QualInsight / qualinsight-plugins-sonarqube-badges

Plugin for SonarQube that generates badges displaying information about a project's or view's quality.
GNU Lesser General Public License v3.0

Plugin can't work when SonarQube's "Force user authentication" option is set #15

Closed bellingard closed 8 years ago

bellingard commented 8 years ago

To easily reproduce:

The logs are clear:

2016.03.04 09:55:31 DEBUG web[c.q.p.s.s.i.QualityGateStatusRetriever] An error occurred while retrieving quality gate status for key 'org.sonarsource.sonarqube:sonarqube': {}
org.apache.http.client.ClientProtocolException: Unexpected response status: 401
    at com.qualinsight.plugins.sonarqube.status.internal.QualityGateStatusRetriever$1.handleResponse(QualityGateStatusRetriever.java:79) ~[qualinsight-sonarqube-status-1.1.1.jar:na]
    at com.qualinsight.plugins.sonarqube.status.internal.QualityGateStatusRetriever$1.handleResponse(QualityGateStatusRetriever.java:69) ~[qualinsight-sonarqube-status-1.1.1.jar:na]

This is because the WS of the plugin calls the server itself w/o passing credentials.

This limitation can be fixed when https://jira.sonarsource.com/browse/SONAR-6948 is implemented.

pawlakm commented 8 years ago

Thanks Fabrice. I'll wait for SONAR-6948 then.

Cheers,

pawlakm commented 8 years ago

SONAR-6948 is fixed, I'll try to use the new API.

pawlakm commented 8 years ago

Hi Fabrice,

I moved the SVG badges plugin to the sonar-ws client 5.5-RC1 API. All in all it works fine, I got rid of the internal HTTP-based calls to SQ's web services. However I still have the problem you mentioned.

When SQ is configured to "Force user authentication" it seems that my WS cannot be reached. I get the following error:

<error>
<code>401</code>
<msg>Unauthorized</msg>
</error>

However, I see that some SQ web services can be reached when "Force user authentication" is set. For instance "api/system/status". What can I do to make my WS available even if the "Force user authentication" option is set?

Thanks in advance.

Michel

PuKoren commented 8 years ago

I think you can generate a user token in sonarqube and use it in request headers as basic authentication.

http://docs.sonarqube.org/display/SONAR/User+Token

When invoking web services, just pass the token instead of your login when doing the basic authentication.

(I'm also interested by this feature)

bellingard commented 8 years ago

@pawlakm If "Force user authentication" is set, then there's no way someone should be able to call your WS anonymously - that'd be a security issue. So for me, everything looks good :+1:

pawlakm commented 8 years ago

@bellingard OK, thanks for your feedback. @PuKoren I'll have a look at it, thanks!

pawlakm commented 8 years ago

@PuKoren I generated a token but it doesn't seem to work when provided directly in the url.

PuKoren commented 8 years ago

@pawlakm Yes, it won't work in the URL, I tried that too. You have to put it in an HTTP header named Authorization with the value Basic base64("{token}:") (this is the basic auth protocol: the username is the token and the password is blank).

Unfortunately this is not as simple as passing a parameter in the URL (I would have loved it) and may require more dev.

pawlakm commented 8 years ago

@PuKoren an alternative would be to have the html img tag content populated using javascript / ajax. This way the HTTP header could be set, the svg image retrieved and badge displayed.

As it won't be possible to "fix" this behaviour directly in the plugin, I remove the milestone and change the issue type to "discussion".

m-ruhl commented 7 years ago

You can pass the API token in the URL like this: http(s)://<apiToken>@<serverBaseURL>/api/badges/gate?key=
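The two ways of presenting the token discussed above (the Authorization header PuKoren describes, and the userinfo form of the URL m-ruhl gives) are the same credential on the wire. The Python below is an added example, not code from the plugin or from anyone in this thread: it builds the `Basic base64("<token>:")` header, shows how a URL of the form `https://<token>@host/...` is split back into a clean URL plus that header (the translation a command-line client such as curl performs, and an `<img>` tag does not), and fetches the badge from the `/api/badges/gate?key=` endpoint quoted in the thread. The base URL and token are constructed placeholders, and `fake_forced_auth_server` is a simulated SonarQube with "Force user authentication" on, so the whole thing runs offline and reproduces the 401 body from the thread when the header is missing or wrong.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import unquote, urlencode, urlsplit, urlunsplit

# Constructed values for this example; not a real server or token.
EXAMPLE_BASE_URL = "https://sonar.example.org"
EXAMPLE_TOKEN = "squ_abc"


class BadgeAuthError(RuntimeError):
    """SonarQube answered 401: 'Force user authentication' is on and the
    request carried no (or a rejected) token."""


def token_basic_auth_header(token: str) -> str:
    """Basic auth as described in the thread: the token is the login and the
    password is empty, so the value is 'Basic ' + base64('<token>:')."""
    return "Basic " + base64.b64encode(f"{token}:".encode("utf-8")).decode("ascii")


def split_userinfo(url: str):
    """Rewrite 'https://<token>@host/...' into (clean_url, authorization_value).

    Clients such as curl do this with the userinfo part of a URL; an <img> tag
    on a README does not, and a token written into a page that way can be read
    by everyone who sees the page. Returns (url, None) when there is no userinfo.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    hostport = parts.netloc.rpartition("@")[2]  # everything after the last '@'
    clean = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return clean, token_basic_auth_header(unquote(parts.username))


def badge_request(base_url: str, project_key: str, token: str) -> urllib.request.Request:
    """Build the badge request with the token in the Authorization header.
    The endpoint path is the one quoted in the thread (/api/badges/gate?key=)."""
    url = f"{base_url.rstrip('/')}/api/badges/gate?{urlencode({'key': project_key})}"
    return urllib.request.Request(
        url,
        headers={
            "Authorization": token_basic_auth_header(token),
            "Accept": "image/svg+xml",
        },
    )


def urllib_send(req: urllib.request.Request):
    """Real transport returning (status, body); swap in a fake to run offline."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_badge(base_url: str, project_key: str, token: str, send=urllib_send) -> bytes:
    """Fetch the SVG badge, turning SonarQube's 401 into BadgeAuthError."""
    status, body = send(badge_request(base_url, project_key, token))
    if status == 401:
        raise BadgeAuthError("SonarQube rejected the request: check the token and 'Force user authentication'")
    if status != 200:
        raise RuntimeError(f"unexpected response status: {status}")
    return body


def fake_forced_auth_server(valid_token: str):
    """Simulated SonarQube with 'Force user authentication' enabled (constructed
    for this example): serves the badge only when the Authorization header
    carries the valid token, otherwise answers with the 401 body from the thread."""
    expected = token_basic_auth_header(valid_token)

    def send(req: urllib.request.Request):
        if req.get_header("Authorization") == expected:
            return 200, b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'
        return 401, b"<error><code>401</code><msg>Unauthorized</msg></error>"

    return send


if __name__ == "__main__":
    server = fake_forced_auth_server(EXAMPLE_TOKEN)
    key = "org.sonarsource.sonarqube:sonarqube"
    print(fetch_badge(EXAMPLE_BASE_URL, key, EXAMPLE_TOKEN, send=server)[:40])
    try:
        fetch_badge(EXAMPLE_BASE_URL, key, "wrong-token", send=server)
    except BadgeAuthError as err:
        print("rejected as expected:", err)
```

Against a real server, drop the `send=` argument so `urllib_send` is used. Note that the userinfo form only helps in clients that translate it into the header; wherever the badge URL is pasted as an image source, the token ends up in the page source, which is the exposure the rest of the thread is working around.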

lifeofguenter commented 7 years ago

Thanks @michary, that actually works pretty well! (except GitHub does not allow passing a username in the image URL)

emoshaya commented 7 years ago

has anyone managed to get this working for Github?

PuKoren commented 7 years ago

Nope, had to make our own proxy :/

emoshaya commented 7 years ago

Thanks @PuKoren. I don't understand how anyone is using this plugin... Surely most companies will have "Force user authentication" enabled.

avluis commented 7 years ago

@PuKoren Apologies for reviving this old issue, but do you mind detailing your steps getting a proxy setup running?
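PuKoren's answer to the GitHub problem was a proxy, and avluis asks how one is set up. The Python below is an added example of that approach, written for this page and not PuKoren's or the project's code: a small HTTP service that holds the SonarQube token server-side, accepts only a `key` parameter, validates it against a conservative character set before building any upstream request, calls the `/api/badges/gate?key=` endpoint quoted in the thread with the `Basic base64("<token>:")` header, and relays nothing but the SVG back. The base URL, token, listening port and key regex are assumptions for the example; the core function `proxy_badge` takes an injectable `send` so the behaviour (including the upstream 401 case) can be exercised without a server.

```python
import base64
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed deployment values, constructed for this example. In a real deployment
# load the token from the environment or a secret store; it never reaches a README.
SONAR_BASE_URL = "https://sonar.example.org"
SONAR_TOKEN = "squ_abc"
UPSTREAM_PATH = "/api/badges/gate"  # badge endpoint as quoted in the thread

# Assumption: a conservative charset for SonarQube project keys. Anything else is
# refused before a request is built, so the proxy cannot be steered to other paths.
KEY_RE = re.compile(r"[A-Za-z0-9_.:-]{1,200}")


def validate_key(key: str) -> bool:
    return KEY_RE.fullmatch(key or "") is not None


def build_upstream_request(key: str, base_url: str = SONAR_BASE_URL,
                           token: str = SONAR_TOKEN) -> urllib.request.Request:
    """Request to SonarQube for one badge, token carried as Basic auth (token:)."""
    url = f"{base_url.rstrip('/')}{UPSTREAM_PATH}?{urlencode({'key': key})}"
    auth = "Basic " + base64.b64encode(f"{token}:".encode("utf-8")).decode("ascii")
    return urllib.request.Request(url, headers={"Authorization": auth, "Accept": "image/svg+xml"})


def urllib_send(req: urllib.request.Request):
    """Real transport: (status, content_type, body)."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def proxy_badge(query_string: str, send=urllib_send):
    """Core logic, kept free of socket code so it can be tested offline.
    Returns (status, content_type, body) for the client."""
    key = parse_qs(query_string).get("key", [""])[0]
    if not validate_key(key):
        return 400, "text/plain", b"invalid project key"
    status, ctype, body = send(build_upstream_request(key))
    if status == 401:
        # Do not relay SonarQube's answer; the client learns only that the proxy failed.
        return 502, "text/plain", b"upstream authentication failed"
    looks_like_svg = "svg" in ctype or body.lstrip().startswith((b"<svg", b"<?xml"))
    if status != 200 or not looks_like_svg:
        return 502, "text/plain", b"upstream error"
    return 200, "image/svg+xml", body


class BadgeHandler(BaseHTTPRequestHandler):
    """GET /badge?key=<project key>  ->  SVG from SonarQube, token never leaves the proxy."""

    def do_GET(self):
        parts = urlsplit(self.path)
        if parts.path != "/badge":
            self.send_error(404)
            return
        status, ctype, body = proxy_badge(parts.query)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Cache-Control", "no-cache")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed listen address; put TLS and, if needed, network restrictions in front of it.
    HTTPServer(("127.0.0.1", 8080), BadgeHandler).serve_forever()
```

A README then embeds `https://<proxy host>/badge?key=org.sonarsource.sonarqube:sonarqube` with no credential in the URL. The trade-off is that anyone who can reach the proxy can fetch the badge of any project whose key passes the filter, so if some projects must stay private, tighten `validate_key` to an explicit allowlist or limit who can reach the proxy at the network level.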