how to get xGerritAuth from http response in 2.8.5


Mike Watson

Mar 2, 2015, 11:36:16 AM
to repo-d...@googlegroups.com
Hi,

I am a bit of a newbie when it comes to Gerrit.
I am using python scripts running from a shell to run commands against a gerrit server for testing purposes.
In Gerrit 2.4, when getting a response from an HTTP login request to the Gerrit server, the xsrfToken would be returned with a value.
In Gerrit 2.8.5 (and other versions > 2.4), the xsrfToken was replaced by xGerritAuth...from what I can tell.
However, when sending HTTP login requests to the Gerrit 2.8.5 server, the response does not include the xGerritAuth key/value pair. In the Gerrit UI (2.8.5), I can see the xGerritAuth key/value pair (view source code of UI).
Can anyone tell me if there is a way to get this value in the response?

thx
-mike

Shawn Pearce

Mar 2, 2015, 12:00:55 PM
to Mike Watson, repo-discuss
For automation you shouldn't need the xGerritAuth or xsrfToken.

Instead use HTTP digest authentication with the HTTP password for the account by prefixing all REST APIs with "/a/", e.g. "/a/changes/". The server will accept digest authentication instead of requiring the XSRF protection token.

xGerritAuth/xsrfToken is only required when using cookies that might be from an interactive browser session. It's there to prevent rogue JavaScript on the web blindly submitting forms to your Gerrit server hoping to cause a state change with the browser's credentials.
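A worked example of the digest exchange described above, added here in Python for this page; it is not Gerrit's code and not the load-test scripts under discussion. It computes the RFC 2617 `response` value by hand so it is visible what the client sends after the first 401, strips the `)]}'` XSSI guard that Gerrit puts in front of every REST JSON body, and wraps the standard-library `HTTPDigestAuthHandler` for real use against `/a/projects/`. The server name, account name and HTTP password are placeholders; the challenge and the expected hash in the test are RFC 2617's own worked example.

```python
import hashlib
import json
import re
import secrets
import urllib.request

# Gerrit prefixes every REST JSON body with this line to defeat XSSI.
XSSI_PREFIX = ")]}'"


def parse_www_authenticate(header):
    """Parse a 'Digest realm="...", nonce="...", qop="auth"' challenge.

    Returns the challenge parameters as a dict keyed by lower-case name.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % scheme)
    challenge = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        name, quoted, bare = m.groups()
        challenge[name.lower()] = quoted if quoted is not None else bare
    return challenge


def _h(*parts):
    # RFC 2617 H(): MD5 over the colon-joined fields, hex encoded.
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_response(username, password, method, uri, challenge,
                    nc="00000001", cnonce=None):
    """Compute the RFC 2617 'response' value for one request.

    The password itself is never sent; only MD5(user:realm:password)
    mixed with the server nonce (and, with qop=auth, a client nonce and
    request counter) goes on the wire.  Returns (response_hex, cnonce).
    """
    ha1 = _h(username, challenge["realm"], password)
    ha2 = _h(method.upper(), uri)
    qop = challenge.get("qop")
    if qop is None:
        # Legacy RFC 2069 form: no client nonce, no request counter.
        return _h(ha1, challenge["nonce"], ha2), None
    if "auth" not in [q.strip() for q in qop.split(",")]:
        raise ValueError("server offers unsupported qop: %s" % qop)
    if cnonce is None:
        cnonce = secrets.token_hex(8)
    return _h(ha1, challenge["nonce"], nc, cnonce, "auth", ha2), cnonce


def digest_authorization(username, password, method, uri, challenge,
                         nc="00000001", cnonce=None):
    """Build the Authorization header for the second round trip."""
    response, cnonce = digest_response(username, password, method, uri,
                                       challenge, nc, cnonce)
    fields = [("username", username), ("realm", challenge["realm"]),
              ("nonce", challenge["nonce"]), ("uri", uri)]
    if cnonce is not None:
        fields += [("qop", "auth"), ("nc", nc), ("cnonce", cnonce)]
    fields.append(("response", response))
    if "opaque" in challenge:
        fields.append(("opaque", challenge["opaque"]))
    # qop and nc are sent unquoted; every other value is a quoted-string.
    rendered = ['%s=%s' % (k, v) if k in ("qop", "nc") else '%s="%s"' % (k, v)
                for k, v in fields]
    return "Digest " + ", ".join(rendered)


def decode_gerrit_json(body):
    """Strip the )]}' XSSI guard and parse the JSON that follows."""
    text = body.decode("utf-8") if isinstance(body, bytes) else body
    if not text.startswith(XSSI_PREFIX):
        # An HTML login page or error text, not a REST response.
        raise ValueError("response does not look like Gerrit REST JSON")
    return json.loads(text[len(XSSI_PREFIX):])


def list_projects(base_url, username, http_password):
    """GET /a/projects/ with digest auth; urllib does the 401 round trip.

    base_url, username and http_password are placeholders supplied by
    the caller, e.g. list_projects("http://gerrit.example", "mike", "...").
    """
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, username, http_password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(mgr))
    with opener.open(base_url.rstrip("/") + "/a/projects/") as resp:
        return decode_gerrit_json(resp.read())
```

The stdlib handler (and `requests.auth.HTTPDigestAuth`) does the same arithmetic, so the hand-rolled version is there to show what actually crosses the wire. Two checks worth building into a load test: a body without the `)]}'` prefix is not a REST response, and a project list containing only what anonymous users can see means the credentials were not applied, whatever the status code was. Digest keeps the HTTP password off the wire but is MD5-based and does not protect the rest of the request; later Gerrit releases dropped it in favour of HTTP basic auth on `/a/`, which must only ever be sent over TLS.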

Mike Watson

Mar 2, 2015, 12:06:15 PM
to repo-d...@googlegroups.com, mike.a...@gmail.com
Thanks a lot Shawn!
-mike

Mike Watson

Mar 2, 2015, 2:02:39 PM
to repo-d...@googlegroups.com, mike.a...@gmail.com
Hi Shawn,

Thanks again for taking the time to help me.
A quick background on what I am doing....I am trying to port some load testing scripts that worked with 2.4 to work with 2.8.5.  The original developer was getting the xsrf token to pass into subsequent RPC calls to do actions on the gerrit server as a user.  From what I can tell, the passing in of the token was done to mimic the user experience in the UI (i.e. the user doesn't log in before every operation in the UI).

Our gerrit.config file has AUTH set for LDAP.

I set the http password in my settings on the target gerrit server.

I tried to use curl to list projects...using the digest authentication "/a"...

The command I used was curl -v --user "name:password" http://<gerrit-server>/a/projects/

But I get an "HTTP/1.1 401 Unauthorized" error.  Not sure if that is because the gerrit.config has AUTH set for LDAP? Or something else I don't have configured properly?

I appreciate any help you can offer.

thx
-mike

Shawn Pearce

Mar 2, 2015, 5:00:47 PM
to Mike Watson, repo-discuss
On Mon, Mar 2, 2015 at 11:02 AM, Mike Watson <mike.a...@gmail.com> wrote:
> Hi Shawn,
>
> Thanks again for taking the time to help me.
> A quick background on what I am doing....I am trying to port some load
> testing scripts that worked with 2.4 to work with 2.8.5. The original
> developer was getting the xsrf token to pass into subsequent RPC calls to do
> actions on the gerrit server as a user. From what I can tell, the passing
> in of the token was done to mimic the user experience in the UI (i.e. the
> user doesn't log in before every operation in the UI).

OK. I think the load test will produce the same results, but it is
different code paths.

The cookie path is doing user authentication based on an in-memory
cache of known good cookies associated to user accounts.
Authentication is just looking that up and then comparing the XSRF
token from a special HTTP header also matches up.

Digest password based authentication requires an extra HTTP round trip
to bootstrap the authentication string that appears in the
Authorization header. The string is checked against a database record
that is cached in memory.


As for pulling the XSRF token out of the page, you have to load "/"
using a valid cookie and then pull out the <script> block and parse
the token from it. You need a regex against the HTML like:

/gerrit_hostpagedata\.xGerritAuth="(.*?)"/



> Our gerrit.config file has AUTH set for LDAP.
>
> I set the http password in my settings on the target gerrit server.
>
> I tried to use curl to list projects...using the digest authentication
> "/a"...
>
> The command I used was curl -v --user "name:password"
> http://<gerrit-server>/a/projects/
>
> But I get an "HTTP/1.1 401 Unauthorized" error. Not sure if that is because
> the gerrit.config has AUTH set for LDAP? Or something else I don't have
> configured properly?

Try adding --anyauth to the curl line.

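To illustrate the cookie path described in the reply above, an added Python example that is neither Gerrit's code nor the original load-test script: it pulls the token out of a constructed copy of the host page with the regex given above, builds the headers a script has to send to act like the browser, and models the server-side comparison between the token bound to the session cookie and the one arriving in the header. The header name `X-Gerrit-Auth` is an assumption about this Gerrit version, the `XsrfGuard` class is a toy model of the check rather than Gerrit's implementation, and the HTML and cookie values are constructed samples.

```python
import hmac
import re
import secrets

# Regex from the reply above: the host page embeds the token in a <script>
# block as gerrit_hostpagedata.xGerritAuth="...".
XGERRIT_AUTH_RE = re.compile(r'gerrit_hostpagedata\.xGerritAuth="(.*?)"')

# Header the UI sends the token in; assumed here, verify for your version.
XSRF_HEADER = "X-Gerrit-Auth"


def extract_xgerrit_auth(html):
    """Return the XSRF token embedded in the host page, or None."""
    m = XGERRIT_AUTH_RE.search(html)
    return m.group(1) if m else None


def cookie_request_headers(session_cookie, token):
    """Headers a script must send to look like the browser UI."""
    return {"Cookie": session_cookie, XSRF_HEADER: token}


class XsrfGuard:
    """Toy model of the server-side check (not Gerrit's code).

    Each logged-in session gets a random token tied to its cookie.  A
    request is accepted only if the token in the special header matches
    the one bound to the cookie.  A cross-site form post carries the
    cookie automatically but can neither read the token nor set the header.
    """

    def __init__(self):
        self._tokens = {}  # cookie value -> xsrf token

    def login(self, cookie):
        token = secrets.token_hex(16)
        self._tokens[cookie] = token
        return token

    def host_page(self, cookie):
        # Constructed stand-in for what "/" returns to this session.
        token = self._tokens.get(cookie, "")
        return ('<html><head><script>var gerrit_hostpagedata={};'
                'gerrit_hostpagedata.xGerritAuth="%s";</script></head>'
                '<body></body></html>' % token)

    def authorize(self, headers):
        """True only with a known cookie *and* a matching header token."""
        expected = self._tokens.get(headers.get("Cookie", ""))
        presented = headers.get(XSRF_HEADER)
        if expected is None or presented is None:
            return False
        # Constant-time compare so the check does not leak the token.
        return hmac.compare_digest(expected, presented)
```

For a load test this is the flow to reproduce per simulated user: log in once to obtain the cookie, fetch "/" with that cookie, run the regex over the HTML, then send the token in the header on every later RPC. The token is per session, so a script that reuses one token across users, or keeps using it after the session expires, will see the same rejections a forged cross-site request gets.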
Mike Watson

Mar 3, 2015, 1:05:05 PM
to Shawn Pearce, repo-discuss
Okay, thanks again Shawn. I still have some figuring out to do....changing the login call in the python class from using /gerrit/rpc/UserPassAuthService to use just /login/.

I didn't have a lot of luck trying to get curl to work with the --anyauth switch. I get a 403 forbidden error...which docs indicate is a permissions issue...unless the 403 forbidden catches more than just permissions issues?  I have admin privileges....so I am not sure why it is complaining.  I am just doing a simple list projects call using curl....only getting the anonymous projects...it is like it doesn't take my --user values (username and http password as set in gerrit settings in UI).

If you think of anything else that might be helpful, I would appreciate it.  When I get this figured out, I will let you know what I found out.

thx
-mike

Edwin Kempin

Mar 5, 2015, 10:35:44 AM
to Mike Watson, Shawn Pearce, repo-discuss
2015-03-03 19:04 GMT+01:00 Mike Watson <mike.a...@gmail.com>:
> Okay, thanks again Shawn. I still have some figuring out to do....changing the login call in the python class from using /gerrit/rpc/UserPassAuthService to use just /login/.
>
> I didn't have a lot of luck trying to get curl to work with the --anyauth switch. I get a 403 forbidden error...which docs indicate is a permissions issue...unless the 403 forbidden catches more than just permissions issues?  I have admin privileges....so I am not sure why it is complaining.
>
> I am just doing a simple list projects call using curl....only getting the anonymous projects...
Is this a call against the REST API?
If yes, does your URL contain the '/a/' path as described in [1]?

[1] https://gerrit-review.googlesource.com/Documentation/rest-api.html#authentication

Mike Watson

Mar 5, 2015, 11:20:29 AM
to Edwin Kempin, Shawn Pearce, repo-discuss
I finally got it working...that is, using cURL to list projects using the --digest switch.  The issue was with the version of cURL I was using...the same curl command ran fine on a different curl version and returned all the projects. Thanks!