Jenkins / JENKINS-33770

Setup wizard login trivial to circumvent

      Description

      The /securityRealm/firstUser is accessible and allows creating an account while the setup wizard is active, but nobody has logged in so far.

      Also, really weird UI brokenness since / is still the setup wizard.

Activity

            kzantow Keith Zantow added a comment - - edited

            You're still required to enter a security token, yes?

            After entering the security token, you're logged in as an admin user. Navigating away is something we're not restricting, really (recall, it was... until the approach was changed significantly after the initial implementation).

            danielbeck Daniel Beck added a comment -

            You're still required to enter a security token, yes?

            No.

            In fact, I discovered this because some weird forward brought me right from "Jenkins is loading" to that page. Unfortunately I haven't been able to reproduce it since.

            gusreiber gus reiber added a comment -

            I am reproducing this bug testing 33828. Possibly you have a fix on a different branch, but if not, I can repro easily on the 33828 branch.

            kzantow Keith Zantow added a comment -

            gus reiber I have different branches for each of these tickets, the fix for this is on branch: JENKINS-33770-security-token-not-always-required

            danielbeck Daniel Beck added a comment -

            gus reiber Please also note that the form is always available, the critical bit is whether a submission works.

            teilo James Nord added a comment - - edited

            All URLs appear to be by-passable (after entering the password).

            For example I can very easily create a new job at view/All/newJob (only a FreeStyle project but still....)

            • you should intercept all URLs as the setup wizard until that is completed or dismissed IMO.
            teilo James Nord added a comment -

            FWIW reproduced creating a user without entering a password on 2.0-beta-1

            kzantow Keith Zantow added a comment -

            James Nord right, the fix hasn't been merged in beta-1, still only in the PR. I had originally forced the setup wizard for all URLs, but there was opposition to that approach. I don't really want to implement it again only to have to undo it again. If a user has verified access to Jenkins, and intentionally navigates away from the setup wizard, I don't really see that as a severe problem.

            danielbeck Daniel Beck added a comment -

            Yep – First approach had a different Stapler root object (no Jenkins), but that quickly became a mess as Jenkins was needed e.g. for integrating the security configuration into the initial setup.

            The comment thread on this starts around https://github.com/jenkinsci/jenkins/pull/2042#issuecomment-191396954 in the initial PR.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: kzantow
            Path:
            core/src/main/java/jenkins/install/SetupWizard.java
            http://jenkins-ci.org/commit/jenkins/2968285d9a2158747bfc5fc2c93b8217bfff7702
            Log:
            JENKINS-33770 - not all paths restricted during SetupWizard

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: kzantow
            Path:
            core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
            core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
            war/src/main/js/api/securityConfig.js
            war/src/main/js/templates/firstUserPanel.hbs
            http://jenkins-ci.org/commit/jenkins/3cf8de04a9fae00dabcec4c3888903afda4336df
            Log:
            JENKINS-33770 - fix issue directly submitting firstUser page

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: kzantow
            Path:
            .mvn/jvm.config
            changelog.html
            core/pom.xml
            core/src/main/java/hudson/ExtensionFinder.java
            core/src/main/java/hudson/init/impl/InstallUncaughtExceptionHandler.java
            core/src/main/java/hudson/model/Fingerprint.java
            core/src/main/java/hudson/model/ItemGroupMixIn.java
            core/src/main/java/hudson/model/View.java
            core/src/main/java/hudson/model/ViewDescriptor.java
            core/src/main/java/jenkins/install/InstallUtil.java
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/AllView/noJob.jelly
            core/src/main/resources/hudson/tools/label.jelly
            core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
            core/src/main/resources/jenkins/install/UpgradeWizard/footer.jelly
            core/src/main/resources/jenkins/install/UpgradeWizard/footer.properties
            core/src/main/resources/jenkins/install/pluginSetupWizard.properties
            core/src/main/resources/lib/form/repeatableDeleteButton.jelly
            core/src/main/resources/lib/hudson/ballColorTd.jelly
            core/src/main/resources/lib/layout/html.jelly
            test/src/test/java/hudson/jobs/CreateItemTest.java
            test/src/test/java/hudson/model/ViewDescriptorTest.java
            test/src/test/java/hudson/model/ViewTest.java
            war/src/main/js/api/pluginManager.js
            war/src/main/js/pluginSetupWizardGui.js
            war/src/main/js/templates/errorPanel.hbs
            war/src/main/less/pluginSetupWizard.less
            war/src/main/webapp/css/style.css
            http://jenkins-ci.org/commit/jenkins/f06ee0fef4632c7f0994f8d5ebee086240348e80
            Log:
            Merge remote-tracking branch 'primary/2.0' into JENKINS-33770-security-token-not-always-required

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
            core/src/main/resources/jenkins/install/SetupWizard/setupWizardFirstUser.jelly
            war/src/main/js/api/securityConfig.js
            war/src/main/js/templates/firstUserPanel.hbs
            http://jenkins-ci.org/commit/jenkins/360cfcdcc87f8f10c9041e3fedfbee522fc035ed
            Log:
            Merge pull request #2170 from kzantow/JENKINS-33770-security-token-not-always-required

            [FIX JENKINS-33770] Prevent unauthenticated user registration

            Compare: https://github.com/jenkinsci/jenkins/compare/a9f12093debe...360cfcdcc87f

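The gate the thread converges on (the form may stay reachable; what matters is whether a submission is honoured), as an added model that is not Jenkins code: the first-user handler accepts a submission only while the setup wizard is active and only from a session that has already verified the setup security token. The install state names, the `setup_token_verified` session flag and the HTTP status codes are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Install states are an assumption of this model, not Jenkins' own enum.
SETUP_WIZARD, RUNNING = "SETUP_WIZARD", "RUNNING"


@dataclass
class Session:
    # Hypothetical flag, set only after the setup security token was verified.
    setup_token_verified: bool = False
    user: Optional[str] = None


@dataclass
class Server:
    install_state: str = SETUP_WIZARD
    users: Set[str] = field(default_factory=set)

    def first_user_ui_only(self, session: Session, username: str) -> int:
        """Weak variant: the page hides the form once the wizard is done, but a
        direct POST to the handler is accepted without any server-side check."""
        self.users.add(username)
        session.user = username
        return 200

    def first_user_hardened(self, session: Session, username: str) -> int:
        """Hardened variant: the submission itself is gated, so it does not matter
        whether the form was reachable. 404 once the wizard is over, 403 for a
        session that never verified the setup token."""
        if self.install_state != SETUP_WIZARD:
            return 404
        if not session.setup_token_verified:
            return 403
        self.users.add(username)
        session.user = username
        return 200


def walkthrough() -> dict:
    """Constructed scenario: a session that skipped the token page posts directly
    to the first-user handler, before and after the wizard is completed."""
    weak, hard = Server(), Server()
    skipped = Session()                          # never entered the token
    verified = Session(setup_token_verified=True)
    results = {
        "weak_skipped_token": weak.first_user_ui_only(skipped, "someone"),
        "hard_skipped_token": hard.first_user_hardened(skipped, "someone"),
        "hard_verified": hard.first_user_hardened(verified, "admin"),
    }
    hard.install_state = RUNNING                 # wizard completed
    results["hard_after_wizard"] = hard.first_user_hardened(verified, "late")
    results["hard_users"] = sorted(hard.users)
    return results
```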

People

  • Assignee: kzantow Keith Zantow
  • Reporter: danielbeck Daniel Beck
  • Votes: 0
  • Watchers: 4
