
Secure working copies of Continuum build agents

    Details

      Description

      When CONTINUUM-2545 (Add WebDAV interface to continuum build agent for displaying the working copies) was implemented, there was no security implemented, so anyone can access the working copies via WebDAV.

        Issue Links

          Activity

          Maria Odea Ching created issue -
          Maria Odea Ching made changes -
          Field Original Value New Value
          Link This issue is related to CONTINUUM-2545 [ CONTINUUM-2545 ]
          Maria Odea Ching made changes -
          Fix Version/s 1.4.1 (Beta) [ 15104 ]
          Maria Odea Ching added a comment - Related discussions in the dev list for this issue: http://old.nabble.com/Added-WebDAV-interface-for-displaying-the-working-copies-from-build--agent-td29202005.html http://old.nabble.com/Build-agent-security-td30547566.html http://old.nabble.com/How-can-an-agent-be-sure-that-a-request-comes-from-its-master--td21546892.html
          Maria Odea Ching made changes -
          Link This issue is related to CONTINUUM-2044 [ CONTINUUM-2044 ]
          Maria Odea Ching made changes -
          Assignee Maria Odea Ching [ oching ]
          Maria Odea Ching added a comment -

          Fix committed to trunk -r1140480.

          With the committed implementation, it is no longer possible to browse the working copies in the build agent directly. Only the build agent's master is allowed to access it. I made use of the shared secret key/password to verify that the request came from the master. If the password attached to the request matches the sharedSecretPassword configured in the build agent, the request would be allowed. Otherwise, a 401 error will be returned.
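
          The check described in the comment above, as an added Java example that is not Continuum's code or part of the original comment. The class and method names are hypothetical, the secret is a constructed sample, and the request's password is passed in as a plain string because the page does not say how the master attaches it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not Continuum source: class and method names are hypothetical.
public class WorkingCopyGate {
    static final int SC_OK = 200;
    static final int SC_UNAUTHORIZED = 401;

    private final byte[] configuredDigest; // null when no secret is configured

    // configuredSecret stands in for the agent's sharedSecretPassword setting.
    public WorkingCopyGate(String configuredSecret) {
        this.configuredDigest = (configuredSecret == null || configuredSecret.isEmpty())
                ? null : sha256(configuredSecret);
    }

    // presented is the password taken from the request; how the master
    // attaches it (header, parameter, ...) is outside this example.
    public int authorize(String presented) {
        // Fail closed: an unconfigured agent or a request with no password gets 401.
        if (configuredDigest == null || presented == null || presented.isEmpty()) {
            return SC_UNAUTHORIZED;
        }
        // Hashing first gives equal-length inputs; MessageDigest.isEqual
        // compares them without stopping at the first differing byte.
        return MessageDigest.isEqual(configuredDigest, sha256(presented))
                ? SC_OK : SC_UNAUTHORIZED;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }

    public static void main(String[] args) {
        WorkingCopyGate agent = new WorkingCopyGate("constructed-secret"); // sample value
        System.out.println(agent.authorize("constructed-secret")); // request from the master
        System.out.println(agent.authorize("guess"));              // wrong password
        System.out.println(agent.authorize(null));                 // direct browse, no password
        System.out.println(new WorkingCopyGate("").authorize("")); // agent with no secret set
    }
}
```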

          Maria Odea Ching made changes -
          Status Open [ 1 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          Mark Thomas made changes -
          Project Import Sun Apr 05 08:36:01 UTC 2015 [ 1428222961749 ]
          Mark Thomas made changes -
          Workflow jira [ 12711275 ] Default workflow, editable Closed status [ 12738655 ]
          Mark Thomas made changes -
          Project Import Sun Apr 05 21:12:18 UTC 2015 [ 1428268338676 ]
          Mark Thomas made changes -
          Workflow jira [ 12946338 ] Default workflow, editable Closed status [ 12984305 ]
          Transition: Open -> Closed
          Time In Source Status: 28d 1h 40m
          Execution Times: 1
          Last Executer: Maria Odea Ching
          Last Execution Date: 28/Jun/11 04:37

            People

            • Assignee:
              Maria Odea Ching
              Reporter:
              Maria Odea Ching
            • Votes:
              0
              Watchers:
              0
