Is it possible to use the Jenkins credentials set in the global credentials in the active choice plugin groovy script? I'm trying to make an api call that returns a list and display that as a choices for a parameter using the active choice plugin.
But for that I need auth headers w credentials. How do I handle credentials? Is there a way to access them if I have them set up in the Jenkins credentials?
(something like calling credentials(id) in the pipeline env)
Related
I am trying to use zap api scan in zap docker image. APIs are OIDC authenticated. Authentication is performed using "Graal.js" script and access token is set as global var using org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("accessToken",accessToken);
Access token is set as authorization header value using a httpSender script. In zap desktop, it is done using "Oracle Nashorn" engine. But in zap docker "Oracle Nashorn" engine is not available.
I have tried using Graal.js engine itself, but it fails with multi threading not allowed for JS engine.
What are the other ways to set the header ?
Why not just use the authentication env vars supported natively by ZAP?
ZAP_AUTH_HEADER_VALUE - if this is defined then its value will be added as a header to all of the requests
ZAP_AUTH_HEADER - if this is defined then its value will be used as the header name - if it is not defined then the standard Authorization header will be used
ZAP_AUTH_HEADER_SITE - if this is defined then the header will only be included in sites whose name includes its value
All documented on https://www.zaproxy.org/docs/authentication/handling-auth-yourself/
I need to configure Azure Active Directory SSO for Tableau Server gallery app as it is under MS documentation link programmatically. Are there useful powershell cmdlets / rest apis?
I create application from gallery using graph api from Step 1 on MS docs.
To get available templates:
GET https://graph.microsoft.com/beta/applicationTemplates
To create template app:
POST https://graph.microsoft.com/beta/applicationTemplates/{id}/instantiate
Now I need to configure SAML SSO from code and assign users. Is there an easy way to do that? I tried Set-AzureADApplication but it didn't do the job for me. The enterprise application is still not set.
Maybe it's not supported yet? I believe there can be some workaround. I would be grateful for any help.
Are there useful powershell cmdlets / rest apis?
Yes, but per my test, we need to do that into two parts.
1.Set the Sign-on URL, to do this, we need to call Microsoft Graph - Update serviceprincipal.
In the Graph Explorer, use the request below.
PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>
{
"loginUrl": "https://azure.signtest.link"
}
Note: In the request above, you need to use the object-id of the service principal(Enterprise application), not the AD App(App registeration). You can find it in the Azure AD in the portal -> Enterprise Application -> find your Tableau Server -> get the Object ID like below.
2.Set the Identifier and Reply URL, we could do this via Powershell Set-AzureADApplication.
Sample:
$Identifiers = #(
"http://www.tableau.com/products/server",
"https://azure.idtest.link"
)
$ReplyUrls = #(
"https://azure.rptest.link/wg/saml/SSO/index.html"
)
Set-AzureADApplication -ObjectId <object-id of the AD App> -IdentifierUris $Identifiers -ReplyUrls $ReplyUrls
For the object-id of the AD App, navigate to the Azure AD in the portal -> App registrations -> find your Tableau Server. After running the command, the settings will map to the enterprise application.
Check the result in the portal:
Update:
Not sure if it is a bug, if I create a new app without setting the Identifier and Reply URL manually in the portal, then just use the powershell above to set them, they will not map to the portal.
But if we check the service principal(enterprise application) directly via Microsoft Graph, we can see the powershell actually affected the service principal.
If we configure the settings manually in the portal first, then use the powershell to update them with other values, it works.
And it looks there is no way to set the Default Reply URL via powrshell or API, if we set the Reply URL which is different from the one set manually in the portal, it will have a prompt like below.
But if we look into it, actually the Default option is checked.
Update2:
Eventually, I find the trick, it is not a bug, we just need to set the preferredSingleSignOnMode for the service principal first via Microsoft Graph, then we won't need to configure that in the portal manually.
Sample:
PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>
{
"preferredSingleSignOnMode":"saml",
"loginUrl": "https://azure.signtest.link"
}
I need to automate the 'git-tfs pull' command in azure devops.
I have no problem executing this command with my user/pass from cmd window, but when it runs in Azure DevOps Build Agent it doesn't finish, sure it is an authentication problem.
Git-commands have the possibility to pass additional http-headers with the request. This is used by Azure DevOps build agent to pass OAuth token in an AUTHORIZATION: bearer-header when fetching the files.
Is it possible that git-tfs pull can pass the extra headers with the request?
Is it possible that git-tfs pull can pass the extra headers with the request?
No...
But... I haven't tried this and I'm guessing it won't work, since setting an OAuth credential tends to require a different object type in the TFVC Client Object Model, but this may do the trick:
git config --local tfs-remote.default.username .
git config --local tfs-remote.default.password $(SYSTEM.ACCESSTOKEN)
This will set the OAuth token in pipelines as the password to use for authentication. Make sure the pipeline has access to this special variable.
If the OAuth Token for the pipeline won't do the trick, you could try using a Personal Access Token instead.
My application has a microsoft authentication on it before logging into it & I have recorded script but when I am running it, it is showing me access denied error everytime.I have set authentication manager but still same error. See image attached.
I have tried HTTP Authentication Manager & provided login username & password.
Most probably your application uses OAuth therefore it is neither something you can really record and replay nor handle with the HTTP Authorization Manager.
Depending on your application setup you will either need:
To perform correlation of the query parameters
Or to pass the relevant Authorization Bearer token via HTTP Header Manager. The process of obtaining the token can be different depending on your application login chain implementation, check out How to Run Performance Tests on OAuth Secured Apps with JMeter article to get a couple of ideas regarding bypassing 3rd-party provider login challenge in JMeter tests.
Check if you can provide the auth credentials as parameter of the requests.
for example www.abc.com?username=abc&password=abc. Replicate the same with Jmeter
Use Fiddler (or you can get away with browser dev tools if you don't mind searching manually) and log in manually via your browser.
Check the request(s) that are submitted to Microsoft for tokens/GUIDs and search for where the browser got those strings from (it'll be in one of the previous requests' responses' bodies or redirect URLs. In Fiddler you can use the find function on responses, browser dev tools you'll have to find it manually).
You can then use a JMeter Regular Expression Extractor post-processor (or any of the other post processors you prefer) to extract that string from the earlier request into a variable.
In your login request you can then use the value of that variable (if you used regular expression post-processor with a capture group the first group's value will be ${variable_g1}
You'll probably have an anti-forgery value that you can extract from the HTML of the login page which needs to be submitted with the username and password and then in the response you'll get a cookie set and potentially JWT token in the response body/URL.
I'm tring to fetch the list of tenants using the identity (Keystone) API, V2, of OpenStack.
After I authenticate as user "admin" on the public port (5000).
I am able to make a /v2.0/tenants call to the identity API, also on port 5000, using the token I got from the authentication. However, it only returns a single result, while there are multiple tenants.
I tried many things to overcome this:
Used port 35357 - the /tenants call returned 401 unauthorized
Tried port 7777 with the admin token - got 401
The same call from the PostMan Chrome extension did work
tried to repeat the suggestion in this thread - my authentication call with tenant name failed on request format, and I couldn't find any example to how such a request should look
Some observations:
I added user "admin" as admin in multiple projects
The authentication response:
shows no roles for user admin
metadata shows is_admin=0
serviceCatalog appears empty
Any help will be appreciated
Yaron
The /tenants API returns the list of tenants that your user has access to. The admin user does not automatically have access to all tenants - it has permission to assign users to any tenant, though. So check again if your user actually has permissions to all of these tenants.
If you have access to the Openstack Horizon dashboard, login with your user and see the list of tenants that you can choose (usually available as a select-box in the top-left of the screen - depends on your openstack distro)
I recommend that you use the Openstack CLI with the --debug option - use the cli to list the tenants you have access to. The debug flag will output the Openstack API calls to the console screen.