[Buildbot-devel] Authentication (WAS: authenicated SVN checkouts..)

Charles Hardin chardin at 2wire.com
Wed Jun 28 22:20:36 UTC 2006 

Random musing stirred this up...

Say a system was created with buildbot that modified the "force build"
page to include a username/password for doing the build as part of an
audit trail for who started the builds...

Unfortunately, in this system the caching methods of svn would not be
too useful...

I only bring this up to the list to see if adding features for "hiding"
the username and password in the status page and logs have merit...

Btw, in this type of system adding an apache mod_proxy or stunnel to
front end of the web page is pretty trivial to keep the buildbot web
interface under ssl...

Charles 

> -----Original Message-----
> From: Stephen Davis [mailto:buildbot at soundgeek.org]
> Sent: Wednesday, June 28, 2006 11:38 AM
> To: Charles Hardin
> Cc: Julien Gilli; Michael March; buildbot-devel at lists.sourceforge.net
> Subject: Re: [Buildbot-devel] authenicated SVN checkouts..
> 
> As Charles says, any user/pass combo you pass on the command line
> will be shown on the status page.  It will also be shown in the
> master's logs and maybe in the slave's process listing.  If you're
> concerned about security, your best bet is to use subversion's local
> auth caching (On Windows XP, the auth cache files are encrypted. For
> subversion 1.4 on Mac OS X, the passwords will be stored in the
> Keychain).  Any other approach requires you to know every place where
> the build master or slave might store the patched user/pass in
> plaintext somewhere.
> 
> Using "--non-interactive" as a global option to the SVN step should
> make the build fail the first time, as you would want -- especially
> for first time users.
> 
> IMO, a patch to the SVN step to always pass "--non-interactive" is a
> better direction to take.  As noted, you can do this yourself in your
> build step right now.
> 
> stephen
> 
> On Jun 28, 2006, at 7:45 AM, Charles Hardin wrote:
> 
> > When passing the username and password, you might want to consider
> > adding a patch that doesn't display the full command line
> > arguements on the status page...
> >
> > The following patch is part of a more complex custom patch, so I
> > just included the parts for the header display - this hasn't been
> > tested as a standalone patch, so apologize if it doesn't work
> > correctly, but hopefully can be used as a base if you want to hide
> > the headers...
> >
> >
> > diff -Nuar buildbot-0.7.2-orig/buildbot/process/step.py
> > buildbot-0.7.2-p4/buildbot/process/step.py
> > --- buildbot-0.7.2-orig/buildbot/process/step.py        2006-06-19
> > 15:18:26.000000000 -0700
> > +++ buildbot-0.7.2-p4/buildbot/process/step.py  2006-06-19
> > 14:59:51.000000000 -0700
> > @@ -1,6 +1,7 @@
> >  # -*- test-case-name: buildbot.test.test_steps -*-
> >
> >  import time, random, types, re, warnings
> > +from types import ListType, StringType
> >  from email.Utils import formatdate
> >
> >  from twisted.internet import reactor, defer, error
> > @@ -267,6 +268,10 @@
> >          if update.has_key('stderr'):
> >              self.addStderr(update['stderr'])
> >          if update.has_key('header'):
> > +            if self.args.has_key('display'):
> > +                if self.args['display'] is False:
> > +                    log.msg("Filtered header: %s" %
update['header'])
> > +                    return
> >              self.addHeader(update['header'])
> >          if update.has_key('rc'):
> >              rc = self.rc = update['rc']
> > @@ -290,7 +295,7 @@
> >
> >      def __init__(self, workdir, command, env=None,
> >                   want_stdout=1, want_stderr=1,
> > -                 timeout=20*60, **kwargs):
> > +                 timeout=20*60, display=True, **kwargs):
> >          """
> >          @type  workdir: string
> >          @param workdir: directory where the command ought to run,
> > @@ -341,11 +346,19 @@
> >                  'want_stdout': want_stdout,
> >                  'want_stderr': want_stderr,
> >                  'timeout': timeout,
> > +                'display': display,
> >                  }
> >          LoggedRemoteCommand.__init__(self, "shell", args)
> >
> >      def start(self):
> > @@ -691,6 +704,7 @@
> >      descriptionDone = None # alternate description when the step
> > is complete
> >      command = None # set this to a command, or set in kwargs
> >      progressMetrics = ['output']
> > +    display = True
> >
> >      parms = BuildStep.parms + [
> >          'description',
> > diff -Nuar buildbot-0.7.2-orig/buildbot/test/test_steps.py
> > buildbot-0.7.2-p4/buildbot/test/test_steps.py
> > --- buildbot-0.7.2-orig/buildbot/test/test_steps.py     2005-10-26
> > 13:22:50.000000000 -0700
> > +++ buildbot-0.7.2-p4/buildbot/test/test_steps.py       2006-06-19
> > 15:13:34.000000000 -0700
> > @@ -114,12 +114,17 @@
> >          expectedEvents.append(["callRemote", "startCommand",
> >                                 (rc, "3",
> >                                 "shell",
> > -                                {'command': "argle bargle",
> > -                                 'workdir': "murkle",
> > -                                 'want_stdout': 1,
> > -                                 'want_stderr': 1,
> > -                                 'timeout': 10,
> > -                                 'env': None}) ] )
> > +                               {'display': True,
> > +                                'command': "argle bargle",
> > +                                'workdir': "murkle",
> > +                                'want_stdout': 1,
> > +                                'want_stderr': 1,
> > +                                'timeout': 10,
> > +                                'env': None}) ] )
> >          self.assertEqual(self.remote.events, expectedEvents)
> >
> >          # we could do self.remote.deferred.errback(UnknownCommand)
> > here. We
> >
> >
> >
> > -----Original Message-----
> > From: buildbot-devel-bounces at lists.sourceforge.net on behalf of
> > Julien Gilli
> > Sent: Wed 6/28/2006 7:27 AM
> > To: Michael March
> > Cc: buildbot-devel at lists.sourceforge.net
> > Subject: Re: [Buildbot-devel] authenicated SVN checkouts..
> >
> > Hello,
> >
> > On 6/28/06, Michael March <mmarch at gmail.com> wrote:
> >>
> >> I (and I think this list) would *love* to see the patch.
> >>
> >> Here it is. It should apply on buildbot 0.7.3 fine. It may
> >> contains some
> > indentations issues, and it has been generated on Windows. Please,
> > let me
> > know if you need anymore information.
> >
> > Best regards,
> > --
> > Julien Gilli
> >
> >
> > Using Tomcat but need to do more? Need to support web services,
> > security?
> > Get stuff done quickly with pre-integrated technology to make your
> > job easier
> > Download IBM WebSphere Application Server v.1.0.1 based on Apache
> > Geronimo
> > http://sel.as-us.falkag.net/sel?
> > cmd=lnk&kid=120709&bid=263057&dat=121642
> > _______________________________________________
> > Buildbot-devel mailing list
> > Buildbot-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/buildbot-devel

More information about the devel mailing list