-
Improvement
-
Resolution: Fixed
-
Major
-
None
It's not clear how to configure the mercurial-hudson plugin to work with repositories that require authentication without exposing a plaintext password on disk.
- is blocking
-
JENKINS-13717 Mercurial URL hook for triggering polling doesn't work with user/pass set in the repository URL
-
- Resolved
-
- is related to
-
-
- Resolved
-
-
-
- Resolved
-
[JENKINS-7351] Secure repository authentication
cowwoc
added a comment - I'm not sure I understand the whole SSL certificate approach. I was under the impression "support for SSL server certificates" simply meant that a client can verify that a Mercurial server really is who it claims to be. How did you think SSL server certificates would help a client cache its authentication credentials?
cowwoc
added a comment - I'm not sure I understand the whole SSL certificate approach. I was under the impression "support for SSL server certificates" simply meant that a client can verify that a Mercurial server really is who it claims to be. How did you think SSL server certificates would help a client cache its authentication credentials? Maybe it doesn't; maybe I am confusing that with support for SSL client certificates. As I said I have never tried using this new feature. But check http://mercurial.selenic.com/bts/issue643 which might have been an independent feature.
cowwoc
added a comment - That's exactly what I'm looking for! I spent some time looking for official documentation on this feature but I couldn't find any. I can't even tell which version of Mercurial this ended up in. Any ideas?
cowwoc
added a comment - That's exactly what I'm looking for! I spent some time looking for official documentation on this feature but I couldn't find any. I can't even tell which version of Mercurial this ended up in. Any ideas? Let's see. The patch went into 1.3. There is documentation in the hgrc(5) man page; search for "cert". That's all I know about it.
If you manage to get it to work in a test environment, then I guess you should be able to come up with a patch to make the Hudson plugin's configuration set the right stuff (or at least instructions on how to recreate a working test environment). I presume some *.pem file (??) would need to be uploaded from the SCM config section into the job's config area, and then referred to from .hg/hgrc whenever cloning the workspace.
Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.
Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though.
http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/
I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username (https://USER@bitbucket.org/deepdiff/deepdiff, for example).
If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.
Code changed in jenkins
User: Jesse Glick
Path:
pom.xml
src/main/java/hudson/plugins/mercurial/Cache.java
src/main/java/hudson/plugins/mercurial/HgExe.java
src/main/java/hudson/plugins/mercurial/MercurialSCM.java
src/main/resources/hudson/plugins/mercurial/MercurialSCM/config.jelly
src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-credentialsId.html
src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-source.html
src/test/java/hudson/plugins/mercurial/CacheTest.java
http://jenkins-ci.org/commit/mercurial-plugin/6a6076323bcd11745c3eec1a2cf4371e4601e41d
Log:
[FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials.
Not yet implemented: SSL client certificates, SSH private keys.
cowwoc
added a comment - Jesse,
Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?
cowwoc
added a comment - Jesse,
Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields? Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins.
If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.
That would be useful if you can run e.g. Gnome Keyring on the Hudson server. I think you would prefer to use SSL certificates from a headless build server, but I'm not sure.