Initial implementation of authentication bypass for scanners

Author: jabbera

README.md

@@ -4,9 +4,46 @@ A Custom Http Handler that implements RUTA for: https://jira.sonarsource.com/bro
 
 [![Build status](https://ci.appveyor.com/api/projects/status/n3cgxias5t3mfybr?svg=true)](https://ci.appveyor.com/project/jabbera/iisremoteusertokenauthentication)
 
-# Installation
+# Administrivia
 
-SonarQube scanners DO NOT support anything other then basic\token based authentication. Because of that you will need to setup 2 websites. The first is for the browser and supports single sign on. [WWWROOT_USER] You will also need an unauthenticated one for supporting scanners [WWWROOT_SCANNER]. Please setup these websites ahead of time (ssl required) and make sure you can access index.html. DO NOT USE AN SNI based website for WWWROOT_SCANNER. Run it on a different port then 443. There is a bug that makes it unsupported. 
+SonarQube scanners DO NOT support anything other then basic\token based authentication. I've created a module that attempts to detect when the connecting application is a scanner or includes a token. When a scanner is detected the module will then bypass the windows authentication process. Right now the bypass conditions are:
+*  If there is an Authorization header with Basic auth
+    * this indicates a token is present
+*  If the user agent of the request starts with any of the agent strings listed in the web.config setting: PassThruAgents
+    *  Initial configuration: sonar.scanner.app, SonarQubeScanner
+
+I've only tested this with the MsBuild scanner so the agent list may need to be expanded. 
+
+Previously the only way to enable single sign on was to have 2 websites, one for windows authentication, and one for token based authentication. The bypass module SHOULD remove the need for that second site. Until there is more exhaustive testing I will still include the multi-site installation instructions and artifacts. My plan is to remove those once the single site method is proven stable. 
+
+
+
+# Installation (Single Site)
+
+These are the prefered installation directions. 
+
+`Note: This configuration assumes sonarqube is running on the same server as IIS on port 9000. If this is not correct you will need to edit the reverse proxy rules in the web.config file to match your configuration.`
+
+1) Configure sonarqube for RUTA per: https://jira.sonarsource.com/browse/SONAR-5430 (If default settings are used all you should need to do is add: sonar.web.sso.enable=true to the sonar.properties file and restart sonarqube.)
+
+2) Download the current release and extract to [EXTRACT_FOLDER]
+
+3) Run: ConfigureServer.ps1
+`Note: This installs the following windows features: IIS-HttpRedirect, IIS-ASPNET45, IIS-WebServerManagementTools, IIS-HttpTracing, IIS-WindowsAuthentication, IIS-NetFxExtensibility45, IIS-ApplicationDevelopment. It unlocks the IIS module ordering system wide as well as the authentication module configuration. It also installs ARR and UrlRewrite server wide.`
+
+4) Create a website [WWWROOT], ssl required, pointing to a directory [WWWROOT_DIRECTORY] with a test file in it. Make sure you can browse to that file via your browser.
+
+5) Copy: [EXTRACT_FOLDER]\inetpub-user to: [WWWROOT_DIRECTORY]
+
+6) Browse to https://[WWWROOT] You should hopefully be signed in.
+
+7) Test a scanner run with the url https://[WWWROOT]
+
+# Installation (Multi Site)
+
+These directions are only if you run into trouble with the single site method.
+
+The first site is for the browser and supports single sign on. [WWWROOT_USER] You will also need an unauthenticated one for supporting scanners [WWWROOT_SCANNER]. Please setup these websites ahead of time (ssl required) and make sure you can access index.html. DO NOT USE AN SNI based website for WWWROOT_SCANNER. Run it on a different port then 443. There is a bug that makes it unsupported. 
 
 1) Configure sonarqube for RUTA per: https://jira.sonarsource.com/browse/SONAR-5430 (If default settings are used all you should need to do is add: sonar.web.sso.enable=true to the sonar.properties file and restart sonarqube.)
 
@@ -17,13 +54,15 @@ SonarQube scanners DO NOT support anything other then basic\token based authenti
 
 4) Copy: [EXTRACT_FOLDER]\inetpub-user to: [WWWROOT_USER]
 
-5) Browse to https://[WWWROOT_USER_URL] You should hopefully be signed in.
+5) Remove the line: <add name="SonarAuthPassthroughModule" type="RutaHttpModule.SonarAuthPassthroughModule" preCondition="runtimeVersionv4.0" /> from the web.config file.
+
+6) Browse to https://[WWWROOT_USER_URL] You should hopefully be signed in.
 
 `Note: This configuration assumes sonarqube is running on the same server as IIS on port 9000. If this is not correct you will need to edit the reverse proxy rules in the web.config file to match your configuration.`
 
-6) Once you have the SSO working the only thing left is to configure the reverse proxy on [WWWROOT_SCANNER].
+7) Once you have the SSO working the only thing left is to configure the reverse proxy on [WWWROOT_SCANNER].
 
-7) Copy:[EXTRACT_FOLDER]\inetpub-scanner  to: [WWWROOT_SCANNER]
+8) Copy:[EXTRACT_FOLDER]\inetpub-scanner  to: [WWWROOT_SCANNER]
 
 8) You should now be able to run a scanner configured to point at: https://[WWWROOT_SCANNER_URL] with token based authentication.
 
@@ -43,5 +82,7 @@ While this should work fine out of the box there are a few options that can be u
 
 6) AdGroupBaseDsn - For users, only return groups that are in the following OU.
 
+7) PassThruAgents - If you discover new user agent strings that are not bypassing windows authentication add them to this list. (Please open an issue or pull request also.)
+
 Note: For large AD trees setting AdUserBaseDsn and AdGroupBaseDsn can greatly improve performance.
 

RutaHttpModule/IRutaHttpContext.cs

@@ -2,6 +2,7 @@
 {
     internal interface IRutaHttpContext
     {
+        bool IsWindowsUser { get; }
         bool IsAuthenticated { get; }
         string DomainUserName { get; }
         void RemoveRequestHeader(string header);

RutaHttpModule/ISettings.cs

@@ -11,5 +11,6 @@ internal interface ISettings
         string AppendString { get; }
         string AdUserBaseDn { get; }
         string AdGroupBaseDn { get; }
+        string[] PassThruUserAgents { get; }
     }
 }

RutaHttpModule/ISonarAuthPassthroughHttpContext.cs

@@ -0,0 +1,12 @@
+namespace RutaHttpModule
+{
+    using System.Security.Principal;
+
+    internal interface ISonarAuthPassthroughHttpContext
+    {
+        IPrincipal User { get; set; }
+        bool HasTokenHeader { get; }
+        string UserAgent { get; }
+        bool SkipAuthorization { get; set; }
+    }
+}

RutaHttpModule/Properties/Settings.Designer.cs

@@ -29,5 +29,12 @@
     <Setting Name="AppendString" Type="System.String" Scope="Application">
       <Value Profile="(Default)" />
     </Setting>
+    <Setting Name="PassThruAgents" Type="System.Collections.Specialized.StringCollection" Scope="Application">
+      <Value Profile="(Default)">&lt;?xml version="1.0" encoding="utf-16"?&gt;
+&lt;ArrayOfString xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;
+  &lt;string&gt;sonar.scanner.app&lt;/string&gt;
+  &lt;string&gt;SonarQubeScanner&lt;/string&gt;
+&lt;/ArrayOfString&gt;</Value>
+    </Setting>
   </Settings>
 </SettingsFile>

RutaHttpModule/Properties/Settings.settings

@@ -1,16 +1,18 @@
-using System;
-using System.Diagnostics.CodeAnalysis;
-using System.Web;
-
-namespace RutaHttpModule
+namespace RutaHttpModule
 {
+    using System;
+    using System.Diagnostics.CodeAnalysis;
+    using System.Security.Principal;
+    using System.Web;
+
     [ExcludeFromCodeCoverage]
     internal class RutaHttpContext : IRutaHttpContext
     {
         private readonly HttpContext httpContext;
 
         internal RutaHttpContext(HttpContext httpContext) => this.httpContext = httpContext ?? throw new ArgumentNullException(nameof(httpContext));
 
+        public bool IsWindowsUser => this.httpContext.User is WindowsPrincipal;
         public string DomainUserName => this.httpContext.User?.Identity?.Name;
         public bool IsAuthenticated => this.httpContext.User?.Identity?.IsAuthenticated ?? false;
 

RutaHttpModule/RutaHttpContext.cs

@@ -56,6 +56,7 @@
     <Compile Include="IAdInteraction.cs" />
     <Compile Include="IRutaHttpContext.cs" />
     <Compile Include="ISettings.cs" />
+    <Compile Include="ISonarAuthPassthroughHttpContext.cs" />
     <Compile Include="ITraceSource.cs" />
     <Compile Include="LdapExtensions.cs" />
     <Compile Include="Properties\Settings.Designer.cs">
@@ -68,6 +69,8 @@
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="RutaTraceSource.cs" />
     <Compile Include="SettingsWrapper.cs" />
+    <Compile Include="SonarAuthPassthroughModule.cs" />
+    <Compile Include="SonarAuthPassthroughHttpContext.cs" />
   </ItemGroup>
   <ItemGroup>
     <None Include="app.config" />

RutaHttpModule/RutaHttpModule.csproj

@@ -28,7 +28,7 @@ public sealed class RutaModule : IHttpModule
         /// <summary>
         /// Reference to the tracing object.
         /// </summary>
-        private ITraceSource traceSource;
+        private readonly ITraceSource traceSource;
 
         /// <summary>
         /// Initializes a new instance of the a <see cref="RutaModule"/> object
@@ -49,13 +49,13 @@ internal RutaModule(IAdInteraction adInteraction, ISettings settings, ITraceSour
         {
             this.adInteraction = adInteraction ?? throw new ArgumentNullException(nameof(adInteraction));
             this.settings = settings ?? throw new ArgumentNullException(nameof(settings));
-            this.traceSource = traceSource ?? throw new ArgumentException(nameof(traceSource));
+            this.traceSource = traceSource ?? throw new ArgumentNullException(nameof(traceSource));
         }
 
         /// <summary>
         /// The name of the module
         /// </summary>
-        public string ModuleName => "RutaModule";
+        public string ModuleName => nameof(RutaModule);
 
         /// <summary>
         /// Initializes a module and prepares it to handle requests (part of the <see cref="IHttpHandler"/> interface).
@@ -123,6 +123,12 @@ private void HandleAuthorizeRequestInternal(IRutaHttpContext context)
                 return;
             }
 
+            if (!context.IsWindowsUser)
+            {
+                traceSource.TraceEvent(TraceEventType.Information, 0, "Not a windows user");
+                return;
+            }
+
             string userName = context.DomainUserName;
             if (string.IsNullOrWhiteSpace(userName))
             {

RutaHttpModule/RutaModule.cs

@@ -1,10 +1,14 @@
-using System.Diagnostics.CodeAnalysis;
-
-namespace RutaHttpModule
+namespace RutaHttpModule
 {
+    using System.Diagnostics.CodeAnalysis;
+    using System.Linq;
+
     [ExcludeFromCodeCoverage]
     internal class SettingsWrapper : ISettings
     {
+        private readonly string[] passThruUserAgents = Properties.Settings.Default.PassThruAgents.Cast<string>().ToArray();
+
+
         public string AdGroupBaseDn => Properties.Settings.Default.AdGroupBaseDn;
         public string AdUserBaseDn => Properties.Settings.Default.AdUserBaseDn;
         public bool DowncaseUsers => Properties.Settings.Default.DowncaseUsers;
@@ -14,5 +18,6 @@ internal class SettingsWrapper : ISettings
         public string LoginHeader => Properties.Settings.Default.LoginHeader;
         public string NameHeader => Properties.Settings.Default.NameHeader;
         public string AppendString => Properties.Settings.Default.AppendString;
+        public string[] PassThruUserAgents => passThruUserAgents;
     }
 }