Continuum / CONTINUUM-2272

Able to add secured projects without credentials

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2
    • Fix Version/s: 1.3.4 (Beta)
    • Component/s: Core system
    • Labels:
      None

      Description

      1. Add a secured project without entering any credentials and do not click 'use scm credentials'
      2. Click the add button
      --> Will have an authorization error while trying to add the project

      3. Repeat steps above but this time with credentials
      --> Successfully added the project

      4. Repeat steps #1&2 but this time choose a different group (Continuum does not allow adding the same project to the same group)
      --> Successfully added the project

      #4 should still show an authorization error instead of successfully adding the project.

          Activity

          Maria Catherine Tan added a comment -

          clear httpclient credentials when adding project

          fixed in:
          r786035 in 1.3.x branch
          r786036 in trunk

          Wendy Smoak added a comment -

          Has the documentation been updated for this change?

          Also, I don't see that any tests were added/updated for this change?

          Wendy Smoak added a comment -

          Reopening for more info and docs/tests.

          In step 1, where do you get the error?

          • when it tries to retrieve the pom?
          • when it tries to check out the source code?

          In step 2, what does Continuum do with the credentials? I think it

          • uses them for the HTTP GET to retrieve the pom
          • stores them in the database
          • uses them for the svn checkout
            ... and this will naturally cache the svn credentials for that svn repo for the user running Continuum. (This always happens unless you put --no-cache-credentials on the command line.)

          In step 4, what part succeeds that you think should fail?

          I am currently working through the 16 combinations of the following yes/no questions to define the requirements for Continuum's behavior wrt cached credentials:
          Q1. Were credentials provided when the project was added?
          Q2. Was 'Use cached credentials if available' checked when the project was added?
          Q3. Were there Subversion credentials cached for the user running Continuum prior to adding the project?
          Q4. Were credentials provided during release prepare?

          Maria Catherine Tan added a comment -

          > In step 1, where do you get the error?
          When Continuum tries to retrieve the pom.

          > In step 2, what does Continuum do with the credentials?
          Just like you said, and store it in the database if not 'use scm credentials cache'.

          > In step 4, what part succeeds that you think should fail?
          When it tries to retrieve the pom using HTTP GET.

          In step 4
          Q1. No
          Q2. No
          Q3. No. I tried adding the same project using a newly created user.
          Q4. No (I don't think CONTINUUM-2251 is a bug)

          In my opinion, this is not related to Subversion at all but to the HttpClient. When I restart Continuum and do step 1 again, I still get the authentication error when trying to add a project without credentials.

          So what I did was clear the credentials from the HttpClient every time we try to add a project, which does not affect svn credentials caching.
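
          The behaviour discussed in this comment, reproduced as an added example that is not Continuum's code: a long-lived HTTP client keeps the credentials from step 3 and silently reuses them in step 4 unless its credential store is cleared per request. It uses Python's urllib in place of the Java HttpClient; `SecuredPom`, `PomFetcher`, `run_steps`, the loopback server and the credentials are all constructed for illustration.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

USER, PASSWORD = "builder", "constructed-secret"  # constructed sample credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class SecuredPom(BaseHTTPRequestHandler):
    """Constructed stand-in for a server whose POM URL requires Basic auth."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == EXPECTED
        body = b"<project/>" if ok else b""
        self.send_response(200 if ok else 401)
        self.send_header("WWW-Authenticate", 'Basic realm="pom"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence per-request logging
        pass

class PomFetcher:
    """Hypothetical long-lived HTTP client shared by every add-project request."""
    def __init__(self, clear_each_request):
        self.clear_each_request = clear_each_request
        self._reset()
    def _reset(self):
        self.store = request.HTTPPasswordMgrWithDefaultRealm()
        handlers = (request.ProxyHandler({}), request.HTTPBasicAuthHandler(self.store))
        self.opener = request.build_opener(*handlers)
    def fetch(self, url, user=None, password=None):
        if self.clear_each_request:
            self._reset()  # the fix: forget credentials left by earlier requests
        if user is not None:
            self.store.add_password(None, url, user, password)
        try:
            with self.opener.open(url, timeout=5) as resp:
                return resp.status
        except error.HTTPError as err:
            return err.code  # 401 when no stored credential matches

def run_steps(clear_each_request):
    """Steps 1, 3 and 4 of the report: no credentials, credentials, none again."""
    with HTTPServer(("127.0.0.1", 0), SecuredPom) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/pom.xml"
        fetcher = PomFetcher(clear_each_request)
        codes = [fetcher.fetch(url), fetcher.fetch(url, USER, PASSWORD), fetcher.fetch(url)]
        server.shutdown()
    return codes
```

          `run_steps(False)` returns `[401, 200, 200]`, the reported behaviour; `run_steps(True)` returns `[401, 200, 401]`, the result the report expects for step 4.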

          Maria Catherine Tan added a comment -

          I think there is no need to update the documentation for this. There's already a line in addProject.apt that says "You can define username/password if the POM URL requires authentication".

          As for the test, do we happen to have a sample project that requires authentication when reading? There is a test that was disabled because it requires username/password; that's why I did not create one for this for the meantime.

          Wendy Smoak added a comment -

          I want to document the expected behavior for the various cases. It's not clear how the credentials you supply when adding a project are used later. (And [unrelated to this issue] I think it might be caching the credentials supplied during the release, which IMO it shouldn't.)

          Where is the disabled test you mentioned? Even if we can't automate it we can define the prerequisites and the steps to test it manually. I can work on that.

          Maria Catherine Tan added a comment -

          For this issue, I did not perform any build or release. Just try to add the same project without credentials.

          The disabled test is in AbstractContinuumProjectBuilderTest

          Wendy Smoak added a comment -

          Attaching work in progress - defining requirements for what Continuum does with the credentials you provide when you add a project. Because of the checkbox on the add project form, cached svn credentials also come into play.

          It's currently in a spreadsheet, so this is a pdf export. I want to get it into plain text, but I know working with a table in APT would be painful. Maybe xdoc will work better...

          Wendy Smoak added a comment -

          Added requirements doc in r787528. It should show up here shortly: http://continuum.apache.org/ref/1.4.0-SNAPSHOT/credentials.html

          Wendy Smoak added a comment -

          Thanks for the additional info, Marica! I updated user docs in r787534 to clarify that the credentials are stored in plain text in the database and reused later for scm checkout and update.


            People

            • Assignee:
              Maria Catherine Tan
              Reporter:
              Maria Catherine Tan