
Comments (10)

baumandm avatar baumandm commented on May 13, 2024

Hi @atod, thanks for the question. I looked up the JIRA REST API documentation on authentication. I think basic authentication would be the easiest to get working: https://developer.atlassian.com/jiradev/jira-apis/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-basic-authentication

This would require you to create an Authorization header for a specific user, and hard-code that header into the JSON Data Source options in the dashboard. You can use the built-in Encryption to prevent anyone from seeing the actual password.

This approach wouldn't use the credentials of the user viewing the dashboard however—the data would be accessible to anyone opening the Cyclotron dashboard, because of the hard-coded credentials. Not sure if this approach works for you or not, due to the potential risk of exposing a user's credentials. Ideally you could use a service account.

AFAIK it's not possible to get the credentials of the user viewing the dashboard, or their JIRA cookie (due to browser security). Again I'm unclear on the certificate authentication you mention, but potentially that could be integrated into the Cyclotron-svc backend somehow.

Finally one more suggestion: Instead of hardcoding the Authorization header into the dashboard, you could add a new REST endpoint to the cyclotron-svc code, which makes authenticated requests JIRA (using a single user's credentials). Then the JSON Data Source could connect to that endpoint without authentication. As long as the cyclotron-svc backend is secure, this would avoid exposing any user credentials.

Hope this helps, let me know if there's anything I can clarify.

from cyclotron.

atod avatar atod commented on May 13, 2024

Hi @baumandm,
Thank you for providing a detailed answer.
I would prefer to avoid hardcoding a user into the JSON Data Source options. Also, a service account is not an option for us.

I would like to check with you whether it is possible to use the credentials of the user viewing the dashboard by implementing/extending the Cyclotron front-end and back-end in the following way:

  • When a dashboard user opens a dashboard, he/she is asked to provide their own credentials (user name and password) to the front-end. These credentials are stored only in the session (in memory).
  • Then the dashboard runs a Data Source which calls the Cyclotron-svc back-end service, sending the credentials so that they can be used to gather the needed data from the respective system (like Jira). In that way the credentials are hardcoded nowhere.

Thank you for your guidance in advance!
atod


baumandm avatar baumandm commented on May 13, 2024

Hi @atod, I understand what you're proposing and it is certainly possible to extend Cyclotron in this way. However, I don't believe this is a security best practice, and it's not functionality we would want to provide out-of-the-box due to the inherent risk. That said, I'd be happy to help point you in the right direction if this is something you want to implement.


atod avatar atod commented on May 13, 2024

Hi @baumandm, as far as I understand the security vulnerability, I think it can be mitigated by ensuring that a local Cyclotron instance's code can be updated only if the new code change is submitted to a version control system (i.e. Git) and then synced and activated via automation (i.e. a Jenkins job) for which the change owner needs to be authenticated. Access to the local Cyclotron instance hosts will be forbidden.

Thank you for offering to help with extending Cyclotron! Where is it best to continue the discussion? Should we use this Git issue, or can we connect via email, for example?


atod avatar atod commented on May 13, 2024

Hi @baumandm, reading my last comment now, it is hard even for me to understand what I tried to explain. :)
I wanted to say that access to the code of a productive Cyclotron instance can be forbidden, and in that way minimize the risk of the security vulnerability.

Do you see a chance to discuss the potential extension?


baumandm avatar baumandm commented on May 13, 2024

Hi @atod, sorry for the delay in addressing this. I've implemented it pretty much as you described above, but with the additional step of encrypting the value before caching it in the front-end. It uses the existing built-in encryption functionality, which only allows decryption when running a Data Source (and the decryption runs service-side, so the user never sees the password).

I've added a new configuration setting in the website's configService.js, cacheEncryptedPassword: true. It's false by default, so you'll need to change it to true.

Once enabled, you should be able to reference the credentials of the current logged-in user like this: ${Cyclotron.currentUsername} and ${Cyclotron.currentUserPassword}. This is the inline JavaScript notation, so you can use it in the Data Source properties.

For example, if you wanted to authenticate to a web service with the current user's credentials, using the JSON Data Source:

{
    "options": {
        "auth": {
            "pass": "${Cyclotron.currentUserPassword}",
            "user": "${Cyclotron.currentUsername}"
        },
        "followAllRedirects": "${true}"
    },
    "type": "json",
    "url": "...."
}

Please review and let me know if you have any feedback. It's currently on the branch feature/cacheEncryptedPassword, as I haven't merged this feature to the master branch yet.


atod avatar atod commented on May 13, 2024

Hi @baumandm,
I apologize for my late reply. I just realized that you implemented this feature, which is awesome!
I will test it in my environment and return feedback.

Once again thanks a lot!


atod avatar atod commented on May 13, 2024

Hi @baumandm,
I'm still working to validate the feature due to time constraints on my side. And once again, thank you for implementing it.

It took time for me to configure the LDAP authentication. Now it works successfully. I'm able to log in to my Cyclotron instance with my user/password and define view/edit permissions per dashboard.

Currently trying to fetch data from Jira with the JSON Data Source. Here it is
(strings in <>, i.e. <JIRA_HOSTNAME>, are placeholders for the original strings):

{
    "name": "jira_logged_work",
    "options": {
        "auth": {
            "pass": "${Cyclotron.currentUserPassword}",
            "user": "${Cyclotron.currentUsername}"
        },
        "followAllRedirects": "${true}",
        "strictSSL": "${false}"
    },
    "postProcessor": "pp = function (data) {\n console.log( \"JSON Data: \" + JSON.stringify(data) );\n return data.issues;\n}",
    "queryParameters": {
        "jql": "project=<JIRA_PROJECT> and worklogDate>=\"-7d\"",
        "maxResults": "1",
        "startAt": "0"
    },
    "type": "json",
    "url": "https://<JIRA_HOSTNAME>/rest/api/2/search"
}

Unfortunately it fails with:

POST http://ui5delivery.mo.sap.corp:8077/proxy 500 (Internal Server Error)

and the proxyResponse object is undefined.

The first thing I noticed in the proxyRequest object was that user is not part of the auth object, as shown below. Even after hardcoding it (for testing purposes only) it still failed in the same way.

{
    "url": "https://<JIRA_HOSTNAME>/rest/api/2/search?jql=project%3D<JIRA_PROJECT>+and+worklogDate%3E%3D%22-7d%22&maxResults=1&startAt=0",
    "method": "GET",
    "json": true,
    "auth": { "pass": "<USER_PASSWORD>" },
    "followAllRedirects": true,
    "strictSSL": false
}

Any hints will be very much appreciated.

Thank you!
atod


baumandm avatar baumandm commented on May 13, 2024

Hi @atod, I think this is my mistake. I double-checked the code and my previous instructions were wrong. The correct username reference is "${Cyclotron.currentUser.name}". Can you try changing this to see if it resolves the issue?


atod avatar atod commented on May 13, 2024

Hi @baumandm,
this helped. Actually, I had to use "${Cyclotron.currentUser.sAMAccountName}" for my use case. Now the user name is present in the proxyRequest. I still have an issue fetching data from Jira, but it is because of the local host proxy configuration. As soon as I manage to fix it, I will write back.

Thank you!

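The failure above (the "user" key silently disappearing from the proxied auth object because the placeholder pointed at a property that does not exist) is easy to catch before the request ever reaches the backend. The following is an added example and not Cyclotron's own code: it resolves the `${...}` references of a Data Source "auth" block against a constructed session context, reports which credential fields did not resolve, builds the Basic Authorization header only from complete credentials, and redacts the password from anything meant for logs or bug reports. The context property names (`currentUser.name`, `currentUser.sAMAccountName`, `currentUserPassword`) follow the references mentioned in the thread but are assumptions here; only dotted property paths are handled, not arbitrary inline JavaScript such as `${true}`.

```javascript
// Added example, not Cyclotron's own code. Models the step where a JSON Data
// Source's "auth" block is resolved against the session context before the
// request is handed to the backend proxy, and checks that both "user" and
// "pass" actually resolved instead of vanishing silently.

// Constructed session context; property names are assumptions based on the
// references mentioned in the thread. The password value is made up.
const sessionContext = {
  Cyclotron: {
    currentUser: { name: "jdoe", sAMAccountName: "JDOE" },
    currentUserPassword: "constructed-example-password",
  },
};

// Resolve a "${dotted.path}" expression by walking the context object.
// Only dotted property paths are handled; Cyclotron's real inline notation
// evaluates JavaScript, which this example does not attempt.
// Returns undefined when any segment of the path is missing.
function resolvePlaceholder(value, ctx) {
  if (typeof value !== "string") return value;
  const m = /^\$\{([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\}$/.exec(value);
  if (!m) return value; // plain literal, pass through unchanged
  return m[1]
    .split(".")
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
}

// Build the auth object the proxy will see, omitting fields that did not
// resolve (this mirrors the symptom in the thread: "user" simply vanished).
function resolveAuth(authSpec, ctx) {
  const auth = {};
  for (const [key, value] of Object.entries(authSpec)) {
    const resolved = resolvePlaceholder(value, ctx);
    if (resolved !== undefined) auth[key] = resolved;
  }
  return auth;
}

// Names of required credential fields that are missing or empty.
function missingAuthFields(auth) {
  return ["user", "pass"].filter(
    (key) => typeof auth[key] !== "string" || auth[key].length === 0
  );
}

// The Basic Authorization header value the upstream request would carry;
// refuses to build one from incomplete credentials so the error is explicit
// rather than an opaque 500 from the proxy.
function basicAuthHeader(auth) {
  const missing = missingAuthFields(auth);
  if (missing.length > 0) {
    throw new Error(`cannot build Basic auth header, missing: ${missing.join(", ")}`);
  }
  return "Basic " + Buffer.from(`${auth.user}:${auth.pass}`, "utf8").toString("base64");
}

// A copy of the request description that is safe to log or paste into an
// issue: the password is replaced so debugging output never carries it.
function redactForLogging(proxyRequest) {
  const copy = JSON.parse(JSON.stringify(proxyRequest));
  if (copy.auth && "pass" in copy.auth) copy.auth.pass = "<REDACTED>";
  return copy;
}

// Usage: goodSpec uses the corrected reference from the thread, badSpec the
// reference from the first attempt.
const goodSpec = { pass: "${Cyclotron.currentUserPassword}", user: "${Cyclotron.currentUser.name}" };
const badSpec = { pass: "${Cyclotron.currentUserPassword}", user: "${Cyclotron.currentUsername}" };
console.log(missingAuthFields(resolveAuth(goodSpec, sessionContext))); // []
console.log(missingAuthFields(resolveAuth(badSpec, sessionContext))); // [ 'user' ]
console.log(redactForLogging({
  url: "https://<JIRA_HOSTNAME>/rest/api/2/search",
  auth: resolveAuth(goodSpec, sessionContext),
}));
```

Running the check on the dashboard side (or at the proxy entry point) turns a wrong placeholder into an immediate, named error and keeps the real password out of the proxyRequest dumps that end up in issue trackers.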
