Problem with password edition after sharing "Could not validate resource data"

System: CentOS 7
Web-server: nginx/1.20.1

Passbolt version: 3.2.1
Plugin version: 3.6.1
Database version: 5.5.68-MariaDB
PHP version: 7.3.30

Some time ago users started getting this error message when they try to “Edit” some shared resources, even if they have permission to.

Healthcheck


Healthcheck shell

Environment

[PASS] PHP version 7.3.30.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://pman.cyberhull.com
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 25 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/nginx/.gnupg.
[PASS] The directory /var/lib/nginx/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] This installation is not up to date. Currently using 3.2.1 and it should be v3.6.0.
[HELP] See. Passbolt Help | Update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

[FAIL] 1 error(s) found. Hang in there!

Hi @Alexander_Lobanov :wave:

Maybe you can try to execute a cleanup:

sudo su -s /bin/bash -c "/var/www/passbolt/passbolt/bin/cake passbolt cleanup" nginx

Can you share its output? And maybe clear the cache:

sudo su -s /bin/bash -c "/var/www/passbolt/passbolt/bin/cake cache clear_all" nginx

Can you also give us the output of this command:

sudo /var/www/passbolt/bin/status-report nginx

Cheers,

Placed output under spoiler, deleted IPs and prefix of # in shell

[spoiler]

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt cleanup" nginx


Cleanup shell (fix mode)

No issue found, data looks squeaky clean!

sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake cache clear_all" nginx

Clearing default
Cleared default cache
Clearing cake_core
Cleared cake_core cache
Clearing cake_model
Cleared cake_model cache

sudo /var/www/passbolt/bin/status-report nginx


Open source password manager for teams

Passbolt CE 3.2.1
Cakephp 4.2.4
Linux pman.cyberhull.com 3.10.0-1160.41.1.el7.x86_64 #1 SMP Tue Aug 31 14:52:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
PHP 7.3.30 (cli) (built: Aug 24 2021 10:03:17) ( NTS )
mysql Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
ERROR: /var/www/passbolt/bin/utils.sh: line 64: composer: command not found

Healthcheck shell

Environment

[PASS] PHP version 7.3.30.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 25 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/nginx/.gnupg.
[PASS] The directory /var/lib/nginx/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] This installation is not up to date. Currently using 3.2.1 and it should be v3.6.0.
[HELP] See.
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

[FAIL] 1 error(s) found. Hang in there!

Cleanup shell (dry-run)

No issue found, data looks squeaky clean!

Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 4421/4421
[PASS] Data integrity for Comments.
[PASS] Can validate: 2/2
[PASS] Data integrity for Favorites.
[PASS] Can validate: 8/8
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 88/88
[PASS] Can validate: 88/88
[PASS] Data integrity for Groups.
[PASS] Can validate: 21/21
[PASS] Data integrity for Profiles.
[PASS] Can validate: 126/126
[PASS] Data integrity for Resources.
[PASS] Can validate: 1185/1185
[PASS] Data integrity for Secrets.
[PASS] Can validate: 1310/1310
[PASS] Data integrity for Users.
[PASS] Can validate: 126/126
2022-06-03 12:44:35 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:44:36 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

2022-06-03 12:46:06 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

2022-06-03 12:47:36 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

2022-06-03 12:48:03 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:48:04 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/password-generator/settings.json” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /password-generator/settings.json?api-version=v2
Client IP:

2022-06-03 12:48:19 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:48:58 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:49:06 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

2022-06-03 12:49:42 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:49:43 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:49:51 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:50:10 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:50:36 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

2022-06-03 12:52:06 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

2022-06-03 12:53:36 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

2022-06-03 12:54:17 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:54:17 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP:

2022-06-03 12:55:02 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /var/www/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP:

2022-06-03 12:55:06 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/” could not be found. in /var/www/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP:

[/spoiler]

@Alexander_Lobanov Is it possible the db was modified manually for some reason? The error is because the resource modification during the edit action requires preparing it for all the users who have access to it… but the secret for a particular user is not available. The secret would be in the db already.

For the particular resources being edited that throws the error, can you tell if it is related to one particular user? It seems there is a user who was granted access to the resource and the app still sees they have access from a permissions standpoint, but their secret is missing.

Are any user accounts in general experiencing trouble with access? Any other issues that might be related to this?

Without getting into the db, I might create a new resource (password) and then share it with the same people as the one which is having a problem and see if that works. Then I would try to edit it. If I can, then I might use this one going forward and get rid of the one that’s not working as deleting a resource may not be problematic like when editing it. Trying things like this will help.

Depending on the number of resources and users you have this may not be a practical overall fix but would help to narrow down the issue and what to look for in the db if a manual fix is needed.
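The mismatch described in this reply (a user still has a permission on a resource, but no secret row exists for them) can be searched for directly. The following is an added example, not part of the original posts and not Passbolt's own code: it runs the query against constructed SQLite tables, and the columns `aco`, `aco_foreign_key` and `aro`, the table `groups_users`, and the values 'Resource', 'User' and 'Group' are assumptions about the schema beyond what the thread quotes.

```python
import sqlite3

# Constructed, minimal stand-in for the relevant tables. Everything except
# aro_foreign_key, users.id/deleted/active and secrets.resource_id/user_id
# is an assumed name, not taken from this thread.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, deleted INT, active INT);
CREATE TABLE groups_users (group_id TEXT, user_id TEXT);
CREATE TABLE permissions (aco TEXT, aco_foreign_key TEXT, aro TEXT, aro_foreign_key TEXT);
CREATE TABLE secrets (resource_id TEXT, user_id TEXT);
"""

# Every (resource, user) pair with access, directly or through a group, for a
# live user, that has no matching row in secrets. A derived table is used
# instead of WITH so the statement also parses on old MariaDB releases.
MISSING_SECRETS = """
SELECT a.resource_id, a.user_id
FROM (
    SELECT p.aco_foreign_key AS resource_id, p.aro_foreign_key AS user_id
    FROM permissions p
    WHERE p.aco = 'Resource' AND p.aro = 'User'
    UNION
    SELECT p.aco_foreign_key, gu.user_id
    FROM permissions p
    JOIN groups_users gu ON gu.group_id = p.aro_foreign_key
    WHERE p.aco = 'Resource' AND p.aro = 'Group'
) a
JOIN users u ON u.id = a.user_id AND u.deleted = 0 AND u.active = 1
LEFT JOIN secrets s ON s.resource_id = a.resource_id AND s.user_id = a.user_id
WHERE s.user_id IS NULL
ORDER BY a.resource_id, a.user_id
"""

def find_missing_secrets(conn):
    """Return (resource_id, user_id) pairs that have access but no secret."""
    return conn.execute(MISSING_SECRETS).fetchall()

def build_sample():
    """Constructed data: carol reaches res1 through group ops, secret missing."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
        [("alice", 0, 1), ("bob", 0, 1), ("carol", 0, 1), ("dave", 1, 1)])
    conn.executemany("INSERT INTO groups_users VALUES (?,?)",
        [("ops", "bob"), ("ops", "carol")])
    conn.executemany("INSERT INTO permissions VALUES (?,?,?,?)",
        [("Resource", "res1", "User", "alice"), ("Resource", "res1", "Group", "ops"),
         ("Resource", "res2", "User", "dave")])  # dave is deleted, so ignored
    conn.executemany("INSERT INTO secrets VALUES (?,?)",
        [("res1", "alice"), ("res1", "bob")])
    return conn
```

Any pair this returns names a resource whose edit would need a secret for a user who has none, which narrows the search to specific users or groups before touching the database.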

Well, different users got this problem. Sometimes it appears, sometimes not. So the issue isn't systematic. We didn't modify the db manually, and didn't even update the version of the service since installation.

@Alexander_Lobanov If I understand correctly you are saying you are not able to consistently reproduce the problem, but it happens more randomly. How many people might be sharing the resource? How are the resources (ram, cpu) for the server? Are you having any other issues like timeouts?

Hi @Alexander_Lobanov

As additional info, can you check if you have duplicated secrets in your database:

SELECT s.resource_id, s.user_id, min(s.modified) as min_modified
FROM secrets s
GROUP BY s.user_id, s.resource_id
HAVING count(*) > 1

Can you also check the permissions for deleted users?

select *
from permissions p
where p.aro_foreign_key IN (
    select u.id
    from users u
    where u.deleted = 1
       OR u.active = 0
);

Best regards,

Database changed
MariaDB > SELECT s.resource_id, s.user_id, min(s.modified) as min_modified
-> ;
ERROR 1109 (42S02): Unknown table 's' in field list
MariaDB > SELECT s.resource_id, s.user_id, min(s.modified) as min_modified
-> FROM secrets s
-> GROUP BY s.user_id, s.resource_id
-> HAVING count(*) > 1;
Empty set (0.02 sec)

MariaDB > select *
-> from permissions p
-> where p.aro_foreign_key IN (
-> select u.id
-> from users u
-> where u.deleted = 1
-> OR u.active = 0
-> );
Empty set (0.00 sec)

MariaDB >

No other serious issues at all. Resources are enough for working and no timeouts.
We have near 100 users and any of them have about 4-5 passwords or near it.
About sharing: I can't say exactly how many people participate in sharing. Sometimes they are people, sometimes groups; I didn't look at this properly.