsub-light:1.17 resource-disposer:0.22 role-strategy:670.vc71a_a_c00039e scm-api:683.vb_16722fb_b_80b_ script-security:1326.vdb_c154de8669 snakeyaml-api:2.2-111.vc6598e30cc65 sonar:2.15 sse-gateway:1.26 ssh:2.6.1 ssh-agent:333.v878b_53c89511 ssh-credentials:308.ve4497b_ccd8f4 ssh-slaves:2.948.vb_8050d697fec sshd:3.312.v1c601b_c83b_0e structs:337.v1b_04ea_4df7c8 subversion:2.17.2 timestamper:1.26 token-macro:400.v35420b_922dcb_ trilead-api:2.84.v72119de229b_7 variant:60.v7290fc0eb_b_cd windows-slaves:1.8.1 workflow-aggregator:596.v8c21c963d92d workflow-api:1291.v51fd2a_625da_7 workflow-basic-steps:1042.ve7b_140c4a_e0c workflow-cps:3867.v535458ce43fd workflow-cps-global-lib:609.vd95673f149b_b workflow-durable-task-step:1331.vc8c2fed35334 workflow-job:1400.v7fd111b_ec82f workflow-multibranch:773.vc4fe1378f1d5 workflow-scm-step:415.v434365564324 workflow-step-api:657.v03b_e8115821b_ workflow-support:865.v43e78cc44e0d ws-cleanup:0.45 ```

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-94-generic x86_64)

Reproduction steps

  1. Enable "Enable authentication for '/project' end-point" of Gitlab plugin in Jenkins.
  2. Create a multibranch project in Jenkins.
  3. Create a Branch Source targeting a gitlab project.
  4. Configure a Webhook in Gitlab targeting "https://#jenkins#/project/#project# for push events (all branches).
  5. Test the webhook with a push event.

Expected Results

HTTP 200 response code is received.

Actual Results

Hook executed successfully but returned HTTP 403 
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
        <title>Error 403 anonymous is missing the Tarea/Build permission</title>
    </head>
    <body>
        <h2>HTTP ERROR 403 anonymous is missing the Tarea/Build permission</h2>
        <table>
            <tr>
                <th>URI:</th>
                <td>/project/#project#</td>
            </tr>
            <tr>
                <th>STATUS:</th>
                <td>403</td>
            </tr>
            <tr>
                <th>MESSAGE:</th>
                <td>anonymous is missing the Tarea/Build permission</td>
            </tr>
            <tr>
                <th>SERVLET:</th>
                <td>Stapler</td>
            </tr>
        </table>
        <hr/>
        <a href="https://eclipse.org/jetty">Powered by Jetty:// 10.0.18</a>
        <hr/>
    </body>
</html>

Anything else?

This same configuration was working with previous version Jenkins: 2.401.3 and gitlab-plugin:1.7.15.

Are you interested in contributing a fix?

No response