GitHub authentication with Gerrit


Mike Worster

Aug 18, 2015, 4:50:56 PM
to Repo and Gerrit Discussion
I am trying to get a Gerrit server setup using the authentication from a local Enterprise GitHub server and I'm running into issues. I've read to do this I need a few plugins to get the OAuth setup, and also that I need to build these from source.

I've tried a number of different sites with slightly different information, but so far they've all ended up the same results... build failure. I've never set anything like this up before, only briefly used Apache, and never used maven or done any sort of web administration so there is a good chance I'm missing something obvious, but I just don't know what to look for.

The most recent tutorial I was trying to follow was here: https://www.packtpub.com/books/content/using-gerrit-github

The log of my efforts is attached, the instructions seemed pretty simple: clone, enter the directory, build. So I did:

mworster@npusdbnpbld01v:~/github$ git clone https://gerrit.googlesource.com/plugins/github
Cloning into 'github'...
remote: Total 3014 (delta 635), reused 3014 (delta 635)
Receiving objects: 100% (3014/3014), 1.01 MiB | 1.68 MiB/s, done.
Resolving deltas: 100% (635/635), done.
mworster@npusdbnpbld01v:~/github$ cd github/
mworster@npusdbnpbld01v:~/github/github$ mvn install

it downloaded a lot of packages, I noticed one checksum error:

Downloading: http://gerritforge.com/snapshot//com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.pom
1K downloaded  (gerrit-plugin-api-2.12-SNAPSHOT.pom)
[WARNING] *** CHECKSUM FAILED - Error retrieving checksum file for com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.pom - IGNORING


There were a couple of warnings thrown and a whole slew of errors. Some of them tied to the incorrectly downloaded plugins:

[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] error reading /home/mworster/.m2/repository/com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.jar; error in opening zip file
[ERROR] error reading /home/mworster/.m2/repository/com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.jar; error in opening zip file
[ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java:[19,30] cannot find symbol
  symbol:   class MoreObjects
  location: package com.google.common.base
[ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java:[23,40] package com.google.gerrit.server.account does not exist
[ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthProtocol.java:[7,23] package com.google.gson does not exist
[ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthProtocol.java:[40,47] package com.google.gerrit.extensions.auth.oauth does not exist
[ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthProtocol.java:[41,47] package com.google.gerrit.extensions.auth.oauth does not exist
...

I did some searching on various errors here, but there are suggestions about having maven clean or manually cleaning the .m2 directory, both of which do nothing. Other suggestions I found suggested downloading the precompiled files, but I can't seem to find any.

I'm thinking my issue is the .pom file which didn't meet the checksum test, that doesn't seem kosher to me... but I could be off basis.

Does anyone with more experience have a better answer? Or a better set of instructions?

-Mike

mworster@npusdbnpbld01v:~/github/github$ java -version
java version "1.7.0_79"
OpenJDK Runtime Environment (IcedTea 2.5.6) (7u79-2.5.6-0ubuntu1.12.04.1)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
mworster@npusdbnpbld01v:~/github/github$ javac -version
javac 1.7.0_79
mworster@npusdbnpbld01v:~/github/github$ mvn -version
Apache Maven 2.2.1 (rdebian-8)
Java version: 1.7.0_79
Java home: /usr/lib/jvm/java-7-openjdk-amd64/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux" version: "3.13.0-32-generic" arch: "amd64" Family: "unix"



gerrit_git_api_log.txt

Luca Milanesio

Aug 18, 2015, 5:16:23 PM
to Mike Worster, Repo and Gerrit Discussion
Hi Mike,
the article you mentioned was based on Gerrit 2.7 … whilst you are building against Gerrit 2.12, but instructions are pretty much the same :-)

See my comments below.


On 18 Aug 2015, at 21:13, Mike Worster <mike.w...@gmail.com> wrote:

> I am trying to get a Gerrit server setup using the authentication from a local Enterprise GitHub server and I'm running into issues. I've read to do this I need a few plugins to get the OAuth setup,

OK, you have two choices here:

> and also that I need to build these from source.

No problem, however you can get the pre-built plugin from:

> I've tried a number of different sites with slightly different information, but so far they've all ended up the same results... build failure.

Which sites? Can you give us the URLs?

> I've never set anything like this up before, only briefly used Apache, and never used maven or done any sort of web administration so there is a good chance I'm missing something obvious, but I just don't know what to look for.

This is a bit of a problem: if you are not familiar with Gerrit or plugins build, you are better to use a pre-built artifact IMHO :-)

> The most recent tutorial I was trying to follow was here: https://www.packtpub.com/books/content/using-gerrit-github

That is the original one associated to Gerrit 2.7 (a bit old I would say).

> The log of my efforts is attached, the instructions seemed pretty simple: clone, enter the directory, build. So I did:
>
> mworster@npusdbnpbld01v:~/github$ git clone https://gerrit.googlesource.com/plugins/github
> Cloning into 'github'...
> remote: Total 3014 (delta 635), reused 3014 (delta 635)
> Receiving objects: 100% (3014/3014), 1.01 MiB | 1.68 MiB/s, done.
> Resolving deltas: 100% (635/635), done.
> mworster@npusdbnpbld01v:~/github$ cd github/
> mworster@npusdbnpbld01v:~/github/github$ mvn install
>
> it downloaded a lot of packages, I noticed one checksum error:
>
> Downloading: http://gerritforge.com/snapshot//com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.pom
> 1K downloaded  (gerrit-plugin-api-2.12-SNAPSHOT.pom)
> [WARNING] *** CHECKSUM FAILED - Error retrieving checksum file for com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.pom - IGNORING

This is nothing major: the master branch points to Gerrit API “snapshot” and thus they don’t have a checksum file associated.

> There were a couple of warnings thrown and a whole slew of errors. Some of them tied to the incorrectly downloaded plugins:
>
> [ERROR] COMPILATION ERROR :
> [INFO] -------------------------------------------------------------
> [ERROR] error reading /home/mworster/.m2/repository/com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.jar; error in opening zip file
> [ERROR] error reading /home/mworster/.m2/repository/com/google/gerrit/gerrit-plugin-api/2.12-SNAPSHOT/gerrit-plugin-api-2.12-SNAPSHOT.jar; error in opening zip file

This is very serious: your download actually failed :-(
Are you behind a firewall?

> [ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java:[19,30] cannot find symbol
>   symbol:   class MoreObjects
>   location: package com.google.common.base
> [ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java:[23,40] package com.google.gerrit.server.account does not exist
> [ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthProtocol.java:[7,23] package com.google.gson does not exist
> [ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthProtocol.java:[40,47] package com.google.gerrit.extensions.auth.oauth does not exist
> [ERROR] /home/mworster/github/github/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthProtocol.java:[41,47] package com.google.gerrit.extensions.auth.oauth does not exist
> ...

If you failed to download the Gerrit plugin APIs … then obviously everything else will fail as well.

> I did some searching on various errors here, but there are suggestions about having maven clean or manually cleaning the .m2 directory, both of which do nothing. Other suggestions I found suggested downloading the precompiled files, but I can't seem to find any.

See the link I mentioned previously.

> I'm thinking my issue is the .pom file which didn't meet the checksum test, that doesn't seem kosher to me... but I could be off basis.
>
> Does anyone with more experience have a better answer? Or a better set of instructions?
>
> -Mike
>
> mworster@npusdbnpbld01v:~/github/github$ java -version
> java version "1.7.0_79"
> OpenJDK Runtime Environment (IcedTea 2.5.6) (7u79-2.5.6-0ubuntu1.12.04.1)
> OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
> mworster@npusdbnpbld01v:~/github/github$ javac -version
> javac 1.7.0_79
> mworster@npusdbnpbld01v:~/github/github$ mvn -version
> Apache Maven 2.2.1 (rdebian-8)
> Java version: 1.7.0_79
> Java home: /usr/lib/jvm/java-7-openjdk-amd64/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "linux" version: "3.13.0-32-generic" arch: "amd64" Family: "unix"





David Pursehouse

Aug 18, 2015, 5:22:01 PM
to Mike Worster, Repo and Gerrit Discussion

It looks like you're building the master branch of the plugin and it's using an incompatible build of the API snapshot.

The quick solution would be to check out the stable-2.11 branch and build that, which will use the official released API artifacts.

If you intentionally built master because you've installed gerrit built from master,  then you'll have to locally build the API with 'buck build api_install' in the gerrit source tree.


Luca Milanesio

Aug 18, 2015, 6:06:17 PM
to David Pursehouse, Mike Worster, Repo and Gerrit Discussion
But actually the 2.12-SNAPSHOT he is downloading *IS* the result of ‘buck build api_install’ automatically exported to www.gerritforge.com/snapshot.
The problem is that the .jar file download failed in his case (firewall / proxy problem?) and thus the API dependencies have not been resolved.

Using a stable release as you suggested is even better though :-)

Luca.
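
A check for the failure diagnosed in this reply, where a blocked download leaves something other than an archive under a .jar name in the local Maven repository. This is an added example, not part of the thread or of Gerrit's build; the sample repository, the artifact names and the function names are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def check_artifact(jar: Path) -> str:
    """Classify one downloaded jar as corrupt, checksum-mismatch, unverified or ok."""
    # An HTML error page or truncated body saved under a .jar name is not a zip
    # archive; javac reports it as "error in opening zip file".
    if not zipfile.is_zipfile(jar):
        return "corrupt"
    with zipfile.ZipFile(jar) as zf:
        if zf.testzip() is not None:  # name of the first member failing its CRC
            return "corrupt"
    # Maven keeps the repository's checksum beside the artifact as <name>.sha1.
    # It catches transfer damage only: it comes from the same server as the jar.
    sidecar = jar.with_name(jar.name + ".sha1")
    tokens = sidecar.read_text().split() if sidecar.exists() else []
    if not tokens:
        return "unverified"  # no checksum was retrieved for this artifact
    actual = hashlib.sha1(jar.read_bytes()).hexdigest()
    return "ok" if tokens[0].lower() == actual else "checksum-mismatch"


def scan_repo(root: Path) -> dict:
    """Map each jar under root (relative POSIX path) to its status."""
    return {j.relative_to(root).as_posix(): check_artifact(j)
            for j in sorted(root.rglob("*.jar"))}


def build_sample_repo(root: Path) -> None:
    """Constructed sample data: four jars, one per status."""
    def write_jar(rel: str) -> Path:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return path

    good = write_jar("org/example/good/1.0/good-1.0.jar")
    Path(str(good) + ".sha1").write_text(hashlib.sha1(good.read_bytes()).hexdigest())

    # Snapshot published without a checksum file.
    write_jar("org/example/nosum/1.0-SNAPSHOT/nosum-1.0-SNAPSHOT.jar")

    # Valid archive whose sidecar checksum does not match its bytes.
    stale = write_jar("org/example/stale/1.0/stale-1.0.jar")
    Path(str(stale) + ".sha1").write_text("0" * 40 + "  stale-1.0.jar\n")

    # What a filtering proxy can leave behind: an error page named like a jar.
    blocked = root / "org/example/blocked/1.0-SNAPSHOT/blocked-1.0-SNAPSHOT.jar"
    blocked.parent.mkdir(parents=True)
    blocked.write_text("<html><body>Access denied by proxy</body></html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(Path(tmp))
        for name, status in scan_repo(Path(tmp)).items():
            print(f"{status:18} {name}")
```

Pointing `scan_repo` at a real `~/.m2/repository` lists the artifacts that need to be deleted and fetched again before the build is retried.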

Mike Worster

Aug 18, 2015, 10:07:38 PM
to Repo and Gerrit Discussion, mike.w...@gmail.com
Luca,

    Looks like you're correct, firewall is the problem. That's fine, if I don't need to build them if I can just grab them prebuilt from the site. (Thanks for the link!)

    So I grabbed the .jar files and placed them in /lib and /plugin as per the tutorial I linked to earlier. Once that was done I stopped gerrit, ran the init with the new values, then attempted to start it again but then it came back with a failure:

mworster@npusdbnpbld01v:/opt/gerrit2/review_site$ sudo ./bin/gerrit.sh start
Starting Gerrit Code Review: FAILED

Checking the error log (attached) it appears something about the secret key wasn't liked:

Error injecting constructor, java.lang.NullPointerException: GitHub `clientSecret` must be provided

but when I check etc/secure.config it appears and is the same value as what is seen in GitHub:

mworster@npusdbnpbld01v:/opt/gerrit2/review_site/etc$ sudo cat secure.config
[auth]
        registerEmailPrivateKey = F9cqoYrb8....0mwsVTfHQLecSeo4A=
        restTokenPrivateKey = qbsDHSKk3E7b....DrdfJg/X9uuz8jjg=
[github]
        clientSecret = b82b6abb0f....111cb0982e

Any thoughts on why it's complaining?

Thanks.
-Mike
error_log.txt

David Pursehouse

Aug 18, 2015, 10:09:14 PM
to Luca Milanesio, Mike Worster, Repo and Gerrit Discussion
On 08/19/2015 07:06 AM, Luca Milanesio wrote:
> But actually the 2.12-SNAPSHOT he is downloading *IS* the result of
> ‘buck build api_install’ automatically exported to
> www.gerritforge.com/snapshot.
> The problem is that the .jar file download failed in his case (firewall
> / proxy problem?) and thus the API dependencies have not been resolved.
>

Yes, you're right. I missed that bit in the original mail and was
answering based on the "package does not exist" errors which usually
indicates building against an outdated API :)

> Using a stable release as you suggested is even better though :-)
>
> Luca.

Sébastien Douche

Aug 19, 2015, 3:55:31 AM
to repo-discuss
On Tue, 18 Aug 2015, at 23:16, Luca Milanesio wrote:
> OK, you have two choices here:
> - Gerrit GitHub plugin (https://gerrit.googlesource.com/plugins/github)
> - Gerrit OAuth plugin (https://github.com/davido/gerrit-oauth-provider)

Hi Luca,
GitHub Enterprise OAuth seems deprecated and removed soon[1], that's why
it's not activated on my GHE instance:

"Warning: Support for user authentication via GitHub OAuth will be
removed after November 2015. To prepare for this, you should plan to
implement a different authentication method. For more information, see
"Authenticating users to your GitHub Enterprise instance."

My GHE admin said to use oauth2 token (in header or in url as
parameters) or oauth2 client/secret. Is it possible with these plugins?

Thanks.


[1]
https://help.github.com/enterprise/2.3/admin/guides/user-management/using-github-oauth/

--
Sébastien Douche <s...@nmeos.net>
Twitter: @sdouche
http://douche.name

Luca Milanesio

Aug 19, 2015, 4:07:05 AM
to Sébastien Douche, repo-discuss
Hi Sebastien,
I think you misread the GHE documentation: they say that the “GitHub OAuth” will be removed as GHE authentication SSO method … but NOT that GHE will stop being an OAuth 2.0 provider :-)

Luca.

Sébastien Douche

Aug 19, 2015, 4:20:15 AM
to repo-d...@googlegroups.com
On Wed, 19 Aug 2015, at 10:06, Luca Milanesio wrote:
> Hi Sebastien,

Hi again

> I think you misread the GHE documentation: they say that the “GitHub
> OAuth” will be removed as GHE authentication SSO method … but NOT that
> GHE will stop being an OAuth 2.0 provider :-)

Sorry, I was not clear enough. I would say how to use GHE auth with
Oauth2 token or server/client? I tried w/o success. Can you paste a
correct gerrit.config?


Thanks.

Luca Milanesio

Aug 19, 2015, 4:29:23 AM
to Sébastien Douche, repo-d...@googlegroups.com

On 19 Aug 2015, at 09:20, Sébastien Douche <s...@nmeos.net> wrote:

> On Wed, 19 Aug 2015, at 10:06, Luca Milanesio wrote:
>> Hi Sebastien,
>
> Hi again
>
>> I think you misread the GHE documentation: they say that the “GitHub
>> OAuth” will be removed as GHE authentication SSO method … but NOT that
>> GHE will stop being an OAuth 2.0 provider :-)
>
> Sorry, I was not clear enough. I would say how to use GHE auth with
> Oauth2 token or server/client? I tried w/o success. Can you paste a
> correct gerrit.config?

You should simply follow the wizards steps during Gerrit init:

*** GitHub Integration
   *** 

   GitHub URL                     [https://mygithub.mydomain.com]: 
   GitHub API URL                 [https://api.mygithub.mydomain.com]: 

   NOTE: You might need to configure a proxy using http.proxy if you run Gerrit behind a firewall.

   *** GitHub OAuth registration and credentials
   *** 

   Register Gerrit as GitHub application on:

   Settings (assumed Gerrit URL: http://localhost:8080/)
   * Application name: Gerrit Code Review
   * Homepage URL: http://localhost:8080/
   * Authorization callback URL: http://localhost:8080/oauth

   After registration is complete, enter the generated OAuth credentials:
   GitHub Client ID               [1ebea047915210179cf5]: 
   ClientSecret                   []: f82c3f9b3802666f2adcc4c8cacfb164295b0a99
   confirm password : 
   HTTP Authentication Header     [GITHUB_USER]: 

HTH

Luca.



> Thanks.
>
> --
> Sébastien Douche <s...@nmeos.net>
> Twitter: @sdouche
> http://douche.name

Sébastien Douche

Aug 19, 2015, 4:55:12 AM
to repo-d...@googlegroups.com
On Wed, 19 Aug 2015, at 10:29, Luca Milanesio wrote:
>
> You should simply follow the wizards steps during Gerrit init:

The generated configuration tries to auth with GitHub.

gerrit.config:

[auth]
type = HTTP
httpHeader = GITHUB_USER
httpExternalIdHeader = GITHUB_OAUTH_TOKEN
loginUrl = /login
loginText = Sign-in with GitHub
registerPageUrl = "/#/register"

[github]
url = https://github.mycompany.com
apiUrl = https://github.mycompany.com/api/v3/
clientId = xxxxx

[httpd]
listenUrl = proxy-https://127.0.0.1:8080/
filterClass = com.googlesource.gerrit.plugins.github.oauth.OAuthFilter

error_log:

[2015-08-19 10:45:56,102] INFO com.google.gerrit.sshd.SshDaemon : Started Gerrit SSHD-CORE-0.14.0 on *:29418
[2015-08-19 10:45:56,106] INFO org.eclipse.jetty.server.Server : jetty-9.2.9.v20150224
[2015-08-19 10:45:56,559] INFO org.eclipse.jetty.server.handler.ContextHandler : Started o.e.j.s.ServletContextHandler@2ff7ba3c{/,file:/var/gerrit/tmp/gerrit_2421025033504077095_app/gerrit_war/,AVAILABLE}
[2015-08-19 10:45:56,563] INFO org.eclipse.jetty.server.ServerConnector : Started ServerConnector@39a9d31e{HTTP/1.1}{127.0.0.1:8080}
[2015-08-19 10:45:56,564] INFO org.eclipse.jetty.server.Server : Started @7048ms
[2015-08-19 10:45:56,565] INFO com.google.gerrit.pgm.Daemon : Gerrit Code Review 2.11.2 ready
[2015-08-19 10:46:05,573] WARN com.googlesource.gerrit.plugins.github.group.GitHubGroupsCache$OrganisationLoader : Cannot login to GitHub on behalf of 'sebastien.douche'
[2015-08-19 10:46:55,102] WARN org.eclipse.jetty.servlet.ServletHandler : /oauth
java.io.IOException: {"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
at org.kohsuke.github.Requester.handleApiError(Requester.java:440)

Luca Milanesio

Aug 19, 2015, 4:58:14 AM
to Sébastien Douche, repo-d...@googlegroups.com
It seems to be a GitHub error (not Gerrit or GitHub plugin):
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}

Luca.

Mike Worster

Aug 19, 2015, 8:19:51 AM
to Repo and Gerrit Discussion, mike.w...@gmail.com
Resolved my own issue with this thread: https://github.com/davido/gerrit-oauth-provider/issues/18

looks like "clientSecret" from secure.config has to be added to gerrit.config or it doesn't work.

-Mike

Sébastien Douche

Aug 19, 2015, 8:37:15 AM
to Luca Milanesio, repo-d...@googlegroups.com
On Wed, 19 Aug 2015, at 10:58, Luca Milanesio wrote:
> It seems to be a GitHub error (not Gerrit or GitHub plugin):
> {"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}

It's a github error 'cause GHE forwards credentials to GitHub. That's why
I try to set Gerrit to use GHE auth with Oauth2 token or server/client,
w/o success.

For example, this command works:
curl -X GET "https://github.mycomapny.com/api/v3/orgs/test/repos?access_token=474827b6888166bccbf7b9b7390beeb1165789034"

Luca Milanesio

Aug 19, 2015, 9:16:25 AM
to Mike Worster, Repo and Gerrit Discussion
Ah … you’re using the Gerrit OAuth provider and not the GitHub plugin :-)
With the GitHub plugin it would have worked, as I use the GerritServerConfig annotation, which includes the Secure config as well.

Luca.

Luca Milanesio

Aug 19, 2015, 9:28:34 AM
to Sébastien Douche, repo-d...@googlegroups.com
Hold on, I did not notice before this line:
[2015-08-19 10:46:05,573] WARN com.googlesource.gerrit.plugins.github.group.GitHubGroupsCache$OrganisationLoader : Cannot login to GitHub on behalf of 'sebastien.douche'

As you can see the “sebastien.douche” has been successfully authenticated :-) so it means that the plugin actually works!

The problem you see is the fetching of the GitHub Groups, which requires the Group Backend to have access to your GitHub organisation.
(read:org permission … A recent introduction on the GitHub APIs)

Have you tried adding READ_ORG to your authentication scope in gerrit.config?

Example:
[github]
        url = https://github.com
        scopes = USER_EMAIL,PUBLIC_REPO,READ_ORG

Additionally you need to make sure that the GitHub OAuth ID gets stored as extra external ID in Gerrit. Just add the following settings to your gerrit.config:

Example:
[auth]
        type = HTTP
        httpHeader = GITHUB_USER
        httpExternalIdHeader = GITHUB_OAUTH

HTH

Luca.

Mike Worster

Aug 19, 2015, 9:55:23 AM
to Repo and Gerrit Discussion, mike.w...@gmail.com
Gotcha, I didn't know there would be a big difference between the two in the configuration. Once that plugin is in place and the secret key was copied over, the gerrit page on my server now shows a "sign-in with GitHub" link at the top, but when I click it I get a page that says "Not Found"

The URL seems pretty clear that some URI is incorrect:


But I'm not seeing where that might be. Here's my gerrit.config file:

[gerrit]
        basePath = git
        canonicalWebUrl = http://npusdbnpbld01v.emrsn.org/
[database]
        type = mysql
        hostname = localhost
        database = gerritdb
        username = gerrit2
[index]
        type = LUCENE
[auth]
        trustedOpenID = https://www.google.com/accounts/o8/id?id=
        type = HTTP
        httpHeader = GITHUB_USER
        httpExternalIdHeader = GITHUB_OAUTH_TOKEN
        loginUrl = /login
        loginText = Sign-in with GitHub
        registerPageUrl = "/#/register"
        logoutUrl = /oauth/reset
[sendemail]
        smtpServer = localhost
[container]
        user = gerrit2
        javaHome = /usr/lib/jvm/java-7-openjdk-amd64/jre
[sshd]
        listenAddress = *:29418
[httpd]
        listenUrl = proxy-http://*:8081/
        filterClass = com.googlesource.gerrit.plugins.github.oauth.OAuthFilter
[cache]
        directory = cache
[github]
        url = https://npusgithub.emrsn.org/
        apiUrl = https://api.npusgithub.emrsn.org/
        clientId = 7d72....a7d49
        clientSecret = b82b6....0982e




The github url is the URL I use to directly access github, the apiURL is a text page of APIs. The canonicalWebUrl + the port number gets me to the Gerrit Page... so maybe it's just the loginURL/logoutURL but those came from the tutorial.

Any thoughts on why it's complaining?

-Mike

Luca Milanesio

Aug 19, 2015, 9:59:32 AM
to Mike Worster, Repo and Gerrit Discussion
Problem from GitHub: the URL you configured in GitHub Auth Application config does not match the Gerrit canonical URL.

Luca.


Sébastien Douche

Aug 19, 2015, 10:01:51 AM
to repo-d...@googlegroups.com
On Wed, 19 Aug 2015, at 15:27, Luca Milanesio wrote:
> Hold on, I did not notice before this line:
> The problem you see is the fetching of the GitHub Groups, which requires
> the Group Backend to have access to your GitHub organisation.
> (read:org permission … A recent introduction on the GitHub APIs)
>
> Have you tried adding READ_ORG to your authentication scope in
> gerrit.config?
>
> Example:
> [github]
> url = https://github.com
> scopes = USER_EMAIL,PUBLIC_REPO,READ_ORG

Again, I don't want to authenticate through GitHub, but only GHE. We
have not GitHub organization nor user accounts on GitHub.

Luca Milanesio

Aug 19, 2015, 10:05:38 AM
to Sébastien Douche, repo-d...@googlegroups.com
When I say “GitHub” I mean “your GitHub server”.
GHE and GitHub are the same piece of software … GHE is deployed “on premises” whilst GitHub is hosted on github.com.

That’s why a GHE plugin doesn’t exist and the GitHub plugin covers GHE as well.

Hope this clarifies.

Luca.

Mike Worster

Aug 19, 2015, 10:37:24 AM
to Repo and Gerrit Discussion, mike.w...@gmail.com
Ok, better, better. :-)

Based on advice from the tutorial:

I had a port number and /oauth on the end of the call back in GitHub, once I removed that it now let me go to the "authorize" screen. Typed in user name and password and now it 404's on the way back:

http://npusdbnpbld01v.emrsn.org/oauth?code=ab3f3744a2cd2fab62ab&state=jN0j85Sd_gtW5YNi5oF4Iz5Lmh4%3D%2C%2Flogin


Not Found

The requested URL /oauth was not found on this server.

Looks like it's still looking for the /oauth page. I updated the call back URL so it's not present anymore, but should it be? Is there some step I'm missing? So close now!

-Mike

Mike Worster

Aug 19, 2015, 2:31:00 PM
to Repo and Gerrit Discussion, mike.w...@gmail.com
I went through the init again and I found that it actually tells me to use the /oauth in there as well:

*** GitHub OAuth registration and credentials
***

Register Gerrit as GitHub application on:

* Application name: Gerrit Code Review
* Homepage URL: http://npusdbnpbld01v.emrsn.org/
* Authorization callback URL: http://npusdbnpbld01v.emrsn.org/oauth


After registration is complete, enter the generated OAuth credentials:
GitHub Client ID               [7d729dbab9b9a1ba7d49]:
Change GitHub Client Secret    [y/N]?
Gerrit OAuth implementation    [HTTP/?]:
HTTP Authentication Header     [GITHUB_USER]:

The settings exactly as they are don't seem to help the situation at all.

Luca Milanesio

Aug 19, 2015, 4:11:10 PM
to Mike Worster, Repo and Gerrit Discussion
I see you’re using a reverse proxy, maybe the problem is there with the 404 on the /oauth callback.

HTH

Luca.

Mike Worster

Aug 19, 2015, 4:27:02 PM
to Repo and Gerrit Discussion, mike.w...@gmail.com
Thanks for the input, and please excuse my ignorance on this topic, but if I am using a reverse proxy, how does that change anything in the setup?

I assume you're saying I'm on a reverse proxy because I'm accessing GitHub (on a remote machine) via a call to Gerrit (on a different remote machine) from my (third separate) computer. The only information I've found so far about setting up any sort of "proxy" has been to make sure `proxy-http` is set in the gerrit.config, which I have here:


[httpd]
        listenUrl = proxy-http://*:8081/
        filterClass = com.googlesource.gerrit.plugins.github.oauth.OAuthFilter

Is there anything else I'm missing here?

-Mike

Luca Milanesio

Aug 19, 2015, 4:31:03 PM
to Mike Worster, Repo and Gerrit Discussion
Hi Mike,
a reverse proxy changes as it introduces one extra hop.

Imagine that the reverse proxy settings have some problem (e.g. the /oauth path is not proxied for whatever reason) … then the calls to /oauth would not even reach Gerrit, isn’t it?
I would suggest you to investigate where the HTTP GET to /oauth returning 404 is actually failing.

P.S. GerritHub.io actually uses a reverse proxy for HTTPS termination (correctly configured) and is working fine :-)

HTH.

Luca.
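
A consistency check for the callback problems discussed in the last few messages, comparing the callback registered in GitHub with what gerrit.config implies. This is an added example, not code from the thread or from the GitHub plugin; the hostnames, the sample config and the function names are constructed, and the rule that the callback is the canonical URL plus /oauth is taken from the init wizard output quoted above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample in the shape of the gerrit.config posted in the thread.
SAMPLE_GERRIT_CONFIG = """\
[gerrit]
        canonicalWebUrl = http://gerrit.example.org/
[auth]
        type = HTTP
        httpHeader = GITHUB_USER
        loginUrl = /login
[httpd]
        listenUrl = proxy-http://*:8081/
        filterClass = com.googlesource.gerrit.plugins.github.oauth.OAuthFilter
[github]
        url = https://ghe.example.org/
"""


def parse_git_config(text):
    """Minimal git-config reader: {section: {key: value}}, names lower-cased."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            cfg[section][key.strip().lower()] = value.strip().strip('"')
    return cfg


def normalize(url):
    """Reduce a URL to (scheme, host, port, path) so equal spellings compare equal."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(),
            p.port or DEFAULT_PORTS.get(p.scheme), p.path.rstrip("/"))


def expected_callback(cfg):
    """Callback the init wizard prints: canonicalWebUrl followed by 'oauth'."""
    return cfg["gerrit"]["canonicalweburl"].rstrip("/") + "/oauth"


def audit(cfg, registered_callback):
    """Return (code, detail) findings for one config and one registered callback."""
    findings = []
    canonical = cfg["gerrit"]["canonicalweburl"]
    want = expected_callback(cfg)
    if normalize(registered_callback) != normalize(want):
        findings.append(("callback-mismatch",
                         f"GitHub has {registered_callback!r}, Gerrit expects {want!r}"))
    listen = cfg.get("httpd", {}).get("listenurl", "")
    if listen.startswith("proxy-"):
        # proxy-http/proxy-https: Gerrit is a backend behind a reverse proxy.
        listen_port = normalize(listen[len("proxy-"):])[2]
        public_port = normalize(canonical)[2]
        if listen_port != public_port:
            findings.append(("needs-reverse-proxy",
                             f"public port {public_port} must forward /oauth to "
                             f"Gerrit on port {listen_port}, or the redirect 404s"))
    if urlsplit(canonical).scheme != "https":
        findings.append(("plain-http-callback",
                         "the ?code= redirect back to Gerrit is sent in cleartext"))
    return findings


if __name__ == "__main__":
    cfg = parse_git_config(SAMPLE_GERRIT_CONFIG)
    for code, detail in audit(cfg, "http://gerrit.example.org:8081/oauth"):
        print(f"{code}: {detail}")
```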
