Custom auth


Dmytro Rodionov

Apr 7, 2024, 7:08:41 PM
to Repo and Gerrit Discussion
Good day, everyone

My company has a custom auth method that I wanted to implement in Gerrit as a plugin. This method relies on external validation of a token.
My initial approach was to implement a Filter that scans httpRequests for a certain header, passes it to an external validation authority, and, upon success, "authorizes" this request.
But after initial tests I understood that, although the Gerrit Web UI can use external auth (like the SAML plugin), REST API calls are not subject to such a thing.

Is there any way to tell the REST API that a certain request is, in fact, authorized?

Thank you

Dmytro Rodionov

Apr 8, 2024, 4:05:58 AM
to Repo and Gerrit Discussion
And, maybe, a more specific follow-up: is there a way to get the current WebSession in a Filter?

On Monday, April 8, 2024 at 01:08:41 UTC+2, Dmytro Rodionov wrote:

Sven Selberg

Apr 8, 2024, 4:24:28 AM
to Repo and Gerrit Discussion

Dmytro Rodionov

Apr 8, 2024, 5:22:38 AM
to Repo and Gerrit Discussion


On Monday, April 8, 2024 at 10:24:28 UTC+2, Sven Selberg wrote:

Haven't looked into it much myself, but my guess is that you would implement AuthBackend: https://cs.opensource.google/gerrit/gerrit/gerrit/+/master:java/com/google/gerrit/server/auth/AuthBackend.java

Are plugins able to register a custom AuthBackend?
Or is the only way to do it to modify Gerrit itself?

How does this class even work?
I don't see any usages of LdapAuthBackend anywhere in the Gerrit sources
 


/Sven
 

Thank you

Sven Selberg

Apr 8, 2024, 6:04:15 AM
to Repo and Gerrit Discussion
On Monday, April 8, 2024 at 11:22:38 AM UTC+2 Dmytro Rodionov wrote:


On Monday, April 8, 2024 at 10:24:28 UTC+2, Sven Selberg wrote:

Haven't looked into it much myself, but my guess is that you would implement AuthBackend: https://cs.opensource.google/gerrit/gerrit/gerrit/+/master:java/com/google/gerrit/server/auth/AuthBackend.java

Are plugins able to register a custom AuthBackend?

I'm really not the right person to ask since I haven't written such a plugin, but I believe so.
I think the LDAP and OAuth implementations are part of the Gerrit source simply because they are more common (correction?) and probably for historical reasons.
All that would be necessary (IIUC) is to bind the implementations for your auth-type (as is done in AuthModule for the auth-types defined in core Gerrit's source).

Or is the only way to do it to modify Gerrit itself?
 

How does this class even work?
I don't see any usages of LdapAuthBackend anywhere in the Gerrit sources

It is AuthModule that reads the configuration and binds the implementations based on which auth-type is configured.
 
 


/Sven
 

Thank you