segmentation fault in provider when artifactory is inaccessible #80

Closed
5 tasks done
cassandracomar opened this issue May 15, 2024 · 7 comments
Labels
bug Something isn't working question Further information is requested

Comments

cassandracomar commented May 15, 2024

Describe the bug

we get the following when artifactory is down or inaccessible:

```
Warning: Error getting Artifactory version

  with provider["registry.terraform.io/jfrog/platform"],
  on providers.tf line 31, in provider "platform":
  31: provider "platform" {

The provider functionality might be affected by the absence of Artifactory
version in the context. failed to get Artifactory version. <html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx</center>
</body>
</html>

Stack trace from the terraform-provider-platform_v1.7.4 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x98 pc=0xa90a52]
```

this error condition should be handled more gracefully -- segfaults should not occur because of normal errors during the course of operation.

terraform provider configuration

```hcl
terraform {
  required_providers {
    platform = {
      source  = "jfrog/platform"
      version = "1.7.4"
    }
  }
}

provider "platform" {
  # artifactory is sitting behind an nginx vhost so the http request yields a 503
  url           = "https://foo.bar.com"
  check_license = false
}
```

versions

  • artifactory version: 7.77.11
  • terraform version: 1.6.6
  • terraform provider version: tested 1.6.0 and 1.7.4 -- same results

Requirements for an issue

  • A description of the bug
  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
  • Your version of artifactory (you can curl it at $host/artifactory/api/system/version)
  • Your version of terraform
  • Your version of terraform provider

we did not observe state corruption but someone should check that it's actually not possible.

Expected behavior
graceful error reporting and termination of the terraform plan command instead of a segfault. even if this issue is determined to not be harmful vis a vis terraform's state, memory safety violations should be fixed because they can result in security vulnerabilities.

Additional context
as I have not tested a simply bogus/non-existent artifactory URL at the various levels (DNS record missing, DNS pointing to a server that isn't up, etc.), and because our artifactory hosts are not available outside our network, I've used a fake hostname here.

@cassandracomar cassandracomar added the bug Something isn't working label May 15, 2024
@alexhung
Member

@cassandracomar Thanks for the report! I've added this to our sprint.

@alexhung
Member

@cassandracomar I haven't been able to reproduce the seg fault yet. Can you share the rest of the configuration, as I suspect the crash is from something else other than the provider configuration?

@alexhung alexhung added the question Further information is requested label May 20, 2024
dlorych commented Jun 19, 2024

Hi,

I'm also experiencing a segmentation fault error.

In my case the terraform project is used to set up the platform instance access by managing ip allowlist through myjfrog APIs.

Interestingly, when the access is closed - the ip allowlist does not include the ip address of the host where terraform is executed, the platform provider is not initialized correctly - the configuration stops after failed attempt of getting the version of Artifactory and execution ends there (link to code), after raising a warning - myjfrogclient is not set up at all in this case, causing the problem in my case.

Once I manually restored the access, the provider got initialized correctly and the segmentation fault is not there anymore.

For my particular use case, I don't see a need for any of:

  • JFrog access token,
  • Artifactory license check, or
  • getting Artifactory version

But all three need to be there/pass in order to get code executed.

I haven't checked the usage of the Artifactory version, my assumption is that it is being used for logging purposes only - I might be wrong here.

I would suggest to:

  • consider criticality of getting Artifactory version, can the provider work without it? the quick fix is to continue the initialization of the provider in case of the error on this step
  • consider splitting the provider into two separate ones: platform and myjfrog.

alexhung (Member) commented Jun 19, 2024

@dlorych

  • Access token - required to access all REST APIs
  • License check - we have a plan to remove this
  • Artifactory version - required for some resources to function correctly (e.g. permission resource is only available after v7.72.0).

Your original issue of provider not initialized correctly when version check fails is a bug and it is scheduled to be fixed soon.
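
The failure mode described in the comments above (provider configuration returning early after the version lookup fails, leaving a client unset that a resource later dereferences), sketched as an added Go example. It is not the provider's own code; the type and function names, the base URL and the `/allowlist` path are hypothetical.

```go
package main

import "fmt"

// Hypothetical stand-ins for illustration; not the jfrog/platform provider's types.
type MyJFrogClient struct{ BaseURL string }

type ProviderData struct {
	ArtifactoryVersion string // stays empty when the version lookup failed
	MyJFrog            *MyJFrogClient
}

// configureFragile returns as soon as the version lookup fails, so MyJFrog is never assigned.
func configureFragile(getVersion func() (string, error)) (*ProviderData, []string) {
	pd := &ProviderData{}
	v, err := getVersion()
	if err != nil {
		return pd, []string{"Error getting Artifactory version: " + err.Error()}
	}
	pd.ArtifactoryVersion = v
	pd.MyJFrog = &MyJFrogClient{BaseURL: "https://my.example.invalid"}
	return pd, nil
}

// configureHardened builds every client first and treats the version as optional.
func configureHardened(getVersion func() (string, error)) (*ProviderData, []string) {
	pd := &ProviderData{MyJFrog: &MyJFrogClient{BaseURL: "https://my.example.invalid"}}
	v, err := getVersion()
	if err != nil {
		return pd, []string{"Error getting Artifactory version: " + err.Error()}
	}
	pd.ArtifactoryVersion = v
	return pd, nil
}

// allowlistURL is a resource-side guard: a nil client becomes a reportable error, not a SIGSEGV.
func allowlistURL(pd *ProviderData) (string, error) {
	if pd == nil || pd.MyJFrog == nil {
		return "", fmt.Errorf("provider not configured: MyJFrog client is nil")
	}
	return pd.MyJFrog.BaseURL + "/allowlist", nil // constructed path
}

func main() {
	// Constructed failure: the version endpoint answers with a 503.
	down := func() (string, error) { return "", fmt.Errorf("503 Service Temporarily Unavailable") }
	pd, warns := configureFragile(down)
	fmt.Println(warns)
	fmt.Println(allowlistURL(pd))
}
```

Without the guard in `allowlistURL`, reading `pd.MyJFrog.BaseURL` on the data returned by `configureFragile` panics with the same nil pointer dereference shown in the report.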

dlorych commented Jun 19, 2024

@alexhung the original comment was placed wrongly, it should have been put here - I opened this issue earlier today, haven't seen the comment and added the duplicate above.

Regarding the access token, just to be 100% clear, yes both need access token, but there are two types of REST APIs supported by the platform:

  • Platform REST API, which requires access token in JFROG_ACCESS_TOKEN environment variable (or corresponding property)
  • MyJFrog REST API, which requires access token in JFROG_MYJFROG_API_TOKEN environment variable (or corresponding property)

My expectation was that when I manage MyJFrog resources only (or vice-versa) I don't need another token.
Anyway, removing the license check, and allowing getting version to fail during initialization, should do the trick.

@alexhung
Member

@dlorych See PR #97

@alexhung
Member

@dlorych Please also see the new MyJFrog provider per suggestion in #99.
