support for reverse proxy HTTP-Header based authentication #98
base: master
Might be a good idea to check if
src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
src/main/java/hudson/plugins/active_directory/HttpHeaderFilter.java
This PR is looking decent. I think you might be better off adding the new constructor parameter in the
src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
...es/hudson/plugins/active_directory/ActiveDirectorySecurityRealm/help-userFromHTTPHeader.html
.../resources/hudson/plugins/active_directory/ActiveDirectorySecurityRealm/configAdvanced.jelly
Don't merge yet. We've found a bug in the token-based authentication.
False alert. I just stumbled across this one: https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626 (new crumbIssuer behaviour)
This generally looks good. I did not test this myself as I do not use AD.
src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
Personally I think this is the incorrect place for this. The upstream reverse proxy that is authenticating should be made to do the recursive lookup, or make the reverse proxy auth plugin support it even though it may not be as simple.
AD can already do this with a matching OID (matching rule in chain) and thus it could just be a question of the correct configuration.
On the code itself, I left a couple of comments.
src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
src/main/java/hudson/plugins/active_directory/HttpHeaderFilter.java
    }

    private String getUserHeader() {
        return activeDirectorySecurityRealm.userFromHttpHeader;
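Review bot: getUserHeader() hands back the configured userFromHttpHeader value untouched, so an empty or whitespace-only setting reaches HttpServletRequest.getHeader(""), whose behaviour the Servlet javadoc does not define and which the thread below shows only works by accident of the Jetty implementation. Normalise the value where it is set (Jenkins' Util.fixEmptyAndTrim turns blank strings into null) and treat null as "header authentication disabled" before any getHeader call, instead of relying on the null-return path that the API only guarantees for an absent header.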
If this is the empty string, how does HttpServletRequest request perform?
If the request did not include a header of the specified name, this method returns null.
This case is covered in line 95
I am not talking about the header not being present - I am talking about userFromHttpHeader = "", thus what does HttpServletRequest.getHeader("") return?
It is certainly undefined at the javadoc level and would (from memory) be in violation of the HTTP spec - so could an implementation potentially throw an arbitrary RuntimeException here?
The running implementation of HttpServletRequest.getHeader is interchangeable. I've checked it in jetty-9.4.30.v20200611:
- https://github.com/eclipse/jetty.project/blob/jetty-9.4.30.v20200611/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java#L852
- https://github.com/eclipse/jetty.project/blob/jetty-9.4.30.v20200611/jetty-http/src/main/java/org/eclipse/jetty/http/HttpFields.java#L270-L279
I don't see the potential for a RuntimeException. Either there is an HTTP header that matches "", then it is returned, or there is no match. That should yield null. Both cases are handled.
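The exchange above turns on two edge cases of header-based login: a configured header name that is empty, and a header value that the caller has no business trusting. The following is an added example, not code from the PR or the active-directory plugin, that models the lookup in Python so the behaviour can be exercised without a servlet container. The header name X-Forwarded-User, the proxy network and the request data are assumptions constructed for illustration; the blank-to-None normalisation mirrors what Jenkins' hudson.Util.fixEmptyAndTrim does for configuration values.

```python
"""Added example; not code from the PR or the active-directory plugin.

Models the lookup discussed in the thread: the configured header name is
normalised first, so an empty or blank setting means "header authentication
disabled" and getHeader("") is never reached, and the header is only honoured
when the request came through the reverse proxy, because any client that can
reach Jenkins directly can set whatever headers it likes. The header name
X-Forwarded-User and the proxy network below are assumptions.
"""
import ipaddress
from typing import Mapping, Optional

# Assumed: the only addresses the reverse proxy connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def normalize_header_name(configured: Optional[str]) -> Optional[str]:
    """Blank or None becomes None, like Jenkins' hudson.Util.fixEmptyAndTrim."""
    if configured is None:
        return None
    name = configured.strip()
    return name or None


def is_trusted_proxy(remote_addr: str) -> bool:
    """True only when the TCP peer is one of the configured proxy addresses."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def user_from_header(configured_name: Optional[str],
                     headers: Mapping[str, str],
                     remote_addr: str) -> Optional[str]:
    """Return the proxy-asserted user name, or None when header auth must not apply."""
    name = normalize_header_name(configured_name)
    if name is None:
        return None  # feature disabled: never look up an empty header name
    if not is_trusted_proxy(remote_addr):
        return None  # the header could have been forged by the client itself
    # Header field names are case-insensitive (RFC 7230 section 3.2).
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(name.lower())
    if value is None:
        return None  # header absent: the case the servlet API defines as null
    value = value.strip()
    return value or None  # an empty header value is not a user either


if __name__ == "__main__":
    # Constructed request: arrives from the proxy with the user header set.
    print(user_from_header("X-Forwarded-User",
                           {"x-forwarded-user": "bob", "Host": "jenkins"},
                           "10.0.0.5"))
```

The proxy-address check is the part that matters most in production: a header-trusting filter is only as safe as the guarantee that nothing but the proxy can reach the listener, so either bind Jenkins to a loopback or private interface or enforce the peer address as above.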
Thanks for your comment @jtnord. If it's a matter of configuration, would you please nudge me in the right direction? Did I mention? We've been running this patch live in production for almost a year on ~120 Jenkins instances.
The ticket could have been open that long because no one was interested enough to implement it there.
Stable code :)
To retrieve all groups a user is a member of: I don't have my test setup anymore, but using that special OID you can get the AD server to do the legwork. (if bob is a member of (in other words - don't add recursive code to the RP plugin (was probably a big mistake of mine to do that at all here), but ask it to get all the results from AD.
I am not a maintainer here, sorry.
@oleg-nenashev he was speaking about https://github.com/jenkinsci/reverse-proxy-auth-plugin which you are a maintainer of |
Code looks ok - but I still think this should be done in the reverse-proxy plugin.
Did you get anywhere with the filters?
https://github.com/jenkinsci/reverse-proxy-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java#L214-L218
I think something like (member:1.2.840.113556.1.4.1941:={0}) may work - (I'm not sure how the RP plugin works and what filters you would want to use in the various places).
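The filter jtnord proposes uses the Active Directory LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which makes the directory server walk nested membership itself so the plugin never has to recurse over memberOf. The following is an added example, not code from the PR or either plugin, that builds that filter with the user DN escaped per RFC 4515 before it replaces the {0} placeholder, and models in plain Python what the server computes. The objectClass=group restriction, the sample DNs and the group nesting (including the cycle) are constructed for illustration.

```python
"""Added example; not code from the PR, the active-directory plugin or the
reverse-proxy-auth plugin.

Builds the search filter suggested in the review so that Active Directory
resolves nested group membership via the LDAP_MATCHING_RULE_IN_CHAIN matching
rule (OID 1.2.840.113556.1.4.1941) instead of the plugin walking memberOf
recursively. The value substituted for {0} is escaped per RFC 4515, so a DN
containing filter metacharacters cannot change the query. The directory data
below is constructed to show what the server-side chain walk returns.
"""
from typing import Dict, Iterable, Set

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must appear as \XX in an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Substitute {0} in a filter template, escaping the value first."""
    return template.replace("{0}", escape_filter_value(value))


# Every group that has the user as a direct or transitive member.
# objectClass=group is an assumption added here to keep the result set tidy.
GROUPS_OF_USER = "(&(objectClass=group)(member:%s:={0}))" % MATCHING_RULE_IN_CHAIN


def groups_of_user_filter(user_dn: str) -> str:
    """Filter to send to AD for the groups of user_dn, nesting resolved server-side."""
    return render_filter(GROUPS_OF_USER, user_dn)


# Constructed directory: entry DN -> DNs listed in its memberOf attribute.
# staff is a member of engineering again, to show the cycle guard below.
SAMPLE_MEMBER_OF: Dict[str, Iterable[str]] = {
    "CN=bob,OU=Users,DC=example,DC=com": ["CN=devs,OU=Groups,DC=example,DC=com"],
    "CN=devs,OU=Groups,DC=example,DC=com": ["CN=engineering,OU=Groups,DC=example,DC=com"],
    "CN=engineering,OU=Groups,DC=example,DC=com": ["CN=staff,OU=Groups,DC=example,DC=com"],
    "CN=staff,OU=Groups,DC=example,DC=com": ["CN=engineering,OU=Groups,DC=example,DC=com"],
}


def transitive_groups(member_of: Dict[str, Iterable[str]], user_dn: str) -> Set[str]:
    """Model of what the matching rule makes the server compute: the memberOf
    closure of user_dn, with a seen-set so group cycles cannot loop forever."""
    result: Set[str] = set()
    todo = list(member_of.get(user_dn, []))
    while todo:
        group = todo.pop()
        if group in result:
            continue
        result.add(group)
        todo.extend(member_of.get(group, []))
    return result


if __name__ == "__main__":
    bob = "CN=bob,OU=Users,DC=example,DC=com"
    print(groups_of_user_filter(bob))
    print(sorted(transitive_groups(SAMPLE_MEMBER_OF, bob)))
```

The escaping step is the caveat worth keeping in mind when wiring the filter into a configurable template: the DN comes from the directory rather than from the user, but a DN can legitimately contain parentheses or asterisks, and a template that substitutes it raw either breaks the query or, for attacker-controlled attribute values, lets the caller widen it.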
Signed-off-by: Michael Sprauer <[email protected]>
* import settings
* Jenkins.getAuthentication
* DataBoundSetter and don't mess with the constructors
Signed-off-by: Michael Sprauer <[email protected]>
This adds a feature similar to what https://github.com/jenkinsci/reverse-proxy-auth-plugin already implements. I couldn't use that plugin however, because of https://issues.jenkins-ci.org/browse/JENKINS-29330
It turned out to be much simpler to add the reverse-proxy authentication into this plugin than to add the recursive group lookup into the reverse-proxy plugin.