I'm using SonarQube (ver4.3.2) and I'm trying to get project list that the API caller user is allowed to see. I found a following API which can get project list:
http://nemo.sonarsource.org/api/resources
When I call this API, then I get all SonarQube's projects though the API caller user doesn't have brows permission for some projects. The API caller a user means user which is authorized by http basic authentication. I want to get only project list which the API caller user can see.
Is it possible?
Regards,
Michael
When calling the "/api/resources" WS, you will get only the projects you are allowed to see - which indeed means projects for which the user has the "Browse" permission.
If you get all the projects of your SonarQube instance when calling this WS, this means that your permissions allow this and you should review them. For instance, maybe the group "anyone" is set on the "Browse" permission of each project? (which is the default configuration of SonarQube by the way).
Related
I would like to develop a custom plugin restricting access to certain parts of SonarQube (Deletion of project, Modification of permissions etc) depending on their assignment to different groups.
I was able to implement a filter which will redirect a user in case he tries to access page which is restricted to him.
There are 2 problems I am facing.
I am not able to get the logged in user (I am able to get his ID via request session but I am not able to get any more information about him.).
I am not able to get information about groups the user belongs to.
There might be an api for this however I am not able to find any examples or the documentation that might help me.
SonarQube version: 5.6.6
Security Realm: Crowd
Thank you,
Jakub
Sorry, but it's not possible to customize pages access of SonarQube.
I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.
I need to create a service reference to the Magento 2 SOAP API in my Visual Studio project. So I've created an Integration in the Magento backend, gave it All access and activated it.
But when I try to access the WSDL for (ie. the customer API) at http://my.magento/soap/default?wsdl&services=customerCustomerRepositoryV1, I get the exception:
Consumer is not authorized to access %resources
Ok, I get it. I need my access token to access these specific 'admin' API's. Because public API's like 'quoteGuestCartRepositoryV1' do work. When I get the full API list at http://my.magento/soap/default?wsdl_list=1 it also only lists public/guest API's.
No problem so far, but when I try to add the 'customerCustomerRepositoryV1' as a service reference in Visual Studio, of course the authorized exception is thrown. But I have no way of actually adding the access token to the header there.
Is there a way to get access to all WSDL's anonymously? Magento 1.x used to allow this.
Yes, it is a Magento error. The WSDL is not available anonymous anymore since a recent Magento release. I think it's a stupid decision by the devs.
https://github.com/magento/magento2/issues/5330#issuecomment-255222166
And for the 'solution': https://community.magento.com/t5/Programming-Questions/Magento-2-C-APIs-SOAP-problem/m-p/49677#M1206
Since approx 5:30 UTC we are receiving only this response for this api call
https://www.googleapis.com/appsmarket/v2/customerLicense/{appId}/{customer}
{"error":{"errors":[{"domain":"global","reason":"forbidden","message":"Not authorized to access the application ID"}],"code":403,"message":"Not authorized to access the application ID"}}
but there has not been any previous development or changes on our side and this affects all of our marketplace applications.
Any ideas what is going on and how to fix/workaround this issue?
This issue should now be fixed by Google.
If you are still experiencing 403 Forbidden on marketplace API calls make sure you are following these guidelines
Access to these APIs is restricted: only project members of the
Developer Console project associated with your application may use the
API. Specifically, these project members must be in Can Edit or Is
Owner roles. You may also access UserLicense and CustomerLicense as
the logged in user to your app. Refer to
https://cloud.google.com/compute/docs/access/add-remove-change-permissions-for-team-members to learn how to
add members to your project.
For example by doing the API requests using a service account in the Google Cloud Platform Project for you application without using any impersonation/delegation.
Background
I have a Web API registered in Azure AD and secured using WindowsAzureActiveDirectoryBearerAuthentication (OAuth2 bearer token). This is a B2B-type scenario where there are no interactive users - the applications calling the API are daemon-like background apps. As such, I don't need any consent experience - I just want trusted applications to be able to call the API, and other applications - even if they present a valid OAuth token - to be denied.
What I've tried
This sample seemed to describe my scenario almost exactly. However, the way it determines if a caller is a trusted app or not is by comparing the clientID presented via a claim by the caller to a hard-coded value. Obviously you could store the list of trusted clientIDs externally instead of hardcoding, but it seems like I should be able to accomplish this via configuration in the AAD portal so that a) I don't have to maintain a list of clientIDs, and b) I don't have to write my own authorization logic.
It seems like I should be able to define a permission for my API, grant that permission to each calling app in AAD (or a one-time admin consent), and then in my API just check for the presence of that permission in the scp claim.
From looking at the portal it seems like this is what Application Permissions are intended for:
I can create a permission just fine via the application manifest. Unfortunately, I can't figure out how to specify that it's an Application Permission, not a Delegated Permission! I tried changing the type from User to Admin as described on MSDN, but that seemed to have no effect.
"oauth2Permissions": [
{
...
"type": "Admin",
...
}
Question
Am I correct that Application Permissions are the best solution for my scenario? If so, how do I configure it? Or, as I fear, is this yet another feature that is On The Roadmap™ but not currently functional?
Ben, Application Permissions are declared in the appRoles section of the manifest. Indeed, if you declare an appRole called say 'trusted' in your resource application's (storage broker demo) manifest - it will show up in the Application Permissions drop down there. Then, when you assign that Application Permission to the client app - the access token that the client app will receive using the client credentials OAuth flow will contain a roles claim with value 'trusted'. Other apps in the tenant will also be able to get an access token for your resource app - but they wont have the 'trusted' roles claim. See this blog post for details: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Finally, the above way to assign an application permission to a client app only works when both the resource and client application are declared in the same directory - if however these apps are multi-tenant and a customer will install these apps separately - a global admin from customer's directory will need to consent to the client app - which will result in the application permission getting assigned to the instance of client app in the customer's tenant. (my blog post covers this too)
Hope this helps.
ps: if you're stuck - feel free to ping me on the contact page of http://www.dushyantgill.com/blog