The /securityRealm/firstUser is accessible and allows creating an account while the setup wizard is active, but nobody has logged in so far.

      Also, really weird UI brokenness since / is still the setup wizard.

          [JENKINS-33770] Setup wizard login trivial to circumvent

          Keith Zantow added a comment -

          gusreiber I have different branches for each of these tickets, the fix for this is on branch: JENKINS-33770-security-token-not-always-required

          Daniel Beck added a comment -

          gusreiber Please also note that the form is always available, the critical bit is whether a submission works.

          James Nord added a comment - - edited

          All URLs appear to be by-passable (after entering the password).

          For example I can very easily create a new job at view/All/newJob (only a FreeStyle project but still....)

          • you should intercept all URLs as the setup wizard until that is completed or dismissed IMO.
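The two design points raised above, that the first-user form may stay reachable as long as a submission from a session that has not validated the setup security token is refused (Daniel Beck), and that every other URL should be intercepted until the wizard is completed or dismissed (James Nord), as a small Python model. This is an added example, not Jenkins code: the `Session` and `InstallState` classes, the path set, the route names and the sample initial password are all constructed for illustration.

```python
"""
Model of the two gates discussed in JENKINS-33770 (added example, not
Jenkins code). Gate 1: while the setup wizard is active, every request
outside the wizard's own endpoints is refused until the session has
validated the initial admin password. Gate 2: the first-user form is served
freely, but its *submission* is honoured only by a token-validated session,
and never once setup is complete. Names, paths and the sample password are
constructed for illustration.
"""
import hmac
from dataclasses import dataclass, field

# Endpoints the wizard itself needs; everything else is intercepted (gate 1).
FIRST_USER_PATH = "/securityRealm/firstUser"          # constructed route name
TOKEN_PATH = "/setupWizard/authenticate-security-token"  # constructed route name
WIZARD_PATHS = {"/", "/setupWizard", TOKEN_PATH, FIRST_USER_PATH}


@dataclass
class Session:
    token_validated: bool = False   # set only by a correct password


@dataclass
class InstallState:
    initial_admin_password: str     # constructed sample value
    wizard_active: bool = True
    users: dict = field(default_factory=dict)


def authenticate_security_token(state, session, submitted):
    """Validate the initial admin password with a constant-time compare."""
    ok = state.wizard_active and hmac.compare_digest(
        state.initial_admin_password.encode(), submitted.encode())
    if ok:
        session.token_validated = True
    return ok


def create_first_user(state, session, form):
    """Gate 2: the submission, not the form, is what must be protected."""
    if not state.wizard_active:
        return 403, "sign-up is disabled once setup is complete"
    if not session.token_validated:
        return 403, "setup security token not validated for this session"
    username = form.get("username", "")
    password = form.get("password", "")
    if not username or not password:
        return 400, "username and password are required"
    state.users[username] = password   # a real realm would store a hash
    return 200, "user created"


def complete_wizard(state):
    """Called when the admin finishes or dismisses the wizard."""
    state.wizard_active = False


def handle_request(state, session, method, path, form=None):
    """Front filter (gate 1) followed by the individual route handlers."""
    form = form or {}
    if path == TOKEN_PATH and method == "POST":
        if authenticate_security_token(state, session, form.get("token", "")):
            return 200, "token accepted"
        return 403, "bad token"
    if state.wizard_active and not session.token_validated \
            and path not in WIZARD_PATHS:
        return 403, "complete the setup wizard first"
    if path == FIRST_USER_PATH:
        if method == "GET":
            return 200, "first-user form"   # the form itself is always available
        return create_first_user(state, session, form)
    if path == "/view/All/newJob" and method == "POST":
        # Post-setup authorization is out of scope for this model.
        return 200, "job created"
    return 404, "no such route"
```

Running the model end to end: an unvalidated session can fetch the first-user form but every POST, to the form or to `/view/All/newJob`, gets a 403 and no user is created; once the token has been validated the first-user submission succeeds; after `complete_wizard` the first-user route refuses further sign-ups.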

          James Nord added a comment -

          FWIW reproduced creating a user without entering a password on 2.0-beta-1

          Keith Zantow added a comment -

          teilo right, the fix hasn't been merged in beta-1, still only in the PR. I had originally forced the setup wizard for all URLs, but there was opposition to that approach. I don't really want to implement it again only to have to undo it again. If a user has verified access to Jenkins, and intentionally navigates away from the setup wizard, I don't really see that as a severe problem.

          Daniel Beck added a comment -

          Yep – First approach had a different Stapler root object (no Jenkins), but that quickly became a mess as Jenkins was needed e.g. for integrating the security configuration into the initial setup.

          The comment thread on this starts around https://github.com/jenkinsci/jenkins/pull/2042#issuecomment-191396954 in the initial PR.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: kzantow
          Path:
          core/src/main/java/jenkins/install/SetupWizard.java
          http://jenkins-ci.org/commit/jenkins/2968285d9a2158747bfc5fc2c93b8217bfff7702
          Log:
          JENKINS-33770 - not all paths restricted during SetupWizard

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: kzantow
          Path:
          core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
          core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
          war/src/main/js/api/securityConfig.js
          war/src/main/js/templates/firstUserPanel.hbs
          http://jenkins-ci.org/commit/jenkins/3cf8de04a9fae00dabcec4c3888903afda4336df
          Log:
          JENKINS-33770 - fix issue directly submitting firstUser page

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: kzantow
          Path:
          .mvn/jvm.config
          changelog.html
          core/pom.xml
          core/src/main/java/hudson/ExtensionFinder.java
          core/src/main/java/hudson/init/impl/InstallUncaughtExceptionHandler.java
          core/src/main/java/hudson/model/Fingerprint.java
          core/src/main/java/hudson/model/ItemGroupMixIn.java
          core/src/main/java/hudson/model/View.java
          core/src/main/java/hudson/model/ViewDescriptor.java
          core/src/main/java/jenkins/install/InstallUtil.java
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/model/AllView/noJob.jelly
          core/src/main/resources/hudson/tools/label.jelly
          core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
          core/src/main/resources/jenkins/install/UpgradeWizard/footer.jelly
          core/src/main/resources/jenkins/install/UpgradeWizard/footer.properties
          core/src/main/resources/jenkins/install/pluginSetupWizard.properties
          core/src/main/resources/lib/form/repeatableDeleteButton.jelly
          core/src/main/resources/lib/hudson/ballColorTd.jelly
          core/src/main/resources/lib/layout/html.jelly
          test/src/test/java/hudson/jobs/CreateItemTest.java
          test/src/test/java/hudson/model/ViewDescriptorTest.java
          test/src/test/java/hudson/model/ViewTest.java
          war/src/main/js/api/pluginManager.js
          war/src/main/js/pluginSetupWizardGui.js
          war/src/main/js/templates/errorPanel.hbs
          war/src/main/less/pluginSetupWizard.less
          war/src/main/webapp/css/style.css
          http://jenkins-ci.org/commit/jenkins/f06ee0fef4632c7f0994f8d5ebee086240348e80
          Log:
          Merge remote-tracking branch 'primary/2.0' into JENKINS-33770-security-token-not-always-required

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
          core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
          war/src/main/js/api/securityConfig.js
          war/src/main/js/templates/firstUserPanel.hbs
          http://jenkins-ci.org/commit/jenkins/360cfcdcc87f8f10c9041e3fedfbee522fc035ed
          Log:
          Merge pull request #2170 from kzantow/JENKINS-33770-security-token-not-always-required

          [FIX JENKINS-33770] Prevent unauthenticated user registration

          Compare: https://github.com/jenkinsci/jenkins/compare/a9f12093debe...360cfcdcc87f

            kzantow Keith Zantow
            danielbeck Daniel Beck