Google authentication for Gerrit and Jenkins

Update 2014/11/05: For those coming here the first place read on below. Thanks hans-zandbelt for the feedback. It is incorporated in the updated version. The setup now uses the suggested improvements and only uses mod_rewrite to redirect the gerrit logout url to the right place. Also note that instead of only using the non-domain part of the email the email is used unmodified. This means that if you happen to have an existing setup you need to change username mappings.

For Jenkins do the following:

• move ${jenkins_home}/users/youruser to ${jenkins_home}/users/youruser@yourdomain
• open ${jenkins_home}/config.xml search "youruser" and replace with youruser@yourdomain

For Gerrit:

either on the machine itself (change GERRIT_HOME to where it is on your machine):

• open the sql database with one of the two methods below:

  1. [Recommended] Either through the gerrit command available through ssh:

     ssh  gerrit.revault.ch gerrit  gsql

  2. OR on the machine itself (change GERRIT_HOME to where it is on your machine):

     export GERRIT_HOME=/var/gerrit_homepushd ${GERRIT_HOME}java -cp $(find . -name "h2*.jar") org.h2.tools.Shell -url "jdbc:h2:file:${GERRIT_HOME}/db/ReviewDB;IFEXISTS=TRUE"

• show external

  select * from ACCOUNT_EXTERNAL_IDS;

• the external ids map your account to different usernames, emails etc.

• the ones prefixed with username: e.g. username:test@example.com are for ssh / git login names
• the ones prefixed with gerrit: e.g. gerrit:test@example.com are used for the web interface

• for a given account_id you can just add new mappings for existing users using sql: e.g.

  insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'username:test@example.com');insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'gerrit:test@example.com');

Solution

You can use an Apache as a reverse proxy handling authentication for you:

Gerrit

Assuming you already have installed Gerrit and it is listening on address 10.10.10.10:8080.You will have to configure gerrit to use basic authentication, the [auth] section in your ${gerrit_installation}/etc/gerrit.config should look like this:

[gerrit]        basePath = git        canonicalWebUrl = http://gerrit.example.com[database]        type = h2        database = db/ReviewDB[index]        type = LUCENE[auth]        type = HTTP        emailFormat = {0}@example.com        httpHeader =  X-Forwarded-User[sendemail]        smtpServer = localhost[container]        user = gerrit        javaHome = /usr/lib/jvm/java-8-oracle/jre[sshd]        listenAddress = 10.10.10.10:2222[httpd]        listenUrl = http://10.10.10.10:8080/[cache]        directory = cache

The username will be in the header X-Forwarded-User. That's how Apache will forward the usernameto Gerrit.

On Apache we will use mod_auth_openidc which has support for oauth2. For further information andexample docs refer to https://github.com/pingidentity/mod_auth_openidc. On a recent Ubuntu the installationlooks like this:

sudo aptitude install libjansson-dev apache2 apache2-dev libcurl4-openssl-dev build-essential autoconf libhiredis-devgit clone https://github.com/pingidentity/mod_auth_openidc.gitcd mod_auth_openidc./autogen.sh ./configuremakesudo make installsudo a2enmod auth_openidcsudo a2enmod proxysudo a2enmod proxy_httpsudo a2enmod headerssudo a2enmod rewrite

You will need to add a site configuration e.g. gerrit.conf similar to the one below (you probably want TLS, too) to /etc/apache2/sites-available and activate it with:

sudo a2ensite gerrit.conf

The file /etc/apache2/sites-available/gerrit.conf looks like this:

<VirtualHost *:80>ServerName gerrit.example.comServerAdmin webmaster@localhostDocumentRoot /var/www/htmlErrorLog ${APACHE_LOG_DIR}/error.logCustomLog ${APACHE_LOG_DIR}/access.log combinedOIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configurationOIDCClientID <from api console>OIDCClientSecret <from api console>OIDCScope "openid email profile"OIDCRedirectURI http://gerrit.example.com/oauth2callbackOIDCCryptoPassphrase <generate long random passphrase here, no sure if used>OIDCSessionInactivityTimeout 600OIDCCookiePath /OIDCAuthRequestParams hd=example.comOIDCRemoteUserClaim emailOIDCAuthNHeader X-Forwarded-UserRewriteEngine On#LogLevel alert rewrite:trace2RewriteRule ^/logout$ /oauth2callback?logout=http://gerrit.example.com/ [R]ProxyPass /  http://gerrit.example.com:8080/ nocanonProxyPassReverse / http://gerrit.example.com:8080/ProxyRequests     OffAllowEncodedSlashes NoDecode<Proxy http://gerrit.example.com:8080/*># add rewrites here if necessary</Proxy><Location />   AuthType openid-connect   Require claim hd:example.com   Require valid-user</Location></VirtualHost>

In order to get the parameters OIDCClientID and OIDCClientSecret go to the api console under https://console.developers.google.com/project. The credentials are in the context of a project if you haven't one create a project first. E.g. example-it-authentication

On the project go to APIs & auth:

• Under APIs activate Google+ API.
• Under Credentials, OAuth create new Client ID.
• Fill in OIDCClientID and OIDCClientSecret in your apache config (e.g. gerrit.conf)
• Under Consent screen fill in email and product name (you will get an error if you don't)

service apache2 restart

You should be done!

Jenkins

Assuming you already have installed Jenkins and it is listening on 10.10.10.11:8080.

For Jenkins the configuration is almost identical. You will need to install and activate the Reverse Proxy Auth Plugin http://wiki.jenkins-ci.org/display/JENKINS/Reverse+Proxy+Auth+Plugin. Under Configure Global Security check the "HTTP Header by reverse proxy" radio.

The default values correspond to the configuration below. You will need to create credentials matching the jenkins hostname in the api console https://console.developers.google.com/project. Report them to your config as before (e.g. jenkins.conf). That should be all.

<VirtualHost *:80>ServerName jenkins.example.comServerAdmin webmaster@localhostDocumentRoot /var/www/htmlErrorLog ${APACHE_LOG_DIR}/error.logCustomLog ${APACHE_LOG_DIR}/access.log combinedOIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configurationOIDCClientID <from api console>OIDCClientSecret <from api console>OIDCScope "openid email profile"OIDCRedirectURI http://jenkins.example.com/oauth2callbackOIDCCryptoPassphrase <generate long random passphrase here, no sure if used>OIDCSessionInactivityTimeout 600OIDCCookiePath /OIDCAuthRequestParams hd=example.comOIDCRemoteUserClaim emailOIDCAuthNHeader X-Forwarded-UserProxyPass /  http://jenkins.example.com:8080/ nocanonProxyPassReverse / http://jenkins.example.com:8080/ProxyRequests     OffAllowEncodedSlashes NoDecode<Proxy http://jenkins.example.com:8080/*># add rewrites here if necessary</Proxy><Location />   AuthType openid-connect   Require claim hd:example.com   Require valid-user</Location><Location ~ "^/(cli|jnlpJars|subversion|whoAmI|computer/[^/]+/slave-agent.jnlp|tcpSlaveAgentListener)"> Satisfy Any Allow from all </Location></VirtualHost>

Currently there doesn't seem to be support for groups in mod_auth_openidc. If you need groups you can install an LDAP that stores them (but this probably isn't what you want since you are using Google auth) or wait until it is supported by mod_auth_openidc.

Google's OpenID 2.0 has been superseded by OpenID Connect. The Apache module mod_auth_openidc implements OpenID Connect so it can be used in a reverse proxy that fronts Gerrit/Jenkins as described by revau.lt.

However, be aware that relying on the non-domain part of an e-mail address as a unique identifier is insecure unless you restrict logins to a specific domain using the following two configuration settings:

OIDCAuthRequestParams hd=example.com

to skip Google's account chooser screen, and in the <Location> section:

Require claim hd:example.com

to restrict access to only users from the example.com Google domain. If your application is open to any Google account you should not use the e-mail prefix as the primary identifier because you run the collision risk that users in different domains have the same user prefix.

That is why it is better to rely on the full e-mail address, e.g.

OIDCRemoteUserClaim email

or the (opaque) primary identifier that Google uses in the sub claim, e.g.:

OIDCRemoteUserClaim sub

Furthermore, instead of rewriting claims in to headers you can just use:

OIDCAuthNHeader X-Forwarded-User

Migration from OpenID 2.0 to OpenID Connect (retaining OpenID 2.0 user identifiers) is possible to, as described here and here, so you'd use:

OIDCAuthRequestParams openid.realm=<urlencoded-realm-value>OIDCRemoteUserClaim openid_id

For an exhaustive overview of configuration primitives see: https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf

As I know the fastest way to login into Gerrit with Google account is:

1. Create Client ID in Google Developers Console
2. Download this release of Gerrit and Google-OAuth-provider plugin
3. Re-initialize Gerrit: java -jar gerrit-2.10.1-4-a83387b.war init -d gerrit_site_path
4. And restart it: gerrit_site_path/bin/gerrit.sh restart

To Jenkins is new Google-login plug-in.