Status: Resolved
It's not clear how to configure the mercurial-hudson plugin to work with repositories that require authentication without exposing a plaintext password on disk.
- is blocking: JENKINS-13717 Mercurial URL hook for triggering polling doesn't work with user/pass set in the repository URL
- is related to: JENKINS-15722 Do not echo HTTPS password when cloning
- is related to: JENKINS-16138 mercurial SCM always clones (instead of pulling) when using https
Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though.
I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username (https://USER@bitbucket.org/deepdiff/deepdiff, for example).
If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.
Code changed in jenkins
User: Jesse Glick
[FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials.
Not yet implemented: SSL client certificates, SSH private keys.
Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?
Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins.
If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.
Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.
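As an added illustration of the two comments above (the keyring workaround and the per-node hgrc auth sections), here is what a global hgrc on a build node could look like. This is example configuration written for this page, not a file from the Mercurial plugin or from Jenkins; the host names, file paths and the user name USER are placeholders. It shows the weak form (a plaintext password in the file) commented out next to the two forms that keep the secret out of the config: a keyring-backed username-only entry, and an SSL client certificate entry using Mercurial's auth.cert and auth.key settings.

```ini
# Added example hgrc for a Jenkins build node (not from the page or the plugin).
# Host names, paths and USER are placeholders.

[extensions]
# Store the HTTPS password in the operating system keyring rather than on disk.
keyring =

[auth]
# Weak form: anyone who can read this file can read the password.
# bb.prefix   = bitbucket.org
# bb.username = USER
# bb.password = s3cret

# Keyring-backed form: prefix and username only. The password is saved by a
# one-off interactive clone (as described above) and read from the keyring
# afterwards; the repository URL then does not need to carry the user name.
bb.prefix   = bitbucket.org
bb.username = USER
bb.schemes  = https

# SSL client certificate form for an internal server: the certificate and key
# live outside this file and should be readable only by the Jenkins user.
corp.prefix  = hg.example.internal
corp.schemes = https
corp.cert    = /etc/ssl/certs/jenkins-hg-client.pem
corp.key     = /etc/ssl/private/jenkins-hg-client.key

[web]
# CA bundle used to verify the server's certificate (placeholder path).
cacerts = /etc/ssl/certs/ca-certificates.crt
```

Each auth entry is matched by prefix against the repository URL, so only the entry for the matching host is used. As the comment above notes, this file (and the keyring entry or key file it refers to) has to be present on every node that might run the job, and the key file should carry restrictive permissions (for example mode 0600 owned by the Jenkins user); the credentials dropdown added by the fix avoids that per-node setup for the HTTP(S) username/password case.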