Gitlab Branch Source Plugin won't create secret token. #987

Open
jdteasler opened this issue Jun 14, 2023 · 6 comments

@jdteasler

I am using Gitlab 14.0.12 and Jenkins 2.400. GitLab Branch Source Plugin version 660.vd45c0f4c0042 is installed. When using any of the logins, it gives me the same error. When I went through and tried seeing what cookies are returned when going through sign-in like the code does, I do not get anything that looks like the format expected. I am not sure if I am using the wrong version of something somewhere, but it's been driving me crazy that this isn't working. I cannot get my Multibranch plugins to kick off automatically because of this.

```
org.gitlab4j.api.GitLabApiException: authenticity_token not found, aborting!
    at org.gitlab4j.api.utils.AccessTokenUtils.login(AccessTokenUtils.java:616)
    at org.gitlab4j.api.utils.AccessTokenUtils.createPersonalAccessToken(AccessTokenUtils.java:159)
    at io.jenkins.plugins.gitlabserverconfig.servers.helpers.GitLabPersonalAccessTokenCreator.doCreateTokenByCredentials(GitLabPersonalAccessTokenCreator.java:141)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:719)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
    at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
    at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:78)
    at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
    at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
    at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:289)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:836)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
    at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:475)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
    at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at com.cloudbees.jenkins.support.slowrequest.SlowRequestFilter.doFilter(SlowRequestFilter.java:37)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:154)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
    at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:110)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:659)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1722)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:835)
```

@jmini
Collaborator

jmini commented Jun 15, 2023

You need to explain what needs to be changed in this project, maybe provide a reproducer that is independent of Jenkins.

Or you need to open an issue in the corresponding Jenkins plugin:
https://github.com/jenkinsci/gitlab-branch-source-plugin/

Because the stacktrace you provided doesn't give me enough explanation about what is going wrong.

@jdteasler
Author

Well, I went through the code and figured out what it was doing. I went and looked at the Set-Cookie and mine shows the following: "_gitlab_session=05b30b3b1f12a51be27a1bd9e10e412a; path=/; expires=Fri, 16 Jun 2023 04:34:52 GMT; secure; HttpOnly; SameSite=None" I am just unclear on what could be wrong. It's either in my setup. I am just lost and this is where the error led me to.

@krachynski

krachynski commented Sep 12, 2023

I've been digging into the plugin and GitLab itself in relation to jenkinsci/gitlab-branch-source-plugin#340 and wonder if there's a roundtrip that's failing here.

GitLab's documentation says that the header is supposed to be `X-GitLab-Event: System Hook`, but what GitLab 16.1 sends is `X-GitLab-Event: Repository Update Hook`.

@krachynski

Unless there is an actual roundtrip with the system hook, this is probably a red herring.

@anthonyparrott

I'm having a similar problem, and it looks to me like the issue is that the URL for the profile page changed at some point.

The gitlab branch source plugin is failing here for me: https://github.com/jenkinsci/gitlab-branch-source-plugin/blob/master/src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/helpers/GitLabPersonalAccessTokenCreator.java#L141 - and that is calling into AccessTokenUtils.createPersonalAccessToken() in gitlab4j-api

That method is building a URL like this: /profile/personal_access_tokens ( https://github.com/gitlab4j/gitlab4j-api/blob/main/src/main/java/org/gitlab4j/api/utils/AccessTokenUtils.java#L165 )

But, in gitlab the correct URL seems to now be /-/user_settings/personal_access_tokens

I see in the pom file that tests appear to be running against a quite outdated version of gitlab here (12.9.2) where we're running gitlab 17.x - so I suspect it changed somewhere between those versions.

@jmini
Collaborator

jmini commented Nov 7, 2024

Thank you for the detailed analysis.

To be honest I think that AccessTokenUtils is more a hack (trying to simulate what would be sent by the GitLab UI) than a real API method.

We could try to change the mentioned line:

```java
String urlString = baseUrl + "/profile/personal_access_tokens";
```

To use the new URL pattern.

But the documentation itself does not provide a REST endpoint for this operation:
https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token

The AccessTokenUtils.createPersonalAccessToken() will also probably not work on instances with a second factor authentication (like token or email) and requires somehow to get the username and password which is also a very bad idea.

So I think the "Gitlab Branch Source Plugin" should not use this method. I think the correct flow is to create the token before trying to configure the gitlab connection in Jenkins.
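
An added illustration, not part of the thread and not gitlab4j-api code: a small Python diagnostic showing why scraping the UI for `authenticity_token` breaks when the settings path moves. The two responses are constructed samples, and the 404 on the old path is an assumption; `diagnose` and `probe` are hypothetical helper names.

```python
from html.parser import HTMLParser


class _TokenFinder(HTMLParser):
    """Collects Rails CSRF tokens from hidden form inputs and the csrf-token meta tag."""

    def __init__(self):
        super().__init__()
        self.form_token = None
        self.meta_token = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "authenticity_token":
            self.form_token = self.form_token or a.get("value")
        elif tag == "meta" and a.get("name") == "csrf-token":
            self.meta_token = a.get("content")


def diagnose(status, path, body):
    """Return (token, reason) for one fetched page; token is None on failure."""
    if status == 404:
        return None, f"{path} does not exist on this GitLab version"
    finder = _TokenFinder()
    finder.feed(body)
    if finder.form_token:
        return finder.form_token, "form token found"
    if finder.meta_token:
        return None, "page rendered but has no form; only the meta csrf-token is present"
    return None, "no CSRF token in the response at all"


# Constructed sample responses (not captured from a real GitLab instance).
# Assumption: the old path answers 404 once the page has moved.
OLD_PATH = "/profile/personal_access_tokens"
NEW_PATH = "/-/user_settings/personal_access_tokens"
SAMPLES = {
    OLD_PATH: (404, "<html><body><h1>404</h1></body></html>"),
    NEW_PATH: (200, '<html><head><meta name="csrf-token" content="META-TOKEN"></head>'
                    '<body><form method="post">'
                    '<input type="hidden" name="authenticity_token" value="FORM-TOKEN">'
                    '</form></body></html>'),
}


def probe(paths):
    """Try each candidate path in order and report what a scraper would see."""
    return {p: diagnose(SAMPLES[p][0], p, SAMPLES[p][1]) for p in paths}


if __name__ == "__main__":
    for path, (token, reason) in probe([OLD_PATH, NEW_PATH]).items():
        print(f"{path}: token={token!r} ({reason})")
```

Any change to the page path or markup turns into the same "authenticity_token not found" failure, which is why a token created ahead of time and stored as a Jenkins credential is the sturdier setup.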
