request #16681: OIDC accounts must use SVN tokens
As the user used to connect has a restricted view on the DB tables, a very basic check has been added to make sure that a GRANT is set on the tables used during the authentication process. Without that, if the GRANT is not correctly deployed it might be considered that the OIDC plugin is not present when it is, and users with an OIDC account could still use credentials that are not tokens.

GRANTs are expected to be always set, even for optional plugins such as LDAP or OIDC client (it is already what the initial setup of a Tuleap instance does nowadays), so existing instances will need to update the privileges given to the dbauthuser. This can be done with:

    GRANT CREATE,SELECT ON plugin_ldap_user TO dbauthuser;
    GRANT CREATE,SELECT ON plugin_openidconnectclient_user_mapping TO dbauthuser;
    REVOKE CREATE ON plugin_ldap_user FROM dbauthuser;
    REVOKE CREATE ON plugin_openidconnectclient_user_mapping FROM dbauthuser;
    FLUSH PRIVILEGES;

Deploying the new GRANT for the plugin_openidconnectclient_user_mapping cannot be automated as it requires privileged access to the DB.

When testing, remember that the Tuleap.pm file needs to be redeployed to /usr/share/perl5/vendor_perl/Apache/Tuleap.pm, that Apache needs to be restarted, and that depending on your local setup you might have an authentication cache surviving Apache restarts, so the change might not be visible immediately.

Change-Id: Ie391b2115f2f189e139edca2e551dcd4bfd6f6bf
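The failure mode the commit message describes is that a missing GRANT looks, from the authentication handler's point of view, exactly like an absent plugin table, so the handler silently falls back to non-token credentials. The script below is an added example, not Tuleap's own code from Tuleap.pm, showing how an operator can verify from the dbauthuser's side that the two plugin tables named above are readable, and how to tell "table does not exist" (plugin not installed) apart from "access denied" (GRANT not deployed) using the MySQL server error codes. The DSN, password placeholder and the choice to run a `LIMIT 0` query are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example (not Tuleap project code): check that the restricted
# dbauthuser can read the plugin tables consulted during SVN authentication,
# and fail closed when a table exists but the GRANT is missing.
use strict;
use warnings;
use DBI;

# Assumed connection settings; adjust to the local setup.
my $dsn  = 'DBI:mysql:database=tuleap;host=localhost';
my $user = 'dbauthuser';
my $pass = 'CHANGEME';    # placeholder, not a real credential

# Tables from the commit message, keyed by the optional plugin owning them.
my %tables = (
    'plugin_ldap_user'                        => 'ldap',
    'plugin_openidconnectclient_user_mapping' => 'openidconnectclient',
);

# MySQL server error codes: table is absent vs. privilege is missing.
use constant ER_TABLEACCESS_DENIED_ERROR => 1142;
use constant ER_NO_SUCH_TABLE            => 1146;

my $dbh = DBI->connect($dsn, $user, $pass, { RaiseError => 0, PrintError => 0 })
    or die "cannot connect as $user: $DBI::errstr\n";

my $grant_missing = 0;
for my $table (sort keys %tables) {
    # LIMIT 0 triggers the server-side privilege check without reading rows.
    my $rc = $dbh->do("SELECT 1 FROM `$table` LIMIT 0");
    if (defined $rc) {
        printf "%-45s readable (plugin %s)\n", $table, $tables{$table};
        next;
    }
    my $err = $dbh->err // 0;
    if ($err == ER_NO_SUCH_TABLE) {
        # Table absent: the optional plugin is simply not installed.
        printf "%-45s absent: plugin '%s' not installed\n", $table, $tables{$table};
    }
    elsif ($err == ER_TABLEACCESS_DENIED_ERROR) {
        # Table exists but dbauthuser cannot read it: this is the case the
        # commit guards against. Report it instead of assuming the plugin
        # is missing.
        printf "%-45s ACCESS DENIED: missing 'GRANT SELECT ON %s TO %s'\n",
            $table, $table, $user;
        $grant_missing = 1;
    }
    else {
        die "unexpected error on $table: " . $dbh->errstr . "\n";
    }
}
$dbh->disconnect;

# Non-zero exit lets a deployment check stop before Apache is restarted.
exit($grant_missing ? 1 : 0);
```

Run it as the same OS user and with the same credentials the mod_perl handler uses; a non-zero exit means the GRANT/REVOKE statements from the commit message still have to be applied by a privileged DB account before the new Tuleap.pm is deployed.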
Modified Files
Status | Name | Added | Removed
---|---|---|---
M | src/tuleap-cfg/Command/SetupMysqlInitCommand.php | +1 | −0
M | src/utils/svn/Tuleap.pm | +82 | −1