[Buildbot-devel] slave connection over ssl possible?
Axel Hecht
l10n.moz at googlemail.com
Wed Oct 14 07:02:34 UTC 2009
Technical detail:
# The correct idiom to import this module is thus:
# try:
#     from twisted.internet import ssl
# except ImportError:
#     # happens the first time the interpreter tries to import it
#     ssl = None
# if ssl and not ssl.supported:
#     # happens second and later times
#     ssl = None
Just mentioning this because of the troubles I went through to get manhole
working, or rather python_crypto for it.
Axel
2009/10/13 Andy Howell <AndyHowell at austin.rr.com>
>
> >
> > I've had a couple of more security-minded folks complain about the
> > unencrypted slave connection, particularly because there's a password
> > involved. (telling them that the buildslave password is really there
> > just to discourage block-the-real-slave nuisances doesn't seem to
> > mollify them). I know people who've wanted to use the buildbot on
> > closed-source projects and send e.g. SVN username/password to the
> > buildslaves, but were worried about who might be able to see them. And I
> > can imagine closed-but-distributed projects that want to run buildslaves
> > outside of their secure LAN and not expose their code to anyone else,
> > who would be worried both about traffic on the wire and false slaves
> > pretending to be real ones to get access to repository information
> > and/or credentials.
>
> Brian & Jean-Paul,
>
> I'm one of those people :) That's what got me started on this topic. I've
> got a couple
> build machines at a remote site.
>
> I've hacked it to make it work over SSL, but a proper fix requires more
> thought.
> The master side works fine by specifying the port in the format defined in
> twisted.application.strports:
>
> c['slavePortnum'] = "ssl:9989:privateKey=mykey.pem:certKey=mycert.pem"
>
> To make the sendchange and the slaves work requires replacing the
> connectTCP and TCPClient
> calls to their SSL counterparts. The downside of the hack is that the slave
> and sendchange
> only work with SSL, and it wouldn't support certs on the slave side.
>
> It looks to me like the strport methods only work on the server side. I
> would need to make
> the equivalent mechanism for the client side.
>
> Ideally the master could listen on a regular TCP connection and an SSL one.
> Only
> connections over the internet would need SSL. The c['slavePortNum'] could
> be a list.
>
> Does this seem like a reasonable set of changes to make?
>
> Here are all the places that use connectTCP or TCPClient.
>
> connectTCP:
> clients.base.TextClient.startConnecting()
> clients.debug.DebugWidget.do_connect()
> clients.sendchange.Sender.send() ( changed )
> scripts.tryclient.Try.deliverJob()
> scripts.tryclient.Try.getStatus()
> test.testweb.Logfile.test_logfile5()
> test.testweb.Logfile.test_logfile6()
>
> TCPClient:
>
> changes.freshcvs.FreshCVSSourceNewcred.__init__
> changes.freshcvs.FreshCVSSourceOldcred.__init__
> slave.bot.BuildSlave.__init__ ( changed )
> status.words.IRC.__init__ ??
> test.test_config.ConfigTest.TCPlients - new test for SSL?
>
>
> Terrible hack:
>
> diff -u buildbot/clients/sendchange.py.org buildbot/clients/sendchange.py
> --- buildbot/clients/sendchange.py.org 2009-10-12 23:56:13.000000000
> -0500
> +++ buildbot/clients/sendchange.py 2009-10-13 00:02:48.000000000 -0500
> @@ -2,6 +2,7 @@
> from twisted.spread import pb
> from twisted.cred import credentials
> from twisted.internet import reactor
> +from twisted.internet.ssl import ClientContextFactory
>
> class Sender:
> def __init__(self, master, user=None):
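Review bot: the new `from twisted.internet.ssl import ClientContextFactory` at the top of sendchange.py is unconditional, so sendchange stops importing wherever pyOpenSSL is missing, even against a master that still listens on plain TCP. Guard it with the try/except idiom Axel quotes (`ssl = None` on ImportError) and keep the connectTCP path as the default so the SSL transport is opt-in.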
> @@ -20,7 +21,8 @@
>
> f = pb.PBClientFactory()
> d = f.login(credentials.UsernamePassword("change", "changepw"))
> - reactor.connectTCP(self.host, self.port, f)
> + cf=ClientContextFactory()
> + reactor.connectSSL(self.host, self.port, f, cf)
> d.addCallback(self.addChange, change)
> return d
>
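Review bot: `ClientContextFactory()` does no certificate verification, so the connectSSL call encrypts the "change"/"changepw" login but hands it to whatever answers at self.host:self.port, which is the false-master case the thread is worried about. Use a context factory that loads the master's CA certificate and requires a verified chain, and make it configurable so the master address decides between connectTCP and connectSSL rather than dropping the TCP path. Style point: `cf=ClientContextFactory()` wants spaces around `=`.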
> diff -u buildbot/slave/bot.py.org buildbot/slave/bot.py
> --- buildbot/slave/bot.py.org 2009-10-12 23:20:28.000000000 -0500
> +++ buildbot/slave/bot.py 2009-10-13 00:16:52.000000000 -0500
> @@ -8,6 +8,7 @@
> from twisted.internet import reactor, defer
> from twisted.application import service, internet
> from twisted.cred import credentials
> +from twisted.internet.ssl import ClientContextFactory
>
> from buildbot.util import now
> from buildbot.pbutil import ReconnectingPBClientFactory
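Review bot: the added import sits after twisted.cred instead of next to the existing `from twisted.internet import reactor, defer` line two lines up, and it needs the same ImportError guard as sendchange.py: a slave host without pyOpenSSL would otherwise fail to start at all, not just fail to use SSL.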
> @@ -483,7 +484,8 @@
> self.umask = umask
> bf = self.bf = BotFactory(keepalive, keepaliveTimeout, maxdelay)
> bf.startLogin(credentials.UsernamePassword(name, passwd),
> client=bot)
> - self.connection = c = internet.TCPClient(buildmaster_host, port,
> bf)
> + cf=ClientContextFactory()
> + self.connection = c = internet.SSLClient(buildmaster_host, port,
> bf, cf)
> c.setServiceParent(self)
>
> def waitUntilDisconnected(self):
>
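Review bot: `internet.SSLClient(buildmaster_host, port, bf, cf)` with a bare ClientContextFactory sends the slave's name/passwd to any TLS endpoint at that host and port without checking its certificate, and the mail itself notes there is no way to present a slave-side certificate. Accept a context factory (or cert/key/CA settings) in BuildSlave.__init__, fall back to the existing TCPClient when none is given, and have the SSL factory verify the master's chain. Also, the hunk is line-wrapped by the mail client (`client=bot)` and `bf, cf)` stand on their own lines), so it will not apply as quoted.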
> Thanks,
>
> Andy
>
>
>
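A client-side counterpart to the strports string Andy uses on the master, written here as an added example; it is not buildbot's or Twisted's code. It uses the standard library's ssl module rather than twisted.internet.ssl so it runs without Twisted installed, and it also shows the guarded-import idiom from Axel's message. The option names privateKey and certKey come from the mail; caCert, the "tcp" scheme standing in for the plain TCPClient path, and all function names are assumptions of this example. The point it makes is the one the quoted hack misses: a bare ClientContextFactory encrypts the wire but never checks who is on the other end, whereas the context built here requires a verified certificate chain and a matching hostname before any credentials are sent.

```python
"""Client-side parsing of strports-style connection descriptions (added example)."""

# Same idiom Axel quotes: keep a None sentinel when the module is unavailable
# so that plain "tcp:" descriptions still work and "ssl:" fails with a clear error.
try:
    import ssl
except ImportError:  # interpreter built without OpenSSL
    ssl = None

# Server-side option names from the mail plus a hypothetical caCert for pinning
# the master's CA on the client side.
ALLOWED_SSL_OPTIONS = {"privateKey", "certKey", "caCert"}


def parse_client_description(description):
    """Split "scheme:port:key=value:..." into (scheme, port, options).

    Only "tcp" and "ssl" are accepted, the two transports the thread discusses.
    """
    parts = description.split(":")
    if len(parts) < 2:
        raise ValueError("expected scheme:port[:key=value...]: %r" % description)
    scheme = parts[0].lower()
    if scheme not in ("tcp", "ssl"):
        raise ValueError("unsupported scheme %r" % scheme)
    try:
        port = int(parts[1])
    except ValueError:
        raise ValueError("port must be an integer: %r" % parts[1])
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    options = {}
    for item in parts[2:]:
        if "=" not in item:
            raise ValueError("option without value: %r" % item)
        key, value = item.split("=", 1)
        options[key] = value
    return scheme, port, options


def build_client_context(scheme, options):
    """Return an ssl.SSLContext for scheme "ssl", or None for "tcp".

    Unlike a bare twisted.internet.ssl.ClientContextFactory, the context
    requires a chain to a trusted CA and checks the hostname, so a host that
    merely speaks TLS cannot collect the slave password.  privateKey/certKey
    (hypothetical on the client side) add a slave certificate for the master
    to verify in turn.
    """
    if scheme == "tcp":
        return None
    if ssl is None:
        raise RuntimeError("ssl: description requested but the ssl module is unavailable")
    unknown = set(options) - ALLOWED_SSL_OPTIONS
    if unknown:
        raise ValueError("unknown ssl options: %s" % ", ".join(sorted(unknown)))
    if ("privateKey" in options) != ("certKey" in options):
        raise ValueError("privateKey and certKey must be given together")
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    context.check_hostname = True          # name in the cert must match the master host
    context.verify_mode = ssl.CERT_REQUIRED  # unverified chains are rejected
    if "caCert" in options:
        context.load_verify_locations(cafile=options["caCert"])
    if "certKey" in options:
        context.load_cert_chain(certfile=options["certKey"], keyfile=options["privateKey"])
    return context


def is_verifying(context):
    """True only if the context will refuse an unverified or mismatched master certificate."""
    return bool(context is not None
                and context.check_hostname
                and context.verify_mode == ssl.CERT_REQUIRED)


def describe(description):
    """Parse a description and build its context in one call: (scheme, port, context)."""
    scheme, port, options = parse_client_description(description)
    return scheme, port, build_client_context(scheme, options)


def describe_all(descriptions):
    """Accept a single description or a list, as Andy proposes for c['slavePortNum']."""
    if isinstance(descriptions, str):
        descriptions = [descriptions]
    return [describe(d) for d in descriptions]


if __name__ == "__main__":
    for scheme, port, context in describe_all(["tcp:9989", "ssl:9989"]):
        print(scheme, port, "verifying" if is_verifying(context) else "plain")
```

Wiring this into the slave would mean choosing TCPClient when the context is None and SSLClient with a verifying context factory otherwise; the parser deliberately rejects unknown option names so a typo in a certificate path cannot silently downgrade to the unverified default.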