Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-7351

Secure repository authentication

    Details

    • Similar Issues:

      Description

      It's not clear how to configure the mercurial-hudson plugin to work with repositories that require authentication without exposing a plaintext password on disk.

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -

            Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins.

            If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.

            Show
            jglick Jesse Glick added a comment - Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins. If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.
            Hide
            cowwoc cowwoc added a comment -

            Jesse,

            Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?

            Show
            cowwoc cowwoc added a comment - Jesse, Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/hudson/plugins/mercurial/Cache.java
            src/main/java/hudson/plugins/mercurial/HgExe.java
            src/main/java/hudson/plugins/mercurial/MercurialSCM.java
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/config.jelly
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-credentialsId.html
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-source.html
            src/test/java/hudson/plugins/mercurial/CacheTest.java
            http://jenkins-ci.org/commit/mercurial-plugin/6a6076323bcd11745c3eec1a2cf4371e4601e41d
            Log:
            [FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials.
            Not yet implemented: SSL client certificates, SSH private keys.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: pom.xml src/main/java/hudson/plugins/mercurial/Cache.java src/main/java/hudson/plugins/mercurial/HgExe.java src/main/java/hudson/plugins/mercurial/MercurialSCM.java src/main/resources/hudson/plugins/mercurial/MercurialSCM/config.jelly src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-credentialsId.html src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-source.html src/test/java/hudson/plugins/mercurial/CacheTest.java http://jenkins-ci.org/commit/mercurial-plugin/6a6076323bcd11745c3eec1a2cf4371e4601e41d Log: [FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials. Not yet implemented: SSL client certificates, SSH private keys.
            Hide
            davidmc24 davidmc24 added a comment -

            Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though.

            http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/

            I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username (https://USER@bitbucket.org/deepdiff/deepdiff, for example).

            If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.

            Show
            davidmc24 davidmc24 added a comment - Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though. http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/ I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username ( https://USER@bitbucket.org/deepdiff/deepdiff , for example). If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.
            Hide
            jglick Jesse Glick added a comment -

            Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.

            Show
            jglick Jesse Glick added a comment - Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                cowwoc cowwoc
              • Votes:
                3 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: