Bitbucket repo behind Azure Application Proxy no redirect handling
Version
2.3.2.0
Operating system
macOS
OS version or distribution
macOS Ventura, OSVersion: 13.5.1
Git hosting provider(s)
Bitbucket Server/DC
Other hosting provider
No response
(Azure DevOps only) What format is your remote URL?
None
Can you access the remote repository directly in the browser?
Yes, I can access the repository
Expected behavior
Accessing a self-hosted Bitbucket git server that is behind Azure App Proxy works in the following scenarios:
- browser (on site, VPN, off-site)
- git with GCM (on site, VPN)
- git with GCM (off site)
Actual behavior
Accessing a self-hosted Bitbucket git server that is behind Azure App Proxy does not work in the following scenarios:
- git with GCM (off site)
While outside of the company network, git with GCM cannot handle the Azure Application Proxy redirect. The web browser works fine for all scenarios (VPN, onsite, offsite).
fatal: unable to update url base from redirection:
asked for: https://git.company.com/scm/repo/android.git/info/refs?service=git-upload-pack
redirect: https://login.microsoftonline.com/1234-1234-1234-1234/oauth2/authorize?response_type=code&client_id=123412341234&scope=openid&nonce=1234abcd-1234abcd&redirect_uri=https%3a%2f%2fgit.company.com%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3anull%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2fgit.company.com%5c%2fscm%5c%2frepo%5c%2fandroid.git%5c%2finfo%5c%2frefs%3fservice%3dgit-upload-pack%22%2c%22RequestProfileId%22%3anull%2c%22SessionId%22%3a%221234123412341234%23EndOfStateParam%23&client-request-id=1234abcd1234abcd
Desired behaviour: In case of AAP we get prompted (either terminal or GUI) for username and pw/PAT and it gets stored for the AAP redirect scenario
Please advise how to configure GCM to work with self hosted bitbucket that is behind AzureAppProxy https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy
Logs
Here are the logs from onsite. As you can see, it works fine on the onsite network, but outside GCM does not handle the AzureAppProxy redirect/auth properly.
GCM_TRACE=1 GIT_TRACE=1 git fetch
09:46:25.733174 git.c:463 trace: built-in: git fetch
09:46:25.735897 run-command.c:659 trace: run_command: GIT_DIR=.git git remote-https origin https://git.company.com/scm/pgma/dsa_android.git
09:46:25.742357 git.c:749 trace: exec: git-remote-https origin https://git.company.com/scm/pgma/dsa_android.git
09:46:25.742897 run-command.c:659 trace: run_command: git-remote-https origin https://git.company.com/scm/pgma/dsa_android.git
09:46:25.803567 run-command.c:659 trace: run_command: '/usr/local/share/gcm-core/git-credential-manager get'
09:46:25.881822 git.c:463 trace: built-in: git config --null --list
09:46:25.917858 ...e/Application.cs:106 trace: [RunInternalAsync] Version: 2.3.2.0
09:46:25.918581 ...e/Application.cs:107 trace: [RunInternalAsync] Runtime: .NET 7.0.9
09:46:25.918591 ...e/Application.cs:108 trace: [RunInternalAsync] Platform: macOS (ARM64)
09:46:25.918594 ...e/Application.cs:109 trace: [RunInternalAsync] OSVersion: 13.5.1
09:46:25.918599 ...e/Application.cs:110 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager
09:46:25.918632 ...e/Application.cs:111 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core/
09:46:25.918646 ...e/Application.cs:112 trace: [RunInternalAsync] Arguments: get
09:46:25.929550 ...GitCommandBase.cs:32 trace: [ExecuteAsync] Start 'get' command...
09:46:25.933433 ...GitCommandBase.cs:46 trace: [ExecuteAsync] Detecting host provider for input:
09:46:25.934068 ...GitCommandBase.cs:47 trace: [ExecuteAsync] protocol=https
09:46:25.934084 ...GitCommandBase.cs:47 trace: [ExecuteAsync] host=git.company.com
09:46:25.934089 ...GitCommandBase.cs:47 trace: [ExecuteAsync] wwwauth=Basic realm="Atlassian Bitbucket"
09:46:25.936067 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='bitbucket'
09:46:25.936800 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Host provider 'Bitbucket' was selected.
09:46:25.938633 ...tHostProvider.cs:280 trace: [GetSupportedAuthenticationModesAsync] https://git.company.com/ is Bitbucket DC - checking for supported authentication schemes...
09:46:25.940566 ...bucketRestApi.cs:101 trace: [GetAuthenticationMethodsAsync] HTTP: GET https://git.company.com/rest/authconfig/1.0/login-options
09:46:25.942272 ...pClientFactory.cs:60 trace: [CreateClient] Creating new HTTP client instance...
09:46:25.945562 ...pClientFactory.cs:80 trace: [CreateClient] Git's SSL/TLS backend is: OpenSsl
09:46:25.969238 git.c:463 trace: built-in: git version
09:46:25.994588 git.c:463 trace: built-in: git config --null --type=path http.https://git.company.com.sslCAInfo
09:46:26.019780 git.c:463 trace: built-in: git config --null --type=path http.git.company.com.sslCAInfo
09:46:26.041681 git.c:463 trace: built-in: git config --null --type=path http.https://intra.company.com.sslCAInfo
09:46:26.065620 git.c:463 trace: built-in: git config --null --type=path http.intra.company.com.sslCAInfo
09:46:26.088064 git.c:463 trace: built-in: git config --null --type=path http.https://company.com.sslCAInfo
09:46:26.109406 git.c:463 trace: built-in: git config --null --type=path http.company.com.sslCAInfo
09:46:26.131892 git.c:463 trace: built-in: git config --null --type=path http.sslCAInfo
09:46:26.155725 git.c:463 trace: built-in: git config --null --type=path http.https://git.company.com.cookieFile
09:46:26.181265 git.c:463 trace: built-in: git config --null --type=path http.git.company.com.cookieFile
09:46:26.204237 git.c:463 trace: built-in: git config --null --type=path http.https://intra.company.com.cookieFile
09:46:26.226451 git.c:463 trace: built-in: git config --null --type=path http.intra.company.com.cookieFile
09:46:26.254623 git.c:463 trace: built-in: git config --null --type=path http.https://company.com.cookieFile
09:46:26.276332 git.c:463 trace: built-in: git config --null --type=path http.company.com.cookieFile
09:46:26.299723 git.c:463 trace: built-in: git config --null --type=path http.cookieFile
09:46:26.421213 ...bucketRestApi.cs:104 trace: [GetAuthenticationMethodsAsync] HTTP: Response 404 [NotFound]
09:46:26.422319 ...tbucketRestApi.cs:78 trace: [IsOAuthInstalledAsync] HTTP: GET https://git.company.com/rest/oauth2/1.0/client
09:46:26.432216 ...tbucketRestApi.cs:81 trace: [IsOAuthInstalledAsync] HTTP: Response 401 [Unauthorized]
09:46:26.432396 ...tHostProvider.cs:299 trace: [GetSupportedAuthenticationModesAsync] Bitbucket DC/Server instance supports authentication schemes: OAuth
09:46:26.433245 ...tHostProvider.cs:103 trace: [GetStoredCredentials] Look for existing credentials under https://git.company.com ...
09:46:26.453349 ...tHostProvider.cs:113 trace: [GetStoredCredentials] Found stored credentials: username1234/********
09:46:26.454131 ...tHostProvider.cs:402 trace: [ValidateCredentialsWork] Validate credentials (username1234/) are fresh for https://git.company.com/ ...
09:46:26.455274 ...tbucketRestApi.cs:53 trace: [GetUserInformationAsync] HTTP: GET https://git.company.com/rest/api/1.0/users
09:46:26.466937 ...tbucketRestApi.cs:56 trace: [GetUserInformationAsync] HTTP: Response 401 [Unauthorized]
09:46:26.467620 ...tHostProvider.cs:417 trace: [ValidateCredentialsWork] Failed to validate existing credentials using OAuth
09:46:26.467716 ...tHostProvider.cs:418 trace: [ValidateCredentialsWork] ! error: 'Failed to resolve username. HTTP: Unauthorized'.
09:46:26.467790 ...nds/GetCommand.cs:39 trace: [ExecuteInternalAsync] Writing credentials to output:
09:46:26.467827 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] protocol=https
09:46:26.467833 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] host=git.company.com
09:46:26.467837 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] username=username1234
09:46:26.467843 ...nds/GetCommand.cs:40 trace: [ExecuteInternalAsync] password=
09:46:26.468068 ...GitCommandBase.cs:53 trace: [ExecuteAsync] End 'get' command...
09:46:27.114658 run-command.c:659 trace: run_command: '/usr/local/share/gcm-core/git-credential-manager store'
09:46:27.224372 git.c:463 trace: built-in: git config --null --list
09:46:27.255698 ...e/Application.cs:106 trace: [RunInternalAsync] Version: 2.3.2.0
09:46:27.256333 ...e/Application.cs:107 trace: [RunInternalAsync] Runtime: .NET 7.0.9
09:46:27.256342 ...e/Application.cs:108 trace: [RunInternalAsync] Platform: macOS (ARM64)
09:46:27.256345 ...e/Application.cs:109 trace: [RunInternalAsync] OSVersion: 13.5.1
09:46:27.256353 ...e/Application.cs:110 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager
09:46:27.256377 ...e/Application.cs:111 trace: [RunInternalAsync] InstallDir: /usr/local/share/gcm-core/
09:46:27.256389 ...e/Application.cs:112 trace: [RunInternalAsync] Arguments: store
09:46:27.266553 ...GitCommandBase.cs:32 trace: [ExecuteAsync] Start 'store' command...
09:46:27.270813 ...GitCommandBase.cs:46 trace: [ExecuteAsync] Detecting host provider for input:
09:46:27.271491 ...GitCommandBase.cs:47 trace: [ExecuteAsync] protocol=https
09:46:27.271507 ...GitCommandBase.cs:47 trace: [ExecuteAsync] host=git.company.com
09:46:27.271511 ...GitCommandBase.cs:47 trace: [ExecuteAsync] username=username1234
09:46:27.271531 ...GitCommandBase.cs:47 trace: [ExecuteAsync] password=********
09:46:27.273529 ...oviderRegistry.cs:99 trace: [GetProviderAsync] Host provider override was set id='bitbucket'
09:46:27.274304 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Host provider 'Bitbucket' was selected.
09:46:27.274527 ...tHostProvider.cs:326 trace: [StoreCredentialAsync] Storing credential...
09:46:27.295895 ...tHostProvider.cs:328 trace: [StoreCredentialAsync] Credential was successfully stored.
09:46:27.295937 ...GitCommandBase.cs:53 trace: [ExecuteAsync] End 'store' command...
09:46:27.777536 run-command.c:659 trace: run_command: git rev-list --objects --stdin --not --exclude-hidden=fetch --all --quiet --alternate-refs
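A triage helper for the off-site failure reported above, as an added example that is not part of the original issue or of GCM: it parses the `fatal:` message, shows that the redirect leaves the Git host for the identity provider, and recovers the original request from the `state` parameter. The function name `triage_redirect_error` is hypothetical, the sample is a shortened copy of the report's anonymised error, and the tail comparison is a simplified model of the check git applies to redirects.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the anonymised error from the report, with the query
# string shortened to the parameters this check reads.
SAMPLE = (
    "fatal: unable to update url base from redirection: asked for: "
    "https://git.company.com/scm/repo/android.git/info/refs?service=git-upload-pack "
    "redirect: https://login.microsoftonline.com/1234-1234-1234-1234/oauth2/authorize"
    "?response_type=code&client_id=123412341234&redirect_uri=https%3a%2f%2fgit.company.com%2f"
    "&state=AppProxyState%3a%7b%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2fgit.company.com"
    "%5c%2fscm%5c%2frepo%5c%2fandroid.git%5c%2finfo%5c%2frefs%3fservice%3dgit-upload-pack%22"
    "%2c%22SessionId%22%3a%221234123412341234%23EndOfStateParam%23"
)


def triage_redirect_error(message, remote_url):
    """Explain a git 'unable to update url base from redirection' error."""
    m = re.search(r"asked for:\s*(\S+)\s+redirect:\s*(\S+)", message)
    if not m:
        raise ValueError("not a git redirection error")
    asked, got = m.groups()
    if not asked.startswith(remote_url):
        raise ValueError("asked-for URL is not under the remote URL")
    # Assumption (simplified model): git accepts a redirect only when the new
    # URL still ends with the part of the request that followed the remote URL.
    tail = asked[len(remote_url):]
    target = urlsplit(got)
    # parse_qs percent-decodes the state value; the anonymised JSON inside it
    # is not well-formed, so the field is extracted with a regex.
    state = parse_qs(target.query).get("state", [""])[0]
    orig = re.search(r'"OriginalRawUrl":"([^"]*)"', state)
    return {
        "redirect_host": target.hostname,
        "left_origin": target.hostname != urlsplit(asked).hostname,
        "tail_preserved": got.endswith(tail),
        "original_url": orig.group(1).replace("\\/", "/") if orig else None,
    }


if __name__ == "__main__":
    remote = "https://git.company.com/scm/repo/android.git"
    for key, value in triage_redirect_error(SAMPLE, remote).items():
        print(f"{key}: {value}")
```

A result with `left_origin` true and `tail_preserved` false means the request was answered by an interactive sign-in redirect rather than by the Git server, which is the case the report describes.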