Sztabina Caches PAT and Does Not Refresh Credentials on Subsequent Operations (SZ-110)
rk@tigase.net opened 5 days ago

Summary

Sztabina caches repository authentication credentials (PAT) during initial clone/prepare operations and does not refresh the token on subsequent operations (e.g., merge, push).

If the PAT is updated in Sztab (backend/DB), Sztabina continues using the stale cached credentials, leading to authentication failures during push.

This causes merge operations to fail even after credentials are corrected in the database.


Environment

Version: 1.9.2
Component: Sztabina (LocalGitEngine / prepareRepo logic)
Scenario: External Git repository (GitHub/OneDev) using PAT


Steps to Reproduce

  1. Configure Project with valid PAT.
  2. Perform merge → works.
  3. Update PAT in database (or token expires and is replaced).
  4. Attempt another merge.
  5. Observe push failure due to authentication error.
  6. Check logs — Sztabina still uses old credentials.

Actual Behavior

  • Sztabina reuses cached clone in /tmp/sztabina/{repo-id}.
  • Remote URL / credentials are not refreshed.
  • Push attempts use stale PAT.
  • Operation fails with authentication error.

Expected Behavior

  • Each prepareRepo invocation must ensure:
    • Remote URL is updated with current credentials.
    • Cached repository does not retain stale authentication.
  • Credential updates in Sztab should take effect immediately without requiring:
    • Container restart
    • Manual cache deletion

Root Cause

Sztabina caches repository clone and does not reconfigure remote authentication on subsequent operations.

Credential state is effectively sticky inside cached clone.


Proposed Fix

In prepareRepo (or equivalent initialization logic):

  1. Always update remote URL using current GitUsername and GitToken.
  2. Avoid relying on previously configured remote state.
  3. Ensure remote configuration reflects latest credentials before fetch/push.

Example conceptual change:

  • On every operation:
    • git remote set-url origin <authenticated-url>

Impact

  • Expired or rotated PATs cause persistent merge failures.
  • Requires container restart or manual cache cleanup to recover.
  • Operationally fragile for short-lived tokens.

Blocks external Git workflows until manual intervention.


Estimated Fix Time

~30 minutes

  • Modify prepareRepo to reapply credentials
  • Manual verification (clone → merge → rotate PAT → merge again)
  • Basic regression validation
  • rk@tigase.net commented 5 days ago

    Found as a part of regression test of 1.9.3 release. Fixing it directly on mainline (wolsonsc).

    Fix in Sztabina Go service:

    func (s *Service) prepareRepo(
        ctx context.Context,
        gitURL string,
        username string,
        token string,
    ) (string, error) {
    
        authURL, err := util.CreateAuthenticatedURL(gitURL, username, token)
        if err != nil {
            return "", err
        }
    
        // ... existing code ...
    
        // Check if repo already exists
        if _, err := os.Stat(repoDir); err == nil {
            // CRITICAL FIX: Update remote URL with new credentials
            engine, err := exec.NewLocalGitEngine(repoDir, &exec.OSRunner{})
            if err == nil {
                // Update the remote URL with current credentials
                engine.Git("remote", "set-url", "origin", authURL)
            }
            return s.refreshExistingRepo(repoDir)
        }
    
        // ... rest of existing code ...
    }
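
A sketch of the refresh step from the fix above that also propagates the `set-url` error and keeps the token out of log and error text. It is an added example, not Sztabina's code. `runner`, `authenticatedURL`, `redact`, `refreshOrigin`, the https-only check and the sample URL are assumptions; `authenticatedURL` stands in for `util.CreateAuthenticatedURL`, whose implementation the page does not show.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// runner runs git with args; a hypothetical seam (production would wrap os/exec).
type runner func(args ...string) error

// authenticatedURL embeds the current credentials, replacing any stale userinfo.
func authenticatedURL(gitURL, username, token string) (string, error) {
	u, err := url.Parse(gitURL)
	if err != nil {
		return "", fmt.Errorf("parse git URL: %w", err)
	}
	if u.Scheme != "https" || u.Host == "" || token == "" {
		return "", errors.New("need an https URL with a host and a non-empty token")
	}
	u.User = url.UserPassword(username, token)
	return u.String(), nil
}

// redact masks the password part of rawURL for log and error messages.
func redact(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable url>"
	}
	return u.Redacted()
}

// refreshOrigin re-points origin in the cached clone; a git failure aborts the operation.
func refreshOrigin(git runner, repoDir, gitURL, username, token string) error {
	authURL, err := authenticatedURL(gitURL, username, token)
	if err != nil {
		return err
	}
	if err := git("-C", repoDir, "remote", "set-url", "origin", authURL); err != nil {
		return fmt.Errorf("set-url origin %s: %w", redact(authURL), err)
	}
	return nil
}

func main() {
	show := func(args ...string) error { fmt.Println("git", args[:5], redact(args[5])); return nil }
	_ = refreshOrigin(show, "/tmp/sztabina/demo", "https://git.example.com/o/r.git", "bot", "constructed-token")
}
```

Calling `refreshOrigin` on every `prepareRepo` invocation, before fetch or push, makes a rotated PAT take effect on the next operation, and a failed `set-url` surfaces as an error instead of a later push rejection.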
    
  • rk@tigase.net changed state to 'In Progress' 5 days ago
    Previous Value: Open
    Current Value: In Progress
  • rk@tigase.net commented 4 days ago

    Fixed in 1.9.3

  • rk@tigase.net changed state to 'Closed' 4 days ago
    Previous Value: In Progress
    Current Value: Closed
  • rk@tigase.net referenced from other issue 4 days ago
Type: Bug
Priority: Major
Assignee:
Version: 1.9.2
Sprints: n/a
Customer: n/a
Issue Votes: 0
Watchers: 3
Reference: SZ-110