[Buildbot-commits] [Buildbot] #1748: Allow obfuscating passwords, etc. on the master

Buildbot trac trac at buildbot.net
Fri Jul 19 18:58:28 UTC 2013 

#1748: Allow obfuscating passwords, etc. on the master
------------------------+--------------------
Reporter:  GreYFoX      |       Owner:
    Type:  enhancement  |      Status:  new
Priority:  minor        |   Milestone:  0.8.+
 Version:  0.8.3        |  Resolution:
Keywords:  sprint       |
------------------------+--------------------

Comment (by rutsky):

 Let me add some notes about how I planned to implement this feature.

 Commands started on buildslave from master side using
 `buildbot.process.buildstep.RemoteCommand` and it's subclasses.
 `RemoteCommand` allows to start commands registered in slave's
 `buildslave.commands.registry` module.
 In registry there are utility commands such as `"uploadFile"`, `"mkdir"`;
 custom shell command `"shell"`, and (I think) obsolete source commands
 like `"svn"`, `"git"`.
 I think only "shell" command arguments, implemented on slave in
 `buildslave.commands.shell.SlaveShellCommand`, requires obfuscation
 (since source commands like `"svn"`, `"git"` shouldn't be used).
 `buildslave.commands.shell.SlaveShellCommand` uses
 `buildslave.runprocess.RunProcess` to actually run commands, and it
 already supports in some way obfuscation using
 `buildslave.util.Obfuscated`: if one of arguments to
 `buildslave.commands.shell.SlaveShellCommand` is `Obfuscated` instance
 it's being obfuscated. This obfuscation is available only from slave
 side steps, because it's not possible to pass `Obfuscated` instance
 from master side.

 My plan was to:

 1. Create class `Obfuscated` for wrapping command arguments for
 obfuscating in buildbot.process.buildstep:

     {{{
     class Obfuscated:
         def __init__(self, real, fake="*" * 8):
             ...
     }}}

 2. Extend `buildbot.process.buildstep.RemoteCommand` and
    `buildbot.process.buildstep.RemoteShellCommand` command arguments
    semantics so that it will accept instances of newly created
    `Obfuscated` class:

    {{{
    cmd = buildstep.RemoteShellCommand(self.workdir, ['some_cmd',
    '--password', Obfuscated(self.password, "*" * 8), ...)
    }}}

    `Obfuscated` instances should be expanded to tuples with escaping
    semantics such as ('obfuscated', 'password', 'fake') as discussed in
    bug report and transferred to slave.

 3. Support tuples with escape semantics on slave side either in
    `buildslave.runprocess.RunProcess` or in `buildslave.util.Obfuscated`.

 Working Proof-of-Concept implementation for these changes (without
 Obfuscated class on master side and with disabled arguments
 flattening) available in this branch
 https://github.com/vrutsky/buildbot/commits/POC_obfuscate_slave_side.

-- 
Ticket URL: <http://trac.buildbot.net/ticket/1748#comment:20>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation

More information about the Commits mailing list