Cannot assign deploy key to repository with 4.0.0 #742

Closed
Alexey-I opened this issue Jan 13, 2020 · 6 comments

Comments

Alexey-I commented Jan 13, 2020

Hi!

I'm Running redmine on CentOS 8 with the following components:

Environment:
  Redmine version                4.1.0.stable
  Ruby version                   2.5.3-p105 (2018-10-18) [x86_64-linux]
  Rails version                  5.2.4.1
  Environment                    production
  Database adapter               Mysql2
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                smtp
SCM:
  Git                            2.18.1
  Filesystem                     
  Xitolite                       2.18.1
Redmine plugins:
  additionals                    2.0.23-master
  redmine_git_hosting            4.0.0

All of the 'Config test' tab is green, all Rugged features are compiled, libgit2 version is 0.28.4.
Gitolite is v3.6.9-0-g144d8a2.

Problem

Go to Repository settings => Add Deployment Credentials, click 'Add Deployment Credential', choose deploy key and access mode, click 'Save'.
Redmine shows a generic error page with the following text: "Error 422 Invalid authenticity token".

Error logged:

==> log/production.log <==
Started POST "/repositories/5/deployment_credentials" for ip at 2020-01-13 11:42:05 +0000
Processing by RepositoryDeploymentCredentialsController#create as HTML
  Parameters: {"utf8"=>"✓", "repository_deployment_credential"=>{"gitolite_public_key_id"=>"43", "perm"=>"RW+"}, "repository_id"=>"5"}
Can't verify CSRF token authenticity.
  Rendering common/error.html.erb within layouts/base
  Rendered common/error.html.erb within layouts/base (0.7ms)
  Rendered plugins/redmine_wysiwyg_editor/app/views/redmine_wysiwyg_editor/_redmine_wysiwyg_editor_partial.html.erb (0.4ms)
  Rendered plugins/redmineup_tags/app/views/tags/_additional_assets.html.erb (0.9ms)
  Rendered plugins/additionals/app/views/additionals/_html_head.html.slim (4.5ms)
  Rendered plugins/redmine_hide_sidebar/app/views/sidebar/_hideButton_partial.html.erb (0.6ms)
  Rendered plugins/additionals/app/views/additionals/_content.html.slim (0.3ms)
  Rendered plugins/redmine_drawio/app/views/redmine_drawio/_macro_dialog.html.erb (0.4ms)
  Rendered plugins/redmineup_tags/app/views/tags/_select2_transformation_rules.html.erb (0.5ms)
  Rendered plugins/additionals/app/views/additionals/_body_bottom.html.slim (0.3ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 45ms (Views: 30.2ms | ActiveRecord: 11.9ms)

I'm not a Ruby developer but kind of adventurous. I spent some time reading the Ruby docs and got the impression (it is probably incorrect) that the plugin does not utilize the RequestForgeryProtection methods. So I tried this:

diff --git a/app/controllers/repository_deployment_credentials_controller.rb b/app/controllers/repository_deployment_credentials_controller.rb
index 13b98ade..fe97fa8a 100644
--- a/app/controllers/repository_deployment_credentials_controller.rb
+++ b/app/controllers/repository_deployment_credentials_controller.rb
@@ -1,6 +1,8 @@
 class RepositoryDeploymentCredentialsController < RedmineGitHostingController
   include RedmineGitHosting::GitoliteAccessor::Methods
 
+  skip_before_action :verify_authenticity_token
+
   before_action :check_xitolite_permissions
   before_action :find_deployment_credential, only: %i[edit update destroy]
   before_action :find_key,                   only: %i[edit update destroy]
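Review bot: `skip_before_action :verify_authenticity_token` at the top of the class disables CSRF protection for every action of RepositoryDeploymentCredentialsController (create, update, destroy), so a cross-site page could assign or remove deploy keys on any repository the logged-in user administers. The log above shows the token is missing from the request, not invalid, so the fix belongs where the token is produced (the `remote: true` form and the header rails-ujs adds), not in the controller. If this stays as a local diagnostic, scope it with `skip_before_action :verify_authenticity_token, only: [:create]` and do not carry it into a release.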

It helps to proceed a bit.

The deploy key gets assigned to the repository. I see it both in the UI (after a page refresh) and in gitolite.conf, but the first thing I see after clicking "Save" is a white empty page and an error:

==> log/production.log <==
Completed 406 Not Acceptable in 2397ms (ActiveRecord: 283.1ms)

ActionController::UnknownFormat (ActionController::UnknownFormat):

plugins/redmine_git_hosting/app/controllers/redmine_git_hosting_controller.rb:55:in `render_js_redirect'
plugins/redmine_git_hosting/app/controllers/redmine_git_hosting_controller.rb:67:in `call_use_case_and_redirect'
plugins/redmine_git_hosting/app/controllers/repository_deployment_credentials_controller.rb:33:in `create'
plugins/redmine_per_project_formatting/lib/redmine_per_project_formatting/application_controller_patch.rb:24:in `block in change_text_formatting'
plugins/redmine_per_project_formatting/lib/redmine_per_project_formatting/setting_patch.rb:19:in `within_text_formatting'
plugins/redmine_per_project_formatting/lib/redmine_per_project_formatting/application_controller_patch.rb:23:in `change_text_formatting'
lib/redmine/sudo_mode.rb:65:in `sudo_mode'

Hope I didn't do something incorrectly and this report is actually of use.

Alexey-I commented Jan 14, 2020

A similar error happens when I try to set up protected branches. Redmine does not allow the request to get through, and with the following (probably stupid) patch:

diff --git a/app/controllers/repository_protected_branches_controller.rb b/app/controllers/repository_protected_branches_controller.rb
index 23e2365c..5b0573a4 100644
--- a/app/controllers/repository_protected_branches_controller.rb
+++ b/app/controllers/repository_protected_branches_controller.rb
@@ -1,6 +1,8 @@
 class RepositoryProtectedBranchesController < RedmineGitHostingController
   include RedmineGitHosting::GitoliteAccessor::Methods
 
+  skip_before_action :verify_authenticity_token
+
   before_action :check_xitolite_permissions
   before_action :find_repository_protected_branch, except: %i[index new create sort]
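Review bot: same CSRF bypass as the deployment-credentials patch, now applied to all actions of RepositoryProtectedBranchesController, and the log that follows shows the request still fails with ActionController::UnknownFormat in render_js_redirect, so the bypass drops the forgery check without even reaching a working create. Revert it and chase the 406 instead: it is the same `remote: true` form arriving as a plain HTML POST, which points at rails-ujs not handling the form on this page.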

the request fails:

Started POST "/repositories/9/protected_branches" for 188.186.226.70 at 2020-01-14 09:34:34 +0000
Processing by RepositoryProtectedBranchesController#create as HTML
  Parameters: {"utf8"=>"✓", "repository_protected_branche"=>{"path"=>"master", "permissions"=>"RW+"}, "user_ids"=>["", "2", "3"], "group_ids"=>[""], "repository_id"=>"4"}
  Current user: me (id=2)
Completed 406 Not Acceptable in 2436ms (ActiveRecord: 230.3ms)

ActionController::UnknownFormat (ActionController::UnknownFormat):

plugins/redmine_git_hosting/app/controllers/redmine_git_hosting_controller.rb:55:in `render_js_redirect'
plugins/redmine_git_hosting/app/controllers/redmine_git_hosting_controller.rb:67:in `call_use_case_and_redirect'
plugins/redmine_git_hosting/app/controllers/repository_protected_branches_controller.rb:27:in `create'
plugins/redmine_per_project_formatting/lib/redmine_per_project_formatting/application_controller_patch.rb:24:in `block in change_text_formatting'
plugins/redmine_per_project_formatting/lib/redmine_per_project_formatting/setting_patch.rb:19:in `within_text_formatting'
plugins/redmine_per_project_formatting/lib/redmine_per_project_formatting/application_controller_patch.rb:23:in `change_text_formatting'
lib/redmine/sudo_mode.rb:65:in `sudo_mode'

No changes happen to gitolite.conf this time.

I would be happy to keep debugging and provide all info I can.

steinarer commented Mar 18, 2020

I had the same issue as @Alexey-I - I found a "simple" fix for this without circumventing the CSRF mechanism.

Environment:
  Redmine version                4.1.0.stable
  Ruby version                   2.5.5-p157 (2019-03-15) [x86_64-linux]
  Rails version                  5.2.4.1
  Environment                    development
  Database adapter               PostgreSQL
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                smtp
SCM:
  Git                            2.11.0
  Filesystem                     
  Xitolite                       2.11.0
Redmine plugins:
  additionals                    2.0.23
  redmine_bootstrap_kit          0.2.5
  redmine_git_hosting            4.0.0

I made the following changes. First, adding the token to the form:

--- a/app/views/repository_deployment_credentials/new.html.slim
+++ b/app/views/repository_deployment_credentials/new.html.slim
@@ -1,9 +1,9 @@
 = labelled_form_for :repository_deployment_credential, @credential,
-                    url: repository_deployment_credentials_path(@repository),
+                    url: repository_deployment_credentials_path(@repository), authenticity_token: form_authenticity_token,
                     html: { method: :post, class: 'tabular', remote: true } do |f|

   .flash-messages= error_messages_for 'credential'
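Review bot: `authenticity_token: form_authenticity_token` restores the hidden `authenticity_token` field that Rails leaves out of `remote: true` forms when `embed_authenticity_token_in_remote_forms` is false, so it works, but it has to be repeated in every remote view (as the author does for the other templates). The same effect comes from `authenticity_token: true`, which tells form_for to embed the default token without calling the helper in the view, or from `config.action_view.embed_authenticity_token_in_remote_forms = true` once for the whole application. Either way this only papers over the missing X-CSRF-Token header; if rails-ujs is not handling the form, the `remote: true` form also submits as a normal HTML POST, which is what the controller hunk below deals with.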

Then a fix for whatever happens after the form submission causing the ActionController::UnknownFormat error:

--- a/app/controllers/redmine_git_hosting_controller.rb
+++ b/app/controllers/redmine_git_hosting_controller.rb
@@ -54,6 +54,9 @@ class RedmineGitHostingController < ApplicationController
   def render_js_redirect
     respond_to do |format|
       format.js { render js: "window.location = #{success_url.to_json};" }
+      format.html do
+       redirect_to success_url
+      end
     end
   end
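Review bot: the new `format.html` branch is reached only when the POST arrives without a JavaScript Accept header, that is, when the remote form was submitted as an ordinary HTML form because rails-ujs did not intercept it; it stops the 406 but hides the underlying breakage, so at least leave a comment explaining why a JS-only endpoint accepts HTML requests. Style: match the js branch and write it as `format.html { redirect_to success_url }`; as written, the `redirect_to` line is also indented one space short of the `format.js` line.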

I did the same for the other modal form templates (new and edit) in the respective locations within app/views/repository_***

Not knowing if this is caused by different versions of Ruby or Redmine, I have not submitted a PR. Hope this is useful still.

mnencia commented May 18, 2020

It would be useful if you could prepare a pull request, so other people impacted by the issue can take the patch.

n-rodriguez commented Jun 2, 2020

It seems to be a bug in jQuery/Rails UJS:

 = labelled_form_for :repository_deployment_credential, @credential,
                    url: repository_deployment_credentials_path(@repository),
                    html: { method: :post, class: 'tabular', remote: true } do |f|

remote is true, so it's handled by an Ajax request made by jQuery/Rails UJS.
jQuery/Rails UJS is responsible for adding the CSRF token to the Ajax request. (https://github.com/rails/jquery-ujs/blob/master/src/rails.js#L72)
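The mechanism the thread turns on, as an added example that is not the plugin's, Rails' or any commenter's code: a simplified plain-Ruby re-implementation of the Rails masked-token CSRF check, run against constructed submissions of the deploy-key form. It shows why a `remote: true` form that reaches the server with neither the hidden field nor the X-CSRF-Token header gets the 422 from the first log, and why either steinarer's embedded field or the header rails-ujs is supposed to add makes the same request pass. The `CsrfCheck` module, the `{ method:, params:, headers: }` request shape and the sample parameter values are assumptions for illustration.

```ruby
require 'securerandom'
require 'base64'

# Added example, not Rails' or the plugin's code: a simplified re-implementation of
# the Rails masked-token CSRF check, enough to show why a `remote: true` form whose
# Ajax request carries no token is rejected with 422.
module CsrfCheck
  TOKEN_LENGTH = 32
  PARAM_NAME   = 'authenticity_token' # hidden form field
  HEADER_NAME  = 'X-CSRF-Token'       # header rails-ujs copies from <meta name="csrf-token">

  # Per-session secret (what Rails keeps in session[:_csrf_token]).
  def self.new_session_token
    SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Masked token handed to the page: a fresh one-time pad followed by
  # pad XOR secret, Base64 encoded. Every call yields a different string.
  def self.mask(session_token)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, session_token))
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so the check does not leak the secret byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Unmask a submitted token and compare it with the session secret.
  def self.unmask_valid?(submitted, session_token)
    return false if submitted.nil? || submitted.empty?
    begin
      decoded = Base64.strict_decode64(submitted)
    rescue ArgumentError
      return false
    end
    return false unless decoded.bytesize == TOKEN_LENGTH * 2
    pad    = decoded.byteslice(0, TOKEN_LENGTH)
    masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
    secure_compare(xor(pad, masked), session_token)
  end

  # The request-side check, as verify_authenticity_token does it: GET/HEAD pass;
  # anything else needs a valid token either in the form field or in the header.
  # Returns :ok or :unprocessable_entity (the 422 seen in the issue).
  # `request` is an assumed hash shape: { method:, params:, headers: }.
  def self.verify(request, session_token)
    return :ok if %w[GET HEAD].include?(request[:method])
    candidates = [request[:params][PARAM_NAME], request[:headers][HEADER_NAME]]
    candidates.any? { |t| unmask_valid?(t, session_token) } ? :ok : :unprocessable_entity
  end

  # Constructed submissions of the deploy-key form (sample data, not taken from the logs).
  def self.demo
    secret = new_session_token
    masked = mask(secret)
    form   = { 'repository_deployment_credential' => { 'gitolite_public_key_id' => '43', 'perm' => 'RW+' } }
    post   = ->(params, headers) { { method: 'POST', params: params, headers: headers } }

    {
      # remote form: Rails omitted the hidden field and rails-ujs never added the header
      no_token:      verify(post.call(form, {}), secret),
      # rails-ujs copied the meta tag into X-CSRF-Token, as it should on Ajax requests
      ujs_header:    verify(post.call(form, { HEADER_NAME => masked }), secret),
      # hidden field embedded in the form (authenticity_token: ... in the view)
      hidden_field:  verify(post.call(form.merge(PARAM_NAME => masked), {}), secret),
      # a token minted for another session is not accepted here
      other_session: verify(post.call(form, { HEADER_NAME => mask(new_session_token) }), secret)
    }
  end
end
```

`CsrfCheck.demo` returns `:unprocessable_entity` for the token-less submission and `:ok` for the two that carry a token, which is the whole difference between the failing request in the log and a working one; nothing in the controller needs to change for that, only the token has to travel with the request.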

madc commented Jun 24, 2020

We just updated and are suffering from the same issue. Any chance #759 gets merged anytime soon?

PowerKiKi pushed a commit to mathprod/redmine_git_hosting that referenced this issue Jun 28, 2020
@PowerKiKi (Collaborator) commented:

Solved in #759
