jenkinsci / gitlab-plugin

A Jenkins plugin for interfacing with GitLab
https://plugins.jenkins.io/gitlab-plugin/
GNU General Public License v2.0

Multibranch pipeline project auth #695

Open Azarko opened 6 years ago

Azarko commented 6 years ago

Issue

Context

Problem description

I have the Role-Based Authorization Strategy on my Jenkins server, and users without special permissions can't start any job. I installed the GitLab plugin and, in the Jenkins configuration, checked "Enable authentication for '/project' end-point". I did not set up any access tokens or anything else, just installed the plugin and enabled authentication. On the GitLab project I created a push webhook to the Jenkins multibranch pipeline project, like http://jenkins_url:8080/project/test_webhooks/, without a secret token.

Then I press the Test button and receive "Hook executed successfully: HTTP 200", but I expected Error 403.

I also checked it for a freestyle project. If I don't set a secret token in the job and webhook settings, after Test I receive:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 anonymous is missing the Job/Build permission</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /project/test_webhooks/. Reason:
<pre>    anonymous is missing the Job/Build permission</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>

</body>
</html>

If I set a secret token on the Jenkins freestyle project and not in the webhook settings:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 Invalid token</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /project/test_webhooks/. Reason:
<pre>    Invalid token</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>

</body>
</html>

So, how can I set authorization for multibranch pipeline projects like on freestyle projects?

omehegan commented 6 years ago

The token (which can be set per-job) and the 'Enable authentication for /project endpoint' feature are two different things. You don't need to use both.

Does your Multibranch Pipeline project actually trigger in this case? Or do you just get a 200 back when you test? If it triggers, that is a bug; if not, the 200 response is maybe not ideal, but probably happens due to the unique way that Multibranch triggering works.

omehegan commented 6 years ago

By the way, see https://github.com/jenkinsci/gitlab-plugin/issues/418#issuecomment-247464294 for a clue about how to configure endpoint authentication.

Azarko commented 6 years ago

Hm, now I don't quite understand how this should work.

  1. "Enable authentication for /project endpoint" is on.
  2. I have the GitLab repo https://my_gitlab.com/jenkins_sandbox/user-webhook-test.
  3. Next I create a Multibranch project on my Jenkins: http://my_jenkins.com:8008/job/test_webhooks_project/. In the project configuration I add the git source specified above.
  4. After that, I add a webhook to the GitLab repo (without any Jenkins user or API key): http://my_jenkins.com:8080/project/test_webhooks_project/
  5. The Test button returns status 200 but does not trigger the Jenkins project; any push to the repo also returns 200, but the Jenkins project is triggered and started.

So authorization isn't required. Or did I do something wrong?

Thank you.

P.S. Maybe it is OK: I haven't found any way to trigger a project by a webhook in a repo that is not specified in the project's settings. I mean that if my Jenkins project uses gitlab_repo_1, and I set up a webhook to this project in gitlab_repo_2, then the project is not triggered. So if a project can be run only by the repos specified in the project config, then I think this is enough for security (unauthorized users can't create and modify projects).

omehegan commented 6 years ago

This sounds like a bug. Can you test something else please? Create a regular Pipeline job, not a Multibranch Pipeline, and attempt to trigger it with the webhook test and a push to the repo. It should not trigger the build. If that's correct, then this is just broken for Multibranch jobs, and I have a theory as to why.

As for your last question, I am not sure that the plugin will behave that way, and I would not want you to rely on that for security. We should fix this auth issue.

Azarko commented 6 years ago

OK. I created a new Pipeline project: http://my_jenkins.com:8080/job/pipeline_test. In the job settings I enabled "Build when a change is pushed to GitLab" (if this option isn't enabled, the project is not triggered in any case).

  1. I set up the webhook: http://my_jenkins.com:8080/project/pipeline_test/. The Test button and a push to the repo return 403: "Error 403 anonymous is missing the Job/Build permission". The job is not triggered.
  2. I add the username and API token to the webhook URL: http://username:apitoken@my_jenkins.com:8080/project/pipeline_test/. The Test button and a push to the repo return 200 and the job is triggered successfully.

So authorization works on Pipeline projects.
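The two checks above (no credentials should give 401/403, user:apitoken should give 200) can be scripted so the /project endpoint of every job type is audited the same way. This is an added example, not code from the gitlab-plugin or from anyone in this thread; the payload is a constructed minimal push hook, the `X-Gitlab-Token` header is what GitLab sends for the secret token, and `send` is injectable so the logic can be exercised offline with a fake transport.

```python
"""Audit whether a Jenkins /project webhook endpoint enforces authentication."""
import base64
import json
import sys
import urllib.error
import urllib.request

# Constructed minimal GitLab push-hook payload (assumption: the plugin only
# needs the event header plus a few fields to route the request).
SAMPLE_PUSH = {"object_kind": "push", "ref": "refs/heads/master",
               "project": {"git_http_url": "https://my_gitlab.com/jenkins_sandbox/user-webhook-test.git"}}


def urllib_send(url, headers, body):
    """Real transport: returns the HTTP status code; 4xx is a result, not an error."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe(url, secret_token=None, user=None, api_token=None, send=urllib_send):
    """POST one test hook with the given credentials and return the status code."""
    headers = {"Content-Type": "application/json", "X-Gitlab-Event": "Push Hook"}
    if secret_token:
        headers["X-Gitlab-Token"] = secret_token          # GitLab "Secret token" field
    if user and api_token:                                # same as user:apitoken@host in the URL
        cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    return send(url, headers, json.dumps(SAMPLE_PUSH).encode())


def audit(url, user, api_token, secret_token=None, send=urllib_send):
    """Return {check: (status, ok)}; a check is ok when anonymous/tokenless callers
    are rejected and real credentials (or the right secret token) are accepted."""
    anon = probe(url, send=send)
    authed = probe(url, user=user, api_token=api_token, send=send)
    results = {"anonymous_rejected": (anon, anon in (401, 403)),
               "credentials_accepted": (authed, authed == 200)}
    if secret_token:
        wrong = probe(url, secret_token="not-the-real-token", send=send)
        right = probe(url, secret_token=secret_token, send=send)
        results["wrong_token_rejected"] = (wrong, wrong == 401)
        results["token_accepted"] = (right, right == 200)
    return results


if __name__ == "__main__":
    # usage: audit_webhook.py <project_url> <user> <apitoken> [secret_token]
    for name, (status, ok) in audit(*sys.argv[1:5]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: HTTP {status}")
```

A job whose endpoint answers 200 to the anonymous probe, as the multibranch project did above, shows up as a FAIL on `anonymous_rejected`.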

omehegan commented 6 years ago

@Azarko OK, I think this is a bug in our support of Multibranch. Unlike the other project types, triggering a Multibranch job just tells Jenkins to reindex branches, and Jenkins decides whether to start a build or not. I guess the auth of the /project end point happens after that. Thanks, this is a bug.

Goodsmileduck commented 5 years ago

hi, any update?