cloudogu / sonar-cas-plugin

CAS Authentication support for SonarQube
GNU Affero General Public License v3.0

Error on REST authentication with SonarQube LTS v8.9.x #30

Closed ppxl closed 3 years ago

ppxl commented 3 years ago

An error occurs when sonar-cas-plugin is used with a SonarQube instance of a version > v8.x:

2021.05.12 17:32:05 ERROR web[AXlhNIlBtn7nUNqpAAAB][o.s.p.c.CasIdentityProvider] authentication or logout failed
May 12 17:32:05 ces docker/sonar[1577]: org.sonar.server.authentication.event.AuthenticationException: Email 'email@address.com' is already used

The constellation:

I used Postman to create and send a basic auth request to https://192.168.x.y/sonar/api/plugins/installed

The logs show that CAS successfully authenticates the request because a CAS ticket validator assertion was successfully created along with the user attributes:

(reformatted by me)

DEBUG web[AXlhNIlBtn7nUNqpAAAB][o.j.c.c.v.Cas30ServiceTicketValidator] Server response: 

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>admin</cas:user>
        <cas:attributes>
            <cas:mail>admin@admin.com</cas:mail>
            <cas:surname>admin</cas:surname>
            <cas:displayName>admin</cas:displayName>
            <cas:givenName>admin</cas:givenName>
            <cas:groups>manager-group</cas:groups>
            <cas:groups>admin-group</cas:groups>
            <cas:cn>admin</cas:cn>
            <cas:username>admin</cas:username>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>

May 12 17:32:05 ces docker/sonar[1577]: 2021.05.12 17:32:05 DEBUG web[AXlhNIlBtn7nUNqpAAAB][o.s.p.c.LoginHandler] Received assertion. Authenticating with user admin

SonarQube in turn drags its own identity provider into the database which results in false preconditions, ultimately failing the authentication process:

ERROR web[AXlhNIlBtn7nUNqpAAAB][o.s.p.c.CasIdentityProvider] authentication or logout failed
org.sonar.server.authentication.event.AuthenticationException: Email 'admin@admin.de' is already used
    at org.sonar.server.authentication.event.AuthenticationException$Builder.build(AuthenticationException.java:103)
    at org.sonar.server.authentication.UserRegistrarImpl.generateExistingEmailError(UserRegistrarImpl.java:242)
    at org.sonar.server.authentication.UserRegistrarImpl.detectEmailUpdate(UserRegistrarImpl.java:148)
    at org.sonar.server.authentication.UserRegistrarImpl.registerNewUser(UserRegistrarImpl.java:97)
    at org.sonar.server.authentication.UserRegistrarImpl.register(UserRegistrarImpl.java:76)
    at org.sonar.server.authentication.BaseContextFactory$ContextImpl.authenticate(BaseContextFactory.java:82)
...

Here is what SonarQube database says about the user being logged in (shortened):

select * from users;

Result: the column external_identity_provider ends up as sonarqube instead of cas.

| uuid | login | name | email | active | external_login | external_identity_provider | external_id | is_root | user_local | onboarded |
|---|---|---|---|---|---|---|---|---|---|---|
| AXlhJX72pXPbeuJC0U79 | admin | admin | admin@admin.com | t | admin | sonarqube | admin | f | f | f |

Leading SonarQube bug ticket

This bug ticket was opened at SonarQube's.
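
A simplified model of the failure reported in this issue, added here as an illustration (not code from sonar-cas-plugin or SonarQube): it parses the CAS response shown above and replays the registration step against the users row from the table. The function names and the lookup by (external_id, external_identity_provider) are assumptions inferred from the stack trace and the table; the sample data is a constructed copy of the values in the issue.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed copy of the CAS validation response from the log (attributes trimmed).
# This is an embedded constant; use a hardened XML parser for untrusted input.
CAS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>admin</cas:user>
    <cas:attributes>
      <cas:mail>admin@admin.com</cas:mail>
      <cas:groups>manager-group</cas:groups>
      <cas:groups>admin-group</cas:groups>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Row from the users table in the issue, reduced to the columns the check needs.
USERS = [{"login": "admin", "email": "admin@admin.com",
          "external_id": "admin", "external_identity_provider": "sonarqube"}]


def parse_assertion(xml_text):
    """Extract user, mail and groups from a CAS 3.0 serviceResponse."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        raise ValueError("CAS response is not an authenticationSuccess")
    attrs = ok.find("cas:attributes", NS)
    return {"user": ok.findtext("cas:user", namespaces=NS),
            "mail": attrs.findtext("cas:mail", namespaces=NS),
            "groups": [g.text for g in attrs.findall("cas:groups", NS)]}


def register(identity, users, provider="cas"):
    """Hypothetical model of the register step; returns the outcome as a string."""
    key = (identity["user"], provider)
    for u in users:
        if (u["external_id"], u["external_identity_provider"]) == key:
            return "existing user updated"
    # No (external_id, provider) match: handled as a new user, so the e-mail check fires.
    for u in users:
        if u["email"] == identity["mail"]:
            return "Email '%s' is already used" % identity["mail"]
    return "new user created"


if __name__ == "__main__":
    print(register(parse_assertion(CAS_RESPONSE), USERS))
```

With the row's external_identity_provider set to cas instead of sonarqube, the same call takes the first branch and reports the existing user.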