Skip to content

Fix for NPE in GithubOAuthUserDetails.getAuthorities() #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 26, 2017
Merged

Fix for NPE in GithubOAuthUserDetails.getAuthorities() #76

merged 1 commit into from
Feb 26, 2017

Conversation

vivek
Copy link

@vivek vivek commented Feb 15, 2017

There is missing null check in GithubOAuthUserDetails.getAuthorities(). NPE can happen if authenticationToken.loadUser(getUsername()); returns null.

To reproduce NPE:

  • Install github-oauth plugin and GitHub authentication and authorization are enabled.
  • Login in to Jenkins (it should log you in using your GitHub user).
  • Assuming you have another user in Jenkins, try impersonating him. e.g. running this script causes NPE:
User user = Jenkins.getInstance().getUser("otherUser")
user.impersonate()

java.lang.NullPointerException
	at org.jenkinsci.plugins.GithubAuthenticationToken.getGrantedAuthorities(GithubAuthenticationToken.java:388)
	at org.jenkinsci.plugins.GithubOAuthUserDetails.getAuthorities(GithubOAuthUserDetails.java:45)
	at hudson.model.User.impersonate(User.java:317)

Reported in this BlueOcean ticket: https://issues.jenkins-ci.org/browse/JENKINS-42006.

@michaelneale
Copy link
Member

👍

@samrocketman
Copy link
Member

samrocketman commented Feb 15, 2017
edited
Loading

Thanks for the PR I'll open this for additional code review, test it to reproduce, and merge if it checks out. I'll let it be open for at least a day or two to get 24hr exposure.

If you think this applies to any Jenkins github-oauth JIRA issues, please link them as well.

@samrocketman
Copy link
Member

Since this is considered a regression; could unit tests be added as well? This seems to be a fix for something that was fixed in the past (regression).

@vivek
Copy link
Author

vivek commented Feb 23, 2017

@samrocketman This is simple null check that should always have been there as authenticationToken.loadUser(getUsername()) can return null. Only regression this null check can do is to avoid NPE:)

Not easy to write unit tests unless there are existing mocks for GitHub authentication and authorization. If there are existing test that test this part of code, I can look at them as inspiration so please point me to them.

@samrocketman
Copy link
Member

Doesn't look like there's tests for that specific class. However, you can find all tests for this project in https://github.com/jenkinsci/github-oauth-plugin/tree/master/src/test/java/org/jenkinsci/plugins

Regarding an example of where mocking is used; please refer to https://github.com/jenkinsci/github-oauth-plugin/blob/master/src/test/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACLTest.java

@vivek
Copy link
Author

vivek commented Feb 23, 2017

@samrocketman Thanks, although such simple NPE fix should not mandate a unit test. Will see what I can do.

@samrocketman
Copy link
Member

samrocketman commented Feb 23, 2017
edited
Loading

My request isn't really a mandate. Currently, this project is sorely lacking in unit tests. If you try and can't figure it out then I'll still merge. Though, to me regression indicates this is something that was fixed in the past and was broken again at some point. Without tests it is at risk of being broken again.

@vivek
Copy link
Author

vivek commented Feb 23, 2017

Point taken, I will see what I can do. thanks.

@samrocketman
Copy link
Member

I was able to reproduce this locally. Still not really sure how to test it myself. For now, I'll merge it after testing but I think it would be great if you could submit a follow-up PR which includes tests for this scenario.

@samrocketman
Copy link
Member

Tested, all looks good to me.

@samrocketman samrocketman merged commit 120f8ec into jenkinsci:master Feb 26, 2017
@vivek
Copy link
Author

vivek commented Apr 21, 2017

@samrocketman Can we get a release that includes this patch?

It's breaking use cases in blueocean during GitHub based pipeline creation and any other places (e.g. listing credentials in user scope) and anywhere else user.impersonate() is used with github-oauth plugin.

cc:@i386, @michaelneale

@samrocketman
Copy link
Member

@vivek I didn't realize it was unreleased. I can perform a release.

@vivek
Copy link
Author

vivek commented Apr 22, 2017

@samrocketman Awesome, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
candidate to merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vivek @michaelneale @samrocketman