P2 authentication upon target platform import [message #1144040]
Fri, 18 October 2013 15:51
Eclipse User

Hi everyone,
we recently started building p2 repositories for our own internal components, so our developers have target platform definitions pointing to URLs in our intranet.
We are testing Artifactory to publish these p2 sites. Artifactory offers user authentication to access these repositories. This works pretty well from the Eclipse IDE, as the target platform resolution interface pops up a dialog asking for authentication when trying to resolve these remote p2 sites. So far, so good.
We use these same target definitions in our Hudson/Jenkins builds. We command buckminster to import a target platform definition before building. This has worked flawlessly so far (despite some p2 site caching issues...). But as soon as we introduced authentication, bucky fails to resolve the target platform definition due to these authentication-required p2 sites.
So the question is... is there any way to specify credentials to bucky on an attempt to resolve these p2 sites? Any best practice for such a thing?
Thanks in advance!
Víctor Roldán [Open Canarias]

Re: P2 authentication upon target platform import [message #1176703 is a reply to message #1176270]
Fri, 08 November 2013 13:56
Eclipse User

Thomas,
basic auth is not ideal, but even so, that does not seem to work. Target platform definitions do not seem to allow such a format:
java.lang.NumberFormatException: For input string: "<my_pass>@<our_host>"
    at java.lang.NumberFormatException.forInputString(Unknown Source)
    at java.lang.Integer.parseInt(Unknown Source)
    at java.lang.Integer.parseInt(Unknown Source)
    at org.eclipse.ecf.provider.filetransfer.httpclient.HttpClientRetrieveFileTransfer.getPortFromURL(HttpClientRetrieveFileTransfer.java:844)
    at org.eclipse.ecf.provider.filetransfer.httpclient.HttpClientFileSystemBrowser.setupAuthentication(HttpClientFileSystemBrowser.java:313)
    at org.eclipse.ecf.provider.filetransfer.httpclient.HttpClientFileSystemBrowser.runRequest(HttpClientFileSystemBrowser.java:212)
    at org.eclipse.ecf.provider.filetransfer.browse.AbstractFileSystemBrowser$DirectoryJob.run(AbstractFileSystemBrowser.java:69)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
This is defining a TP definition using Eclipse 3.8.2.

Re: P2 authentication upon target platform import [message #1176712 is a reply to message #1176703]
Fri, 08 November 2013 14:01
Eclipse User

Eclipse 4.3 does not work either:
org.eclipse.equinox.p2.core.ProvisionException: Authentication failed for https://<user>:<pass>@<host>.
    at org.eclipse.equinox.internal.p2.repository.CacheManager.createCache(CacheManager.java:143)
    at org.eclipse.equinox.internal.p2.metadata.repository.SimpleMetadataRepositoryFactory.getLocalFile(SimpleMetadataRepositoryFactory.java:66)
    at org.eclipse.equinox.internal.p2.metadata.repository.SimpleMetadataRepositoryFactory.load(SimpleMetadataRepositoryFactory.java:88)
    at org.eclipse.equinox.internal.p2.metadata.repository.MetadataRepositoryManager.factoryLoad(MetadataRepositoryManager.java:57)
    at org.eclipse.equinox.internal.p2.repository.helpers.AbstractRepositoryManager.loadRepository(AbstractRepositoryManager.java:768)
    at org.eclipse.equinox.internal.p2.repository.helpers.AbstractRepositoryManager.loadRepository(AbstractRepositoryManager.java:668)
    at org.eclipse.equinox.internal.p2.metadata.repository.MetadataRepositoryManager.loadRepository(MetadataRepositoryManager.java:96)
    at org.eclipse.equinox.internal.p2.metadata.repository.MetadataRepositoryManager.loadRepository(MetadataRepositoryManager.java:92)
    at org.eclipse.equinox.p2.ui.ProvisioningUI.loadMetadataRepository(ProvisioningUI.java:439)
    at org.eclipse.equinox.internal.p2.ui.model.MetadataRepositoryElement.getMetadataRepository(MetadataRepositoryElement.java:120)
    at org.eclipse.equinox.internal.p2.ui.model.MetadataRepositoryElement.fetchChildren(MetadataRepositoryElement.java:70)
    at org.eclipse.equinox.internal.p2.ui.model.RemoteQueriedElement.fetchDeferredChildren(RemoteQueriedElement.java:34)
    at org.eclipse.ui.progress.DeferredTreeContentManager$1.run(DeferredTreeContentManager.java:235)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53)
I tested it and this URL works on Firefox and Chrome. Apparently, Internet Explorer does not allow passing user/pass in the URL anymore.

Re: P2 authentication upon target platform import [message #1202957 is a reply to message #1176712]
Fri, 22 November 2013 12:02
Eclipse User

A deeper analysis showed us ECF (which implements the transport layer for P2 communication) does not actually support passing credentials through URL to an HTTP Server. We had to modify two classes to implement such a feature.
We found a fixed issue (included in Kepler) https://bugs.eclipse.org/bugs/show_bug.cgi?id=307477
However, this only avoids the exception described above, but not passing the actual credentials to the server.
I assume this is more a P2/ECF issue, but it strikes me nobody complained about the lack of authentication capabilities of buckminster with P2 sites.
It also strikes me that you're suggesting to have a target platform definition with credentials in plain text.

Re: P2 authentication upon target platform import [message #1206135 is a reply to message #1202957]
Sun, 24 November 2013 00:24
Eclipse User

On 2013-11-22 13:02, Victor Roldan Betancort wrote:
> A deeper analysis showed us ECF (which implements the transport layer for P2 communication) does not actually support
> passing credentials through URL to an HTTP Server. We had to modify two classes to implement such a feature.
>
> We found a fixed issue (included in Kepler) https://bugs.eclipse.org/bugs/show_bug.cgi?id=307477
> However, this only avoids the exception described above, but not passing the actual credentials to the server.
>
> I assume this is more a P2/ECF issue, but it strikes me nobody complained about the lack of authentication capabilities
> of buckminster with P2 sites.
>
> It also strikes me that you're suggesting to have a target platform definition with credentials in plain text.
In hindsight, that was a bad suggestion. I was just trying to help.
- thomas

Re: P2 authentication upon target platform import [message #1211934 is a reply to message #1211485]
Tue, 26 November 2013 17:40
Eclipse User

On 2013-26-11 14:08, Victor Roldan Betancort wrote:
> Aren't you aware of any other means to inject credentials? There may be
> a chance with P2 integration with Equinox Secure Storage, but there is
> no implementation for linux :(
>
> For anyone interested in the ECF issue:
> http://www.eclipse.org/forums/index.php/t/612418/
I worked on the UI support for p2 and credentials. Essentially (and if
IIRC) there is an extension point to enable getting credentials for a
repository URI. It is consulted up front, and if there is an
authentication error (the second because there may have been a
redirection to a location for which there are credentials that the
client side could not know about given the original URI alone).
The basic behavior is using Eclipse keystore. The extension is there to
allow the UI to prompt for password etc, and optionally save the
password in the keystore.
It seems possible to write a corresponding plugin to be used when using
p2 in headless fashion. This plugin would obtain the password through
some other means than asking the user, and it would not save it in the
keystore.
Another approach would be to populate the keystore / give it a keystore
that is pre-populated.
It was some time ago that I worked on this, so I do not immediately
recall the names of these, so you have to go on a digging expedition,
but it should not be too hard to figure out.
Hope that helps.
- henrik

Re: P2 authentication upon target platform import [message #1214860 is a reply to message #1214008]
Wed, 27 November 2013 22:05
Eclipse User

On 2013-27-11 14:54, Victor Roldan Betancort wrote:
> Hi Henrik,
>
> your feedback is much appreciated. This should serve as entry point to
> continue with our exploration.
>
> I assume that extension point is found in a P2 bundle, rather than a
> buckminster bundle. Is that right?
>
> Best Regards!
> Víctor Roldán.
Yeah, this is all p2 - and I think it was a regular Eclipse extension point.
- henrik

Re: P2 authentication upon target platform import [message #1235120 is a reply to message #1235026]
Thu, 23 January 2014 16:11
Eclipse User

Adrian,
we work around the P2 site with authentication issue by modifying ECF so it passes credentials from the URL. So, you'll have Target Platform definitions with credentials hardcoded within the URL. Not the best solution, but that was the quickest solution. I'll ask the engineer that implemented it and share here the patch. It affects some ECF bundles. I'm still waiting for confirmation for making a contribution...
Also, there is the P2 credential injection via extension point, which I haven't analysed, but in the end, it would imply deploying a new bundle in our bucky installation in our server. Another issue would be: best way to pass credentials to such a plugin? As you see, it is not trivial either...
Then, regarding the SVN authentication: that's a whole different story, not related with this. I believe it's related with SSH keys in the machine executing bucky, you must guarantee you can actually establish an ssh connection with the SVN repository from that machine. I'd suggest you install the svn command (assuming you have a linux machine) and try to connect command line to the repository. Once you manage to do that, the next SVN command bucky executes will find the ssh key. Yet another dirty hack we used in the past was hardcoding the credentials in the rmap... not very fancy.
HTH,
Víctor Roldán [Open Canarias]

Re: P2 authentication upon target platform import [message #1236951 is a reply to message #1235124]
Tue, 28 January 2014 13:21
Eclipse User

Hi,
I will detail the workaround indicated by Víctor Roldán.
Problems:
1) The org.eclipse.ecf.provider.filetransfer.httpclient component in eclipse 3.8 (org.eclipse.ecf.provider.filetransfer.httpclient_4.0.200.v20120610-1946) returns an error when the url has the format (user:pass @ host: port / ...). Failed to get port.
java.lang.NumberFormatException: For input string: "<my_pass>@<our_host>"
    at java.lang.NumberFormatException.forInputString(Unknown Source)
    at java.lang.Integer.parseInt(Unknown Source)
2) This bug is solved in eclipse 4.2 (org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622 and org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622). But there is another error with the same URL format: the method getHostFromURL returns an incorrect value; the return value is the user in the url.
Changes to fix:
1) Get the hostname.
- Affected components:
* org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622
* org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622
- Changes in HttpClientRetrieveFileTransfer.java
protected static String getHostFromURL(String url) {
    String result = url;
    final int colonSlashSlash = url.indexOf("://"); //$NON-NLS-1$
    if (colonSlashSlash < 0)
        return ""; //$NON-NLS-1$
    if (colonSlashSlash >= 0) {
        result = url.substring(colonSlashSlash + 3);
    }
    /////////////// Start change ///////////////
    int requestPath = result.indexOf('/');
    final int user = result.indexOf('@');
    if ( (requestPath > 0 && user > 0 && user < requestPath ) || (requestPath < 0 && user > 0)){
        result = result.substring(user + 1);
        requestPath = result.indexOf('/');
    }
    /////////////// End change ///////////////
    final int colonPort = result.indexOf(':');
    int substringEnd;
    if (colonPort > 0 && requestPath > 0)
        substringEnd = Math.min(colonPort, requestPath);
    else if (colonPort > 0)
        substringEnd = colonPort;
    else if (requestPath > 0)
        substringEnd = requestPath;
    else
        substringEnd = result.length();
    return result.substring(0, substringEnd);
}
2) Get credentials from url (when not only exists in the context)
- Affected components:
* org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622
* org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622
- Changes in HttpClientRetrieveFileTransfer.java and HttpClientFileSystemBrowser.java (duplicate methods in both classes)
/* New method */
protected Credentials getFileRequestCredentials(String urlString) throws UnsupportedCallbackException, IOException {
    // Credentials supplied through the connect context take precedence
    Credentials credentials = getFileRequestCredentials();
    if ( credentials != null )
        return credentials;
    // Only accept user:pass@ inside the authority part, so that a URL such as
    // http://host:8080/a@b is not mistaken for one carrying credentials
    if ( urlString.matches("[^:/]+://[^/@:]+:[^/@]+@.+") ) {
        String result = urlString.substring(urlString.indexOf("://") + 3); //$NON-NLS-1$
        final int index1 = result.indexOf(":") ; //$NON-NLS-1$
        // username and password are fields of the enclosing class
        username = result.substring(0,index1);
        result = result.substring(index1 + 1);
        password = result.substring(0, result.indexOf("@"));
        return new UsernamePasswordCredentials(username, password);
    }
    return null;
}
...
protected void setupAuthentication(String urlString) throws UnsupportedCallbackException, IOException {
    // code removed
    // Credentials credentials = null;
    // if (username == null) {
    //     credentials = getFileRequestCredentials();
    // }
    // Call the new method
    Credentials credentials = getFileRequestCredentials(urlString);
    ...
}
Modified source code available in:
- For org.eclipse.ecf.provider.filetransfer.httpclient_4.0.300.v20130604-1622
* HttpClientFileSystemBrowser.java: pastebin.com/iE3fbecp
* HttpClientRetrieveFileTransfer.java: pastebin.com/KLSGX3rm
- For org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.300.v20130604-1622
* HttpClientFileSystemBrowser.java: pastebin.com/cxSyfudi
* HttpClientRetrieveFileTransfer.java: pastebin.com/Ye6J3NG7
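
The Eclipse 4.3 trace earlier in this thread shows the whole https://<user>:<pass>@<host> URL being written into the exception message, and a password containing '@' or ':' has to be percent-encoded to survive inside a URL. As an added example (not part of the ECF patch or of the original post; the class name and the sample URLs are constructed), the same extraction done with java.net.URI, which also yields a credential-free URI for logging:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/** Hypothetical helper: splits a repository URL into host, port and credentials. */
public class RepoUrl {
    final String host;
    final int port;       // -1 when the URL names no port
    final String user;    // null when the URL carries no user:pass@ part
    final String password;
    final URI redacted;   // same URI without the userinfo, safe to log

    RepoUrl(String url) throws URISyntaxException {
        URI u = new URI(url);
        if (u.getHost() == null)
            throw new URISyntaxException(url, "no host component");
        host = u.getHost();
        port = u.getPort();
        String raw = u.getRawUserInfo(); // only the authority part is considered
        int colon = raw == null ? -1 : raw.indexOf(':');
        if (colon > 0) {
            user = decode(raw.substring(0, colon));
            password = decode(raw.substring(colon + 1));
        } else {
            user = null;
            password = null;
        }
        redacted = new URI(u.getScheme(), null, host, port, u.getPath(), u.getQuery(), u.getFragment());
    }

    private static String decode(String s) {
        // Percent-decoding only: URLDecoder would otherwise turn '+' into a space (Java 10+ overload)
        return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] samples = { // constructed sample URLs
            "https://builder:s3cr%40t@repo.example.test:8443/p2/site",
            "http://repo.example.test:8080/p2/a@b", // ':' and '@' present, but no credentials
            "https://repo.example.test/p2/site" };
        for (String s : samples) {
            RepoUrl r = new RepoUrl(s);
            System.out.println(r.redacted + " host=" + r.host + " port=" + r.port
                    + " user=" + r.user + " hasPassword=" + (r.password != null));
        }
    }
}
```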

Re: P2 authentication upon target platform import [message #1239055 is a reply to message #1236972]
Mon, 03 February 2014 08:25
Eclipse User

hi,
thanks for the detailed bug fix instructions.
unfortunately this won't cover our requirement because our apache, hosting the p2-repository, is getting his authorization credentials from a ldap-server.
so every user would have to specify his own credentials and this wouldn't work for rmaps resolved from the repository.
so we are going for another approach. we modified the class ComponentQuery in the org.eclipse.buckminster.core bundle.
in a special early-startup bundle, we are asking the user to enter username & password and keep them in memory during the eclipse session, alternatively the credential can be loaded from the eclipse.ini file (this also covers the eclipse-headless use case).
in the start method of the class CorePlugin from the org.eclipse.buckminster.core bundle, we initialize the two fields username and password from our user-input bundle and in the class ComponentQuery we populate the present, but unused field connectContext with a UsernamePasswordContext.
I am aware, that this only works if all involved p2-repositories require the same credentials, but in our case that's exactly what we have in place.
regards, adrian

Re: P2 authentication upon target platform import [message #1239486 is a reply to message #1239055]
Tue, 04 February 2014 09:54
Eclipse User

Hello Adrian,
I see, this customization won't work for you, unless you set up an LDAP user only for Hudson/Jenkins (this is our case). We keep 2 target platform definitions, one for developer (so Eclipse prompts for credentials when the TP is loaded) and another one for Jenkins.
In your case, the P2 extension point for credential injection sounds more convenient. I can't give more details, I just have been told there is such an extension point...
Good luck!
VR

Re: P2 authentication upon target platform import [message #1776497 is a reply to message #1239486]
Fri, 17 November 2017 04:16
Eclipse User

OK in case anyone trying to do this in 2017 :-)
on product startup
get to
    // look up the running p2 provisioning agent through OSGi
    BundleContext bundleContext = Activator.getDefault().getBundle().getBundleContext();
    ServiceReference<IProvisioningAgent> serviceReference = bundleContext
            .getServiceReference(IProvisioningAgent.class);
    IProvisioningAgent baseagent = bundleContext.getService(serviceReference);
    if (baseagent == null) {
        System.out.println(">> no agent loaded!");
        return;
    }
then
    // keep the previously registered service so trust decisions can be delegated to it
    final UIServices adminUIService = (UIServices) baseagent.getService(UIServices.SERVICE_NAME);
    baseagent.registerService(UIServices.SERVICE_NAME, new UIServices() {
        @Override
        public AuthenticationInfo getUsernamePassword(String location,
                AuthenticationInfo previousInfo) {
            return new AuthenticationInfo("USER base on LOCATION", "PASS", false);// change if need
        }
        @Override
        public AuthenticationInfo getUsernamePassword(String location) {
            return new AuthenticationInfo("USER base on LOCATION", "PASS", false);// change if need
        }
        @Override
        public TrustInfo getTrustInfo(Certificate[][] untrustedChain, String[] unsignedDetail) {
            return adminUIService.getTrustInfo(untrustedChain, unsignedDetail);
        }
    });
Note: this does not work when you run from Eclipse, but when you build the product and run it, it works perfectly!
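
A variant of the override above that reads the account from the environment and answers only for one configured repository host, so the build account is not offered to every server that asks for authentication. This is an added example, not code from the thread or from p2; the class name and the P2_REPO_* variable names are assumptions, as is the form of the location string (handled here as either a URI or a bare host name).

```java
import java.net.URI;
import java.security.cert.Certificate;
import org.eclipse.equinox.p2.core.UIServices;

/** Hypothetical headless credential source, scoped to a single repository host. */
public class HeadlessUIServices extends UIServices {
    // Assumed variable names, filled in by the CI job's secret store
    private final String allowedHost = System.getenv("P2_REPO_HOST");
    private final String user = System.getenv("P2_REPO_USER");
    private final String password = System.getenv("P2_REPO_PASSWORD");
    private final UIServices fallback; // previously registered service, may be null

    public HeadlessUIServices(UIServices fallback) { this.fallback = fallback; }

    @Override
    public AuthenticationInfo getUsernamePassword(String location) {
        if (user == null || password == null || !isAllowed(location))
            return AUTHENTICATION_PROMPT_CANCELED; // never answer for other hosts
        return new AuthenticationInfo(user, password, false); // false: do not save
    }

    @Override
    public AuthenticationInfo getUsernamePassword(String location, AuthenticationInfo previousInfo) {
        // The server already rejected what was sent; repeating it only risks an account lockout.
        return AUTHENTICATION_PROMPT_CANCELED;
    }

    @Override
    public TrustInfo getTrustInfo(Certificate[][] untrustedChain, String[] unsignedDetail) {
        if (fallback != null)
            return fallback.getTrustInfo(untrustedChain, unsignedDetail);
        return new TrustInfo(null, false, false); // trust nothing by default
    }

    /** A URI must be https and name the allowed host; a bare host name must equal it. */
    private boolean isAllowed(String location) {
        if (allowedHost == null || location == null)
            return false;
        try {
            URI u = URI.create(location);
            if (u.getHost() == null)
                return allowedHost.equalsIgnoreCase(location);
            return "https".equalsIgnoreCase(u.getScheme()) && allowedHost.equalsIgnoreCase(u.getHost());
        } catch (IllegalArgumentException e) {
            return false; // unparseable location: fail closed
        }
    }
}
```

It is registered the same way as in the post, by passing `new HeadlessUIServices(adminUIService)` to `registerService` under `UIServices.SERVICE_NAME`.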