Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Buckminster » P2 authentication upon target platform import(How to specify credentials to p2-repositories requiring authentication?)
P2 authentication upon target platform import [message #1144040] Fri, 18 October 2013 15:51 Go to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Hi everyone,

we recently started building p2 repositories for our own internal components, so our developers have target platforms definitions pointing to URLs in our intranet.

We are testing artifactory to publish these p2 sites. Artifactory offers user authentication to access this repositories. This works pretty well from the Eclipse IDE, as the target platform resolution interface pops up a dialog asking for authentication when trying to resolve these remote p2 sites. So far, so good.

We use these same target definitions in our Hudson/Jenkins builds. We command buckminster to import a target platform definition before building. This has worked flawlessly so far (despite some p2 site caching issues...). But as soon as we introduced authentication, bucky fails to resolve the target platform definition due to these authetication-required p2 sites.

So the question is... is there any way to specify credentials to bucky on an attempt to resolve these p2 sites? Any best practice for such thing?

Thanks in advance!
Víctor Roldán [Open Canarias]

Re: P2 authentication upon target platform import [message #1175337 is a reply to message #1144040] Thu, 07 November 2013 17:43 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Is there anyone of the bucky team willing to give some kind of feedback on this?
Re: P2 authentication upon target platform import [message #1176270 is a reply to message #1175337] Fri, 08 November 2013 08:21 Go to previous messageGo to next message
Thomas Hallgren is currently offline Thomas HallgrenFriend
Messages: 3229
Registered: July 2009
Senior Member
On 2013-11-07 18:43, Victor Roldan Betancort wrote:
> Is there anyone of the bucky team willing to give some kind of feedback on this?

What kind of authentication is needed? Is basic authentication OK? If so, have you tried urls like
"http://${username}:${password}@example.com/..." ?

- thomas
Re: P2 authentication upon target platform import [message #1176703 is a reply to message #1176270] Fri, 08 November 2013 13:56 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Thomas,

basic auth is not the ideal, but even though, that does not seem to work. Target platform definitions does not seem to allow such format:

java.lang.NumberFormatException: For input string: "<my_pass>@<our_host>"
at java.lang.NumberFormatException.forInputString(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at org.eclipse.ecf.provider.filetransfer.httpclient.HttpClientRetrieveFileTransfer.getPortFromURL(HttpClientRetrieveFileTransfer.java:844)
at org.eclipse.ecf.provider.filetransfer.httpclient.HttpClientFileSystemBrowser.setupAuthentication(HttpClientFileSystemBrowser.java:313)
at org.eclipse.ecf.provider.filetransfer.httpclient.HttpClientFileSystemBrowser.runRequest(HttpClientFileSystemBrowser.java:212)
at org.eclipse.ecf.provider.filetransfer.browse.AbstractFileSystemBrowser$DirectoryJob.run(AbstractFileSystemBrowser.java:69)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)

This is defining a TP definition using Eclipse 3.8.2.
Re: P2 authentication upon target platform import [message #1176712 is a reply to message #1176703] Fri, 08 November 2013 14:01 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Eclipse 4.3 does not work either:

org.eclipse.equinox.p2.core.ProvisionException: Authentication failed for https://<user>:<pass>@<host>.
at org.eclipse.equinox.internal.p2.repository.CacheManager.createCache(CacheManager.java:143)
at org.eclipse.equinox.internal.p2.metadata.repository.SimpleMetadataRepositoryFactory.getLocalFile(SimpleMetadataRepositoryFactory.java:66)
at org.eclipse.equinox.internal.p2.metadata.repository.SimpleMetadataRepositoryFactory.load(SimpleMetadataRepositoryFactory.java:88)
at org.eclipse.equinox.internal.p2.metadata.repository.MetadataRepositoryManager.factoryLoad(MetadataRepositoryManager.java:57)
at org.eclipse.equinox.internal.p2.repository.helpers.AbstractRepositoryManager.loadRepository(AbstractRepositoryManager.java:768)
at org.eclipse.equinox.internal.p2.repository.helpers.AbstractRepositoryManager.loadRepository(AbstractRepositoryManager.java:668)
at org.eclipse.equinox.internal.p2.metadata.repository.MetadataRepositoryManager.loadRepository(MetadataRepositoryManager.java:96)
at org.eclipse.equinox.internal.p2.metadata.repository.MetadataRepositoryManager.loadRepository(MetadataRepositoryManager.java:92)
at org.eclipse.equinox.p2.ui.ProvisioningUI.loadMetadataRepository(ProvisioningUI.java:439)
at org.eclipse.equinox.internal.p2.ui.model.MetadataRepositoryElement.getMetadataRepository(MetadataRepositoryElement.java:120)
at org.eclipse.equinox.internal.p2.ui.model.MetadataRepositoryElement.fetchChildren(MetadataRepositoryElement.java:70)
at org.eclipse.equinox.internal.p2.ui.model.RemoteQueriedElement.fetchDeferredChildren(RemoteQueriedElement.java:34)
at org.eclipse.ui.progress.DeferredTreeContentManager$1.run(DeferredTreeContentManager.java:235)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53)

I tested it and this URL works on Firefox and Chrome. Apparently, Internet Explorer does not allow passing user/pass in the URL anymore.
Re: P2 authentication upon target platform import [message #1202957 is a reply to message #1176712] Fri, 22 November 2013 12:02 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
A deeper analysis showed us ECF (which implements the transport layer for P2 communication) does not actually support passing credentials through URL to an HTTP Server. We had to modify two classes to implement such feature.

We found a fixed issue (included in Kepler) https://bugs.eclipse.org/bugs/show_bug.cgi?id=307477
However, this only avoids the exception described above, but not passing the actual credentials to the server.

I assume this is more a P2/ECF issue, but it strikes me nobody complained about the lack of authentication capabilities of buckminster with P2 sites.

It also strikes the fact you're suggesting to have a target platform definition with credentials in plain text.
Re: P2 authentication upon target platform import [message #1206135 is a reply to message #1202957] Sun, 24 November 2013 00:24 Go to previous messageGo to next message
Thomas Hallgren is currently offline Thomas HallgrenFriend
Messages: 3229
Registered: July 2009
Senior Member
On 2013-11-22 13:02, Victor Roldan Betancort wrote:
> A deeper analysis showed us ECF (which implements the transport layer for P2 communication) does not actually support
> passing credentials through URL to an HTTP Server. We had to modify two classes to implement such feature.
>
> We found a fixed issue (included in Kepler) https://bugs.eclipse.org/bugs/show_bug.cgi?id=307477
> However, this only avoids the exception described above, but not passing the actual credentials to the server.
>
> I assume this is more a P2/ECF issue, but it strikes me nobody complained about the lack of authentication capabilities
> of buckminster with P2 sites.
>
> It also strikes the fact you're suggesting to have a target platform definition with credentials in plain text.

In hindsight, that was a bad suggestion. I was just trying to help.

- thomas
Re: P2 authentication upon target platform import [message #1211485 is a reply to message #1144040] Tue, 26 November 2013 13:08 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Aren't you aware of any other means to inject credentials? There may be a chance with P2 integration with Equinox Secure Storage, but there is no implementation for linux Sad

For anyone interested in the ECF issue:
http://www.eclipse.org/forums/index.php/t/612418/
Re: P2 authentication upon target platform import [message #1211934 is a reply to message #1211485] Tue, 26 November 2013 17:40 Go to previous messageGo to next message
Henrik Lindberg is currently offline Henrik LindbergFriend
Messages: 2500
Registered: July 2009
Senior Member
On 2013-26-11 14:08, Victor Roldan Betancort wrote:
> Aren't you aware of any other means to inject credentials? There may be
> a chance with P2 integration with Equinox Secure Storage, but there is
> no implementation for linux :(
>
> For anyone interested in the ECF issue:
> http://www.eclipse.org/forums/index.php/t/612418/

I worked on the UI support for p2 and credentials. Essentially (and if
IIRC) there is an extension point to enable getting credentials for a
repository URI. It is consulted up front, and if there is an
authentication error (the second because there may have been a
redirection to a location for which there are credentials that the
client side could not know about given the original URI alone).

The basic behavior is using Eclipse keystore. The extension is there to
allow the UI to prompt for password etc, and optionally save the
password in the keystore.

It seems possible to write a corresponding plugin to be used when using
p2 in headless fashion. This plugin would obtain the password through
some other means than asking the user, and it would not save it in the
keystore.

Another approach would be to populate the keystore / give it a keystore
that is pre-populated.

It was some time ago since I worked on this, so I do not immediately
recall the names of these, so you have to go on a digging expedition,
but should not be to hard to figure out.

Hope that helps.
- henrik
Re: P2 authentication upon target platform import [message #1214008 is a reply to message #1211934] Wed, 27 November 2013 13:54 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Hi Henrik,

your feedback is much appreciated. This should serve as entry point to continue with our exploration.

I assume that extension point is found in a P2 bundle, rather than a buckminster bundle. Is that right?

Best Regards!
Víctor Roldán.
Re: P2 authentication upon target platform import [message #1214860 is a reply to message #1214008] Wed, 27 November 2013 22:05 Go to previous messageGo to next message
Henrik Lindberg is currently offline Henrik LindbergFriend
Messages: 2500
Registered: July 2009
Senior Member
On 2013-27-11 14:54, Victor Roldan Betancort wrote:
> Hi Henrik,
>
> your feedback is much appreciated. This should serve as entry point to
> continue with our exploration.
>
> I assume that extension point is found in a P2 bundle, rather than a
> buckminster bundle. Is that right?
>
> Best Regards!
> Víctor Roldán.

Yeah, this is all p2 - and I think it was a regular Eclipse extension point.

- henrik
Re: P2 authentication upon target platform import [message #1235026 is a reply to message #1214860] Thu, 23 January 2014 11:27 Go to previous messageGo to next message
Adrian Gaberell is currently offline Adrian GaberellFriend
Messages: 9
Registered: July 2011
Junior Member
hi victor,

i am facing the same problem. not only by resolving a target-platform from a p2 repository also when a rmap is located in a svn repository where public-read isn't allowed.

dif you got a solution where to start expanding p2/ecf?


thanks, adrian
Re: P2 authentication upon target platform import [message #1235120 is a reply to message #1235026] Thu, 23 January 2014 16:11 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Adrian,

we workaround the P2 site with authentication issue my modifying ECF so it passes credentials from the URL. So, you'll have Target Platform definitions with credentials hardcoded within the URL. Not the best solution, but that was the quickest solution. I'll ask the engineer that implemented it and share here the patch. It affects some ECF bundles. I'm still waiting confirmation for making a contribution...

Also, there is the P2 credential injection via extension point, which I haven't analysed, but in the end, it would imply deploying a new bundle in our bucky installation in our server. Another issue would be: best way to pass credentials to such plugin? As you see, it is not trivial either...

Then, regarding the SVN authentication: thats a whole different story, not related with this. I believe its related with SSH keys in the machine executing bucky, you must guarantee you can actually establish an ssh connection with the SVN repository from that machine. I'd suggest you install the svn command (assuming your have a linux machine) and try to connect command line to the repository. Once you manage to do that, the next SVN command bucky executes will find the ssh key. Yet another dirty hack we used in the past was hardcoding the credentials in the rmap... not very fancy.

HTH,
Víctor Roldán [Open Canarias]
Re: P2 authentication upon target platform import [message #1235124 is a reply to message #1235026] Thu, 23 January 2014 16:16 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
You may find more help regarding the SVN issue at:

http://www.eclipse.org/forums/index.php/t/172012/
Re: P2 authentication upon target platform import [message #1236951 is a reply to message #1235124] Tue, 28 January 2014 13:21 Go to previous messageGo to next message
David Lutzardo is currently offline David LutzardoFriend
Messages: 1
Registered: January 2014
Junior Member
Hi,

I will detail the workaround indicated by Víctor Roldán.

Problems:

1) The org.eclipse.ecf.provider.filetransfer.httpclient component in eclipse 3.8 (org.eclipse.ecf.provider.filetransfer.httpclient_4.0.200.v20120610-1946) returns an error when the url has the formar (user:pass @ host: port / ...) Failed to get port.

java.lang.NumberFormatException: For input string: "<my_pass>@<our_host>"
at java.lang.NumberFormatException.forInputString(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)

2) This bug is solved in eclipse 4.2 (org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622 and org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622) But there is another error with the same URL format, the method getHostFromURL returns an incorrect value, the return value is the user in the url.

Changes to fix:

1) Get de hostname.

- Affected components:
* org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622
* org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622

- Changes in HttpClientRetrieveFileTransfer.java

protected static String getHostFromURL(String url) {
	String result = url;
	final int colonSlashSlash = url.indexOf("://"); //$NON-NLS-1$
	if (colonSlashSlash < 0)
		return ""; //$NON-NLS-1$
	if (colonSlashSlash >= 0) {
		result = url.substring(colonSlashSlash + 3);
	}
	/////////////// Start change ///////////////
	int requestPath = result.indexOf('/');
	final int user = result.indexOf('@');
	if ( (requestPath > 0 && user > 0 && user < requestPath ) || (requestPath < 0  && user > 0)){
		result = result.substring(user + 1);
		requestPath = result.indexOf('/');
	}
	/////////////// End change ///////////////
	final int colonPort = result.indexOf(':');
	
	int substringEnd;
		if (colonPort > 0 && requestPath > 0)
		substringEnd = Math.min(colonPort, requestPath);
	else if (colonPort > 0)
		substringEnd = colonPort;
	else if (requestPath > 0)
		substringEnd = requestPath;
	else
		substringEnd = result.length();
	return result.substring(0, substringEnd);
}


2) Get credentials from url (when not only exists in the context)

- Affected components:
* org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622
* org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622

- Changes in HttpClientRetrieveFileTransfer.java and HttpClientFileSystemBrowser.java (duplicate methods in both classes)

/
* New method */
protected Credentials getFileRequestCredentials(String urlString) throws UnsupportedCallbackException, IOException {
	Credentials credentials =  getFileRequestCredentials();
	if ( credentials != null )
		return credentials;
	if ( urlString.matches(".+://.+:.+@.+") ) {
		String result = urlString.substring(urlString.indexOf("://") + 3); //$NON-NLS-1$
		final int index1 = result.indexOf(":") ; //$NON-NLS-1$
		username = result.substring(0,index1);
		result = result.substring(index1 + 1);
		password = result.substring(0, result.indexOf("@"));
		return new UsernamePasswordCredentials(username, password);
	}
	return null;
}

...

protected void setupAuthentication(String urlString) throws UnsupportedCallbackException, IOException {
// code removed
//	Credentials credentials = null;
//	if (username == null) {
//		credentials = getFileRequestCredentials();
//	}
	// Call the new method 
	Credentials credentials = getFileRequestCredentials(urlString);
	...
}


Modified source code available in:

- For org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622

* HttpClientFileSystemBrowser.java: pastebin.com/iE3fbecp
* HttpClientRetrieveFileTransfer.java: pastebin.com/KLSGX3rm

- For org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622

* HttpClientFileSystemBrowser.java: pastebin.com/cxSyfudi
* HttpClientRetrieveFileTransfer.java: pastebin.com/Ye6J3NG7
Re: P2 authentication upon target platform import [message #1236972 is a reply to message #1236951] Tue, 28 January 2014 14:12 Go to previous messageGo to next message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Thanks, David!
Re: P2 authentication upon target platform import [message #1239055 is a reply to message #1236972] Mon, 03 February 2014 08:25 Go to previous messageGo to next message
Adrian Gaberell is currently offline Adrian GaberellFriend
Messages: 9
Registered: July 2011
Junior Member
hi,

thanks for the detailed bug fix instructions.
unfortunately this won't cover our requirement because our apache, hosting the p2-repository, is getting his authorization credentials from a ldap-server.
so every user would have to specify his own credentials and this wouldn't work for rmaps resolved from the repository.
so we are going for another approach. we modified the class ComponentQuery in the org.eclipse.buckminster.core bundle.
in a special early-startup bundle, we are asking the user to enter username & password and keep them in memory during the eclipse session, alternatively the credential can be loaded from the eclipse.ini file (this also covers the eclipse-headless use case).
in the start method of the class CorePlugin from the org.eclipse.buckminster.core bundle, we initialize the two fields username and password from our user-input bundle and in the class ComponentQuery we populate the present, but unused field connectContext with a UsernamePasswordContext.
I am aware, that this only works if all involved p2-repositories requires the same credentials, but in our case that's exactly what we have in place.

regards, adrian
Re: P2 authentication upon target platform import [message #1239486 is a reply to message #1239055] Tue, 04 February 2014 09:54 Go to previous message
Victor Roldan Betancort is currently offline Victor Roldan BetancortFriend
Messages: 524
Registered: July 2009
Senior Member
Hello Adrian,

I see, this customization won't work for you, unless you set up an LDAP user only for Hudson/Jenkins (this is our case). We keep 2 target platform definitions, one for developer (so Eclipse prompts for credentials when the TP is loaded) and another one for Jenkins.

In your case, the P2 extension point for credential injection sounds like more convenient. I can't give more details, I just have been told there is such extension point...

Good luck!

VR
Previous Topic:Buckminster reporting skipped tests as failures?
Next Topic:Bundle .... cannot be resolved. Why?
Goto Forum:
  


Current Time: Wed Nov 26 22:05:17 GMT 2014

Powered by FUDForum. Page generated in 0.02082 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software