SonarQubeCommunity / sonar-activedirectory

GNU Lesser General Public License v3.0

Fix compatibility with SonarQube 6.0 #9

Open julienlancelot opened 8 years ago

julienlancelot commented 8 years ago

The Active Directory plugin is not compatible with SonarQube 6.0, because it's using rails to authenticate (which is not part of the API), but now the authentication is done in Java (https://jira.sonarsource.com/browse/SONAR-7732).

In order to fix the compatibility, 2 solutions :

jheier commented 8 years ago

We are using SonarQube 6.0 and this plugin. It didn't work; see error message below. Not sure if the problem is in this plugin or in SonarQube. This is our SonarQube log (TRACE level):

TRACE web[sql] time=0ms | sql=SELECT t.* FROM (SELECT ROW_NUMBER() OVER(ORDER BY [groups].id) AS _row_num, * FROM [groups] WHERE ([groups].[name] = N'...')) AS t WHERE t._row_num BETWEEN 1 AND 1
TRACE web[sql] time=15ms | sql=UPDATE [users] SET [updated_at] = 1470426351864 WHERE [id] = N'3019'
DEBUG web[o.s.s.u.NewUserNotifier] User created: xxxx@xxxx. Notifying NewUserHandler handlers...
TRACE web[sql] time=0ms | sql=select u.login,u.name,u.email,u.active,u.scm_accounts,u.created_at,u.updated_at from users u where u.updated_at>? | params=1470426045520
TRACE web[es] ES refresh request on indices 'users' | time=94ms
ERROR web[rails] cannot load Java class org.sonar.server.user.RubyUserSession
DEBUG web[http] GET /active_directory/validate | time=2703ms
TRACE web[sql] time=31ms | sql=select version from schema_migrations
INFO app[o.s.p.m.Monitor] Process[ce] is up

MagnusTim commented 8 years ago

I have the same problem after upgrading to SonarQube 6.0, any news when this will be fixed?

drocx commented 8 years ago

We have the same problem after upgrading to SonarQube 6.0.

Login via Browser or TFS Build Agent (SonarQube Endpoint) no longer works.

This is our SonarQube Log File:

2016.08.09 08:58:43 INFO web[w.s.NegotiateSecurityFilter] successfully logged in user: DOMAIN\user
2016.08.09 08:58:43 ERROR web[rails] cannot load Java class org.sonar.server.user.RubyUserSession
2016.08.09 08:58:49 ERROR web[o.s.s.a.RealmAuthenticator] Error during authentication
org.sonar.api.server.authentication.UnauthorizedException: You can't sign up because email 'user@domain.xyz' is already used by an existing user. This means that you probably already registered with another account.
    at org.sonar.server.authentication.UserIdentityAuthenticator.registerNewUser(UserIdentityAuthenticator.java:87) ~[sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.UserIdentityAuthenticator.register(UserIdentityAuthenticator.java:74) ~[sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.UserIdentityAuthenticator.authenticate(UserIdentityAuthenticator.java:62) ~[sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.RealmAuthenticator.synchronize(RealmAuthenticator.java:118) [sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.RealmAuthenticator.doAuthenticate(RealmAuthenticator.java:98) [sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.RealmAuthenticator.authenticate(RealmAuthenticator.java:83) [sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:56) [sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.CredentialsAuthenticator.authenticate(CredentialsAuthenticator.java:45) [sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.ws.LoginAction.authenticate(LoginAction.java:91) [sonar-server-6.0.jar:na]
    at org.sonar.server.authentication.ws.LoginAction.doFilter(LoginAction.java:76) [sonar-server-6.0.jar:na]
    at org.sonar.server.platform.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:125) [sonar-server-6.0.jar:na]
    at org.sonar.server.platform.MasterServletFilter.doFilter(MasterServletFilter.java:94) [sonar-server-6.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:56) [sonar-server-6.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.sonar.server.platform.RoutesFilter.doFilter(RoutesFilter.java:55) [sonar-server-6.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.sonar.server.platform.ProfilingFilter.doFilter(ProfilingFilter.java:84) [sonar-server-6.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:191) [logback-access-1.1.3.jar:na]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_91]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_91]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.32.jar:8.0.32]
    at java.lang.Thread.run(Unknown Source) [na:1.8.0_91]

jabbera commented 8 years ago

Same issue here.

Jeffrey-Kleppinger-Imprivata commented 8 years ago

Same problem here.

julienlancelot commented 8 years ago

Hi guys,

I've created this ticket because this plugin is no longer compatible with SonarQube 6.0, so you don't need to add comments to say it's not working! This plugin is now managed by the community, but nobody has taken the lead of it for the moment.

As you all seem to use it, maybe one of you could become the lead developer of it? FYI, I will be happy to support you.

Regards

jabbera commented 8 years ago

@julienlancelot it's disappointing that this was portrayed as an officially supported product by the fact of being in the LDAP plugin. Then the decision was made to separate it out which I supported, but I didn't realize it was community supported. It's pretty sad considering all the work that's being done to support the Microsoft platform in general that its official authentication mechanism is left out to dry.

Also, I believe the sonarsource team did the surgery to separate out this plugin. Why would they build it on a platform that they knew was going away? (You guys have been killing RoR for many versions now.)

julienlancelot commented 8 years ago

@jabbera This plugin is only about using Active Directory as SSO. The sonar-ldap is still supporting Active Directory feature (search for Active Directory in the documentation).

drocx commented 8 years ago

@julienlancelot and @hamenon: I am also very disappointed. This Microsoft Post is not even a year old: Support for Active Directory and Single Sign On (SSO) in the SonarQube LDAP Plugin

It would have been nice if there had been a clear warning of Breaking Changes in the Release 6.0. First, the collation in MS SQL no longer works because the database default collation will not be considered and now SSO does not work anymore.

Working without SSO is not an option if you are used to the workflow in conjunction with the Team Foundation Server for our Product Manager.

Jeffrey-Kleppinger-Imprivata commented 8 years ago

I apologize in advance if I should be opening a Support case... just thought I'd start here with an interested group.

In SonarQube 5.6, I was using the AD SSO plugin; was very simple and worked great. Upgrade to 6.0 broke it.

I have been unable to get the LDAP plugin (2.0) working in SonarQube 5.6.1 or 6.0. Looks like some AD functionality was ripped out of the LDAP plugin. I have partial success with the 1.5.1 version of the LDAP plugin - users have to log in with fully qualified name (user@company), but it works, with only these lines of config:

sonar.security.realm=LDAP
ldap.realm=company.com

Does anyone have any tips for getting this working in LDAP plugin 2.0? Seems like an LDAP bind is always required, and I can't get that to succeed (though I'm using settings that are working fine in another product... (ahem) Coverity...).

Thanks for any insight you can share!

julienlancelot commented 8 years ago

@jkleppinger You must write to the SonarQube Google group.

McMatty commented 8 years ago

Just want to confirm - this is no longer supported. Or it's community supported with no one actively working on it? My own upgrade just went south with the collation issue & if this isn't being actively supported by the community I need to revert back to an older version.

jabbera commented 8 years ago

My understanding is this is now a community plugin that is unsupported with no maintainer. Even once the issue is fixed by removing the ruby code, SSO will not be possible. Users will have to click a link at the bottom of the login page.

To get SSO back I think we will need: https://jira.sonarsource.com/browse/SONAR-5430?jql=text%20~%20%22Http%20header%22

(Notice this feature has been pushed every version since early 5 series. It's never made the cut)

We can then put IIS in front of sonar and be done with it. (I do this already for SSL so it's a small change for me thankfully)

julienlancelot commented 8 years ago

@jabbera Indeed this plugin is now under the community umbrella. Concerning SSO, you're absolutely right about https://jira.sonarsource.com/browse/SONAR-5430, it would allow you to authenticate to SonarQube without clicking on any link. And it's good news to hear that you're already using such a feature, so we'll do our best to implement it in 6.1.

psyvision commented 8 years ago

@julienlancelot that would be a good solution, like @jabbera we too are using IIS in front of SonarQube.

jabbera commented 8 years ago

I can't believe that https://jira.sonarsource.com/browse/SONAR-5430 was pushed to 6.2 and now the AD plugin is totally broken with 6.1-RC1. You've taken a product that was highly accessible to windows users and slowly destroyed the experience.

2016.09.22 08:13:44 ERROR web[][o.s.s.p.w.RootFilter] Processing of request /sessions/new?return_to=%2F failed
java.lang.UnsupportedOperationException: Sessions are disabled so that web server is stateless
    at org.sonar.server.platform.web.RootFilter$ServletRequestWrapper.notSupported(RootFilter.java:159) ~[sonar-server-6.1-RC1.jar:na]
    at org.sonar.server.platform.web.RootFilter$ServletRequestWrapper.getSession(RootFilter.java:155) ~[sonar-server-6.1-RC1.jar:na]
    at org.sonar.plugins.activedirectory.windows.WindowsAuthenticationHelper.getWindowsPrincipal(WindowsAuthenticationHelper.java:86) ~[na:na]
    at org.sonar.plugins.activedirectory.windows.WindowsAuthenticationHelper.isUserSsoAuthenticated(WindowsAuthenticationHelper.java:75) ~[na:na]

julienlancelot commented 8 years ago

Hi Mike,

First thing, as this plugin was already not working in SonarQube 6.0, I don't see how it would have magically worked in 6.1... Then, for SONAR-5430, I said that we would do our best to do it in 6.1 but unfortunately it was not possible, but it should be done in 6.2.

And just to be clear for everyone: SONAR-5430 will make it possible to use Active Directory by using an SSO, but this plugin will still not be usable, unless someone takes the lead to fix it.

jabbera commented 8 years ago

It does work in 6.0, just not the way one would expect. I'm able to log in manually by using mbarry@blah. That is what no longer works in 6.1. I totally understand that 5430 has nothing to do with this plugin working. I'll be more than happy to publish the code required to get SSO working with IIS once 5430 is available.

Mike

dumians commented 7 years ago

I can also confirm that it was working with 6.0 and now not any longer.

Johannes

jabbera commented 7 years ago

I've gone back to the LDAP plugin. Removed the @domain from tables: users, groups, and user_tokens. Fixed casing of groups.

trajano commented 7 years ago

I've almost got my https://github.com/trajano/reverse-proxy-auth-sonar-plugin working with V6.1 (I presume it will still work with V6.0). There I have an SSO like implementation when the realm is enabled.

julienlancelot commented 7 years ago

FYI https://jira.sonarsource.com/browse/SONAR-5430 is "almost" done, it's on the latest build of SonarQube (https://github.com/SonarSource/sonarqube). If someone wants to have a try (building from sources), it would be great!

trajano commented 7 years ago

Cool then I can discontinue development of my plugin as soon as this is released. 

trajano.net


jabbera commented 7 years ago

While I don't have it in me to compile a non RC of sonarqube I've started a handler to solve this issue here:

https://github.com/jabbera/IisRemoteUserTokenAuthentication

julienlancelot commented 7 years ago

SonarQube 6.2-RC1 is now available, please try the new SSO feature: https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-6.2-RC1.zip.

jabbera commented 7 years ago

This is looking good so far. The biggest downside is needing to maintain 2 different "sites". One for token based auth and one for AD.

julienlancelot commented 7 years ago

Thanks @jabbera for your feedback, could you elaborate more about it by sending an email to https://groups.google.com/forum/#!forum/sonarqube? Thanks

jabbera commented 7 years ago

Will do. I'm still working through some issues with SSL and SNI on the forums but I'm optimistic that we'll get all this stuff sorted.

jabbera commented 7 years ago

@julienlancelot Posted.

psyvision commented 7 years ago

So 6.2 is out as stable now. What are we meant to do to get AD/SSO/LDAP/whatever working again? I would like my users to not have to have accounts created and to be able to visit the site and not have to enter a username/password.

jabbera commented 7 years ago

@psyvision you can try my IIS module. It works by using IIS as a reverse proxy.

https://github.com/jabbera/IisRemoteUserTokenAuthentication

psyvision commented 7 years ago

Thanks @jabbera, I'll take a look into that. Unfortunately we have our environment already set up with IIS reverse proxy but it's one site/DNS name being used for the site and the scanners so this is going to get messy :(

jabbera commented 7 years ago

You can add my module to your site. The ordering is important. The scanner site doesn't need much if you look at the web.config. I just run it on a different port.

trajano commented 7 years ago

@psyvision isn't 6.2 supposed to get rid of the need for a separate plugin to do reverse proxy authentication? I haven't bothered trying out my https://github.com/trajano/reverse-proxy-auth-sonar-plugin on 6.2 yet and I presumed I don't need to continue developing it because of the proposed changes to have it part of 6.2 core.

psyvision commented 7 years ago

@trajano I wish I knew - it's as clear as mud at the moment with all of the documentation on the matter /sarcasm

jabbera commented 7 years ago

@trajano from my point of view there is no need for that plugin anymore.

jabbera commented 7 years ago

@psyvision I've found a way to get it down to a single site through some simple heuristics. Feel free to test v0.11. (https://github.com/jabbera/IisRemoteUserTokenAuthentication/releases/tag/v0.11)

psyvision commented 7 years ago

@jabbera Thank you for letting me know. I'll see if I can find some time in the coming days to give it a try and feedback to you!

yanlee26 commented 6 years ago

same issue here...

jabbera commented 6 years ago

@yanlee26 feel free to try my iis module: https://github.com/jabbera/IisRemoteUserTokenAuthentication