Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-30116

NegSecFilter should not secure notifyCommit URLs

    Details

    • Similar Issues:

      Description

      Once this plugin is configured, I am no longer able to hit the notifyCommit URLs. Instead I get "This request requires HTTP authentication."

      Based on the git plugin documentation, these URLs should not be secured:

      this URL doesn't require authentication even for secured Jenkins, because the server doesn't directly use anything that the client is sending. It runs polling to verify that there is a change, before it actually starts a build.

      source: https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin#GitPlugin-Pushnotificationfromrepository

      I believe both svn and mercurial also support push notifications. I'm not aware of any other Jenkins URLs that need to be excluded from the security filter, but others may exist.

        Attachments

          Activity

          Hide
          farmgeek4life Bryson Gibbons added a comment -

          Going to do a path check for "/notifyCommit" in the request URL, since that seems to be the easiest way to do it:

          Git: <jenkins root>/git/notifyCommit?... (https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin)
          Mercurial: <jenkins root>/mercurial/notifyCommit?... (https://wiki.jenkins-ci.org/display/JENKINS/Mercurial+Plugin)
          Subversion: <jenkins root>/subversion/<repo UUID>/notifyCommit?... (https://wiki.jenkins-ci.org/display/JENKINS/Subversion+Plugin)

          I would prefer a solid "Path must look/start like this", but the only way to do that with the subversion path is with a regular expression, and those can become hard to maintain...

          Show
          farmgeek4life Bryson Gibbons added a comment - Going to do a path check for "/notifyCommit" in the request URL, since that seems to be the easiest way to do it: Git: <jenkins root>/git/notifyCommit?... ( https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin ) Mercurial: <jenkins root>/mercurial/notifyCommit?... ( https://wiki.jenkins-ci.org/display/JENKINS/Mercurial+Plugin ) Subversion: <jenkins root>/subversion/<repo UUID>/notifyCommit?... ( https://wiki.jenkins-ci.org/display/JENKINS/Subversion+Plugin ) I would prefer a solid "Path must look/start like this", but the only way to do that with the subversion path is with a regular expression, and those can become hard to maintain...
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: FarmGeek4Life
          Path:
          src/main/java/com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.java
          http://jenkins-ci.org/commit/negotiate-sso-plugin/fc41c77b51e842c1a635815db93970e0ca9cc2e0
          Log:
          [Fix JENKINS-30116] NegSecFilter should not secure notifyCommit URLs

          git, mercurial, and subversion all support push notifications to trigger
          polling and builds. These are not supposed to be secured, so make the
          filter bypass authentication when "/notifyCommit" is in the requested URL.
          https://issues.jenkins-ci.org/browse/JENKINS-30116

          Compare: https://github.com/jenkinsci/negotiate-sso-plugin/compare/b0ffaa33361f...fc41c77b51e8

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: FarmGeek4Life Path: src/main/java/com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.java http://jenkins-ci.org/commit/negotiate-sso-plugin/fc41c77b51e842c1a635815db93970e0ca9cc2e0 Log: [Fix JENKINS-30116] NegSecFilter should not secure notifyCommit URLs git, mercurial, and subversion all support push notifications to trigger polling and builds. These are not supposed to be secured, so make the filter bypass authentication when "/notifyCommit" is in the requested URL. https://issues.jenkins-ci.org/browse/JENKINS-30116 Compare: https://github.com/jenkinsci/negotiate-sso-plugin/compare/b0ffaa33361f...fc41c77b51e8
          Hide
          farmgeek4life Bryson Gibbons added a comment - - edited

          Fix will be present in 1.1; if you otherwise want to test it sooner, you can download a snapshot here:
          https://jenkins.ci.cloudbees.com/job/plugins/job/negotiate-sso-plugin/7/org.jenkins-ci.plugins$NegotiateSSO/

          Still need to investigate the Jenkins version dependency problem, 1.1 will be released when I get that done, which will probably be around Sept. 5

          Show
          farmgeek4life Bryson Gibbons added a comment - - edited Fix will be present in 1.1; if you otherwise want to test it sooner, you can download a snapshot here: https://jenkins.ci.cloudbees.com/job/plugins/job/negotiate-sso-plugin/7/org.jenkins-ci.plugins$NegotiateSSO/ Still need to investigate the Jenkins version dependency problem, 1.1 will be released when I get that done, which will probably be around Sept. 5
          Hide
          pmv pmv added a comment -

          Before you release - we also use the cli to issue commands to Jenkins. Do you happen to know if that will work with your filter, or will it have the same problem? I should be able to get this tested before the 5th, but just wanted to give you a heads up.

          Show
          pmv pmv added a comment - Before you release - we also use the cli to issue commands to Jenkins. Do you happen to know if that will work with your filter, or will it have the same problem? I should be able to get this tested before the 5th, but just wanted to give you a heads up.
          Hide
          pmv pmv added a comment -

          FYI - I tested this and the cli commands do work, so no worries there.

          Show
          pmv pmv added a comment - FYI - I tested this and the cli commands do work, so no worries there.

            People

            • Assignee:
              farmgeek4life Bryson Gibbons
              Reporter:
              pmv pmv
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: