Gerrit User Authentication

David Ostrovsky

Gerrit User Authentication

Gerrit is code review tool and not identity management system
Gerrit relies on external identity management providers
Different kinds of authentications in Gerrit:
- Gerrit UI (interactive) authentication
- Git authentication
- Gerrit Batch CLI authentication

Gerrit UI authentication

Built in
- LDAP
- OpenID (Google, Launchpad, Fedoraproject, …)
- OpenID SSO (pinned to one provider)
Third party
- HTTP (frontend reverse proxy)
- Custom (closed source) solutions
Pluggable authentication option?
- no
OAuth2?
- no (GitHub, Butbucket, … not supported)

Auth schemes used by open source projects

OpenStack: OpenID SSO (Launchpad)
LibreOffice: OpenID (Google, Launchpad, Fedoraproject, …)
Wikimedia: LDAP

Google shuts down the OpenID 2.0

Announced one year before the deadline: April 20, 2015

OpenID 2.0 for Google Accounts has gone

img/openid-for-google-accounts-has-gone.png

Adjust Gerrit to Google’s OpenID 2.0 shutdown

Replace one line in login form:
"Sign in with a Launchpad ID"
instead of
"Sign in with a Google"

Migration path from Google OpenID 2.0 to …

Migrate to Google OAuth2
Except that …
Gerrit doesn’t support OAuth2
Now what?

Options for Gerrit users

Migrate Gerrit site to LDAP
- Additional infra-task
- Self service application is needed
- Look at https://github.com/pwm-project/pwm
Ask users to switch to another OpenID provider
- Really?

Vote on the issue in issue tracker

img/gerrit-issue-openid-not-supported-by-google.png

So let’s add GitHub OAuth support to Gerrit core

Almost 1 year development / 57 patch sets
Endless reviews, suggestions, discussions

img/github-oauth-support-in-gerrit-core.png

Lessons learned?

OAuth2 provider implementation doesn’t fit in Gerrit core
Every single provider has
- application id and secret (unique per site)
- application callback URL (unique per site)
- different URL to authenticate user
- different URL and the API to retrieve user identity
- additional library dependencies may be introduced
- additional services may be provided:
  - SSH key, organizations, groups, …

Pluggable OAuth provider approach (1)

New authenticaton scheme: OAUTH
Only add extension point to Gerrit core
No provider code and dependencies in core
Code is implemented as plugin
One plugin can support multiple OAuth providers
SSO is given for granted when single provider used

Pluggable OAuth provider approach (2)

@ExtensionPoint
public interface OAuthServiceProvider {
  /**
   * Returns the URL where you should redirect your users to
   * authenticate your application.
   */
  String getAuthorizationUrl();

  /**
   * Retrieve the access token
   */
  OAuthToken getAccessToken(OAuthVerifier verifier);

   /**
   * After establishing of secure communication channel,
   * this method supossed to access the protected resoure
   * and retrieve the user infos.
   */
  OAuthUserInfo getUserInfo(OAuthToken token) throws IOException;
}

Pluggable OAuth provider approach (3)

img/gerrit-pluggable-oauth-provider-approach.png

Pluggable OAuth provider approach (4)

img/gerrit-oauth-provider-plugin.png

Pluggable OAuth provider approach (5)

img/gerrit-oauth-signin-multiple-providers.png

GitHub OAuth plugin

public class GitHubApi {

  private static final String AUTHORIZE_URL =
      "https://github.com/login/oauth/authorize?client_id=%s&redirect_uri=%s";

  @Override
  public String getAccessTokenEndpoint() {
    return "https://github.com/login/oauth/access_token";
  }
  [...]

Google OAuth plugin

public class GoogleApi {

  private static final String AUTHORIZE_URL =
      "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=%s&redirect_uri=%s&scope=%s";

  @Override
  public String getAccessTokenEndpoint() {
    return "https://accounts.google.com/o/oauth2/token?grant_type=authorization_code";
  }
  [...]

Job done

For new Gerrit site we can use plugin for:
- GitHub
- Google
- Bitbucket
- CloudFoundry User Account and Authentication (UAA)
But wait …
What is with existing Gerrit sites?

What is with existing Gerrit sites?

Migration path from OpenID to OAuth?
How to replace legacy OpenID providers:
- Launchpad, Fedoraproject, …
- that don’t support OAuth2 protocoll
- Ask users to switch to OAuth2 provider?
- Really?

Hybrid OpenID+OAuth auth scheme (1)

Preserve old authenticaton scheme: OPENID
Install one or more OAuth2 plugins
Gerrit core detects the plugins and OAuth2 providers
offered in addition to OpenID providers

Hybrid OpenID+OAuth auth scheme (2)

img/gerrit-oauth-openid-hybrid-auth-scheme.png

Hybrid OpenID+OAuth auth scheme (3)

In the wild: https://review.cyanogenmod.org/login

Linking between OpenID and OAuth

User Identity linking is supported in Gerrit
- OpenID → OpenID
- OpenID → OAuth
- OAuth → OpenID
- OAuth → OAuth

Resources

Questions

New and Noteworthy in Gerrit (1)

Further development of inline edit feature
Submit whole topic feature
Signed push support

New and Noteworthy in Gerrit (2)

Signed push support can be enabled by setting
receive.enableSignedPush to true.`
When a client pushes with git push --signed,
Gerrit ensures that the push certificate is valid and

signed with a valid public key stored in the

refs/gpg-keys branch of the All-Users repository.

New and Noteworthy in gerrit (3)

img/gerrit-import-gpg-key-view.png

New and Noteworthy in Gerrit (4)

img/gerrit-signed-push-confirmation.png

New and Noteworthy in Gerrit (5)

PolyGerrit: revamped UI based on Google JavaScript Polymer framework
Only supports very basic stuff
Already used by Google Chromium project for real review workflow
https://canary-chromium-review.googlesource.com/?polygerrit=1

New and Noteworthy in Gerrit (6)

Replace database with Git backend

New and Noteworthy in Gerrit (7)

Git Ketch multi master replication in JGit
Announcement on JGit mailing list:
- https://dev.eclipse.org/mhonarc/lists/jgit-dev/msg03073.html
Based on the Raft consesnus algorithm
- https://raft.github.io/
First commit was merged:
- https://git.eclipse.org/r/64206

Conclusion

New features to get excited about
Stay tuned
You can help by providing feedback

Thank you

David Ostrovsky

Maintainer, Gerrit Code Review