[JENKINS-27026] Log/notify SSH CLI authentication - Jenkins Jira

XML

Word

Printable

Details

Type: New Feature
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: core
Labels:
- api
- cli
- logging
- security
- ssh

Similar Issues:

Show

Description

SecurityListener should be notified when SshCliAuthenticator approves or denies a CLI command.

Attachments

Issue Links

depends on

JENKINS-20999 Extension point for tracking login-related events

Resolved

relates to

JENKINS-41745 Remoting-free CLI

Resolved

links to

#22 (sshd)

#1202 (jenkins.io)

#3111 (jenkins)

Activity

Ascending order - Click to sort in descending order

Jesse Glick added a comment - 2017-05-01 13:43

More broadly, notify use of any SSH authentication in AsynchronousCommand.start.

Jesse Glick added a comment - 2017-05-01 13:43 More broadly, notify use of any SSH authentication in AsynchronousCommand.start .

Oleg Nenashev added a comment - 2017-10-12 12:28

Things to investigate:

Different authentication modes (User/Password/ API token, private key)
- login/logout - on the server side (not the command)
We don not investigate Remoting mode and its login/logout commands

Oleg Nenashev added a comment - 2017-10-12 12:28 Things to investigate: Different authentication modes (User/Password/ API token, private key) login/logout - on the server side (not the command) We don not investigate Remoting mode and its login/logout commands

SCM/JIRA link daemon added a comment - 2017-10-26 21:52

Code changed in jenkins
User: Wadeck Follonier
Path:
src/main/java/org/jenkinsci/main/modules/sshd/PublicKeyAuthenticatorImpl.java
http://jenkins-ci.org/commit/sshd-module/000dceefda3180522c625b011e94ef583058b3e6
Log:
~~JENKINS-27026~~ Fire authentication events when using SSH (#22)

~~JENKINS-27026~~ Fire authentication events when using SSH

- remove whitespace changes

- implement the user.impersonate as proposed by Jesse

also manage to create a UserDetails to notify the SecurityListener

- constructor of the inner class can even be private

- privatize the inner class to avoid API exposure

adjust log messages

- remove single quote in log

use getById instead of get

SCM/JIRA link daemon added a comment - 2017-10-26 21:52 Code changed in jenkins User: Wadeck Follonier Path: src/main/java/org/jenkinsci/main/modules/sshd/PublicKeyAuthenticatorImpl.java http://jenkins-ci.org/commit/sshd-module/000dceefda3180522c625b011e94ef583058b3e6 Log: JENKINS-27026 Fire authentication events when using SSH (#22) JENKINS-27026 Fire authentication events when using SSH - remove whitespace changes - implement the user.impersonate as proposed by Jesse also manage to create a UserDetails to notify the SecurityListener - constructor of the inner class can even be private - privatize the inner class to avoid API exposure adjust log messages - remove single quote in log use getById instead of get

SCM/JIRA link daemon added a comment - 2017-10-30 18:24

Code changed in jenkins
User: Wadeck Follonier
Path:
content/doc/book/managing/cli.adoc
http://jenkins-ci.org/commit/jenkins.io/c8d7a1a56d693df64539deafb192aefabd784692
Log:
~~JENKINS-27026~~ Add paragraphs about the CLI authentication

as pointed by Jesse, we add some new "features" in the authentication flow and so we need to document them

SCM/JIRA link daemon added a comment - 2017-10-30 18:24 Code changed in jenkins User: Wadeck Follonier Path: content/doc/book/managing/cli.adoc http://jenkins-ci.org/commit/jenkins.io/c8d7a1a56d693df64539deafb192aefabd784692 Log: JENKINS-27026 Add paragraphs about the CLI authentication as pointed by Jesse, we add some new "features" in the authentication flow and so we need to document them

SCM/JIRA link daemon added a comment - 2017-10-30 18:24

Code changed in jenkins
User: Liam Newman
Path:
content/doc/book/managing/cli.adoc
http://jenkins-ci.org/commit/jenkins.io/a84f9fc68a0002e2495c9e2b46229b8338576f1e
Log:
Merge pull request #1202 from Wadeck/~~JENKINS-27026~~_CLI_AUTHENTICATION

~~JENKINS-27026~~ Add paragraphs about the CLI authentication

Compare: https://github.com/jenkins-infra/jenkins.io/compare/f62f6fac0031...a84f9fc68a00

SCM/JIRA link daemon added a comment - 2017-10-30 18:24 Code changed in jenkins User: Liam Newman Path: content/doc/book/managing/cli.adoc http://jenkins-ci.org/commit/jenkins.io/a84f9fc68a0002e2495c9e2b46229b8338576f1e Log: Merge pull request #1202 from Wadeck/ JENKINS-27026 _CLI_AUTHENTICATION JENKINS-27026 Add paragraphs about the CLI authentication Compare: https://github.com/jenkins-infra/jenkins.io/compare/f62f6fac0031...a84f9fc68a00

SCM/JIRA link daemon added a comment - 2017-12-10 04:13

Code changed in jenkins
User: Oleg Nenashev
Path:
war/pom.xml
http://jenkins-ci.org/commit/jenkins/7dc9143ce20883b073c45385109c5b9bd73bf7ec
Log:
~~JENKINS-27026~~ - Update SSHD Module from 2.0 to 2.3 to pick the fix

SCM/JIRA link daemon added a comment - 2017-12-10 04:13 Code changed in jenkins User: Oleg Nenashev Path: war/pom.xml http://jenkins-ci.org/commit/jenkins/7dc9143ce20883b073c45385109c5b9bd73bf7ec Log: JENKINS-27026 - Update SSHD Module from 2.0 to 2.3 to pick the fix

SCM/JIRA link daemon added a comment - 2017-12-10 04:13

Code changed in jenkins
User: Oleg Nenashev
Path:
war/pom.xml
http://jenkins-ci.org/commit/jenkins/59b9658a56f71fcec1c28bc130f3e3bf08140552
Log:
Merge pull request #3111 from oleg-nenashev/feature/~~JENKINS-27026~~

~~JENKINS-27026~~ - Update SSHD Module from 2.0 to 2.3

Compare: https://github.com/jenkinsci/jenkins/compare/969ed923452c...59b9658a56f7

SCM/JIRA link daemon added a comment - 2017-12-10 04:13 Code changed in jenkins User: Oleg Nenashev Path: war/pom.xml http://jenkins-ci.org/commit/jenkins/59b9658a56f71fcec1c28bc130f3e3bf08140552 Log: Merge pull request #3111 from oleg-nenashev/feature/ JENKINS-27026 JENKINS-27026 - Update SSHD Module from 2.0 to 2.3 Compare: https://github.com/jenkinsci/jenkins/compare/969ed923452c...59b9658a56f7

SCM/JIRA link daemon added a comment - 2017-12-14 19:45

Code changed in jenkins
User: Wadeck Follonier
Path:
core/src/main/java/hudson/Functions.java
core/src/main/java/hudson/cli/CLICommand.java
core/src/main/java/hudson/cli/ClientAuthenticationCache.java
core/src/main/java/hudson/cli/LoginCommand.java
core/src/main/java/hudson/cli/LogoutCommand.java
core/src/main/java/hudson/model/User.java
core/src/main/java/hudson/security/ACL.java
core/src/main/java/hudson/security/BasicAuthenticationFilter.java
core/src/main/java/jenkins/security/BasicHeaderApiTokenAuthenticator.java
core/src/main/java/jenkins/security/SecurityListener.java
test/src/test/java/hudson/security/CliAuthenticationTest.java
test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java
test/src/test/java/jenkins/security/SpySecurityListener.java
http://jenkins-ci.org/commit/jenkins/b7f42b2e59b2081782d6e51da18b0c93808d98da
Log:
~~JENKINS-27027~~ Notify the SecurityListener on authentication (#3074)

~~JENKINS-27026~~ Notify the SecurityListener in case of Token based authentication success

due the current version of the method, the UserDetails required for the event was not accessible. In order to stay with the same API in SecurityListener, two "protected" methods were created to split the job and let the UserDetails accessible

- add test to ensure the SecurityListener is called for REST Token but also for regular basic auth

- remove the comment about the split, will be put in GitHub comment instead

- add check for anonymous call instead of just putting a comment

remove the constructor in the dummy
add link to PR from Daniel to simplify a call

- separate the before/after to save one clear and be more explicit

put more meaning in the assertLastEventIs method by explicitly say we will remove the last event

- add comment about why we do not fire the "failedToAuthenticated" in the case of an invalid token (tips: it's because it could be a valid password)

- also add the authenticated trigger on legacy filter as pointed by Ivan

- add support of event on CLI remoting authentication

adjust tests by moving the helper class used to spy on events

- as mentioned Yvan, the code had some problems with null checking, so the approach is changed in order to encapsulate all that internal mechanism

- add javadoc

open the getUserDetailsForImpersonation from the User (will let the SSHD module to retrieve UserDetails from that)

- remove single quote in log messages

- basic corrections requested by Jesse

- just another typo

- adjust the javadoc for SecurityListener events

- add the link to Jenkins#Anonymous

- add link (not using see)

- update comment on the isAnonymous as we (me + Oleg) do not find a best place at the moment

- put the new method isAnonymous in ACL instead of Functions

- little typo

add requirement about the SecurityContext authentication

SCM/JIRA link daemon added a comment - 2017-12-14 19:45 Code changed in jenkins User: Wadeck Follonier Path: core/src/main/java/hudson/Functions.java core/src/main/java/hudson/cli/CLICommand.java core/src/main/java/hudson/cli/ClientAuthenticationCache.java core/src/main/java/hudson/cli/LoginCommand.java core/src/main/java/hudson/cli/LogoutCommand.java core/src/main/java/hudson/model/User.java core/src/main/java/hudson/security/ACL.java core/src/main/java/hudson/security/BasicAuthenticationFilter.java core/src/main/java/jenkins/security/BasicHeaderApiTokenAuthenticator.java core/src/main/java/jenkins/security/SecurityListener.java test/src/test/java/hudson/security/CliAuthenticationTest.java test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java test/src/test/java/jenkins/security/SpySecurityListener.java http://jenkins-ci.org/commit/jenkins/b7f42b2e59b2081782d6e51da18b0c93808d98da Log: JENKINS-27027 Notify the SecurityListener on authentication (#3074) JENKINS-27026 Notify the SecurityListener in case of Token based authentication success due the current version of the method, the UserDetails required for the event was not accessible. In order to stay with the same API in SecurityListener, two "protected" methods were created to split the job and let the UserDetails accessible - add test to ensure the SecurityListener is called for REST Token but also for regular basic auth - remove the comment about the split, will be put in GitHub comment instead - add check for anonymous call instead of just putting a comment remove the constructor in the dummy add link to PR from Daniel to simplify a call - separate the before/after to save one clear and be more explicit put more meaning in the assertLastEventIs method by explicitly say we will remove the last event - add comment about why we do not fire the "failedToAuthenticated" in the case of an invalid token (tips: it's because it could be a valid password) - also add the authenticated trigger on legacy filter as pointed by Ivan - add support of event on CLI remoting authentication adjust tests by moving the helper class used to spy on events - as mentioned Yvan, the code had some problems with null checking, so the approach is changed in order to encapsulate all that internal mechanism - add javadoc open the getUserDetailsForImpersonation from the User (will let the SSHD module to retrieve UserDetails from that) - remove single quote in log messages - basic corrections requested by Jesse - just another typo - adjust the javadoc for SecurityListener events - add the link to Jenkins#Anonymous - add link (not using see) - update comment on the isAnonymous as we (me + Oleg) do not find a best place at the moment - put the new method isAnonymous in ACL instead of Functions - little typo add requirement about the SecurityContext authentication

People

Assignee:: Wadeck Follonier

Reporter:: Jesse Glick

Votes:: 2 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2015-02-19 14:36

Updated:: 2017-12-14 19:45

Resolved:: 2017-12-14 14:00