Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-7351

Secure repository authentication

    XMLWordPrintable

Details

    Description

      It's not clear how to configure the mercurial-hudson plugin to work with repositories that require authentication without exposing a plaintext password on disk.

      Attachments

        Issue Links

          Activity

            jglick Jesse Glick added a comment -

            What sort of authentication - SSH or HTTPS? These have different mechanisms of persisting authorization. If I understand correctly, both can be done independently of Hudson. But I have no repositories which require authentication to pull so I am not personally about to work on it; patches welcome.

            jglick Jesse Glick added a comment - What sort of authentication - SSH or HTTPS? These have different mechanisms of persisting authorization. If I understand correctly, both can be done independently of Hudson. But I have no repositories which require authentication to pull so I am not personally about to work on it; patches welcome.
            cowwoc cowwoc added a comment -

            HTTPS authentication. I found http://stackoverflow.com/questions/2799460/using-sudo-with-mercurial-and-ssh-authentication for SSH but I've yet to find anything for HTTPS.

            cowwoc cowwoc added a comment - HTTPS authentication. I found http://stackoverflow.com/questions/2799460/using-sudo-with-mercurial-and-ssh-authentication for SSH but I've yet to find anything for HTTPS.
            jglick Jesse Glick added a comment -

            http://mercurial.selenic.com/wiki/WhatsNew#Core-3 claims to have added "support for SSL server certificates..." but I have not yet tried it.

            jglick Jesse Glick added a comment - http://mercurial.selenic.com/wiki/WhatsNew#Core-3 claims to have added "support for SSL server certificates..." but I have not yet tried it.
            cowwoc cowwoc added a comment -

            I asked on Stackoverflow and got an excellent answer: http://stackoverflow.com/questions/3818383/mercurial-authentication-caching/3818387#3818387

            I'm going to try this and let you know if it works with hudson.

            cowwoc cowwoc added a comment - I asked on Stackoverflow and got an excellent answer: http://stackoverflow.com/questions/3818383/mercurial-authentication-caching/3818387#3818387 I'm going to try this and let you know if it works with hudson.
            jglick Jesse Glick added a comment -

            That would be useful if you can run e.g. Gnome Keyring on the Hudson server. I think you would prefer to use SSL certificates from a headless build server, but I'm not sure.

            jglick Jesse Glick added a comment - That would be useful if you can run e.g. Gnome Keyring on the Hudson server. I think you would prefer to use SSL certificates from a headless build server, but I'm not sure.
            cowwoc cowwoc added a comment -

            I'm not sure I understand the whole SSL certificate approach. I was under the impression "support for SSL server certificates" simply meant that a client can verify that a Mercurial server really is who it claims to be. How did you think SSL server certificates would help a client cache its authentication credentials?

            cowwoc cowwoc added a comment - I'm not sure I understand the whole SSL certificate approach. I was under the impression "support for SSL server certificates" simply meant that a client can verify that a Mercurial server really is who it claims to be. How did you think SSL server certificates would help a client cache its authentication credentials?
            jglick Jesse Glick added a comment -

            Maybe it doesn't; maybe I am confusing that with support for SSL client certificates. As I said I have never tried using this new feature. But check http://mercurial.selenic.com/bts/issue643 which might have been an independent feature.

            jglick Jesse Glick added a comment - Maybe it doesn't; maybe I am confusing that with support for SSL client certificates. As I said I have never tried using this new feature. But check http://mercurial.selenic.com/bts/issue643 which might have been an independent feature.
            cowwoc cowwoc added a comment -

            That's exactly what I'm looking for! I spent some time looking for official documentation on this feature but I couldn't find any. I can't even tell which version of Mercurial this ended up in. Any ideas?

            cowwoc cowwoc added a comment - That's exactly what I'm looking for! I spent some time looking for official documentation on this feature but I couldn't find any. I can't even tell which version of Mercurial this ended up in. Any ideas?
            jglick Jesse Glick added a comment -

            Let's see. The patch went into 1.3. There is documentation in the hgrc(5) man page; search for "cert". That's all I know about it.

            If you manage to get it to work in a test environment, then I guess you should be able to come up with a patch to make the Hudson plugin's configuration set the right stuff (or at least instructions on how to recreate a working test environment). I presume some *.pem file (??) would need to be uploaded from the SCM config section into the job's config area, and then referred to from .hg/hgrc whenever cloning the workspace.

            jglick Jesse Glick added a comment - Let's see. The patch went into 1.3. There is documentation in the hgrc(5) man page; search for "cert". That's all I know about it. If you manage to get it to work in a test environment, then I guess you should be able to come up with a patch to make the Hudson plugin's configuration set the right stuff (or at least instructions on how to recreate a working test environment). I presume some *.pem file (??) would need to be uploaded from the SCM config section into the job's config area, and then referred to from .hg/hgrc whenever cloning the workspace.
            jglick Jesse Glick added a comment -

            Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.

            jglick Jesse Glick added a comment - Note that even without any help from Hudson, you could set up auth sections in the global ~/.hgrc or /etc/mercurial/hgrc, pointing perhaps to custom entries in /etc/ssl/certs. But this would need to be done on each node which might build your job, which could get unwieldy if you have a lot of slaves.
            davidmc24 davidmc24 added a comment -

            Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though.

            http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/

            I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username (https://USER@bitbucket.org/deepdiff/deepdiff, for example).

            If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.

            davidmc24 davidmc24 added a comment - Looks like this page has some good details on use of SSL client certificates with Mercurial. I haven't played around with that yet personally, though. http://hstuart.dk/2010/04/09/x-509-certificates-and-mercurial/ I was able to get the keyring extension working on my test Jenkins instance (TortoiseHg on Windows). I used the TortoiseHg GUI to enable the keyring extension system-wide, did a manual clone to a temp directory (so that the credentials could be saved in the keyring), and then removed the temporary clone. After that, Jenkins was able to authenticate to the server without any other configuration. Note that for this to work, the repository URL must include the username ( https://USER@bitbucket.org/deepdiff/deepdiff , for example). If the only concern is exposing plaintext passwords on disk, I believe the way that this has been approached before in Jenkins is using hudson.util.Secret, which persists an encrypted version of the password. The f:password Jelly tag uses this approach automatically.

            Code changed in jenkins
            User: Jesse Glick
            Path:
            pom.xml
            src/main/java/hudson/plugins/mercurial/Cache.java
            src/main/java/hudson/plugins/mercurial/HgExe.java
            src/main/java/hudson/plugins/mercurial/MercurialSCM.java
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/config.jelly
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-credentialsId.html
            src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-source.html
            src/test/java/hudson/plugins/mercurial/CacheTest.java
            http://jenkins-ci.org/commit/mercurial-plugin/6a6076323bcd11745c3eec1a2cf4371e4601e41d
            Log:
            [FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials.
            Not yet implemented: SSL client certificates, SSH private keys.

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: pom.xml src/main/java/hudson/plugins/mercurial/Cache.java src/main/java/hudson/plugins/mercurial/HgExe.java src/main/java/hudson/plugins/mercurial/MercurialSCM.java src/main/resources/hudson/plugins/mercurial/MercurialSCM/config.jelly src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-credentialsId.html src/main/resources/hudson/plugins/mercurial/MercurialSCM/help-source.html src/test/java/hudson/plugins/mercurial/CacheTest.java http://jenkins-ci.org/commit/mercurial-plugin/6a6076323bcd11745c3eec1a2cf4371e4601e41d Log: [FIXED JENKINS-7351] Add support for HTTP(S) username/password credentials. Not yet implemented: SSL client certificates, SSH private keys.
            cowwoc cowwoc added a comment -

            Jesse,

            Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?

            cowwoc cowwoc added a comment - Jesse, Can you please elaborate on your fix? How are we supposed to supply the authentication information? Do we configure it from a job's Mercurial configuration? Meaning, did you add new UI fields?
            jglick Jesse Glick added a comment -

            Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins.

            If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.

            jglick Jesse Glick added a comment - Yes, you select credentials from a pulldown in the job configuration. The actual credentials are defined either in the global Manage Credentials screen (if you are an admin), or in your user configuration page. It supports domain restrictions, so if you have categorized credentials according to server name, only the relevant ones will be offered. This means it works exactly like upcoming versions of the Git and Subversion plugins. If you know how to tweak a Mercurial command line to specify either SSL client certificates and/or SSH private keys, a pull request would be welcome to add support for those, though I suspect HTTP basic authentication suffices for many users. Tested with BitBucket.

            People

              jglick Jesse Glick
              cowwoc cowwoc
              Votes:
              3 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: