SonarQube delegate authentication to GitLab fail [404 not found] - oauth-2.0

Context:
Sonarqube: 9.2.4.50792 --> https://sonar.dev.mycompany.com/
Gitlab: 13.4.3-ee --> http://git.mycomany.com/
What I am trying to achieve:
I try to delegate SonarQube authentication to Gitlab Self-Hosted.
What I've done:
Following the official SonarQube documentation, I've created a "GitLab OAuth app":
Went to http://git.mycompany.com/admin/applications
New Application:
Name: SonarQube
Redirect URI: https://sonar.dev.mycompany.com/oauth2/callback/gitlab
Trusted: Checked
Confidential: Checked
Scopes: all checked, to be sure my issue was not an access issue. (I'll tune it later)
I have copied both Application ID and Secret to use later.
Went to https://sonar.dev.mycompany.com/admin/settings?alm=gitlab&category=almintegration
GitLab Authentication:
Enabled: Yes, of course
GitLab URL: http://git.mycompany.com/users/auth/gitlab/callback
Application ID: The one given by GitLab during step 2
Secret: The one given by GitLab during step 2
Allow users to sign-up: Enabled
Synchronize user groups: Enabled
Disconnected to my admin account
The new Log in with GitLab is well shown:
When I clicked on this new button, I was well redirected to my GitLab instance (URL: http://git.mycompany.com/users/sign_in).
I was using my GitLab credentials then clicked on "Sign in"
I've got a GitLab 404 error page:
The URL was:
http://git.mycompany.com/users/auth/gitlab/callback/oauth/authorize?response_type=code&client_id=<MY_APPLICATION_ID>&redirect_uri=http%3A%2F%2Fsonar.dev.mycompany.com%3A9000%2Foauth2%2Fcallback%2Fgitlab&scope=api&state=ai1rq82joi504ggv3nc1qa0h29
The redirect_uri seems to be constructed with my sonar.properties informations (html_encoded):
"http://" + sonar.web.host + ":" sonar.web.port + "oauth2/callback/gitlab"
Investigation:
While I'm reproducing this error, I'm following (tail -f) some log files:
root#sonar.dev.mycompany.com: tail -f /var/log/httpd/*_log /var/log/message /home/sonar/sonarqube/logs/*.log
As expected, there is no information regarding the error 404 on GitLab.
On my GitLab server :
root#git.mycompany.com: tail -f /var/log/httpd/*_log /var/log/message /var/log/gitlab/*/current
And a message appears:
==> /var/log/gitlab/gitlab-workhorse/current <==
{
"correlation_id":"ZUVztnRFFe9",
"duration_ms":62,
"host":"git.mycompany.com",
"level":"info",
"method":"GET",
"msg":"access",
"proto":"HTTP/1.1",
"referrer":"",
"remote_addr":"127.0.0.1:0",
"remote_ip":"127.0.0.1",
"status":404,
"system":"http",
"time":"2022-01-19T18:06:47+01:00",
"uri":"/users/auth/gitlab/callback/oauth/authorize?response_type=code\u0026client_id=<MY_APPLICATION_ID>\u0026redirect_uri=http%3A%2F%2Fsonar.dev.mycompany.com%3A9000%2Foauth2%2Fcallback%2Fgitlab\u0026scope=api\u0026state=16r2cvc196v4fj8k0rv7oprs6h",
"user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62",
"written_bytes":28281
}
Is there anyone who can help me?

Your Redirect URL is http and your sonarqube https... I hope you get the problem

Related

How can I see all of the endpoint from swagger?

I was installed this library, I am working with sails.js
npm install sails-hook-swagger-generator --save
from their main website https://github.com/theoomoregbee/sails-hook-swagger-generator
I have created this file ./swagger/swagger.json
I want to see the swagger from the browser, how can I see the endpoints?
I have in routes something like that
'GET /api/v1/information': { action: 'actions/getinformation' },
I can not see nothing from the browser, what is the problem?
EDIT 1
from their answer https://github.com/theoomoregbee/sails-hook-swagger-generator/issues/27
you can simply change the directory you want to place the generated
swagger json may be assets, then clone
https://github.com/swagger-api/swagger-ui following the instructions
here
Just simply extract the dist folder (which is needed for just the
swagger ui) and update this line
https://github.com/swagger-api/swagger-ui/blob/1a95b9e9c972b95227a2976553fea988e58d7ff2/dist/index.html#L44
to be the path to the generated swagger json within your assets folder
i dont know what should i put in that line, i am putting the path of my file swagger.json
/disk/team/work/proyect/swagger
but when i try this url in the browser
http://127.0.0.1:8080/
i am getting this [2020-09-01T19:39:35.791Z] "GET /" Error (404): "Not found"
[2020-09-01T19:39:35.961Z] "GET /" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36"
[2020-09-01T19:39:35.963Z] "GET /" Error (404): "Not found"

Quarkus web app cannnot authorize with JWT and Keycloak

I am trying to authorize a user using code grant flow in Keycloak to a Quarkus application.
Here is the Quarkus configuration
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=web-application
quarkus.oidc.credentials.secret=ca21b304-XXX-XXX-XXX-51d38ef5da02
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email
The client configuration for "web-application" has only Standard Flow enabled (for Code Grant Flow)
I access http://localhost:8080/
I'm redirected to Keycloak (url looks good with scope=openid+email&response_type=code&client_id=web-application
I log in with sample user account
I'm redirected back with the code
Then I get an exception in Quarkus
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:276)
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:205)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:202)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:210)
The error in Keycloak is:
09:58:25,420 WARN [org.keycloak.events] (default task-30) type=CLIENT_LOGIN_ERROR, realmId=quarkus, clientId=web-application, userId=null, ipAddress=172.17.0.1, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret
Question:
Why Quarkus tries to use "grant_type=client_credentials"? It should use the grant type = "authorization_code". This looks like a bug in Quarkus, but maybe there is a flag.
"Service Account Enabled" is off. Enabling it should fix the issue.
Could you try:
quarkus.oidc.client-type=web-app
instead of:
quarkus.oidc.application-type=web-app
Source: https://quarkus.io/guides/security-openid-connect-web-authentication

Windows Etsy: Peer certificate cannot be authenticated with given CA certificates

In an effort to be OAuth'd with Etsy, I have tried countless solutions in C# to at least start the authentication process (ie get the login URL):
eg
mashery.com, http://term.ie/oauth/example/client.php and question #8321034
but the response is always the same:
oauth_problem=signature_invalid&debug_sbs=GET&https%3A%2F%2Fopenapi.etsy.com%2Fv2%2Foauth%2Frequest_token&oauth_consumer_key%3D...my-consumer-key...%26oauth_nonce%3D2de91e1361d1906bbae04b15f42ab38d%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1502362164%26oauth_version%3D1.0%26scope%3Dlistings_w%2520listings_r
and so I'm resorting to the dreaded world of PHP...
On my machine, I've installed the following (Windows 10):
XAMPP (xampp-win32-7.1.7-0-VC14-installer) with default options
JDK (jdk-8u144-windows-i586)
JRE (jre-8u144-windows-i586)
php_oauth.dll ([php_oauth-2.0.2-7.1-ts-vc14-x86.zip][4]) and copying it to C:\xampp\php\ext
[cacert.pem][4], (dated Jun 7 03:12:05 2017) and coping it to the following directories:
C:\xampp\perl\vendor\lib\Mozilla\CA
C:\xampp\phpMyAdmin\vendor\guzzle\guzzle\src\Guzzle\Http\Resources
Apache and Tomcat would not run to begin with from XAMPP because it said that ports 443 and 80 were being used/blocked and so I duly changed these to 444 and 122 in
C:\xampp\apache\conf\extra\httpd-ssl.conf
C:\xampp\apache\conf\httpd.conf
All good so far but when I run the following script in my browser (http://localhost:444/dashboard/etsy.php):
<?php
$base_uri = 'https://openapi.etsy.com';
$api_key = 'my-etsy-api-key';
$secret = 'my-etsy-api-secret';
$oauth = new OAuth($api_key, $secret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
$req_token = $oauth->getRequestToken($base_uri .= "/v2/oauth/request_token?scope=listings_w%20transactions_r", 'oob');
$login_url = $req_token['login_url'];
print "Please log in and allow access: $login_url \n\n";
$verifier = readline("Please enter verifier: ");
$verifier = trim($verifier);
$oauth->setToken($req_token['oauth_token'], $req_token['oauth_token_secret']);
$acc_token = $oauth->getAccessToken($base_uri .= "/v2/oauth/access_token", null, $verifier);
$oauth_token = $acc_token['oauth_token'];
$oauth_token_secret = $acc_token['oauth_token_secret'];
$oauth->setToken($oauth_token, $oauth_token_secret);
print "Token: $oauth_token \n\n";
print "Secret: $oauth_token_secret \n\n";
?>
I get the following error message:
Fatal error: Uncaught OAuthException: making the request failed (Peer
certificate cannot be authenticated with given CA certificates) in
C:\xampp\htdocs\dashboard\etsy.php:8 Stack trace: #0
C:\xampp\htdocs\dashboard\etsy.php(8):
OAuth->getRequestToken('https://openapi...', 'oob') #1 {main} thrown
in C:\xampp\htdocs\dashboard\etsy.php on line 8
I've tried running the script with each thread safe, x86 version of OAuth (http://windows.php.net/downloads/pecl/releases) - stop, restart Apache) but no luck.
I'm at my wits end.
How to I resolve this Peer certificate problem?
Simply disable the SSL on local.
$oauth->disableSSLChecks()
Oauth by default using CURL SSL Certificate. The simple way for local apache server is to disable it. Either configure the SSL for the CURL. It will also resolve the issue for oauth.
as per php documentation
we can set the certificate path simply.
$oauth->setCAPath("F:\xampp\php\extras\ssl\cacert.pem");
print_r($oauth->getCAPath());
You can also set the request engine to curl or php stream if the ssl is already configured.
Official PHP documentation

File upload not working with Rails 4 in development using Pow and Nginx

I am using Pow and Nginx to serve my Rails 4 app in development. A simple file upload is returning 500 error and the request is not reaching the Rails controller. I assume this is the case because there is no mention of the request in the Rails log. Without any mention of the error, I am not sure what is going wrong here.
I started with an Ajax file upload but replaced it with a simple form which is also not working.
Tried this
and then went to this
Current avatar.html.erb
<%= form_for #user, html: { multipart: true }, method: "post", url: '/settings/avatar/update', class: "", id: "update_avatar" do |f| %>
<%= f.file_field :avatar, class: 'js-upload-photo-button js-change-avatar-btn', accept: 'image/png,image/gif,image/jpeg,image/jpg' %>
<%= f.submit "Upload" %>
<% end %>
Request headers in Chrome
Expanded Request Headers section
nginx.log
127.0.0.1 - - [01/Feb/2014:11:28:26 +0530] "POST /settings/avatar/update HTTP/1.1" 500 643 "https://allotrop.dev/settings/avatar" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
pow access.log
[Sat Feb 01 2014 11:28:26 GMT+0530 (IST)] INFO [127.0.0.1] GET allotrop.dev /500.html
There are other questions here about Rails returning 500 error with no mention in log rails 500 error no production log entry
, Rails 3.2.13, 500 error in development with no log
and How to properly diagnose a 500 error (Rails, Passenger, Nginx, Postgres)
But these are one-off errors and do not seem related to the problem I am facing. It would be great if anyone can point me in the right direction.
Update 1
Relevant line from routes.rb
post '/settings/avatar/update', to: 'settings#update_avatar'
Update 2
Found my nginx error log. BTW, if you are using Homebrew, it is at /usr/local/Cellar/nginx/1.4.0/logs/error.log
nginx/error.log
2014/02/01 13:05:54 [crit] 8787#0: *85813 open() "/usr/local/var/run/nginx/client_body_temp/0000000010" failed (13: Permission denied), client: 127.0.0.1, server: *.dev, request: "POST /settings/avatar/update HTTP/1.1", host: "allotrop.dev", referrer: "https://allotrop.dev/settings/avatar"
The problem is not with Rails but with Nginx which is pretty evident from the nginx error.log. This question helped me understand what I was dealing with - Rails 3 + carrierwave + nginx = permission denied.
Nginx uses the client_body_temp_path directive to specify the location where it will temporarily store the uploaded files from the user request. Homebrew had set it by default to /usr/local/var/run/nginx. This folder also contains fastcgi_temp, proxy_temp, scgi_temp and uwsgi_temp for me. Nginx worker processes run with user nobody and they were not able to access these folders. I chowned all these folders to the nobody user, but that did not help.
Finally, I did
client_body_temp_path /tmp/nginx/; inside the HTTP module of my nginx.conf to make it work.
Doing a ls -l shows
drwx------ 2 nobody wheel 68 Feb 1 14:44 nginx
I am not sure why this worked inside /tmp and not inside the original /var/run/nginx. I belive I will face similar issue when I use other temp folders or in production. Will update this thread if and when that happens.
I recommend symlinking the other relevant logs like the nginx access and error log, pow access and app log to the /log directory of your Rails app. It helps in looking up errors in one of these when you face a tricky bug.

Jenkins-Testlink integration - HTTP server returned unexpected status: Found

I’m trying to connect Jenkins (1.482) with TestLink (1.9.4) thru Jenkins configuration in order to retrieve tests, but while running the job in Jenkins I get the below error in the console log.
Please note that Jenkins is hosted on tomcat (linux) on network“gnb” and Testlink is hosted on php (linux) on another network “<company network name>”. It works well when both are on my localhost (in windows)
but this integration does not work when both Jenkins and TestLink are on separate networks/hosts.
I get the below error on the console while running the job:
Preparing TestLink client API.
Using TestLink URL: http://<hostname>/mr61_php5/testlink/lib/api/xmlrpc.php
FATAL: Error verifying developer key: HTTP server returned unexpected status: Found
br.eti.kinoshita.testlinkjavaapi.util.TestLinkAPIException: Error verifying developer key: HTTP server returned unexpected status: Found
at br.eti.kinoshita.testlinkjavaapi.MiscService.checkDevKey(MiscService.java:66)
at br.eti.kinoshita.testlinkjavaapi.TestLinkAPI.(TestLinkAPI.java:162)
at hudson.plugins.testlink.TestLinkBuilder.getTestLinkSite(TestLinkBuilder.java:244)
at hudson.plugins.testlink.TestLinkBuilder.perform(TestLinkBuilder.java:134)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:717)
at hudson.model.Build$BuildExecution.build(Build.java:199)
at hudson.model.Build$BuildExecution.doRun(Build.java:160)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
at hudson.model.Run.execute(Run.java:1502)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:236)
Caused by: org.apache.xmlrpc.client.XmlRpcHttpTransportException: HTTP server returned unexpected status: Found
at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.getInputStream(XmlRpcSunHttpTransport.java:94)
at org.apache.xmlrpc.client.XmlRpcStreamTransport.sendRequest(XmlRpcStreamTransport.java:152)
at org.apache.xmlrpc.client.XmlRpcHttpTransport.sendRequest(XmlRpcHttpTransport.java:143)
at org.apache.xmlrpc.client.XmlRpcSunHttpTransport.sendRequest(XmlRpcSunHttpTransport.java:69)
at org.apache.xmlrpc.client.XmlRpcClientWorker.execute(XmlRpcClientWorker.java:56)
at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:167)
at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:158)
at org.apache.xmlrpc.client.XmlRpcClient.execute(XmlRpcClient.java:147)
at br.eti.kinoshita.testlinkjavaapi.BaseService.executeXmlRpcCall(BaseService.java:90)
at br.eti.kinoshita.testlinkjavaapi.MiscService.checkDevKey(MiscService.java:62)
... 12 more
ERROR: Error communicating with TestLink. Check your TestLink configuration.
I have below settings in my Jenkins’s global configuration for Testlink installation
Name: testlink
URL: http://<host name>/mr61_php5/testlink/lib/api/xmlrpc.php
Developer key: generated from Testlink (Settings->Generate a new key)
Can you please point me if I miss something?
Usually in the Testlink folder structure, the path that you have mentioned, does not contain the xmlrpc.php file
Probabaly worng URL: URL: http:///mr61_php5/testlink/lib/api/
The correct URL is usually of this format
.../testlink/lib/api/xmlrpc//xmlrpc.php
Kindly check the correct URL, or try opening the xmlrpc.php page, so that you can get the correct path of the file. As per my assumption it should be somewhat like this:
http:///mr61_php5/testlink/lib/api/xmlrpc/xmlrpc.php
Good answer In my case it is as below...
http://IP:PORT/testlink/lib/api/xmlrpc/v1/xmlrpc.php in 1.9.11 version of testlink

Resources