
Opened 5 years ago

Closed 4 years ago

#6332 closed enhancement (fixed)

Different HTTP authentication method on Debian-like system

Reported by: mpiwowarczyk@…
Owned by: roadrunner
Priority: normal
Component: HudsonTracPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

Hi,

I was struggling with getting things to work on my Ubuntu-based server since every time I tried to connect to Hudson, which is on a different server, I was getting a "403: Forbidden" HTTP error. Then I stumbled upon this comment on the Hudson forum: http://wiki.hudson-ci.org/display/HUDSON/Authenticating+scripted+clients

Note that Hudson (at least when installed on a Debian server with apt-get) does not do any authorization negotiation. I.e. it immediately returns a 403 (Forbidden) response instead of a 401 (Unauthorized) response, so make sure to send the authentication information from the first request.

So I decided to contribute some of my spare time and modified HudsonTracPlugin.py to make things work. Attached you will find the modified source code.

Hope that anyone could find this useful.

Thanks,
MP

Attachments (0)

Change History (6)

comment:1 follow-up: Changed 5 years ago by anonymous

  • Type changed from defect to enhancement

Cannot add attachment due to an HTML link in HudsonTracPlugin.py. Email me instead.

comment:2 in reply to: ↑ 1 ; follow-up: Changed 5 years ago by roadrunner

Replying to anonymous:

Cannot add attachment due to an HTML link in HudsonTracPlugin.py. Email me instead.

Could you attach the diffs instead, please? TIA.

comment:3 in reply to: ↑ 2 ; follow-up: Changed 5 years ago by mpiwowarczyk@…

Replying to roadrunner:

Replying to anonymous:

Cannot add attachment due to an HTML link in HudsonTracPlugin.py. Email me instead.

Could you attach the diffs instead, please? TIA.

Here you go

--- c:\Temp\HudsonTracPlugin.py	2009-10-13 05:08:02.000000000 +0200
+++ new\HudsonTrac/HudsonTracPlugin.py	2009-12-14 22:20:37.221148900 +0100
@@ -5,6 +5,7 @@
 
 import time
 import urllib2
+import base64
 from xml.dom import minidom
 from datetime import datetime
 from trac.core import *
@@ -17,6 +18,21 @@
 except ImportError:
     from trac.Timeline import ITimelineEventProvider
 
+class HTTPOpenHandlerBasicAuthNoChallenge(urllib2.AbstractBasicAuthHandler, urllib2.BaseHandler):
+
+    auth_header = 'Authorization'
+
+    def add_parent(self, parent):
+        self.parent = parent
+
+    def default_open(self, req):
+        host = req.get_full_url()
+        user, pw = self.passwd.find_user_password(None, host)
+        if pw is not None:
+           raw = "%s:%s" % (user, pw)
+           auth = 'Basic %s' % base64.b64encode(raw).strip()
+           req.add_header(self.auth_header, auth)
+
 class HudsonTracPlugin(Component):
     implements(INavigationContributor, ITimelineEventProvider, ITemplateProvider,
                IPermissionRequestor)
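
Review bot: default_open attaches the Basic Authorization header to every request before any response is seen, and nothing in it checks that req.get_full_url() is an https URL, so with this handler installed the username and password go out base64-encoded on the first request even over plain http. Consider refusing, or at least logging a warning, when the scheme is not https. Smaller points: add_parent repeats what urllib2.BaseHandler already does and can be dropped, the .strip() after base64.b64encode is unnecessary because b64encode does not append a newline, the local named host actually holds the full URL, and the body of the if is indented three spaces where the rest of the class uses four.
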
@@ -48,6 +64,9 @@
                           'Whether to display the build descriptions for ' +
                           'each build instead of the canned "Build finished ' +
                           'successfully" etc messages.')
+    no_chal = BoolOption('hudson', 'Use "No Challenge" authentication method', 'false',
+                         'Use no challenge authentication method that in some ' +
+                         'cases Hudson requires (e.g. on Debian-like systems)')
 
     def __init__(self):
         api_url = self.job_url
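
Review bot: the second argument to BoolOption is the option's name in the [hudson] section of trac.ini, but here it is the phrase 'Use "No Challenge" authentication method', so an administrator would have to type that whole string, spaces and quotes included, as the key. Use a short identifier there (for example no_challenge_auth, a suggested name) and keep the explanation in the doc string. The doc string should also say that enabling the option sends the credentials as Basic auth with the first request, since that is the security-relevant effect of turning it on.
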
@@ -58,10 +77,15 @@
         pwdMgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
         pwdMgr.add_password(None, api_url, self.username, self.password)
 
-        bAuth = urllib2.HTTPBasicAuthHandler(pwdMgr)
-        dAuth = urllib2.HTTPDigestAuthHandler(pwdMgr)
-
-        self.url_opener = urllib2.build_opener(bAuth, dAuth)
+        if self.no_chal:
+           bAuth = HTTPOpenHandlerBasicAuthNoChallenge(pwdMgr)
+           bHndl = urllib2.BaseHandler()
+           self.url_opener = urllib2.build_opener(bHndl)
+           self.url_opener.add_handler(bAuth)
+        else:
+           bAuth = urllib2.HTTPBasicAuthHandler(pwdMgr)
+           dAuth = urllib2.HTTPDigestAuthHandler(pwdMgr)
+           self.url_opener = urllib2.build_opener(bAuth, dAuth)
 
         self.env.log.debug("registered auth-handler for '%s', username='%s'" %
                            (api_url, self.username))
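
Review bot: in the self.no_chal branch the opener is built without HTTPDigestAuthHandler, so once the option is on the plugin only ever sends Basic credentials, even to a server that would have offered a Digest challenge; that downgrade should be stated in the option's documentation. Also, bHndl = urllib2.BaseHandler() registers a handler that does nothing, and urllib2.build_opener(bAuth) builds the same opener in one line. The new lines under if/else are indented three spaces where the surrounding code uses four-space steps.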

comment:4 in reply to: ↑ 3 Changed 5 years ago by roadrunner

Replying to mpiwowarczyk@mppcon.com:

Replying to roadrunner:

Could you attach the diffs instead, please? TIA.

Here you go

Thanks! This looks good, though I have one question:

+class HTTPOpenHandlerBasicAuthNoChallenge(urllib2.AbstractBasicAuthHandler, urllib2.BaseHandler):
[snip]
+        if self.no_chal:
+           bAuth = HTTPOpenHandlerBasicAuthNoChallenge(pwdMgr)
+           bHndl = urllib2.BaseHandler()
+           self.url_opener = urllib2.build_opener(bHndl)
+           self.url_opener.add_handler(bAuth)

Why the bHndl - won't replacing the last 3 lines above with the
following work as well since you inherit from BaseHandler?

            self.url_opener = urllib2.build_opener(bAuth)

comment:5 Changed 4 years ago by chris@…

Could you commit the fix to the svn repository, or provide an egg file?

comment:6 Changed 4 years ago by roadrunner

  • Resolution set to fixed
  • Status changed from new to closed

(In [7895]) Added support for Hudson's form-based authentication.

This is based on a modified version of the patch submitted to #6332.
Instead of requiring the user to configure yet another option, Hudson's
403 response is used to trigger the pre-emptive sending of auth info.
This is only very slightly less secure than the config option, and only
so in scenarios where the authentication for Hudson was using Digest auth
but due to some config change Hudson is now returning a 403 - in this case
the plugin will start sending the (essentially cleartext) username and
password which could possibly now be snooped.

This closes #6332 and #6520.
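
The 403-triggered approach described in the commit message above, sketched as an added example (not the code committed in [7895] and not part of the ticket). It uses Python 3's urllib.request rather than urllib2; the class names, the `allow_cleartext` flag, the `trac`/`s3cret` credentials, the example URLs and the in-process fake backend are all assumptions made for the illustration.

```python
import base64
import email.message
import io
import urllib.error
import urllib.request
import urllib.response

class BasicAuthOn403Handler(urllib.request.BaseHandler):
    """On a 403, retry once with a pre-emptive Basic Authorization header."""
    def __init__(self, password_mgr, allow_cleartext=False):
        self.passwd = password_mgr
        self.allow_cleartext = allow_cleartext  # hypothetical opt-in for http://

    def http_error_403(self, req, fp, code, msg, headers):  # https 403s land here too
        if req.has_header("Authorization"):
            return None  # credentials were already sent and refused: do not loop
        if req.type != "https" and not self.allow_cleartext:
            return None  # Basic is only base64; keep it off plain HTTP
        user, pw = self.passwd.find_user_password(None, req.full_url)
        if pw is None:
            return None  # no credentials registered for this URL
        token = base64.b64encode(("%s:%s" % (user, pw)).encode("utf-8"))
        req.add_unredirected_header("Authorization", "Basic " + token.decode("ascii"))
        return self.parent.open(req, timeout=req.timeout)

class Fake403Backend(urllib.request.BaseHandler):
    """Constructed stand-in for the server: 403 (never 401) without valid auth."""
    handler_order = 50  # answer before any real network handler is tried
    expected = "Basic " + base64.b64encode(b"trac:s3cret").decode("ascii")

    def http_open(self, req):
        ok = req.get_header("Authorization") == self.expected
        resp = urllib.response.addinfourl(
            io.BytesIO(b""), email.message.Message(), req.full_url, 200 if ok else 403)
        resp.msg = "OK" if ok else "Forbidden"
        return resp
    https_open = http_open

def fetch_status(url, password="s3cret", allow_cleartext=False):
    """Return the final HTTP status an opener using the handler ends up with."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, "trac", password)
    opener = urllib.request.build_opener(
        Fake403Backend(), BasicAuthOn403Handler(mgr, allow_cleartext))
    try:
        return opener.open(url, timeout=5).code
    except urllib.error.HTTPError as err:
        return err.code
```

Returning `None` from `http_error_403` hands the response back to urllib's default error handler, which raises `HTTPError`, so a refused retry or a plain-http URL surfaces as the original 403 instead of leaking credentials or looping.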
