88 changes: 85 additions & 3 deletions README.md
@@ -1,4 +1,4 @@
Jenkins Reverse Proxy Authentication and Authorisation Plugin
# Jenkins Reverse Proxy Authentication and Authorisation Plugin

The Reverse Proxy Plugin providers developers the ability to have easy and simple Authentication and Authorisation using SSO techniques. The plugin expects that the user to have Jenkins authenticated agains will be informed via a HHTP header field.
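Review bot: The heading conversion is fine, but the intro sentence kept as context right below it still carries three typos that this README rework should pick up: "providers" should be "provides", "HHTP" should be "HTTP", and "expects that the user to have Jenkins authenticated agains will be informed via a HHTP header field" reads better as "expects the user name that Jenkins should authenticate against to be supplied in an HTTP header field". Fixing them in this PR avoids a separate follow-up commit for one sentence.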

@@ -7,8 +7,10 @@ When it comes to Authorisation, the plugin has been extended in order to offer t
The default values for the HTTP header fields are:

1. Header User Name: X-Forwarded-User
2. Header Groups Name: X-Forwarded-Groups
3. Header Groups Delimiter: |
2. Header User Mail: X-Forwarded-Mail
3. Header User Display Name: X-Forwarded-DisplayName
4. Header Groups Name: X-Forwarded-Groups
5. Header Groups Delimiter: |

The LDAP options can be displayed via the Advanced... button, located on the right side of the security settings.
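Review bot: The expanded list now documents five trusted header names (user, mail, display name, groups, delimiter) but nothing in this section says that the reverse proxy must unset or overwrite every one of them on each request before it reaches Jenkins; if any of them is only set when the proxy has a value, or if Jenkins is reachable directly, the client can choose its own user name, mail address and group list. Suggest adding one sentence after the list, e.g. "The proxy must strip or overwrite all of these headers on every request; values supplied by the client must never reach Jenkins", and referring to the RequestHeader unset lines in the httpd example added further down in this PR.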

@@ -18,3 +20,83 @@ If the username is not forwaded to Jenkins, the user will be authenticated as AN

However, once the LDAP is properly configured instead of groups on the HTTP header, there is guarantee that only the groups of a given user will be returned. There is no possibility to get groups injected via the header.


## Apache httpd configuration example

Here is a simple httpd configuration (apache.conf) made to proxypass 1 to 100 jenkins called ci00 to ci99.
Basic authentication uses an AuthUserFile and many AuthLDAP.
User, display name, mail and groups are injected as headers.
Injected groups are the ldap ones and the local httpd ones (in dbm format).

```
<Location /ci01>
AuthBasicProvider auth-file ldap-1 ldap-2
AuthType Basic
AuthName "Jenkins"

Require valid-user
Order deny,allow
Allow from all
</Location>

<Location /ci02>
AuthBasicProvider auth-file ldap-1 ldap-2
AuthType Basic
AuthName "Jenkins"

Require valid-user
Order deny,allow
Allow from all
</Location>


#Redirect jenkins (for headers)
RewriteRule ^/ci01$ /ci01/ [R]
RewriteRule ^/ci02$ /ci02/ [R]

ProxyPass /ci01 http://jenkins-1-real-address/ci01 nocanon
ProxyPassReverse /ci01 http://jenkins-1-real-address/ci01

ProxyPass /ci02 http://jenkins-2-real-address/ci02 nocanon
ProxyPassReverse /ci02 http://jenkins-2-real-address/ci02

RewriteMap jenkins-groups dbm:/path-to-jenkins-groups.dbm

#WARNING jenkins is not protected on direct access !
#Allow any jenkins from ci00 to ci99


#Keep the location match regex as simple as possible
#Otherwise we may send some internal js call without authentication.
<LocationMatch "^/ci\d\d">

# jenkins reverse proxy auth configuration
# prevent the client from setting this header
RequestHeader unset X-Forwarded-User
RequestHeader unset X-Forwarded-Groups
RequestHeader unset X-Forwarded-Mail
RequestHeader unset X-Forwarded-DisplayName

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

# Adds the X-Forwarded-User header that indicates the current user name.
# this portion came from http://old.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-td2911573.html#a2914465
RewriteEngine On
# see the Apache documentation on why this has to be lookahead
RewriteCond %{LA-U:REMOTE_USER} (.+)
# this actually doesn't rewrite anything. what we do here is to set RU to the match above
# "NS" prevents flooding the error log
RewriteRule .* - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e

#inject mail & display name
RequestHeader set X-Forwarded-Mail %{AUTHENTICATE_MAIL}e
RequestHeader set X-Forwarded-DisplayName %{AUTHENTICATE_DISPLAYNAME}e

#inject groups
RewriteRule .* - [E=RG:${jenkins-groups:%{REMOTE_USER}}]
RequestHeader set X-Forwarded-Groups %{RG}e
</LocationMatch>

```
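Review bot: The header injection lines `RequestHeader set X-Forwarded-User %{RU}e`, `... X-Forwarded-Groups %{RG}e`, `... X-Forwarded-Mail %{AUTHENTICATE_MAIL}e` and `... X-Forwarded-DisplayName %{AUTHENTICATE_DISPLAYNAME}e` have no `env=` condition, so on a request where the variable is unset (an unauthenticated hit on a path that matches `^/ci\d\d` but has no `<Location>` with `Require valid-user`, which the comment "#Allow any jenkins from ci00 to ci99" explicitly permits) mod_headers substitutes the literal string "(null)" and Jenkins receives a user named "(null)" rather than no user. Append the condition to each line, e.g. `RequestHeader set X-Forwarded-User %{RU}e env=RU`, so the header is only set when the variable exists; the preceding `RequestHeader unset` lines then guarantee it is absent otherwise. Second, the prose above the config says "Injected groups are the ldap ones and the local httpd ones (in dbm format)", but the only group source in the config is the `jenkins-groups` RewriteMap; the `ldap-1` and `ldap-2` providers referenced in AuthBasicProvider are never defined, so neither LDAP group membership nor the attribute list that is supposed to populate AUTHENTICATE_MAIL and AUTHENTICATE_DISPLAYNAME can be reproduced from the example. Either add the provider alias definitions with their AuthLDAPURL attribute list, or reword the sentence to say groups come from the dbm map only.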
2 changes: 1 addition & 1 deletion pom.xml
@@ -7,7 +7,7 @@
</parent>

<artifactId>reverse-proxy-auth-plugin</artifactId>
<version>1.4.1-SNAPSHOT</version>
<version>1.5</version>
<packaging>hpi</packaging>

<name>Jenkins Reverse Proxy Auth Plugin</name>
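Review bot: Changing `<version>1.4.1-SNAPSHOT</version>` to the release version `<version>1.5</version>` in the same PR as a README rewrite mixes a release step into a documentation change; the release tooling normally sets the release version and the following -SNAPSHOT in their own commits, so this hunk should be dropped from the PR or split into a separate commit so the documentation change can be merged and reverted independently of the release.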