Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-7351

Secure repository authentication

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      It's not clear how to configure the mercurial-hudson plugin to work with repositories that require authentication without exposing a plaintext password on disk.

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -

            What sort of authentication - SSH or HTTPS? These have different mechanisms of persisting authorization. If I understand correctly, both can be done independently of Hudson. But I have no repositories which require authentication to pull so I am not personally about to work on it; patches welcome.

            Show
            jglick Jesse Glick added a comment - What sort of authentication - SSH or HTTPS? These have different mechanisms of persisting authorization. If I understand correctly, both can be done independently of Hudson. But I have no repositories which require authentication to pull so I am not personally about to work on it; patches welcome.
            Hide
            cowwoc cowwoc added a comment -

            HTTPS authentication. I found http://stackoverflow.com/questions/2799460/using-sudo-with-mercurial-and-ssh-authentication for SSH but I've yet to find anything for HTTPS.

            Show
            cowwoc cowwoc added a comment - HTTPS authentication. I found http://stackoverflow.com/questions/2799460/using-sudo-with-mercurial-and-ssh-authentication for SSH but I've yet to find anything for HTTPS.
            Hide
            jglick Jesse Glick added a comment -

            http://mercurial.selenic.com/wiki/WhatsNew#Core-3 claims to have added "support for SSL server certificates..." but I have not yet tried it.

            Show
            jglick Jesse Glick added a comment - http://mercurial.selenic.com/wiki/WhatsNew#Core-3 claims to have added "support for SSL server certificates..." but I have not yet tried it.
            Hide
            cowwoc cowwoc added a comment -

            I asked on Stackoverflow and got an excellent answer: http://stackoverflow.com/questions/3818383/mercurial-authentication-caching/3818387#3818387

            I'm going to try this and let you know if it works with hudson.

            Show
            cowwoc cowwoc added a comment - I asked on Stackoverflow and got an excellent answer: http://stackoverflow.com/questions/3818383/mercurial-authentication-caching/3818387#3818387 I'm going to try this and let you know if it works with hudson.
            Hide
            jglick Jesse Glick added a comment -

            That would be useful if you can run e.g. Gnome Keyring on the Hudson server. I think you would prefer to use SSL certificates from a headless build server, but I'm not sure.

            Show
            jglick Jesse Glick added a comment - That would be useful if you can run e.g. Gnome Keyring on the Hudson server. I think you would prefer to use SSL certificates from a headless build server, but I'm not sure.
            Hide
            cowwoc cowwoc added a comment -

            I'm not sure I understand the whole SSL certificate approach. I was under the impression "support for SSL server certificates" simply meant that a client can verify that a Mercurial server really is who it claims to be. How did you think SSL server certificates would help a client cache its authentication credentials?

            Show
            cowwoc cowwoc added a comment - I'm not sure I understand the whole SSL certificate approach. I was under the impression "support for SSL server certificates" simply meant that a client can verify that a Mercurial server really is who it claims to be. How did you think SSL server certificates would help a client cache its authentication credentials?
            Hide
            jglick Jesse Glick added a comment -

            Maybe it doesn't; maybe I am confusing that with support for SSL client certificates. As I said I have never tried using this new feature. But check http://mercurial.selenic.com/bts/issue643 which might have been an independent feature.

            Show
            jglick Jesse Glick added a comment - Maybe it doesn't; maybe I am confusing that with support for SSL client certificates. As I said I have never tried using this new feature. But check http://mercurial.selenic.com/bts/issue643 which might have been an independent feature.
            Hide
            cowwoc cowwoc added a comment -

            That's exactly what I'm looking for! I spent some time looking for official documentation on this feature but I couldn't find any. I can't even tell which version of Mercurial this ended up in. Any ideas?

            Show
            cowwoc cowwoc added a comment - That's exactly what I'm looking for! I spent some time looking for official documentation on this feature but I couldn't find any. I can't even tell which version of Mercurial this ended up in. Any ideas?
            Hide
            jglick Jesse Glick added a comment -

            Let's see. The patch went into 1.3. There is documentation in the hgrc(5) man page; search for "cert". That's all I know about it.

            If you manage to get it to work in a test environment, then I guess you should be able to come up with a patch to make the Hudson plugin's configuration set the right stuff (or at least instructions on how to recreate a working test environment). I presume some *.pem file (??) would need to be uploaded from the SCM config section into the job's config area, and then referred to from .hg/hgrc whenever cloning the workspace.

            Show
            jglick Jesse Glick added a comment - Let's see. The patch went into 1.3. There is documentation in the hgrc(5) man page; search for "cert". That's all I know about it. If you manage to get it to work in a test environment, then I guess you should be able to come up with a patch to make the Hudson plugin's configuration set the right stuff (or at least instructions on how to recreate a working test environment). I presume some *.pem file (??) would need to be uploaded from the SCM config section into the job's config area, and then referred to from .hg/hgrc whenever cloning the workspace.
            Hide
            jglick Jesse Glick added a comment -

            Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.

            Show
            jglick Jesse Glick added a comment - Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.
            Hide
            davidmc24 davidmc24 added a comment -

            Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though.

            http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/

            I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username (https://USER@bitbucket.org/deepdiff/deepdiff, for example).

            If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.

            Show
            davidmc24 davidmc24 added a comment - Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though. http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/ I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username ( https://USER@bitbucket.org/deepdiff/deepdiff , for example). If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/hudson/plugins/mercurial/Cache.java
            src/main/java/hudson/plugins/mercurial/HgExe.java
            src/main/java/hudson/plugins/mercurial/MercurialSCM.java
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/config.jelly
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-credentialsId.html
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-source.html
            src/test/java/hudson/plugins/mercurial/CacheTest.java
            http://jenkins-ci.org/commit/mercurial-plugin/6a6076323bcd11745c3eec1a2cf4371e4601e41d
            Log:
            [FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials.
            Not yet implemented: SSL client certificates, SSH private keys.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: pom.xml src/main/java/hudson/plugins/mercurial/Cache.java src/main/java/hudson/plugins/mercurial/HgExe.java src/main/java/hudson/plugins/mercurial/MercurialSCM.java src/main/resources/hudson/plugins/mercurial/MercurialSCM/config.jelly src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-credentialsId.html src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-source.html src/test/java/hudson/plugins/mercurial/CacheTest.java http://jenkins-ci.org/commit/mercurial-plugin/6a6076323bcd11745c3eec1a2cf4371e4601e41d Log: [FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials. Not yet implemented: SSL client certificates, SSH private keys.
            Hide
            cowwoc cowwoc added a comment -

            Jesse,

            Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?

            Show
            cowwoc cowwoc added a comment - Jesse, Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?
            Hide
            jglick Jesse Glick added a comment -

            Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins.

            If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.

            Show
            jglick Jesse Glick added a comment - Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins. If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                cowwoc cowwoc
              • Votes:
                3 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: