  1. Jenkins
  2. JENKINS-12582

CVS-Plugin: Password file "${user.home}/.cvspass" is ignored under some conditions

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: cvs-plugin
    • Labels:
      None
    • Environment:
      Tomcat6 / RHEL5

      Description

      Jenkins' new Netbeans-based CVS-Plugin doesn't use the ".cvspass" file. Setting the password on every job isn't a suitable solution (huge number of jobs, security issues). The ".cvspass" file should be used instead.

          Activity

          mc1arke Michael Clarke added a comment -

          I'm not sure that not using .cvspass is any less secure than using it (.cvspass is easy to decrypt whereas the Jenkins passwords are encoded according to a random system key). Any existing CVS passwords should have been read from .cvspass on upgrade, please update this defect if that didn't happen, but otherwise it would be reasonable to have users enter passwords as they create jobs (it's no different from requiring them to enter the cvsroot or module names).

          alexlehm Alex Lehmann added a comment -

          most importantly .cvspass can be changed in one place while changing the password for all jobs is a terrible hassle (OTOH if different users are using different accounts, storing the password in the project is necessary) maybe you could add an option to choose between the cached password and a locally set password for each project/repository

          alexlehm Alex Lehmann added a comment - - edited

          I tried migrating a cvs test job from cvs-plugin 1.6 to 2.0, that didn't pick up the password from the .cvspass file.

          Are you sure that the migration method is called?

          mc1arke Michael Clarke added a comment -

          The method is definitely called, although it could fail to match a CVS root in the file and therefore not return a password.

          I'm still not a fan of requiring users to use CVS pass files - it would be possible to store password as a global Jenkins configuration and add a parameter to each job's repository config to use this password. Would that suit your needs?

          chrisabit chrisabit added a comment -

          A global configuration would fit perfectly since we are using technical users for our ~500 projects/jobs. thanks!

          alexlehm Alex Lehmann added a comment - - edited

          Storing a global password is a very good idea I think

          or global passwords if you have more than one cvsroot like in the .cvspass file

          alexlehm Alex Lehmann added a comment -

          I think I found the reason why the password is not picked up in my jobs, the format for CVSROOT is a bit flexible, you can either use
          :pserver:user@host/path or :pserver:user@host:/path, most examples use the additional colon (I didn't notice that you could leave that out before today).

          The matching function for .cvspass entries removes the port including the colon so that only the version without colon is matched.

          That should be easy to fix, I will try to write something.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Alex Lehmann
          Path:
          src/main/java/hudson/scm/LegacyConvertor.java
          src/test/java/hudson/scm/LegacyConvertorTest.java
          src/test/resources/hudson/scm/.cvspass
          http://jenkins-ci.org/commit/cvs-plugin/cb3913ee5803cd08e702ebffd9c737a0aff18351
          Log:
          JENKINS-12582 CVS-Plugin: Password file "${user.home}/.cvspass" is ignored
          handle cvsroot with hostname:/path as well as hostname/path

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Alexander Lehmann
          Path:
          src/main/java/hudson/scm/LegacyConvertor.java
          src/test/java/hudson/scm/LegacyConvertorTest.java
          src/test/resources/hudson/scm/.cvspass
          http://jenkins-ci.org/commit/cvs-plugin/c80a279d3a1b5ae82289e605d32bcf4177097ee7
          Log:
          Merge pull request #7 from alexlehm/master

          JENKINS-12582 CVS-Plugin: Password file "${user.home}/.cvspass" is ignored

          Compare: https://github.com/jenkinsci/cvs-plugin/compare/a64d761...c80a279

          alexlehm Alex Lehmann added a comment -

          doesn't build on ci.jenkins-ci.org right now due to another change before, but it should work once the other build issue is fixed

          dogfood dogfood added a comment -

          Integrated in plugins_cvs #9

          Result = SUCCESS

          alexlehm Alex Lehmann added a comment -

          the fix is included in cvs-plugin 2.1

          mc1arke Michael Clarke added a comment -

          Reopening as the main issue (having to specify a password for every job) still needs resolved.

          alexlehm Alex Lehmann added a comment -

          sorry, you're right, I missed the part about setting the cvs password for each job, changed the changelog entry accordingly

          sst_lfe_build Sandstone added a comment -

          We should also allow for CVS plugin to perform variable expansion on "Private Key Location" and "Known Hosts Location". This would be helpful while configuring slaves.

          mc1arke Michael Clarke added a comment -

          Lowering priority as there is a workaround to this. There are plans to allow a global setting of passwords for a Jenkins instance but we need to clear functional issues first

          metyl Maciej Matys added a comment - - edited

          Still doesn't work in 2.3 after upgrade from 1.6.
          The SCM tag in config.xml has changed; after manual change to:
          <scm ...>
          <cvsroot></cvsroot>
          <module></module>
          <canUseUpdate></canUseUpdate>
          <useHeadIfNotFound></useHeadIfNotFound>
          <flatten>true</flatten>
          <isTag>false</isTag>
          <excludedRegions></excludedRegions>
          </scm>
          the password is taken from ~/.cvspass. The problem with matching the string still exists: in .cvspass we can have something like /1 :pserver: and so on, this format is not supported at all.
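
The CVSROOT variants raised in the comments above (`host/path`, `host:/path`, and `.cvspass` lines carrying a `/1 ` prefix and an explicit port) can be checked against job configurations with a small audit script. This is an added example, not code from the cvs-plugin or from any commenter; the default port 2401, the function names and the sample data are assumptions of the example, and it reports only whether an entry matches, without decoding any stored password.

```python
import re

DEFAULT_PORT = 2401  # assumed default pserver port when the root names none
ROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+):(?P<user>[^@:]+)@(?P<host>[^:/]+)"
    r"(?::(?P<port>\d+)?)?(?P<path>/.*)$"
)

def canonical_root(root):
    """Reduce a CVSROOT to (method, user, host, port, path); None if unparsable."""
    m = ROOT_RE.match(root.strip())
    if not m:
        return None
    port = int(m.group("port") or DEFAULT_PORT)
    return (m.group("method"), m.group("user"), m.group("host").lower(),
            port, m.group("path").rstrip("/"))

def parse_cvspass(text):
    """Return the set of canonical roots that have an entry in .cvspass text."""
    roots = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/1 "):  # version prefix written by newer CVS clients
            line = line[3:]
        root, sep, _scrambled = line.partition(" ")  # password is never decoded
        key = canonical_root(root)
        if sep and key:
            roots.add(key)
    return roots

def audit(job_roots, cvspass_text):
    """Per job CVSROOT: would a literal compare match, and a normalized one?"""
    literal = {l.split(" ")[0] for l in cvspass_text.splitlines() if l.strip()}
    normalized = parse_cvspass(cvspass_text)
    return {r: {"literal": r in literal,
                "normalized": canonical_root(r) in normalized}
            for r in job_roots}

# Constructed sample data: hosts, users and scrambled values are made up.
SAMPLE_CVSPASS = (
    ":pserver:build@cvs.example.org:/srv/cvs Aconstructed1\n"
    "/1 :pserver:release@cvs.example.org:2401/srv/rel Aconstructed2\n"
)
SAMPLE_JOBS = [
    ":pserver:build@cvs.example.org/srv/cvs",      # no colon before the path
    ":pserver:build@cvs.example.org:/srv/cvs",     # colon before the path
    ":pserver:release@cvs.example.org:/srv/rel",   # entry stored with "/1 " and port
    ":pserver:other@cvs.example.org:/srv/cvs",     # no entry at all
]
```

Jobs that show `literal: False` but `normalized: True` are the ones whose credentials a string-for-string match would silently miss during migration.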

          mc1arke Michael Clarke added a comment -

          Maciej: You'll have to give a bit more detail about what isn't matching - uploading your job config and cvspass files with your usernames, hostnames and port numbers obscured would be the most help (providing you obscure the values consistently between the config.xml and cvspass). Because CVSROOT takes so many formats, we need contributions to be able to resolve issues.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: mc1arke
          Path:
          src/main/java/hudson/scm/AbstractCvs.java
          src/main/java/hudson/scm/CVSSCM.java
          src/main/java/hudson/scm/CvsAuthentication.java
          src/main/java/hudson/scm/CvsProjectset.java
          src/main/java/hudson/scm/ICvsDescriptor.java
          src/main/java/hudson/scm/cvstagging/CvsTagActionWorker.java
          src/main/java/hudson/scm/cvstagging/LegacyTagAction.java
          src/main/resources/hudson/scm/CVSSCM/global.jelly
          src/main/resources/hudson/scm/CvsProjectset/help-password.html
          src/main/resources/hudson/scm/CvsProjectset/help-username.html
          src/test/java/hudson/scm/CVSSCMTest.java
          http://jenkins-ci.org/commit/cvs-plugin/2aedd2fe0b32162669daa072bd60384ad22f193e
          Log:
          [FIXED JENKINS-12582] Adding CVS Authentication across projects


            People

            • Assignee:
              mc1arke Michael Clarke
              Reporter:
              chrisabit chrisabit
            • Votes:
              2
              Watchers:
              5

              Dates

              • Created:
                Updated:
                Resolved: