
support for reverse proxy HTTP-Header based authentication

Open MichaelSp opened this issue 6 years ago • 9 comments

This adds a feature similar to what https://github.com/jenkinsci/reverse-proxy-auth-plugin already implements. I couldn't use that plugin, however, because of https://issues.jenkins-ci.org/browse/JENKINS-29330. It turned out to be much simpler to add the reverse-proxy authentication into this plugin than to add the recursive group lookup into the reverse-proxy plugin.

MichaelSp avatar Sep 02 '19 13:09 MichaelSp

Might be a good idea to check if x-forwarded-proto is set. What do you think?

MichaelSp avatar Sep 02 '19 13:09 MichaelSp

This PR is looking decent. I think you might be better off adding the new constructor parameter in the @DataBoundConstructor as a setter method with @DataBoundSetter to avoid having to break backward compatibility with all the constructors you changed. Otherwise, make sure to not delete any old constructors and instead mark them @Deprecated.

jvz avatar Sep 03 '19 19:09 jvz

don't merge, yet. We've found a bug in the token based authentication.

MichaelSp avatar Sep 23 '19 08:09 MichaelSp

false alert. I just stumbled across this one: https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626 (new crumbIssuer behaviour)

MichaelSp avatar Sep 23 '19 13:09 MichaelSp

@Wadeck @jtnord thoughts on this?

jvz avatar Jul 13 '20 14:07 jvz

Thanks for your comment @jtnord. I'm not quite sure how to go on from here. Since the mentioned ticket in reverse proxy auth has been open for 5 years and 3 days and the last commit happened 3 years ago, it doesn't seem very plausible to be addressed there.

If it's a matter of configuration, would you please nudge me in the right direction?

Did I mention? We've been running this patch for almost 1 year live in production on ~120 Jenkins.

MichaelSp avatar Jul 13 '20 16:07 MichaelSp

> I'm not quite sure how to go on from here. Since the mentioned ticket in reverse proxy auth has been open for 5 years and 3 days

the ticket could have been open that long because no one was interested enough to implement it there.

> and the last commit happened 3 years ago, it doesn't seem very plausible to be addressed there.

stable code :)
pinging @oleg-nenashev as he is the maintainer there (IIUC)

> If it's a matter of configuration, would you please nudge me in the right direction?

to retrieve all groups a user is a member of (member:1.2.840.113556.1.4.1941:=cn=myuser,cn=users,DC=foo)

I don't have my test setup anymore, but using that special OID you can get the AD server to do the legwork. (If bob is a member of cheese and cheese is a member of food, then the query will return both cheese and food when using the OID.)

(In other words - don't add recursive code to the RP plugin (was probably a big mistake of mine to do that at all here), but ask AD to return all the results.)

jtnord avatar Jul 13 '20 16:07 jtnord
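An added illustration of the approach jtnord describes (this is not code from the PR or from either plugin): build the `member:1.2.840.113556.1.4.1941:=` filter with the user DN escaped per RFC 4515, and model what the AD server computes for it over a constructed sample directory so the bob/cheese/food case can be checked offline. The directory contents and the function names are assumptions for the example.

```python
# Added example, not part of the active-directory or reverse-proxy-auth plugin.
from typing import Dict, Set

# OID quoted in the comment above: LDAP_MATCHING_RULE_IN_CHAIN
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a DN containing '*', '(' or ')' would change the filter's meaning."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def transitive_group_filter(user_dn: str) -> str:
    """Filter asking the AD server itself to return every group the user is a
    direct or nested member of, so no client-side recursion is needed."""
    return "(member:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def transitive_groups(direct_members: Dict[str, Set[str]], user: str) -> Set[str]:
    """Reference model of what the matching rule evaluates: follow the 'member'
    attribute across nested groups, tolerating membership cycles."""
    result: Set[str] = set()
    pending = [user]
    while pending:
        current = pending.pop()
        for group, members in direct_members.items():
            if current in members and group not in result:
                result.add(group)
                pending.append(group)
    return result


# Constructed sample directory (assumption): bob is in cheese, cheese is in food.
SAMPLE_DIRECTORY = {
    "cn=cheese,cn=users,DC=foo": {"cn=bob,cn=users,DC=foo"},
    "cn=food,cn=users,DC=foo": {"cn=cheese,cn=users,DC=foo"},
    "cn=other,cn=users,DC=foo": {"cn=alice,cn=users,DC=foo"},
}

if __name__ == "__main__":
    print(transitive_group_filter("cn=bob,cn=users,DC=foo"))
    print(sorted(transitive_groups(SAMPLE_DIRECTORY, "cn=bob,cn=users,DC=foo")))
```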

I am not a maintainer here, sorry.

oleg-nenashev avatar Jul 13 '20 16:07 oleg-nenashev

@oleg-nenashev he was speaking about https://github.com/jenkinsci/reverse-proxy-auth-plugin which you are a maintainer of

jvz avatar Jul 13 '20 17:07 jvz