Plugin does not work in master branch with oauth.type=OAUTH #84

hundt · 2017-03-01T20:03:05Z

It appears that choosing this auth type means that Gerrit now expects a plugin to include an OAuthLoginProvider to be used for logging in. Since gerrit-oauth-provider does not include this, the plugin no longer works.

I was still able to get the plugin to work by using the OPENID_SSO auth type, but the plugin docs say not to do that so I'm concerned that it is not a good workaround.

edit: looking into it more, I guess the issue is that on the master branch of gerrit the logic in GitOverHttpModule.java is different: it sets authFilter = ProjectOAuthFilter.class whenever the auth type is OAUTH, whereas in the release branch it requires basic auth to be enabled as well. This was done in commit 84d830b5b350fdbae7c075473bceea9ec619b3c9

The text was updated successfully, but these errors were encountered:

davido · 2017-03-02T05:56:37Z

I'm seeing this exception too on most recent gerrit master (cd0c6ba34a7c681ab022263fd82fd83b499af79a), investigating.

[2017-03-02 07:48:19,262] [main] ERROR com.google.gerrit.pgm.Daemon : Unable to start daemon
java.lang.IllegalStateException: Cannot start HTTP daemon
	at com.google.gerrit.pgm.http.jetty.JettyServer$Lifecycle.start(JettyServer.java:106)
	at com.google.gerrit.lifecycle.LifecycleManager.start(LifecycleManager.java:92)
	at com.google.gerrit.pgm.Daemon.start(Daemon.java:320)
	at com.google.gerrit.pgm.Daemon.run(Daemon.java:229)
	at com.google.gerrit.pgm.util.AbstractProgram.main(AbstractProgram.java:61)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.google.gerrit.launcher.GerritLauncher.invokeProgram(GerritLauncher.java:203)
	at com.google.gerrit.launcher.GerritLauncher.mainImpl(GerritLauncher.java:108)
	at com.google.gerrit.launcher.GerritLauncher.main(GerritLauncher.java:63)
	at Main.main(Main.java:24)
Caused by: javax.servlet.ServletException: No OAuth login provider installed
	at com.google.gerrit.httpd.ProjectOAuthFilter.pickOnlyProvider(ProjectOAuthFilter.java:196)
	at com.google.gerrit.httpd.ProjectOAuthFilter.init(ProjectOAuthFilter.java:100)
	at com.google.inject.servlet.FilterDefinition.init(FilterDefinition.java:111)
	at com.google.inject.servlet.ManagedFilterPipeline.initPipeline(ManagedFilterPipeline.java:99)
	at com.google.inject.servlet.GuiceFilter.init(GuiceFilter.java:226)
	at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:139)
	at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:873)
	at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:349)
	at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:778)
	at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
	at org.eclipse.jetty.server.Server.start(Server.java:422)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
	at org.eclipse.jetty.server.Server.doStart(Server.java:389)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at com.google.gerrit.pgm.http.jetty.JettyServer$Lifecycle.start(JettyServer.java:92)
	... 12 more

davido · 2017-03-02T08:31:38Z

Fixed in: [1].

[1] https://gerrit-review.googlesource.com/98997

hundt · 2017-03-02T12:54:29Z

Yes, the problem was that gerrit wouldn't start. Sorry for the unclear report.

davido · 2017-03-02T12:58:24Z

Thanks for the report. Should be fixed now. I will merge the fix in this repository, once it's accepted on Gerrit-review.

hundt · 2017-03-02T13:20:24Z

Thanks!

Since [1] OAuthLoginProvider is required for oauth provider plugin to work. [1] https://gerrit-review.googlesource.com/96370 Bug: davido/gerrit-oauth-provider#84 Change-Id: I487858d40d489a8b4e55665aa33a0df89d1150b6

orian · 2017-10-25T11:20:03Z

I've setup gerrit 2.15-rc1 yesterday and added gerrit-oauth-provider.jar v2.14.3. It was throwing an error with oauth.type=OAUTH. Works fine with OPENID_SSO as described above.

davido · 2017-10-25T13:27:44Z

It was throwing an error with oauth.type=OAUTH

What error?

orian · 2017-10-26T09:06:45Z

The exception from comment:
#84 (comment)

davido · 2017-10-26T18:27:05Z

Are you sure it's exactly the same exception? The root cause was fixed. Can you paste the exception you are seeing with latest plugin version? Can it be that you are using the old plugin version?

paultung · 2017-11-03T09:29:58Z

I also got the same error in Gerrit 2.4.15.1-1, the plugin version I used is 2.14.3 got from:
https://github.com/davido/gerrit-oauth-provider/releases/tag/v2.14.3

The error message I got: (same as @orian mention)

[2017-11-03 17:14:06,346] [main] INFO  com.google.gerrit.server.plugins.PluginLoader : Loaded plugin download-commands, version v2.14.5.1
[2017-11-03 17:14:06,452] [main] INFO  com.google.gerrit.server.plugins.PluginLoader : Loaded plugin gerrit-oauth-provider, version bcbc144
...(skip)
[2017-11-03 17:14:09,532] [main] ERROR com.google.gerrit.pgm.Daemon : Unable to start daemon
java.lang.IllegalStateException: Cannot start HTTP daemon
        at com.google.gerrit.pgm.http.jetty.JettyServer$Lifecycle.start(JettyServer.java:106)
        at com.google.gerrit.lifecycle.LifecycleManager.start(LifecycleManager.java:92)
        at com.google.gerrit.pgm.Daemon.start(Daemon.java:323)
        at com.google.gerrit.pgm.Daemon.run(Daemon.java:232)
        at com.google.gerrit.pgm.util.AbstractProgram.main(AbstractProgram.java:61)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at com.google.gerrit.launcher.GerritLauncher.invokeProgram(GerritLauncher.java:204)
        at com.google.gerrit.launcher.GerritLauncher.mainImpl(GerritLauncher.java:108)
        at com.google.gerrit.launcher.GerritLauncher.main(GerritLauncher.java:63)
        at Main.main(Main.java:24)
Caused by: javax.servlet.ServletException: No OAuth login provider installed
        at com.google.gerrit.httpd.ProjectOAuthFilter.pickOnlyProvider(ProjectOAuthFilter.java:196)
        at com.google.gerrit.httpd.ProjectOAuthFilter.init(ProjectOAuthFilter.java:100)
        at com.google.inject.servlet.FilterDefinition.init(FilterDefinition.java:111)
        at com.google.inject.servlet.ManagedFilterPipeline.initPipeline(ManagedFilterPipeline.java:99)
        at com.google.inject.servlet.GuiceFilter.init(GuiceFilter.java:226)
        at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:139)
        at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:873)
        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:349)
        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:778)
        at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
        at org.eclipse.jetty.server.Server.start(Server.java:422)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
        at org.eclipse.jetty.server.Server.doStart(Server.java:389)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at com.google.gerrit.pgm.http.jetty.JettyServer$Lifecycle.start(JettyServer.java:92)
        ... 12 more

mwebber · 2017-11-03T10:01:12Z

Can the folks who are getting the exception post the relevant part of their Gerrit config (masking any secrets, obviously)? I'm thinking that the [auth] section, and anything mentioning oauth.

paultung · 2017-11-03T10:08:56Z

It's okay to me and here is my 'gerrit.config':

[gerrit]
        basePath = git
        serverId = 4d7ad83a-f75d-40bb-9e69-35a05e880d08
        canonicalWebUrl = https://gerrit-devops.example.com:8080
[database]
        type = h2
        database = db/ReviewDB
[index]
        type = LUCENE
[auth]
        type = OAUTH
[sendemail]
        smtpServer = localhost
[sshd]
        listenAddress = *:29418
[httpd]
        listenUrl = https://*:8080/
        filterClass = com.googlesource.gerrit.plugins.ootb.FirstTimeRedirect
        firstTimeRedirectUrl = /login/%23%2F?account_id=1000000
[cache]
        directory = cache
[plugins]
        allowRemoteAdmin = true
[receive]
        enableSignedPush = false
[container]
        user = gerrit
        javaHome = /usr/java/jre1.8.0_152
[plugin "gerrit-oauth-provider-google-oauth"]
        client-id = 0000000000-xxxxxxxxxxxxxxxxxxxxxxpiqb.apps.googleusercontent.com
        fix-legacy-user-id = false

davido · 2017-11-03T18:21:24Z

Ah right, the configuration is invalid. We should document it more prominently.

See this change and particularly the default: [1] auth.gitBasicAuthPolicy is configured as:

By default this is set to `LDAP` when link:#auth.type[`auth.type`] is `LDAP`
and `OAUTH` when link:#auth.type[`auth.type`] is `OAUTH`.
Otherwise, the default value is `HTTP`.

So, that in case of auth.type == OAUTH, auth.gitBasicAuthPolicy is initialized to OAUTH. However the gerrit-provider-plugin currently doesn't implement that policy, so that it cannot work.

Solution: overload that policy with HTTP:

[auth]
        type = OAUTH
        gitBasicAuthPolicy = HTTP

and this should fix it.

[1] https://gerrit-review.googlesource.com/#/c/gerrit/+/99079/5/Documentation/config-gerrit.txt@495

paultung · 2017-11-06T01:49:36Z

Yes!! That's my root cause, it fixed my problem and working fine now.

So sorry for my careless and many thanks for your great help!

davido · 2017-11-08T13:13:02Z

We should document it more prominently.

I added documentation to https://github.com/davido/gerrit-oauth-provider/wiki/FAQ.

davido added the bug label Mar 2, 2017

davido closed this as completed Mar 2, 2017

davido mentioned this issue Apr 19, 2017

HTTP Authentication no longer works after enabling oauth #88

Closed

ghost mentioned this issue Feb 9, 2023

Invalid Response SanderRonde/VSCode-Gerrit#37

Closed

rohanj1 mentioned this issue Jun 21, 2024

Support OAuth for Git-over-HTTP #173

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Plugin does not work in master branch with oauth.type=OAUTH #84

Plugin does not work in master branch with oauth.type=OAUTH #84

hundt commented Mar 1, 2017 •

edited

Loading

davido commented Mar 2, 2017 •

edited

Loading

davido commented Mar 2, 2017

hundt commented Mar 2, 2017

davido commented Mar 2, 2017

hundt commented Mar 2, 2017

orian commented Oct 25, 2017

davido commented Oct 25, 2017

orian commented Oct 26, 2017

davido commented Oct 26, 2017 •

edited

Loading

paultung commented Nov 3, 2017

mwebber commented Nov 3, 2017

paultung commented Nov 3, 2017 •

edited

Loading

davido commented Nov 3, 2017 •

edited

Loading

paultung commented Nov 6, 2017 •

edited

Loading

davido commented Nov 8, 2017 •

edited

Loading

Plugin does not work in master branch with oauth.type=OAUTH #84

Plugin does not work in master branch with oauth.type=OAUTH #84

Comments

hundt commented Mar 1, 2017 • edited Loading

davido commented Mar 2, 2017 • edited Loading

davido commented Mar 2, 2017

hundt commented Mar 2, 2017

davido commented Mar 2, 2017

hundt commented Mar 2, 2017

orian commented Oct 25, 2017

davido commented Oct 25, 2017

orian commented Oct 26, 2017

davido commented Oct 26, 2017 • edited Loading

paultung commented Nov 3, 2017

mwebber commented Nov 3, 2017

paultung commented Nov 3, 2017 • edited Loading

davido commented Nov 3, 2017 • edited Loading

paultung commented Nov 6, 2017 • edited Loading

davido commented Nov 8, 2017 • edited Loading

hundt commented Mar 1, 2017 •

edited

Loading

davido commented Mar 2, 2017 •

edited

Loading

davido commented Oct 26, 2017 •

edited

Loading

paultung commented Nov 3, 2017 •

edited

Loading

davido commented Nov 3, 2017 •

edited

Loading

paultung commented Nov 6, 2017 •

edited

Loading

davido commented Nov 8, 2017 •

edited

Loading