JENKINS-12582

CVS-Plugin: Password file "${user.home}/.cvspass" is ignored under some conditions

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: cvs-plugin
    • Labels:
      None
    • Environment:
      Tomcat6 / RHEL5

      Description

      Jenkins' new Netbeans-based CVS-Plugin doesn't use the ".cvspass" file. Setting the password on every job isn't a suitable solution (huge number of jobs, security issues). The ".cvspass" file should be used instead.

        Activity

        mc1arke Michael Clarke added a comment -

        I'm not sure that not using .cvspass is any less secure than using it (.cvspass is easy to decrypt whereas the Jenkins passwords are encoded according to a random system key). Any existing CVS passwords should have been read from .cvspass on upgrade, please update this defect if that didn't happen, but otherwise it would be reasonable to have users enter passwords as they create jobs (it's no different from requiring them to enter the cvsroot or module names).

        alexlehm Alex Lehmann added a comment -

        Most importantly, .cvspass can be changed in one place, while changing the password for all jobs is a terrible hassle (OTOH, if different users are using different accounts, storing the password in the project is necessary). Maybe you could add an option to choose between the cached password and a locally set password for each project/repository.

        alexlehm Alex Lehmann added a comment - - edited

        I tried migrating a cvs test job from cvs-plugin 1.6 to 2.0, that didn't pick up the password from the .cvspass file.

        Are you sure that the migration method is called?

        mc1arke Michael Clarke added a comment -

        The method is definitely called, although it could fail to match a CVS root in the file and therefore not return a password.

        I'm still not a fan of requiring users to use CVS pass files - it would be possible to store password as a global Jenkins configuration and add a parameter to each job's repository config to use this password. Would that suit your needs?

        chrisabit chrisabit added a comment -

        A global configuration would fit perfectly since we are using technical users for our ~500 projects/jobs. Thanks!

        alexlehm Alex Lehmann added a comment - - edited

        Storing a global password is a very good idea I think

        or global passwords if you have more than one cvsroot like in the .cvspass file

        alexlehm Alex Lehmann added a comment -

        I think I found the reason why the password is not picked up in my jobs, the format for CVSROOT is a bit flexible, you can either use
        :pserver:user@host/path or :pserver:user@host:/path, most examples use the additional colon (I didn't notice that you could leave that out before today).

        The matching function for .cvspass entries removes the port including the colon so that only the version without colon is matched.

        That should be easy to fix, I will try to write something.
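
The mismatch described in the comment above, as an added diagnostic sketch (not the plugin's code and not part of the original thread): it normalizes CVSROOT strings so the `host:/path`, `host/path` and `host:port/path` spellings compare equal, reads both plain and `/1`-prefixed .cvspass lines, and lists job roots that have no matching entry. The function names, the sample data and the use of 2401 as the default pserver port are assumptions of this example; the scrambled password field is never decoded or returned.

```python
import re

# :method:user@host[:][port]/path -- the colon and the port are both optional.
# Only the user@host form is handled; this is not a full CVSROOT parser.
CVSROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+):(?P<user>[^@:/]+)@(?P<host>[^:/]+)"
    r":?(?P<port>\d*)(?P<path>/.*)$"
)

def normalize_cvsroot(root):
    """Reduce a CVSROOT to (method, user, host, port, path) for comparison."""
    m = CVSROOT_RE.match(root.strip())
    if m is None:
        return None
    # Assumption: a missing port means the pserver default, 2401.
    port = int(m.group("port")) if m.group("port") else 2401
    path = m.group("path").rstrip("/") or "/"
    return (m.group("method"), m.group("user"), m.group("host").lower(), port, path)

def cvspass_roots(text):
    """Normalized roots present in .cvspass content; passwords are discarded."""
    roots = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "/1":  # versioned entry: "/1 <root> <scrambled>"
            fields = fields[1:]
        if len(fields) < 2:               # need a root and a scrambled field
            continue
        key = normalize_cvsroot(fields[0])
        if key is not None:
            roots.add(key)
    return roots

def unmatched_jobs(job_roots, cvspass_text):
    """Job CVSROOTs for which no .cvspass entry matches after normalization."""
    known = cvspass_roots(cvspass_text)
    return [r for r in job_roots if normalize_cvsroot(r) not in known]

# Constructed sample data: hosts, paths and scrambled fields are placeholders.
SAMPLE_CVSPASS = (
    ":pserver:build@cvs.example.org:/cvsroot/app Aconstructed1\n"
    "/1 :pserver:build@cvs.example.org:2401/cvsroot/lib Aconstructed2\n"
)
SAMPLE_JOBS = [
    ":pserver:build@cvs.example.org/cvsroot/app",     # no colon before path
    ":pserver:build@cvs.example.org:/cvsroot/lib",    # colon, no port
    ":pserver:build@cvs.example.org:/cvsroot/other",  # not in .cvspass
]

if __name__ == "__main__":
    for root in unmatched_jobs(SAMPLE_JOBS, SAMPLE_CVSPASS):
        print("no .cvspass entry for", root)
```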

        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Alex Lehmann
        Path:
        src/main/java/hudson/scm/LegacyConvertor.java
        src/test/java/hudson/scm/LegacyConvertorTest.java
        src/test/resources/hudson/scm/.cvspass
        http://jenkins-ci.org/commit/cvs-plugin/cb3913ee5803cd08e702ebffd9c737a0aff18351
        Log:
        JENKINS-12582 CVS-Plugin: Password file "${user.home}/.cvspass" is ignored
        handle cvsroot with hostname:/path as well as hostname/path

        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: Alexander Lehmann
        Path:
        src/main/java/hudson/scm/LegacyConvertor.java
        src/test/java/hudson/scm/LegacyConvertorTest.java
        src/test/resources/hudson/scm/.cvspass
        http://jenkins-ci.org/commit/cvs-plugin/c80a279d3a1b5ae82289e605d32bcf4177097ee7
        Log:
        Merge pull request #7 from alexlehm/master

        JENKINS-12582 CVS-Plugin: Password file "${user.home}/.cvspass" is ignored

        Compare: https://github.com/jenkinsci/cvs-plugin/compare/a64d761...c80a279

        alexlehm Alex Lehmann added a comment -

        doesn't build on ci.jenkins-ci.org right now due to another change before, but it should work once the other build issue is fixed

        dogfood dogfood added a comment -

        Integrated in plugins_cvs #9

        Result = SUCCESS

        alexlehm Alex Lehmann added a comment -

        the fix is included in cvs-plugin 2.1

        mc1arke Michael Clarke added a comment -

        Reopening as the main issue (having to specify a password for every job) still needs resolved.

        alexlehm Alex Lehmann added a comment -

        sorry, you're right, I missed the part about setting the cvs password for each job, changed the changelog entry accordingly

        sst_lfe_build Sandstone added a comment -

        We should also allow for CVS plugin to perform variable expansion on "Private Key Location" and "Known Hosts Location". This would be helpful while configuring slaves.

        mc1arke Michael Clarke added a comment -

        Lowering priority as there is a workaround to this. There are plans to allow a global setting of passwords for a Jenkins instance but we need to clear functional issues first

        metyl Maciej Matys added a comment - - edited

        Still doesn't work in 2.3 after upgrade from 1.6.
        SCM tag in config.xml has changed, after manual change to:
        <scm ...>
        <cvsroot></cvsroot>
        <module></module>
        <canUseUpdate></canUseUpdate>
        <useHeadIfNotFound></useHeadIfNotFound>
        <flatten>true</flatten>
        <isTag>false</isTag>
        <excludedRegions></excludedRegions>
        </scm>
        pass is taken from ~.cvspass. The problem with matching string still exists: in .cvspass we can have sth like /1 :pserver: and so on, this format is not supported at all.

        mc1arke Michael Clarke added a comment -

        Maciej: You'll have to give a bit more detail about what isn't matching - uploading your job config and cvspass files with your usernames, hostnames and port numbers obscured would be the most help (providing you obscure the values consistently between the config.xml and cvspass). Because CVSROOT takes so many formats, we need contributions to be able to resolve issues.

        scm_issue_link SCM/JIRA link daemon added a comment -

        Code changed in jenkins
        User: mc1arke
        Path:
        src/main/java/hudson/scm/AbstractCvs.java
        src/main/java/hudson/scm/CVSSCM.java
        src/main/java/hudson/scm/CvsAuthentication.java
        src/main/java/hudson/scm/CvsProjectset.java
        src/main/java/hudson/scm/ICvsDescriptor.java
        src/main/java/hudson/scm/cvstagging/CvsTagActionWorker.java
        src/main/java/hudson/scm/cvstagging/LegacyTagAction.java
        src/main/resources/hudson/scm/CVSSCM/global.jelly
        src/main/resources/hudson/scm/CvsProjectset/help-password.html
        src/main/resources/hudson/scm/CvsProjectset/help-username.html
        src/test/java/hudson/scm/CVSSCMTest.java
        http://jenkins-ci.org/commit/cvs-plugin/2aedd2fe0b32162669daa072bd60384ad22f193e
        Log:
        [FIXED JENKINS-12582] Adding CVS Authentication across projects


          People

          • Assignee:
            mc1arke Michael Clarke
            Reporter:
            chrisabit chrisabit
          • Votes:
            2
            Watchers:
            5