
sonar-auth-openshift's Introduction


Openshift Authentication Plugin for SonarQube

Description

This plugin enables user authentication and Single Sign-On via OpenShift. It is based on the code by Julien Lancelot. Tested on version 7 of Sonarqube and OCP 3.11. It is intended to run deployed in a pod on OpenShift.

This plugin is designed to work out of the box without configuration. During plugin deployment, it looks up oauth information from OpenShift's well-known information and takes advantage of information already on the running pod.

During deployment the plugin will:

  • Look up well-known oauth information at https://openshift.default.svc
  • Pull the service account client_id, secret and cert from the file system
  • Pull the OpenShift API location from the env variables of the pod
  • Get the ServiceAccount name from the API
  • Get the Route of the service that fronts Sonarqube, which is used for the OAuth callback. This relies on the service name being available in the configuration (via sonar.properties); as a fallback it defaults to sonarqube

Installation

This plugin is currently hosted at rht-labs. The latest jar is here. If you modify it, you can build it locally and place the jar on the volume from which Sonarqube reads plugins at startup. Typically, this is /opt/sonarqube/data/plugins.

The service account can be used as the OAuth client in OpenShift. The service account that runs Sonarqube should have a redirect URI that references the route that Sonarqube is using. You must specify this service account in the DeploymentConfig.

- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      serviceaccounts.openshift.io/oauth-redirectreference.sonarqube: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"sonarqube"}}'
    name: sonarqube

The service account must have the ability to view routes in the project.

oc policy add-role-to-user view system:serviceaccount:sonarqube-project:sonarqube

The sonar.auth.openshift.isEnabled property must be set to true. The preferred way is to place that value in the sonar.properties file during your container build:

sonar.auth.openshift.isEnabled=true

You may also enable it in the administrative console.

Configuration

This plugin will map OpenShift groups to Sonarqube roles. These values are set with the property:

sonar.auth.openshift.sar.groups=ocp-admin=sonar-administrators,ocp-users=sonar-users

This means that OpenShift users in the group ocp-admin become Sonarqube administrators with the role sonar-administrators, and OpenShift users in the group ocp-users are added as ordinary sonar-users. These OpenShift groups do not exist by default.

The default mapping value is:

sonar.auth.openshift.sar.groups=sonar-administrators=sonar-administrators,sonar-users=sonar-users
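The following is an added example, not code from the plugin, that parses the sonar.auth.openshift.sar.groups value and resolves a user's OpenShift groups to Sonarqube groups. It assumes union semantics (a user in several mapped groups gets all of the mapped roles) and treats a user with no mapped group as having no role; the plugin's own resolution may differ.

```python
"""Resolve Sonarqube roles from OpenShift group membership.

Added example, not the plugin's own code.  Assumptions: the property
value is a comma-separated list of "ocp-group=sonar-group" pairs, a user
in several mapped groups receives the union of the mapped roles, and a
user in no mapped group receives nothing (the caller decides what to do
with an empty set).
"""
from typing import Dict, List, Set

# Default mapping as documented above.
DEFAULT_MAPPING = "sonar-administrators=sonar-administrators,sonar-users=sonar-users"


def parse_group_mapping(value: str) -> Dict[str, str]:
    """Parse 'ocp-group=sonar-group,...' into {ocp_group: sonar_group}.

    Malformed entries (no '=' or an empty side) raise ValueError so that a
    typo in sonar.properties fails loudly instead of silently mapping nobody.
    """
    mapping: Dict[str, str] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        ocp_group, sep, sonar_group = entry.partition("=")
        if not sep or not ocp_group.strip() or not sonar_group.strip():
            raise ValueError(f"malformed group mapping entry: {entry!r}")
        mapping[ocp_group.strip()] = sonar_group.strip()
    return mapping


def resolve_roles(user_groups: List[str], mapping: Dict[str, str]) -> Set[str]:
    """Return the Sonarqube groups a user gets from their OpenShift groups.

    A user in both the admin and the users group keeps sonar-administrators;
    a user in no mapped group gets an empty set rather than a fallback role.
    """
    return {mapping[g] for g in user_groups if g in mapping}
```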

To disable certificate validation (not recommended for production), configure the ignore.certs property:

ignore.certs=true

The pod that Sonarqube runs in should have a valid certificate to access the OpenShift/Kubernetes API. The OAuth server may use a different certificate; that certificate needs to be loaded into the keystore. To do so, place the certificate on the container's file system (via ConfigMap, Dockerfile, etc.), then configure the sonar property to point to its location on the file system:

oauth.cert=/opt/sonarqube/conf/oauth.crt

You may choose the background color of the login button with the property:

sonar.auth.openshift.button.color=#666666

Set the Kubernetes API location. In the example the API is set automatically from the pod's environment variables:

kubernetes.service=https://${env:KUBERNETES_SERVICE_HOST}:${env:KUBERNETES_SERVICE_PORT}/

See the example set up using the OpenShift Applier here.

Configuration Table

Config                              Purpose
sonar.auth.openshift.sar.groups     A map converting OpenShift groups to Sonarqube roles
sonar.auth.openshift.route.name     The name of the route. Must also be defined in the service account (see example template)
oauth.cert                          File system location of the OAuth server certificate
ignore.certs                        Option to ignore certificate validation. Not recommended for production
kubernetes.service                  The URL of the API server, with port if necessary
sonar.auth.openshift.isEnabled      Controls whether this plugin is used
sonar.auth.openshift.button.color   The hex color of the login button (#666666)

License

Licensed under the Apache License


sonar-auth-openshift's Issues

Work with SonarSource To Add This To The Marketplace

It's relatively easy to get SonarSource to host plugins in the marketplace. They have a list of requirements HERE. I can work with the team to get this integrated into CI and then submit the review request to the mailing list and get it added to the marketplace.

[FEATURE] Add a docker image to quay.io

Is your feature request related to a problem? Please describe.

It would be nice not to have to build this image but instead pull it from quay.io. I'd imagine that the version would ideally line up with an associated tag.

Describe the solution you'd like

  1. An image in quay.io

  2. the example updated (or second added using the image).

  3. Update the sonar.properties to be configurable in the example template

sonar.auth.openshift.button.color=#000000
sonar.auth.openshift.sar.groups=sonarqube_admin=sonar-administrators,sonarqube_user=sonar-users
ignore.certs=false
#oauth.cert=/opt/sonarqube/conf/oauth.crt
sonar.search.javaAdditionalOpts=-Dnode.store.allow_mmapfs=false
#sonar.auth.openshift.route.name=customname

This file would be on the docker image so making it more customizable in the template will give it a wider audience

Describe alternatives you've considered

Meh. Could just push an image to quay.io. Then a user could modify their own templates and crush the sonar file with a configmap (with subpath!)

[FEATURE] Allow OpenShift tokens to be used to authenticate to SonarQube

Is your feature request related to a problem? Please describe.
When running SonarQube inside of OpenShift and CI/CD, it would be great if the service account token in the pod could be used as the authentication token for SonarQube

Describe the solution you'd like
When running sonarqube scanner (from Maven for example), if the following worked I would be SUPER happy:

mvn sonar:sonar -Dsonar.login=$(oc whoami -t)

Describe alternatives you've considered
It is definitely possible to log in to SonarQube and create a token and use that token, but it requires extra setup.

Additional context
N/A

Add ability to deploy the plugin without using it

Currently the plugin will try to initialize itself with the OpenShift env when the plugin is loaded. There should be some ability to disable the plugin without crashing sonar at start up.

I'd suggest:

At start up, check the enabled property; if it is not set or is false, then do not try to load the init sequence (check well-known oauth info, find the OpenShift route, load SSL cert). Probably also log a message at load time. If enabled but one of those steps fails, throw an error and disable the plugin but don't crash the app.

Provide the ability to change at runtime?

[FEATURE] Clearer default group / role implementations

Is your feature request related to a problem? Please describe.
This may be a bug depending on your expectations.

Scenario:

  • use default groups-role mappings
  • do not add those groups to openshift
  • login with valid openshift user

Expectation

  • The user is not in a predefined role so the user should be denied access.

Actual

  • The user is added to the sonar-users group and allowed to view projects

Describe the solution you'd like

I'm not against this behavior but I think the plugin should support a no group then no role implementation and that this new behavior should be the default

Describe alternatives you've considered
meh

Additional context
meh

Unable to build locally using Maven

Attempted to run mvn clean package and ended up with errors on the Unit Test related to SSL:

[ERROR] Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.583 s <<< FAILURE! - in com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest
[ERROR] failToInitWhenDisabled(com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest)  Time elapsed: 0.439 s  <<< ERROR!
java.lang.IllegalStateException: Problem setting up ssl
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)
Caused by: java.lang.NullPointerException
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)

[ERROR] init(com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest)  Time elapsed: 0.029 s  <<< ERROR!
java.lang.IllegalStateException: Problem setting up ssl
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)
Caused by: java.lang.NullPointerException
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)

[ERROR] checkFields(com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest)  Time elapsed: 0.03 s  <<< ERROR!
java.lang.IllegalStateException: Problem setting up ssl
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)
Caused by: java.lang.NullPointerException
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)

[ERROR] isEnabled(com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest)  Time elapsed: 0.028 s  <<< ERROR!
java.lang.IllegalStateException: Problem setting up ssl
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)
Caused by: java.lang.NullPointerException
        at com.rhc.sonarqube.auth.openshift.OpenShiftIdentityProviderTest.preTest(OpenShiftIdentityProviderTest.java:81)

[INFO] Running com.rhc.sonarqube.auth.openshift.AuthOpenShiftPluginTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.001 s - in com.rhc.sonarqube.auth.openshift.AuthOpenShiftPluginTest
[INFO] 
[INFO] Results:
[INFO] 
[ERROR] Errors: 
[ERROR]   OpenShiftIdentityProviderTest.preTest:81 » IllegalState Problem setting up ssl
[ERROR]   OpenShiftIdentityProviderTest.preTest:81 » IllegalState Problem setting up ssl
[ERROR]   OpenShiftIdentityProviderTest.preTest:81 » IllegalState Problem setting up ssl
[ERROR]   OpenShiftIdentityProviderTest.preTest:81 » IllegalState Problem setting up ssl
[INFO] 
[ERROR] Tests run: 5, Failures: 0, Errors: 4, Skipped: 0
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.984 s
[INFO] Finished at: 2019-09-01T10:04:02-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M3:test (default-test) on project sonar-auth-openshift-plugin: There are test failures.
[ERROR] 
[ERROR] Please refer to /home/dphillips/Documents/RedHat/Workspace/sonar-auth-openshift-1/target/surefire-reports for the individual test results.
[ERROR] Please refer to dump files (if any exist) [date].dump, [date]-jvmRun[N].dump and [date].dumpstream.
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Are there extra instructions needed to successfully build and test? If so, we should add a "Building" section to the README.

[BUG] When a user belongs to both the "user" and "admin" OpenShift groups, only the user role is granted

Do your best

Describe the bug
I have SonarQube deployed on OCP 4.1. I have 2 groups mapped for users and admins. My user is member of both groups. When I log in using the OAuth plugin, only the "user" role is granted to my account within SonarQube.

Expected behavior
The greater privilege should be granted if both are present

Screenshots
N/A.

OpenShift Version

  • What version: 4.1
  • oc version: v4.1.10-201908061216+68e229c-dirty
  • where is OpenShift running? AWS/RHPDS

Additional context
Add any other context about the problem here.

Roles mapping doesn't work

When connecting with a user that has the admin role on the related namespace I get an empty roles array.
I think that it is related to the way findUserRoles works, specifically the subject access review request.

These are the logs I get on DEBUG level:

2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][c.r.s.a.o.OpenShiftConfiguration] API url: https://172.30.0.1:443/
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][c.r.s.a.o.OpenShiftIdentityProvider] SAR body {"kind":"SubjectAccessReview","apiVersion":"v1","namespace":"sonarqube","verb":"admin","resourceAPIGroup":"","resourceAPIVersion":"","resource":"sonarqube","resourceName":"","user":"","groups":[],"scopes":[]}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@5a97ee1a8 pairs: {POST /oapi/v1/subjectaccessreviews HTTP/1.1: null}{Authorization: Bearer MASKED}{Content-Type: application/json}{User-Agent: Java/1.8.0_181}{Host: 172.30.0.1}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 208}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@cc19f05 pairs: {null: HTTP/1.1 201 Created}{Cache-Control: no-store}{Content-Type: application/json}{Date: Mon, 23 Sep 2019 17:03:54 GMT}{Content-Length: 198}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][c.r.s.a.o.OpenShiftIdentityProvider] SAR body {"kind":"SubjectAccessReview","apiVersion":"v1","namespace":"sonarqube","verb":"edit","resourceAPIGroup":"","resourceAPIVersion":"","resource":"sonarqube","resourceName":"","user":"","groups":[],"scopes":[]}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@78af83a88 pairs: {POST /oapi/v1/subjectaccessreviews HTTP/1.1: null}{Authorization: Bearer MASKED}{Content-Type: application/json}{User-Agent: Java/1.8.0_181}{Host: 172.30.0.1}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 207}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@18cc16d45 pairs: {null: HTTP/1.1 201 Created}{Cache-Control: no-store}{Content-Type: application/json}{Date: Mon, 23 Sep 2019 17:03:54 GMT}{Content-Length: 197}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][c.r.s.a.o.OpenShiftIdentityProvider] SAR body {"kind":"SubjectAccessReview","apiVersion":"v1","namespace":"sonarqube","verb":"view","resourceAPIGroup":"","resourceAPIVersion":"","resource":"sonarqube","resourceName":"","user":"","groups":[],"scopes":[]}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@482dce7b8 pairs: {POST /oapi/v1/subjectaccessreviews HTTP/1.1: null}{Authorization: Bearer MASKED}{Content-Type: application/json}{User-Agent: Java/1.8.0_181}{Host: 172.30.0.1}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 207}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@4c9bb6155 pairs: {null: HTTP/1.1 201 Created}{Cache-Control: no-store}{Content-Type: application/json}{Date: Mon, 23 Sep 2019 17:03:54 GMT}{Content-Length: 197}
2019.09.23 17:03:54 DEBUG web[AW1e/gXPPr9iPlvgAAGW][c.r.s.a.o.OpenShiftIdentityProvider] Roles []

When I tried to post the SAR json from the logs using postman I get this response:

{
  "kind": "SubjectAccessReviewResponse",
  "apiVersion": "v1",
  "namespace": "sonarqube",
  "allowed": false,
  "reason": "User \"developer\" cannot \"admin\" \"sonarqube\" with name \"\" in project \"sonarqube\""
}
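The following is an added example, not the plugin's code, that rebuilds the SubjectAccessReview exchange from the DEBUG log above: it serializes the three SAR bodies the plugin logs (verbs admin, edit and view on resource "sonarqube"), sends them through a caller-supplied post function, and maps the answers to Sonarqube roles. The verb-to-role table is an assumption for illustration, and review_targets_bearer flags the condition visible in the log, where user and groups are both empty.

```python
"""Rebuild the legacy OpenShift SubjectAccessReview exchange from the log.

Added example, not the plugin's findUserRoles.  Assumptions: VERB_TO_ROLE
is an illustrative mapping, and `post` is any callable that sends the body
to the given path with the bearer token and returns the decoded response.
"""
import json
from typing import Callable, Dict, List, Optional

SAR_PATH = "/oapi/v1/subjectaccessreviews"  # path seen in the log above
# Assumed mapping of an allowed verb to a Sonarqube group (not from the page).
VERB_TO_ROLE = {"admin": "sonar-administrators",
                "edit": "sonar-users", "view": "sonar-users"}


def sar_body(namespace: str, verb: str, resource: str,
             user: str = "", groups: Optional[List[str]] = None) -> str:
    """Serialize a SubjectAccessReview field-for-field as the plugin logs it."""
    body = {
        "kind": "SubjectAccessReview", "apiVersion": "v1",
        "namespace": namespace, "verb": verb,
        "resourceAPIGroup": "", "resourceAPIVersion": "",
        "resource": resource, "resourceName": "",
        "user": user, "groups": list(groups or []), "scopes": [],
    }
    # Compact separators reproduce the logged Content-Length (208 for "admin").
    return json.dumps(body, separators=(",", ":"))


def review_targets_bearer(body: str) -> bool:
    """True when user and groups are both empty.

    OpenShift then evaluates the review for the caller presenting the
    Authorization token rather than for the user who logged in, which is
    what the log above shows ("user":"", "groups":[]).
    """
    b = json.loads(body)
    return not b.get("user") and not b.get("groups")


def find_user_roles(post: Callable[[str, str], Dict], namespace: str,
                    user: str, groups: List[str]) -> List[str]:
    """Ask admin/edit/view for `user` and return the Sonarqube roles granted."""
    roles: List[str] = []
    for verb, role in VERB_TO_ROLE.items():
        body = sar_body(namespace, verb, "sonarqube", user, groups)
        resp = post(SAR_PATH, body)
        if resp.get("allowed") and role not in roles:
            roles.append(role)
    return roles
```

A real caller would pass a post function that performs the HTTPS request against kubernetes.service; the test below substitutes a constructed responder.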
