Skip to content

Any-berg/quickbuild

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Introduction

QuickBuild supports external authentication mainly through Active Directory and LDAP; Jira and TeamForge are available as options, yet there isn't any documentation for either.

protect

OpenID Connect (OIDC) authentication becomes possible when QuickBuild runs behind a Reverse Proxy that operates as a Relying Party protecting some part of the backend content. The need to preserve Anonymous Access and Internal Authentication places heavy restrictions on what can actually be protected.

Why Self-Register?

This implementation sacrifices the Self-Registering functionality to repurpose it as a protected authentication/callback URL, and to gain its UI links. Related requests are diverted to the chosen OIDC provider, and corresponding callbacks return with an authentication header that determines the user's Login Name for Single Sign-On.

unauthorize

The reverse proxy needs to ensure that all other requests coming to it are stripped of this authentication header; the authentication/callback URL is already protected from tampering.

Never Trust Localhost!

QuickBuild has to trust the authentication header from some specified IP address. Surprisingly, localhost cannot be trusted because of its potential for Privilege Escalation: already authenticated users can find out who the administrators are and thereby know their Login Names - and they don't even need RESTful API Accessible, Script Allowed or inherently dangerous permissions like EDIT_SETTINGS, CREATE_SCRIPT and RUN_BUILD, to authorize their RESTful API calls with the authentication header, from shell commands executed locally as the QuickBuild process user, via QuickBuild scripts that any user can insert even without any permissions. Since localhost requests bypass the reverse proxy, there is no way to strip them of the authentication header.

trust

Containerizing the reverse proxy gives it a distinct IP that can be trusted, and even a possible Binding Address for QuickBuild; that would force all requests, including RESTful API calls from the server build node, to go through the proxy. This wouldn't give any additional security, since localhost authentication headers are already not trusted.

Login Name Changes

My Setting normally allows users to change their Login Name. This causes problems for any external authenticator. Using Single Sign-On has forced the reverse proxy to disable Login Name changing as a security risk: it could be used to secretly initialize the accounts of still unregistered colleagues with preset passwords. If someone's Login Name still needs to be changed, administrators can do that from User Management.