Commit Status Publisher - 403 Forbidden
I'm seeing '403 Forbidden' on a commit status publisher error. I don't understand what could be causing that. I've added the GitLab SSL cert to our trusted SSL certs for TeamCity. Here's what I'm seeing in the commit status pub log:
[2022-09-30 10:54:47,007] DEBUG - ains.buildServer.COMMIT_STATUS - Commit Status Publisher HTTP request has failed. Publisher: gitlabStatusPublisher(https://git.owlpds.local/api/v4/projects/fpga%2Fdiode-concentrator%2Fdcmonitor/statuses/f05f53624339afd7ac5223e777d99eba8f4b6322).. Build: #57 {build id=30842, buildTypeId=Xde_XdMatrix_BuildDcMonitor}
jetbrains.buildServer.commitPublisher.HttpPublisherException: HTTP response error: {"message":"403 Forbidden"}, response code: 403, reason: Forbidden
at jetbrains.buildServer.commitPublisher.gitlab.GitlabPublisher.processResponse(GitlabPublisher.java:171)
at jetbrains.buildServer.commitPublisher.HttpHelper.call(HttpHelper.java:107)
at jetbrains.buildServer.commitPublisher.HttpHelper.http(HttpHelper.java:129)
at jetbrains.buildServer.commitPublisher.HttpHelper.post(HttpHelper.java:115)
at jetbrains.buildServer.commitPublisher.HttpBasedCommitStatusPublisher.lambda$postJson$0(HttpBasedCommitStatusPublisher.java:50)
at jetbrains.buildServer.serverSide.impl.BaseAccessChecker.runWithDisabledChecks(BaseAccessChecker.java:31)
at jetbrains.buildServer.serverSide.impl.SecondaryNodeSecurityManager.executeSafe(SecondaryNodeSecurityManager.java:27)
at jetbrains.buildServer.serverSide.IOGuardInitializer$IOGuardDelegateImpl.allowNetworkCall(IOGuardInitializer.java:4)
at jetbrains.buildServer.serverSide.IOGuard.allowNetworkCall(IOGuard.java:69)
at jetbrains.buildServer.commitPublisher.HttpBasedCommitStatusPublisher.postJson(HttpBasedCommitStatusPublisher.java:50)
at jetbrains.buildServer.commitPublisher.gitlab.GitlabPublisher.publish(GitlabPublisher.java:159)
at jetbrains.buildServer.commitPublisher.gitlab.GitlabPublisher.publish(GitlabPublisher.java:149)
at jetbrains.buildServer.commitPublisher.gitlab.GitlabPublisher.publish(GitlabPublisher.java:120)
at jetbrains.buildServer.commitPublisher.gitlab.GitlabPublisher.buildFinished(GitlabPublisher.java:90)
at jetbrains.buildServer.commitPublisher.CommitStatusPublisherListener$3.run(CommitStatusPublisherListener.java:113)
at jetbrains.buildServer.commitPublisher.CommitStatusPublisherListener$BuildPublisherTaskConsumer.doRunTask(CommitStatusPublisherListener.java:532)
at jetbrains.buildServer.commitPublisher.CommitStatusPublisherListener$BuildPublisherTaskConsumer.doRunTask(CommitStatusPublisherListener.java:462)
at jetbrains.buildServer.commitPublisher.CommitStatusPublisherListener$PublisherTaskConsumer.runTask(CommitStatusPublisherListener.java:684)
at jetbrains.buildServer.commitPublisher.CommitStatusPublisherListener$BuildPublisherTaskConsumer.runForEveryPublisher(CommitStatusPublisherListener.java:559)
at jetbrains.buildServer.commitPublisher.CommitStatusPublisherListener$BuildPublisherTaskConsumer.lambda$accept$0(CommitStatusPublisherListener.java:512)
at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1736)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Did you solve it?
I'm not the OP, and don't know if they solved it, but if you are encountering a similar problem, could you provide more details so I can help? What is the error you see, and what repository type are you using? Please also confirm the version of TeamCity you have.
Best regards,
Anton
Hi, we did solve this. We're using GitLab for our VCS root. We figured out that the credentials you enter into the ‘commit status publisher’ build feature dialog must be a GitLab user who has at least a ‘maintainer’ role in the repo; otherwise, it's forbidden that the user publishes the commit status. I guess this makes sense because the commit status is an API endpoint, and if I'm a bad actor, I could send an authenticated API request to simply publish a successful commit status, perhaps allowing a malicious merge request through.
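An added example, not part of the thread or of TeamCity's code: a small diagnostic that reads the `permissions` object GitLab returns for a project and reports which role the publisher's token holds. The function names and the sample JSON are constructed for illustration, and the Maintainer threshold is taken from the reply above.

```python
import json
import urllib.parse
import urllib.request

# GitLab role names for the integer access levels in the API's "permissions" object.
ROLES = {0: "No access", 5: "Minimal access", 10: "Guest", 20: "Reporter",
         30: "Developer", 40: "Maintainer", 50: "Owner"}

def project_url(base_url, project_path):
    """Project endpoint; the namespaced path is URL-encoded as in the logged URL."""
    return f"{base_url.rstrip('/')}/api/v4/projects/{urllib.parse.quote(project_path, safe='')}"

def fetch_project(base_url, project_path, token):
    """Fetch the project as the publisher's user (same token as the build feature)."""
    req = urllib.request.Request(project_url(base_url, project_path),
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def effective_access(project):
    """Highest level held directly on the project or inherited from its group."""
    perms = project.get("permissions") or {}
    return max((perms.get(k) or {}).get("access_level", 0)
               for k in ("project_access", "group_access"))

def check_publisher_role(project, required=40):
    """Return (ok, message). The default of 40 (Maintainer) follows the reply above."""
    level = effective_access(project)
    ok = level >= required
    msg = (f"token user is {ROLES.get(level, level)}, "
           f"status publishing needs {ROLES.get(required, required)}: "
           + ("OK" if ok else "expect 403 Forbidden"))
    return ok, msg

# Constructed sample responses (trimmed to the fields used here).
DEVELOPER_ONLY = json.loads('{"id": 1, "permissions": {"project_access": '
                            '{"access_level": 30}, "group_access": null}}')
GROUP_MAINTAINER = json.loads('{"id": 1, "permissions": {"project_access": null, '
                              '"group_access": {"access_level": 40}}}')

if __name__ == "__main__":
    for sample in (DEVELOPER_ONLY, GROUP_MAINTAINER):
        print(check_publisher_role(sample)[1])
```

Against a live server, pass the result of `fetch_project(...)` to `check_publisher_role` using the same token that is entered in the build feature.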