How to setup Gerrit without any authentication? - gerrit

I downloaded Gerrit, unpacked it and started the server with bin/gerrit.sh start. Then I noticed that I cannot log into the web frontend and looked for my options. Since all I would like to do is add a test project and play around with it to explore the features, I would actually like to avoid authentication at all.
Is there a way to get this going without openid or ldap. auth.type=http would be just right, but this again requires an apache in front. Or can I just configure jetty to do it. If so, how?

Related

How to use spring security rest grails plugin to authenticate form-based login

Preface: I created the following issue in GitHub of the plugin and Alvaro Sanchez, the author of the plugin, recommended me to ask here which is the dedicated discussion channel for it.
We are migrating our Grails-based application to Kubernetes to allow multiple instances running simultaneously. The inherent problem is that the application will ask users to re-login if the request is served by the other pod that is not the previously same pod. We want to replace session-based authentication with token-based authentication.
I have come across writing on medium explaining how to use this plugin come long the source code published on GitHub, however, this tutorial didn't show how to customise the form-based login or something along those lines.
The key point here is to verify the existence of the defined token in order to redirect the login URL. However, I don't actually understand how and where we could intervene LoginController spring security core to check both username and token.
Apart from that, I cannot find any tutorials as well as documentation relevant to our need, so then I have raised this problem which someone experienced users can share their solutions.
If you have any idea, helpful tutorials or source code, could you please share with us?
Thank you in advance!

Advice on User Authentication

We're looking for a simple open source software, that is easily containerised, that we can use as a single sign on machine inside our cloud development environment.
The servers that it will need to handle authentication for are
gitlab nexus jenkins sonarqube
So far I've looked at freeIPa
https://github.com/freeipa/freeipa-container
Having a few teething troubles getting this setup, and was hoping to get some other suggestions.
To be honest I'm not even certain freeIPA will work with all those software titles anyway, something I'll check now.
Any tips or advice more than welcome.
Here's a basic diagram of what we're trying to achieve

Jenkins and GitLab -- Gitlab Hook plugin is the right choice?

There are so many posts about this, and being inexperienced in Git doesn't help to get a good grip on this.
I just joined a new company that dont have CI at all, so jumped on the opportunity to create a proof of concept (using Jenkins locally on my Windows box for now, until I get a dedicated server for it). I've used and semi-configured Jenkins in the past, using SVN, and it was so simple and fast to get it working. In this company, they don't use SVN, only GitLab (I believe its private - we have our own site, not .gitlab.com), and nothing works for me.
I followed a few turorials, but mainly this seemed like the one that meets my needs. It didn't work (the reasons and symptoms are probably worth a post of its own).
When I look at Gitlab Hook plugin in Jenkins, I see a big red warning saying it is not safe ("Gitlab API token stored and displayed in plain text").
So my question, for this POC that i am working on, how serious is this warning? Should I avoid this plugin and then this method altogether because of this?
And while i'm at it, I might also throw an additional general question to open up my options here ... If I want Jenkins to work with Gitlab (meaning, I checkin something and it triggers a build), do I absolutely need to use the SSH method, or it could work with HTTPS as well?
Thank you.
This is indeed SECURITY-263 / CVE-2018-1000196
Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with master file system access to obtain GitHub credentials.
Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to users with Overall/Administer permission. This exposes the API token to people viewing a Jenkins administrator’s screen, browser extensions, cross-site scripting vulnerabilities, etc.
As of publication of this advisory, there is no fix.
So:
how serious is this warning?
Serious, but it does require access to the Jenkins server filesystem, or it requires Jenkins administration level. So that risk can be documented, acknowledged and, for now, set aside, provided mitigation steps are in place, ie.:
the access to the Jenkins server is properly monitored
the list of Jenkins admin account is properly and regularly reviewed.
do I absolutely need to use the SSH method, or it could work with HTTPS as well?
You can use https for accessing GitLab repositories in a Jenkins job.
But for the GitLab hook plugin, SSH remains the recommended way, considering you would use a token (instead of a user account name/password), that you can revoke at any time.

How to direct pf_auth.pf_authenticate request to on-premise Multi Factor Authentication Server

I've been beating my head for hours on this request.
I have an on-premise installation of an Azure MultiFactor Authentication Server. I'm building a new ASP.Net MVC 5 application that will do an LDAP lookup for users in Active Directory (also on-premise) with no ADFS configured.
I've gone through the sdk for MFA Server and can easily enable SMS requests to be sent. I get the otp code from calling pf_auth.pf_authenticate(authParams, out otp, out callStatus, out errorId);
This works for test. But I need to direct this request to my on-site MFA Server. I can't find anything that tells me where I can set this value.
I know that if I login to a machine on that domain it automatically sends the SMS text to my phone and I can enter it into the next screen to complete a login (the default user portals set up with MFA). I would assume that this would possibly work when I call ValidateCredentials on my application's newly created PrincipalContext. But how do I submit the sms code without some sort of RequestId to synch up the communication.
I'm sorry if this doesn't make much sense. It's just all the examples I can find are for using MFA with a local ADFS. I only have Active Directory which is causing me to do the custom LDAP lookup.
Any help or direction is greatly appreciated.
OK, sorry for the delay in responding to this post. After getting no responses I moved on but have recently noticed that there have been 45+ views since my post and thought I should update for others who might be experiencing a similar issue.
Turns out that when using MFA on premise you can point multiple applications to a single MFA server, like Remote Access, VPN, etc.
However if you are attempting to setup a Web Application hosted on IIS you need to install a copy of the MFA server on the IIS server hosting the application.
When installing you can point to the existing MFA setup so that both machines are in the same configuration. This local install also adds a custom IIS Plugin that does the request interception and directs it through the MFA pipeline. If everything looks good the request is then forwarded to your web application like normal.
This is really pretty straight forward but the documentation for MFA setup was sorely lacking. Hopefully in the future there will be a decent sample app provided by Microsoft that demos this process using local MFA and not just the Azure hosted solution.

Retrieve NTLM Active Directory user data to Rails w/o IIS

I believe that we can allow Firefox to sent NTLM data to SharePoint sites to do automatic authentication, and I think that this is doable with IIS.
I'd like to do the same thing with an internal Rails site.
Does anyone know of way that I could authenticate NTLM type user information through a Apache/mongrel setup (provided of course that it's already running on a Windows box inside of an Active Directory domain)?
I created tutorial on how to install patched mod_ntlm module for Apache on Linux and how to pass NTLM authenticated username to Rails and how create Rails session from that. So as a result you do not need Windows server for running Rails application.
There you can find also how to enable automatic NTLM authentication in Firefox — enter "about:config" in location field and then search for "network.automatic-ntlm-auth.trusted-uris". There you can enter servers for which you would like to use automatic NTLM authentication.
Bit of extra info in case anyone stumbles across this.
I wanted to do something which I thought should be pretty simple - extract the users windows username using NTLM from a Rails app running on Mongrel/Windows (InstantRails actually). Having written the basic code manage the various handshaking operations (using the great NTLMRuby library at http://rubyforge.org/projects/rubyntlm/) and having got it to work wonderfully in Firefox I was somewhat frustrated to find IE not working.
Mongrel doesn't support keep-alives during the type1/2/3 message exchange (at least natively, I believe there's a hack/fix for it), which IE demands and Firefox gets by without.
So authenticating a Rails server running on Windows against a remote NTLM service (e.g. Sharepoint or another web site) is reasonably straight forward, but authenticating an IE browser against a Rails server running on Windows not so much with Mongrel. IIS would be an option, as might be basic Apache with FastCGI. The former feels a bit clunky and the latter won't be as fast as Mongrel.
I'm assuming you've already worked out which HTTP headers you need to send in order to get firefox and IE to send back the NTLM authentication stuff, and are just needing to handle that on the server side?
You could use some of ruby's win32 libraries to access the underlying windows authentication functions which handle the NTLM.
I'd suggest the path of least resistance might be to see if there is a COM component which can do the authentication for you, and if so, to use it using the Win32OLE ruby library.
If there's no COM component, you might be able to find something in one of those other libraries which can invoke the native win32 methods for you.
If you can't find that, you'd have to write a ruby C extension. I've done this on linux, and extending ruby is pretty easy, but you may find the microsoft authentication API's a bit painful.
Hope that gets you started on the right track :-)
You could also use the Apache ntlm module, which should pass a header onwards to your application with the username of the authenticated user. That module looks a bit old, but suggests some other modules that may suit your needs.
Old question I know but I came across this looking for a similar answer.
you could use the methods described here (http://blog.rayapps.com/2008/12/02/ntlm-windows-domain-authentication-for-rails-application/). However mod_ntlm is for windows authentication on a UNIX/linux machine. mod_auth_sspi is what you'll need for winNT authentication from apache under windows.
This particular project looks promising and is looking for contributors:
Rack middleware for transparent authentication with NTLM.
I haven't yet tried this out. For the moment I plan on implementing Raimonds' solution as it appears to have a lot of success.
Check out Waffle. It provides SSO on Windows to Java servers using Win32 API. There're a number of implemented filters (servlet, tomcat valve, spring-security).

Resources