Sonarqube 4.5 provisioning / authorization - sonarqube

We are using Sonhrqube 4.5 that is integrated into Google's oAuth sign-on. There are no issues with logging in (Authentication). Certain users have been provisioned with sonar-administrators role. But for some reason, the admin role keeps dropping for some users (leaves the user with sonar-users role). We have tried granting them admin access again, but it keeps happening. Also tried creating a brand new group and assigning that group to the user, but still same thing happens. Any thoughts? If you need any other information, let me know.
Just additional info, not sure if it matters - We are using the sonar-oauth-plugin from JCERTIFLab for integration with Google's signon/oauth. This plugin automatically creates users with default role - sonar-users.
Thanks in advance!

It turned out to be an issue with the Sonar plugin used for integration with google's Oauth. Every time a user is authenticated, permissions get overwritten. To overcome the problem temporarily, we predefined a list of users with admin access in the properties file.

Related

How to reduce the standard scope authorization requst spring boot sends to azure active directory

I want to use azure active directory as my authentication provider for my Spring boot application. Which seems to be quite easy as long as you've got either admin rights yourself or you know someone with admin rights who can give you permission for the tickbox "Directory.AccessAsUser.All". Unfortunatly I dont have that. I know due to other successful projetcs that azure itself gives the oppertunity to still act as an authentication provider even without given any permission to the API Call permission section.
When I start the Server and go on localhost:8080/home whilst tracking my network traffic I can see in the Autherization file the following scope: openid profile https://graph.microsoft.com/User.Read https://graph.microsoft.com/Directory.AccessAsUser.All
So My Idea of Handling this is to reducing the scope of the Authorization request spring is asking for, to meet the authorization scope which I allowed in azure. Which is all of them but the last one as mentioned before.
I tried to configure the scope in my application.propertie with the following: spring.security.oauth2.client.registration.azure.scope=openid
So what happens is after im trying to access my application online im redirected to the mircosoft login page. After putting in my details im getting this:
In order to be able to access resources in your organization, requires authorization that only an administrator can grant. Ask
an administrator to grant permission for this app so that you can use
the app.
Has anyone an Idea of how to handle this?
I'd be greatfull for any help!
I think you can only log in as an administrator, because you are using the SDK provided by Microsoft when you log in, so you cannot customize the scope of permissions in application.propertie.
When you log in to the application, it will require you to consent to all permissions. If you just log in as a user, you cannot consent to all permissions. So, at least in the login module, I think it cannot meet your requirements.
Usually we can customize the scope of permissions only when requesting an access token. For example, if you only need to read user permissions, you can set: scope: https://graph.microsoft.com/User.Read .
Login sample.
Ok, I found the Problem. In my application.property I had this line of code azure.activedirectory.user-group.allowed-groups=. That was reponsible for the bigger scope. After deleting it everything worked fine.

zapier magento2.1.11 authentication gets lost

I setup a user role that has (currently) simply all resources.
I setup a user that has this role.
I authenticate with the user credentials (user and password, no store code) in zapier to create a connected magento2 account.
After some time my zap does not work anymore because the connected account cannot access my magento anymore.
I can just hit reconnect in zapier enter the same credentials as above and it works again.
But after some time it again does not work.
Looking at the magento documentation this is because custom and admin accounts expire after 1 or 4 hours.
Reading the documentation I would need an integration to have unlimited access.
But in zapier I cannot enter tokens or anything.
So I really wonder how I would set this up. If it is possible.
Or is just zapiers integration borked?
What is strange though is that this behavior began after upgrading to Magento version 2.1.11.
Other 2.1.x versions before did not have this problem.
David here, from the Zapier Platform team.
That's a known bug on our end. In the meantime, you can override this via Configuration > Services > OAuth > Access Token Expiration

SonarQube plugin - users access management

I would like to develop a custom plugin restricting access to certain parts of SonarQube (Deletion of project, Modification of permissions etc) depending on their assignment to different groups.
I was able to implement a filter which will redirect a user in case he tries to access page which is restricted to him.
There are 2 problems I am facing.
I am not able to get the logged in user (I am able to get his ID via request session but I am not able to get any more information about him.).
I am not able to get information about groups the user belongs to.
There might be an api for this however I am not able to find any examples or the documentation that might help me.
SonarQube version: 5.6.6
Security Realm: Crowd
Thank you,
Jakub
Sorry, but it's not possible to customize pages access of SonarQube.

Google Apps Marketplace - changing scopes

We have an existing app that's registered in the Google Apps Marketplace. We now need to retire one scope that it uses and add another.
We are trying to decide whether we:
delete and add in one go; or
add the new one and then retire the other one at a later date.
I appreciate that adding a scope will require an admin to grant access to the App again, but can anybody confirm the impact of removing a scope? Does that also cause the admin to grant access again?
In short: does any change require admin intervention, or just scope additions?
Old scopes (that were requested and approved by user and you delete them from your marketplace SDK configuration page) that were approved by user at certain time will still remain approved for the user until he revokes the data access and re-grant it again.
New scopes as said by KENdi will not be approved until user approves (re-grant) access again, though all old scopes still will be available for you.
AFAIK you can add a new scope with the Google Apps Marketplace without deleting the old or unused scope. But take note note that your customer will still need to grant the access for the new scope/s in the ADMIN console.
Based on this FAQ, to update OAuth scopes, enable new extensions, and other application settings, go to Google API Console. Click APIs, then go to the Configuration tab under Google Apps Marketplace SDK.
For more information, check this documentation.

SonarQube readonly permissions

I don't find a way to allow authenticated user to only view the information in SonarQube but change nothing. Is it possible, at all?
The minimal role is "BROWSE: Access a project, browse its measures, and create/edit issues for it." which is too much unprotective.
I am using the latest version: 5.6.1.
You're right, there is currently no way to prevent an authenticated user to comment an issue for instance. The same way on Github there is no way to prevent an authenticated user to comment any issue.

Resources