Bazaar

Merge lp:~florian-dorn/bzr/Base64CredentialStore into lp:bzr

  1. Base64CredentialStore
  2. Merge into bzr.dev
Proposed by Florian Dorn
Status: Merged
Merged at revision: 6546
Proposed branch: lp:~florian-dorn/bzr/Base64CredentialStore
Merge into: lp:bzr
Diff against target: 147 lines (+112/-1)
4 files modified
bzrlib/plugins/base64_credential_store/__init__.py (+50/-0)
bzrlib/plugins/base64_credential_store/tests/__init__.py (+23/-0)
bzrlib/plugins/base64_credential_store/tests/test_base64.py (+37/-0)
doc/developers/authentication-ring.txt (+2/-1)
To merge this branch: bzr merge lp:~florian-dorn/bzr/Base64CredentialStore
Reviewer Review Type Date Requested Status
Martin Packman (community) Needs Fixing
Martin Pool Pending
Vincent Ladeuil Pending
Review via email: mp+100630@code.launchpad.net

This proposal supersedes a proposal from 2011-06-04.

Description of the change

Implements a base64 credential store (fixes bug #788015), for obfruscating passwords in authentication.conf

To post a comment you must log in.
Revision history for this message
Martin Pool (mbp) wrote : Posted in a previous version of this proposal

Hi, Florian, thanks for this contribution.

Could you please complete <http://www.canonical.com/contributors>?

[question] I wonder how people will discover they can use this. It seems to me we ought to update at least the developer docs that say this is not implemented; add it to news and whatsnew; also perhaps add it into the user guide about authentication. Perhaps this should even become the default?

+ __doc__ = """Base64 credential store for the authentication.conf file"""

[fix] A literal string occurring as the first thing in a class or other block is automatically the docstring in Python.

[tweak] Could you please mention here that the point of this class is to obfuscate the passwords stored in the file?

[fix] This ought to be tested; there is a test_decode_password and TestPlainTextCredentialStore in tests/test_config.py. If you're having trouble adding one just ask and we will help or do it.

I wonder how people are going to discover that this exists? I think

review: Needs Fixing
Revision history for this message
John A Meinel (jameinel) wrote : Posted in a previous version of this proposal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/6/2011 4:46 AM, Martin Pool wrote:
> Review: Needs Fixing
> Hi, Florian, thanks for this contribution.
>
> Could you please complete <http://www.canonical.com/contributors>?
>
> [question] I wonder how people will discover they can use this. It seems to me we ought to update at least the developer docs that say this is not implemented; add it to news and whatsnew; also perhaps add it into the user guide about authentication. Perhaps this should even become the default?
>
> + __doc__ = """Base64 credential store for the authentication.conf file"""

>
> [fix] A literal string occurring as the first thing in a class or other block is automatically the docstring in Python.

We use "__doc__" for Command classes because -OO doesn't strip it out.
We might be using it similarly here. If a doc string ends up in 'bzr
help' text, we want to use __doc__ = ...

>
> [tweak] Could you please mention here that the point of this class is to obfuscate the passwords stored in the file?
>
> [fix] This ought to be tested; there is a test_decode_password and TestPlainTextCredentialStore in tests/test_config.py. If you're having trouble adding one just ask and we will help or do it.
>
> I wonder how people are going to discover that this exists? I think

Would it show up under "bzr help authentication"? If not, it probably
should.

John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3s43YACgkQJdeBCYSNAAOKHACeN0ZHUveykAFo9dckb8e0tkMm
RP4AoNiJSYE7DR8dJx1zD+1QB+pGkKjb
=D6By
-----END PGP SIGNATURE-----

Revision history for this message
Vincent Ladeuil (vila) wrote : Posted in a previous version of this proposal

@Florian: Do you need help here ?

How do you use this store ? You put your encoded credentials into authentication.conf manually ?

review: Needs Information
Revision history for this message
Florian Dorn (florian-dorn) wrote : Posted in a previous version of this proposal

@Vincent:
the base64 encoded password can be generated with:
echo -n "secret" | base64
and put there manually

Revision history for this message
Martin Pool (mbp) wrote : Posted in a previous version of this proposal

On 7 June 2011 00:25, John Arbash Meinel <email address hidden> wrote:

>> [question] I wonder how people will discover they can use this.  It seems to me we ought to update at least the developer docs that say this is not implemented; add it to news and whatsnew; also perhaps add it into the user guide about authentication.  Perhaps this should even become the default?
>>
>> +    __doc__ = """Base64 credential store for the authentication.conf file"""
>
>
>>
>> [fix] A literal string occurring as the first thing in a class or other block is automatically the docstring in Python.
>
> We use "__doc__" for Command classes because -OO doesn't strip it out.
> We might be using it similarly here. If a doc string ends up in 'bzr
> help' text, we want to use __doc__ = ...

[aside] Right, but if this is going to be user documentation it ought
to be written in a different way, describing how to use it, not what
the class is. The parent AuthenticationConfig doesn't declare an
explicity __doc__. Perhaps we should move away from that to say
instead help="""..."""

[fix] At the moment there is "bzr help authentication" apparently
taken from a static file, and that ought to be updated to explain how
to use it.

Revision history for this message
Vincent Ladeuil (vila) wrote : Posted in a previous version of this proposal

> @Vincent:
> the base64 encoded password can be generated with:
> echo -n "secret" | base64
> and put there manually

Great, that's worth adding to the doc (you need to specify password_encoding=base64 too right ?).

I'll put the proposal in the 'Work In Progress' state. When you want it to be reviewed again, just push your new changes to lp and put the proposal back to the 'Needs Review' state.

Revision history for this message
Florian Dorn (florian-dorn) wrote :

@All:
I finally have added the test and updated the developer docs. Sorry for resubmitting the bug, I guess changing the status would have done the job.

Revision history for this message
Martin Packman (gz) wrote :

This is simple enough that it should just go in config rather than needing a plugin. I'll go ahead and so that when I get the chance.

review: Needs Fixing

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added directory 'bzrlib/plugins/base64_credential_store'
2=== added file 'bzrlib/plugins/base64_credential_store/__init__.py'
3--- bzrlib/plugins/base64_credential_store/__init__.py 1970-01-01 00:00:00 +0000
4+++ bzrlib/plugins/base64_credential_store/__init__.py 2012-04-12 12:57:23 +0000
5@@ -0,0 +1,50 @@
6+# Copyright (C) 2008-2011 Canonical Ltd
7+#
8+# This program is free software; you can redistribute it and/or modify
9+# it under the terms of the GNU General Public License as published by
10+# the Free Software Foundation; either version 2 of the License, or
11+# (at your option) any later version.
12+#
13+# This program is distributed in the hope that it will be useful,
14+# but WITHOUT ANY WARRANTY; without even the implied warranty of
15+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16+# GNU General Public License for more details.
17+#
18+# You should have received a copy of the GNU General Public License
19+# along with this program; if not, write to the Free Software
20+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21+
22+__doc__ = """Base64 credential store for the authentication.conf file"""
23+# Since we are a built-in plugin we share the bzrlib version
24+from bzrlib import version_info
25+
26+from bzrlib import (
27+ config,
28+ lazy_import,
29+ )
30+
31+lazy_import.lazy_import(globals(), """
32+import errno
33+import base64
34+from bzrlib import (
35+ errors,
36+ )
37+""")
38+
39+class Base64CredentialStore(config.CredentialStore):
40+
41+ def decode_password(self, credentials):
42+ """See CredentialStore.decode_password."""
43+ return base64.decodestring(credentials['password'])
44+
45+config.credential_store_registry.register_lazy('base64', __name__, 'Base64CredentialStore', help=__doc__)
46+
47+
48+
49+def load_tests(basic_tests, module, loader):
50+ testmod_names = [
51+ 'tests',
52+ ]
53+ basic_tests.addTest(loader.loadTestsFromModuleNames(
54+ ["%s.%s" % (__name__, tmn) for tmn in testmod_names]))
55+ return basic_tests
56
57=== added directory 'bzrlib/plugins/base64_credential_store/tests'
58=== added file 'bzrlib/plugins/base64_credential_store/tests/__init__.py'
59--- bzrlib/plugins/base64_credential_store/tests/__init__.py 1970-01-01 00:00:00 +0000
60+++ bzrlib/plugins/base64_credential_store/tests/__init__.py 2012-04-12 12:57:23 +0000
61@@ -0,0 +1,23 @@
62+# Copyright (C) 2008 by Canonical Ltd
63+#
64+# This program is free software; you can redistribute it and/or modify
65+# it under the terms of the GNU General Public License as published by
66+# the Free Software Foundation; either version 2 of the License, or
67+# (at your option) any later version.
68+#
69+# This program is distributed in the hope that it will be useful,
70+# but WITHOUT ANY WARRANTY; without even the implied warranty of
71+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
72+# GNU General Public License for more details.
73+#
74+# You should have received a copy of the GNU General Public License
75+# along with this program; if not, write to the Free Software
76+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
77+
78+def load_tests(basic_tests, module, loader):
79+ testmod_names = [
80+ 'test_base64',
81+ ]
82+ basic_tests.addTest(loader.loadTestsFromModuleNames(
83+ ["%s.%s" % (__name__, tmn) for tmn in testmod_names]))
84+ return basic_tests
85
86=== added file 'bzrlib/plugins/base64_credential_store/tests/test_base64.py'
87--- bzrlib/plugins/base64_credential_store/tests/test_base64.py 1970-01-01 00:00:00 +0000
88+++ bzrlib/plugins/base64_credential_store/tests/test_base64.py 2012-04-12 12:57:23 +0000
89@@ -0,0 +1,37 @@
90+# Copyright (C) 2008 Canonical Ltd
91+#
92+# This program is free software; you can redistribute it and/or modify
93+# it under the terms of the GNU General Public License as published by
94+# the Free Software Foundation; either version 2 of the License, or
95+# (at your option) any later version.
96+#
97+# This program is distributed in the hope that it will be useful,
98+# but WITHOUT ANY WARRANTY; without even the implied warranty of
99+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
100+# GNU General Public License for more details.
101+#
102+# You should have received a copy of the GNU General Public License
103+# along with this program; if not, write to the Free Software
104+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
105+
106+from cStringIO import StringIO
107+
108+from bzrlib import (
109+ config,
110+ errors,
111+ osutils,
112+ tests,
113+ )
114+
115+from bzrlib.plugins import base64_credential_store
116+
117+
118+class TestBase64CredentialStore(tests.TestCase):
119+
120+ def test_decode_password(self):
121+ import base64
122+ r = config.credential_store_registry
123+ plain_text = r.get_credential_store('base64')
124+ decoded = plain_text.decode_password(dict(password=base64.encodestring('secret-pass')))
125+ self.assertEquals('secret-pass', decoded)
126+
127
128=== modified file 'doc/developers/authentication-ring.txt'
129--- doc/developers/authentication-ring.txt 2010-11-12 22:46:28 +0000
130+++ doc/developers/authentication-ring.txt 2012-04-12 12:57:23 +0000
131@@ -158,7 +158,7 @@
132
133 Encoding passwords in ``base64``, while weak, provides protection against
134 accidental reading (if an administrator have to look into the file, he will not
135-see the passwords in clear).(Not implemented yet).
136+see the passwords in clear).
137
138 This specification intends to ease the authentication providing, not to secure
139 it in the best possible way.
140@@ -266,6 +266,7 @@
141 scheme=https
142 host=home.net
143 user=joe
144+ # Obtain the base64 encoded password by running 'echo -n "secret-pass" | base64'
145 password='c2VjcmV0LXBhc3M='
146 password_encoding=base64
147 verify_certificates=no # Still searching a free certificate provider