Bug: New authorization plugins never actually let me log in


Chris Northwood

Jun 30, 2017, 12:16:23 PM
to go-cd
Hi there,

I'm the maintainer of the GoCD TLS Auth plugin, and I'm looking at migrating it to the new Authorization API, but I'm having some issues. Upon further digging, I can't appear to even get the bundled password file plugin to work, so I was hoping for someone to point out what I'm doing wrong.

To reproduce, I've got a little Vagrant machine running a fresh install of GoCD (the current Vagrant images are 16.10, so authorization plugins aren't supported).

* `vagrant up`
* Go into the authorization security configuration, and add an instance of the password file plugin, using the password file `/vagrant/apache-config/htpasswd`
* You now get a basic auth prompt, but if you ignore that and go to the login page, try logging in with username "root" and password "correct horse battery staple".
* You get bounced back to the login screen with no indication of what's gone wrong.

If you look in the logs, the only message that appears is:

```
2017-06-30 16:00:27,792  INFO [qtp1177096266-29] PasswordFilePlugin:52 - [Authenticate] Authenticating User: root using auth_config: password
2017-06-30 16:00:27,797  INFO [qtp1177096266-29] PasswordFilePlugin:52 - [Authenticate] User `root` successfully authenticated using auth config: password
```

However, I don't appear to actually have authenticated successfully.

If anyone could try reproducing to check I'm not going mad, or point to if I've made a mistake in the workflow, I'd greatly appreciate it!

Thanks,

Chris Northwood

Aravind SV

Jun 30, 2017, 1:17:49 PM
to go...@googlegroups.com
Hello Chris,

I tried it. It seems the password file is wrong.

```
root@ubuntu-xenial:/etc/go# htpasswd -n -s root
New password:
Re-type new password:
root:{SHA}q/eq1kOINtvlJqojGr3i0O73TUI=
```

Are you trying to use bcrypt? The password hash on this line seems to suggest that. Maybe something is broken in bcrypt support? I tried with the above line and it works.

Cheers,
Aravind


--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Aravind SV

Jun 30, 2017, 1:21:38 PM
to go...@googlegroups.com
No. bcrypt works too. This line works for me:

root:$2y$05$BMLeYLDu4vNKZdSYGb57kOOkUubAONhCpUivfZdw7K.nE7dEFPk7W
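
The two password-file lines posted above use different htpasswd schemes. The following is an added example (not code from this thread or from GoCD) that identifies the scheme of each `user:hash` line and verifies a password against a `{SHA}` entry; the function names are this example's own, and it makes no claim about which schemes the plugin accepts.

```python
import base64, hashlib, hmac, re

BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def classify(line):
    """Identify the hashing scheme of one `user:hash` htpasswd line."""
    user, sep, field = line.strip().partition(":")
    if not sep or not user or not field:
        raise ValueError("not a user:hash line")
    info = {"user": user, "scheme": "unknown", "salted": None}
    m = BCRYPT.match(field)
    if m:  # $2y$<two-digit cost>$<22-char salt><31-char hash>
        info.update(scheme="bcrypt", salted=True, cost=int(m.group(1)))
    elif field.startswith("{SHA}"):  # base64 of a bare SHA-1 digest, no salt
        digest = base64.b64decode(field[5:], validate=True)
        if len(digest) != 20:
            raise ValueError("{SHA} digest is not 20 bytes")
        info.update(scheme="sha1", salted=False)
    elif field.startswith("$apr1$"):  # Apache's salted MD5 variant
        info.update(scheme="apr1-md5", salted=True)
    return info

def verify_sha(password, field):
    """Check a password against a {SHA} field: base64(SHA-1(password))."""
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest("{SHA}" + expected, field)

def audit(text):
    """Classify every non-blank, non-comment line of a password file."""
    return [classify(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

# The two lines posted in this thread.
SAMPLE = """root:{SHA}q/eq1kOINtvlJqojGr3i0O73TUI=
root:$2y$05$BMLeYLDu4vNKZdSYGb57kOOkUubAONhCpUivfZdw7K.nE7dEFPk7W
"""
```

`audit(SAMPLE)` reports the first line as unsalted SHA-1 and the second as bcrypt with cost 5.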

Chris Northwood

Jun 30, 2017, 2:07:08 PM
to go...@googlegroups.com
Hmm, using SHA1 I got an error telling me it was unsupported and to migrate to SHA-1.

I notice my symptoms are the same as described in https://groups.google.com/forum/m/#!topic/go-cd/Qe_tEdgQhTg. Do you get the same issue originally though? I generated my hash using htpasswd -B. I shall try further next week.



Chris Northwood

Jun 30, 2017, 2:07:22 PM
to go...@googlegroups.com
Sorry, I mean migrate to bcrypt.

Aravind SV

Jun 30, 2017, 2:20:30 PM
to go...@googlegroups.com
I did use htpasswd -B too, inside the VM (vagrant ssh). I can try again next week too, if you want and if you're still facing this. Your setup is easy enough that I don't need to do much. :)

Chris Northwood

Jul 4, 2017, 9:47:30 AM
to go-cd
Hi Aravind,

I'm still having issues using the Vagrant box, and getting it set up with 17.7. When I try to create a pipeline (before adding the authorization plugin), I get a CSRF error. If I add the authorization plugin, I can never get past the login screen (similar to https://groups.google.com/forum/m/#!topic/go-cd/Qe_tEdgQhTg). I'm curious if there's any obvious environment issues between us, as the Vagrant box should give us the same environment :/ Alternatively, could the gocd demo Vagrant box get updated to the latest version of GoCD, so I can use that as a base instead of rolling my own?

Thanks
Ketan Padegaonkar

Jul 5, 2017, 6:40:33 AM
to go...@googlegroups.com
On Tue, Jul 4, 2017 at 7:17 PM Chris Northwood <cnort...@gmail.com> wrote:
> Hi Aravind,
>
> I'm still having issues using the Vagrant box, and getting it set up with 17.7. When I try to create a pipeline (before adding the authorization plugin), I get a CSRF error.

That's usually an indication that you have another server running on the same host but different ports causing all sorts of weirdness. Could you confirm that you only have one server running on "localhost", or whatever you're using for development?

> If I add the authorization plugin, I can never get past the login screen (similar to https://groups.google.com/forum/m/#!topic/go-cd/Qe_tEdgQhTg). I'm curious if there's any obvious environment issues between us, as the Vagrant box should give us the same environment :/ Alternatively, could the gocd demo Vagrant box get updated to the latest version of GoCD, so I can use that as a base instead of rolling my own?

What demo vagrant box are you referring to? We use the box built out of the Vagrantfile checked into the gocd repository. Alternatively:

```
docker run -it --rm -v $(pwd):/gocd -v $HOME/.gradle:/go/.gradle gocdcontrib/gocd-dev-build:v1.0.23 /bin/bash
```

The docker example is a lot easier to work with, since it involves not having to download and install stuff on a network. If you run that docker command in the directory containing your gocd source code, it's mounted in `/gocd` inside the docker container.

Ketan Padegaonkar

Jul 5, 2017, 6:43:14 AM
to go...@googlegroups.com
If all you want to do is quickly get a production-like server up and running with the least amount of fuss, I've provided an example here along with the config and password file.

Chris Northwood

Jul 5, 2017, 7:02:28 AM
to go...@googlegroups.com
Hi Ketan,

I was previously using this one: https://app.vagrantup.com/gocd/boxes/gocd-demo which I originally got from https://www.gocd.org/2015/08/05/Go-Sample-Virtualbox/ - however that box is an older version of Ubuntu that can't run the latest GoCD due to the Java 8 dependency.

I should only be running a single instance:

```
ubuntu@ubuntu-xenial:~$ ps aux | grep go
go        1323  0.0  0.1  47296  4656 ?        Ss   10:54   0:00 /lib/systemd/systemd --user
go        1327  0.0  0.0  63476  2124 ?        S    10:54   0:00 (sd-pam)
go        1367 71.4 22.2 3735732 899732 ?      Sl   10:54   0:45 java -server -Djava.security.egd=file:/dev/./urandom -Xms512m -Xmx1024m -XX:MaxMetaspaceSize=256m -Duser.language=en -Djruby.rack.request.size.threshold.bytes=30000000 -Duser.country=US -Dcruise.config.dir=/etc/go -Dcruise.config.file=/etc/go/cruise-config.xml -Dcruise.server.port=8153 -Dcruise.server.ssl.port=8154 -jar /usr/share/go-server/go.jar
go        1371  4.0  2.4 3440364 99820 ?       Sl   10:54   0:02 java -jar /usr/share/go-agent/agent-bootstrapper.jar -serverUrl https://127.0.0.1:8154/go
go        1803  187  4.3 2449576 177712 ?      Sl   10:55   0:01 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Dcruise.console.publish.interval=10 -Xms128m -Xmx256m -Djava.security.egd=file:/dev/./urandom -Dagent.plugins.md5=d972231b5a553fbf14f0939342257a59 -Dagent.binary.md5=PubINBE6cd1wLkXj8BvEcQ== -Dagent.launcher.md5=xt6jpMOq1AbvCqRWkaamCQ== -Dagent.tfs.md5=64stwdXndt019D6QtoWa6Q== -jar agent.jar -serverUrl https://127.0.0.1:8154/go -sslVerificationMode NONE
```

Confusingly, this never happens on prod, just the stripped down Vagrant box I'm using to try and create a minimal test case.

I'm not running the server on localhost, but on a Vagrant box, and then using the port forwarding feature, I'm unsure if that'll matter?

I note this issue also exists on GitHub issues: https://github.com/gocd/gocd/issues/3618 which suggests some environment issue to trigger this bug that we haven't figured out. Using incognito mode doesn't work for me, however...


Aravind SV

Jul 5, 2017, 4:48:01 PM
to go...@googlegroups.com
Hey Chris,

On Wed, Jul 5, 2017 at 7:02 AM, Chris Northwood <cnort...@gmail.com> wrote:
> I'm not running the server on localhost, but on a Vagrant box, and then using the port forwarding feature, I'm unsure if that'll matter?

It's probably related to that, somehow. How can I reproduce this setup? Can you provide more information? Is it a remote box that you're somehow connecting to?

Cheers,
Aravind

Chris Northwood

Jul 5, 2017, 5:38:43 PM
to go...@googlegroups.com
Hi Aravind,

It's the Vagrant box in this repo:
https://github.com/cnorthwood/gocd-tls-auth

You should just be able to vagrant up, and then hit http://localhost:8153
which is mapped through to the VM. I used the old gocd-demo Vagrantfile for
the config, but on top of Ubuntu Xenial to get Java 8 (there's some
additional stuff in there to get an Apache doing TLS client certificate
auth to support the dev of my plugin, but using port 8153 should bypass all
that).

Chris


Aravind SV

Jul 5, 2017, 6:57:53 PM
to go...@googlegroups.com
Hello Chris,

Ok. That's the same one I tried earlier. It still works for me. I've attached the full run log and all other logs, if it helps. What is the output of this command, for you?

```
$ curl -v 'http://localhost:8153/go/auth/security_check' -H 'Origin: http://localhost:8153' -H 'Content-Type: application/x-www-form-urlencoded' --data 'j_username=root&j_password=correct+horse+battery+staple'
*   Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 8153 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8153 (#0)
> POST /go/auth/security_check HTTP/1.1
> Host: localhost:8153
> User-Agent: curl/7.51.0
> Accept: */*
> Origin: http://localhost:8153
> Content-Type: application/x-www-form-urlencoded
> Connection: keep-alive
> Content-Length: 55
>
* upload completely sent off: 55 out of 55 bytes
< HTTP/1.1 302 Found
< Date: Wed, 05 Jul 2017 22:54:47 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: JSESSIONID=11ull5sun5gyw1wn0ikfb1thvu;Path=/go;Expires=Wed, 19-Jul-2017 22:54:47 GMT;HttpOnly
< Location: http://localhost:8153/go/
< Content-Length: 0
<
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
```

and, this one:

```
$ curl -v 'http://localhost:8153/go/auth/security_check' -H 'Origin: http://localhost:8153' -H 'Content-Type: application/x-www-form-urlencoded' --data 'j_username=root&j_password=WRONG'
*   Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 8153 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8153 (#0)
> POST /go/auth/security_check HTTP/1.1
> Host: localhost:8153
> User-Agent: curl/7.51.0
> Accept: */*
> Origin: http://localhost:8153
> Content-Type: application/x-www-form-urlencoded
> Connection: keep-alive
> Content-Length: 32
>
* upload completely sent off: 32 out of 32 bytes
< HTTP/1.1 302 Found
< Date: Wed, 05 Jul 2017 22:55:36 GMT
< Set-Cookie: JSESSIONID=1jd9v0tk1vz2b1ghkuanudcaep;Path=/go;Expires=Wed, 19-Jul-2017 22:55:36 GMT;HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost:8153/go/auth/login?login_error=1
< Content-Length: 0
<
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
```

Cheers,
Aravind


all_logs.zip
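
The two exchanges above, turned into a repeatable check (an added example, not code from this thread or from GoCD): it reads the `<` lines of `curl -v` output, decides from the `Location` header whether the server accepted the login, and tests whether the `JSESSIONID` cookie's scope covers the next URL. The function names are this example's own, and domain matching is deliberately left out.

```python
from urllib.parse import urlsplit

# Response lines copied from the two `curl -v` runs in this thread.
ACCEPTED = """< HTTP/1.1 302 Found
< Set-Cookie: JSESSIONID=11ull5sun5gyw1wn0ikfb1thvu;Path=/go;Expires=Wed, 19-Jul-2017 22:54:47 GMT;HttpOnly
< Location: http://localhost:8153/go/
<"""
REJECTED = """< HTTP/1.1 302 Found
< Set-Cookie: JSESSIONID=1jd9v0tk1vz2b1ghkuanudcaep;Path=/go;Expires=Wed, 19-Jul-2017 22:55:36 GMT;HttpOnly
< Location: http://localhost:8153/go/auth/login?login_error=1
<"""

def parse_response(curl_verbose):
    """Return (status, headers) from the '<' lines of `curl -v` output."""
    lines = [l[1:].strip() for l in curl_verbose.splitlines()
             if l.startswith("<") and l[1:].strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last header of a name wins
    return int(lines[0].split()[1]), headers

def parse_set_cookie(value):
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, v = part.partition("=")
        attrs[key.lower()] = v or True  # flag attributes such as HttpOnly
    return {"name": name, "value": val, "attrs": attrs}

def cookie_sent_to(cookie, url):
    """RFC 6265 path and Secure matching only; domain matching is omitted."""
    target = urlsplit(url)
    if cookie["attrs"].get("secure") and target.scheme != "https":
        return False
    path, req = cookie["attrs"].get("path", "/"), target.path or "/"
    return req == path or req.startswith(path.rstrip("/") + "/")

def triage(curl_verbose, next_url):
    """Classify a login response and check the cookie against the next URL."""
    status, headers = parse_response(curl_verbose)
    if status != 302 or "login_error=1" in urlsplit(headers.get("location", "")).query:
        return "rejected by server"
    if "set-cookie" not in headers:
        return "no session cookie issued"
    if not cookie_sent_to(parse_set_cookie(headers["set-cookie"]), next_url):
        return "cookie scope excludes next URL"
    return "server side ok"
```

If `triage` returns `server side ok` while a client still lands back on the login page, the remaining suspect is how that client stores or returns the cookie.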

Chris Northwood

Jul 6, 2017, 6:27:26 AM
to go...@googlegroups.com
Hi Aravind,

Running those curl commands gives the same behaviour as you show above. What
I see in Chrome is that once hitting /go I get redirected back to the login
page immediately. Confusingly, using Curl is fine, which led me to do some
digging... I can log in fine using an alternative browser (Firefox), and it
turns out Chrome refuses to accept cookies set on localhost! I'm guessing
you've been using something other than Chrome for your testing?

Glad that mystery is solved

Chris

Aravind SV

Jul 7, 2017, 7:46:45 AM
to go...@googlegroups.com
Hmm. I did use Chrome, though.