mercurial ssl access allow pull BUT require authentication for push - mercurial

I have set up a mercurial server through SSL. In the apache config file I have set up an authentication using a mysql database.
I would like everyone to be able to pull from the repository without credentials, but restrict the push right to authenticated users. The way it is done now either everyone is authenticated both for pull and push, or nobody is.
My apache configuration is this:
<Location /hg/repo>
AuthType Basic
AuthName "Repository Access"
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQL On
AuthMySQL_Authoritative On
AuthMySQL_Host localhost
AuthMySQL_DB repo
AuthMySQL_User repo
AuthMySQL_Password_Table users_auth_external
AuthMySQL_Group_Table users_auth_external
AuthMySQL_Username_Field username
AuthMySQL_Password_Field passwd
AuthMySQL_Group_Field groups
AuthMySQL_Encryption_Types SHA1Sum
Require group pink-image
<LimitExcept GET>
Require valid-user
</LimitExcept>
</Location>
hg also requires authentication for the ssl pull, Regardless on the LimitExcept switch.
Is there a way to limit the authentication only for pushing to the repository?
A simple http access would not be sufficient because if somebody is a developer she checks out the code through https.
SSH access is not possible because some of the developers have the ssh port forbidden by the firewall.
One of the solutions would be if hg would remember the https credentials.
Thank You for reading the question.

The authentication should be wrapped into the exception rule.
<Location /hg/repo>
<LimitExcept GET>
AuthType Basic
AuthName "Repository Access"
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQL On
AuthMySQL_Authoritative On
AuthMySQL_Host localhost
AuthMySQL_DB repo
AuthMySQL_User repo
AuthMySQL_Password_Table users_auth_external
AuthMySQL_Group_Table users_auth_external
AuthMySQL_Username_Field username
AuthMySQL_Password_Field passwd
AuthMySQL_Group_Field groups
AuthMySQL_Encryption_Types SHA1Sum
Require group pink-image
</LimitExcept>
</Location>

One of the solutions would be if hg would remember the https credentials.
It can remember the credentials for push and pull. Look under the auth section of hg help config if you don't mind adding the details to one of the config files (either user's config or the repository clone's hgrc)
This would mean putting the password in the config file which you might not like so you could use the Mercurial Keyring Extension instead which stores the password more securely.

It turns out automatic credentials are not enough. The repository aught to be accessible through the web interface. However the same config file pops up an authentication dialog in the browser which makes the web interface unusable.

Related

How to prevent people from accessing OpenShift web apps?

I just uploaded a Wildfly web application to my free OpenShift account so my team members can check it out. It's a work in progress so I don't want people to know and access it via the web. If I want someone to use it then I'll send them the URL "XXX-XXX.rhcloud.com"
Is there a way to prevent people from knowing and accessing my web application on OpenShift?
You can use Basic authentication in order to anyone provides login/password before access your contents.
In openshift there is a enviroment variable called $OPENSHIFT_REPO_DIR, is the path of your working directory i.e. /var/lib/openshift/myuserlongid/app-root/runtime/repo/
I create a new enviroment variable called SECURE wrapping the folder path.
rhc set-env SECURE=/var/lib/openshift/myuserlongid/app-root/data --app myappname
Finally I connect to my app with ssh
rhc ssh myappname
And create the .htpasswd file
htpasswd -c $SECURE/.htpasswd <username>
Note: The -c option to htpasswd creates a new file, overwriting any existing htpasswd file. If your intention is to add a new user to an existing htpasswd file, simply drop the -c option.
.htaccess file
AuthType Basic
AuthName "Authentication"
AuthUserFile ${SECURE}/.htpasswd
Require valid-user
I am not sure if you configure openshift so that url is private, however I am sure you can hack your way. Instead of hosting your app at "XXX-XXX.rhcloud.com", you can set root-url of your app to be "XXX-XXX.rhcloud.com/some_hash" (for ex: XXX-XXX.rhcloud.com/2d6541ff807c289fc686ad64f10509e0e74ba0be22b0462aa0ac3a7a54dd20073101ddd5843144b9a9ee83d0ba882f35d49527e3e762162f76cfd04d355411f1 )
When it comes people finding your website on search engines you can block crawlers with robot.txt or noindex meta tag. You can further read about them here and here

Mercurial subrepos and bitbucket accounts

I have a team set up on bitbucket with multiple users, and I'm using the keyring extension for mercurial. I need to set up a subrepo, and in the .hgsub file I need to provide the url for the subrepo.
If I use https://bitbucket.org/team/subrepo then the user needs to authenticate each time they try to pull.
If I use https://userX.bitbucket.org/team/subrepo then each user will need to authenticate with userX's password.
If I use https://team.bitbucket.org/team/subrepo then each user will need the team's password.
Is there a way I can set it up so that the authentication can be saved using the keyring extension, but still have separate credentials for each user, without using ssh?
Yes, you can enter your authentication information into your config file. The documentation for this is here.
In the auth section of each user's config file you can enter the following details:
[auth]
bb.schemes = http https
bb.prefix = bitbucket.org/team
bb.username = userX
The bb part is just a tag to group the settings together - you can use what you like and you can have more than one set if you have more than one Mercurial server that you use.
The example settings say that all repositories that start http://bitbucket.org/team or https://bitbucket.org/team should use the username of userX. The keyring extension will take care of the password after that.

Configuration for using Mercurial with Bitbucket from behind a certificate rewriting proxy?

I'm trying to access BitBucket from work. The only access to the Internet is via an authenticating HTTP proxy which proxies http on port 8080 and SSL on port 8070. This proxy conducts a man-in-the-middle attack on SSL connections, browsers are able to create HTTPS connections to the Internet only due to the installation of a fake Websense certificate on all clients.
I am able to connect to BitBucket using Git but not using Mercurial. I'm using Mercurial version 2.0.2.
With Git I use the following config in .gitconfig
[user]
name = Firstname Lastname
email = firstname_lastname#domain.co.uk
[http]
proxy = http://name:password#nnn.nnn.nnn.nnn:8080
And can clone a repository with the following command
D:\MercurialTesting>git clone http://Firstname_Lastname#bitbucket.org/Firstname_Lastname/bb102repo.git test1
Cloning into 'test1'...
Password for 'bitbucket.org':
remote: Counting objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
D:\MercurialTesting>
With the addition of this config setting
[http]
sslverify = false
I can also clone the repository via the https url https://Firstname_Lastname#bitbucket.org/Firstname_Lastname/bb102repo.git
Using Mercurial though it's a different story. Using the following config in mercurial.ini
[http_proxy]
host = nnn.nnn.nnn.nnn:8080
user = firstname_lastname#domain.co.uk
passwd = password
Mercurial will access my own Mercurial server at home no problem.
D:\MercurialTesting>hg --debug clone http://nnn.nnn.nnn.nnn/hg/Workspaces/Test1
using http://nnn.nnn.nnn.nnn/hg/Workspaces/Test1
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
http authorization required
realm: Mercurial Repositories
user: username
password:
http auth: user username, password *******
destination directory: Test1
query 1; heads
sending batch command
http auth: user username, password *******
requesting all changes
sending getbundle command
http auth: user username, password *******
adding changesets
changesets: 1 chunks
add changeset 711ff2c6f5b2
changesets: 2 chunks
add changeset 9034b963b4c1
. . .
Using the exact same configuration and trying to access BitBucket through Mercurial just hangs.
D:\MercurialTesting>hg --debug clone http://bitbucket.org/Firstname_Lastname/bb101repo
using http://bitbucket.org/Firstname_Lastname/bb101repo
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
abort: error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
D:\MercurialTesting>
Using the same configuration with SSL via the url https://bitbucket.org/Firstname_Lastname/bb101repo Mercurial hangs in exactly the same way. During this process Wireshark detects no network activity at all.
Changing the settings in Mercurial.ini to match the port which the proxy serves SSL through has no effect. Setting the environment variable http_proxy makes no difference, but setting the environment variable https_proxy changes the output completely. Setting https_proxy and adding --insecure to the hg command invocation results in:
D:\MercurialTesting>hg --debug clone http://bitbucket.org/Firstname_Lastname/bb101repo --insecure
using http://bitbucket.org/Firstname_Lastname/bb101repo
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
warning: bitbucket.org certificate with fingerprint 79:ce:0d:30:b0:17:29:6a:d1:9f:dd:d3:62:80:70:28:5e:9f:c2:e3 not verified (check hostfingerprints or web.cacerts config setting)
http authorization required
realm: Bitbucket.org HTTP
user: Firstname_Lastname
password:
http auth: user Firstname_Lastname, password ***
warning: bitbucket.org certificate with fingerprint 79:ce:0d:30:b0:17:29:6a:d1:9f:dd:d3:62:80:70:28:5e:9f:c2:e3 not verified (check hostfingerprints or web.cacerts config setting)
abort: HTTP Error 502: Success
D:\MercurialTesting>
And now Wireshark does detect an exchange taking place between my workstation and the proxy server. What I find most confusing though is that it doesn't make the slightest difference what I set https_proxy to, hg always uses the http proxy setting from Mercurial.ini and produces the same output above irrespective of whether I set https_proxy to the correct details for the SSL proxy or to complete garbage. The only difference is that if the environment variable https_proxy isn't set at all then hg just hangs as described above.
The formats for https_proxy I've tried include all variations of:
https_proxy=ip.ip.ip.ip:8070
https_proxy=ip.ip.ip.ip:8080
https_proxy=username:password#ip.ip.ip.ip:8070
https_proxy=username:password#ip.ip.ip.ip:8080
https_proxy=http://ip.ip.ip.ip:8070
https_proxy=http://ip.ip.ip.ip:8080
https_proxy=http://username:password#ip.ip.ip.ip:8070
https_proxy=http://username:password#ip.ip.ip.ip:8080
The results are the same no matter what I set it to.
So the questions I could really use some help with are:
How come I can access my Mercurial repositories at home but not at BitBucket?
How come I can access BitBucket with Git but not with Mercurial using the same configuration?
Does anyone have any ideas of how I can get this to work or what I can test next?
I am also connecting via proxy to bitbucket. As my settings didn't work as expected I found this SO entry.
I noticed that if I use command line parameters then everything works.
hg --config http_proxy.host=192.168.1.1:8080 --config http_proxy.user=Vad1mo --config http_proxy.passwd=secret clone https://bitbucket.org/Vadimo/test
On the other hand same entries in Mercurial.ini didn't work.
[http_proxy]
host = 192.168.1.1
port = 8080
user = Vad1mo
passwd = internet
By accident I found out the tiny difference between CMD and ini. In CMD the port is postfixed to the host. In ini file it is a new entry.
Changing mercurial.ini to postfix the port to host like on command line solved the problem.
[http_proxy]
host = 192.168.1.1:8080
;port = 8080
user = Vad1mo
passwd = internet
Maybe this also will help you.
btw. my hg version is 2.6.3
I ran into a similar problem with my work's proxy- actually, almost identical.
I've gotten around the problem so far by setting the http_proxy in mercurial.ini and then connecting to BitBucket via their HTTP address hg.io.
For example, my repository at https://bitbucket.org/mattgwagner/mattgwagner.com can be accessed via http://hg.io/mattgwagner/mattgwagner.com . Of course, this will send your password and connection in plaintext, but at least it let me connect.
This came in more use for me when pulling in open source projects hosted on BitBucket for my use.
Mercurial.ini
[http_proxy]
host = 192.168.1.155:8080
no =
user = domainUsername
passwd = pass
Are you able to ssh out? Bitbucket supports ssh access and your proxy won't muck w/ that if it's allowed.

Can't seem to get ACL to work with hgweb.wsgi

I have hgweb.wsgi setup on an ubuntu server under apache2. Furthermore I have basic authing using the apache2 htpasswd approach. This all works nicely. However, we want to control what each user have access to and ACL seems to be the best approach. So inside the repos .hg folder I've created a hgrc and modified it according to the documentation for getting ACL up and running ( I've also enabled the extension ). The problem is I get no indication that the hgrc is used at all. If I add [ui] debug = true I still get nothing from the remote client. Sadly I'm not quite sure how to go about debugging this so any help would be much appreciated.
To make sure that a .hg/hgrc file in a repository is being consulted add something noticable to the [web] section like:
[web]
description = Got this from the hgrc
style = coal
name = RENAMED
If you don't see those in the web interface your .hg/hgrc isn't being consulted, and the most common reason for that is -- permissions. Remember that the .hg/hgrc has to owned by a user or group that is trusted by the webserver user (usually apache or www-data or similar). If apache is running under the user apache then chown the .hg/hgrc file over to apache for ownership -- root won't do and htpasswd user is irrelevant.
If that file is being consulted then you need to start poking around in the apache error logs. Turning on debug and verbose will put more messages into the apache error log, not into the remote client's output.

Disabling HTTPS host authentication in TortoiseHG for internal self-signed certificates

How do you disable HTTPS host authentication in TortoiseHG for internal self-signed certificates. For internal servers HTTPS is primarily used for encryption.
The TortoiseHG documentation says that it is possible to disable host verification (i.e. verification against the Certificate Authority chain) here but I can't seem to find the option.
Its supposed to be an option when cloning a remote repository. I am using the latest TortoiseHG 2.0.5
In the TortoiseHG Workbench, in the Sync tab (or in the Sync screen), if you have a remote path selected, you should see a button with a lock icon on it:
That will bring up the Security window, where you can select the option No host validation, but still encrypted, among other settings. When you turn that on, it adds something like this to your mercurial.ini:
[insecurehosts]
bitbucket.org = 1
That's machine-level config for TortoiseHg, but it doesn't seem to affect the Clone window.
On the command-line, you can use --insecure to skip verifying certificates:
hg clone --insecure https://hostname.org/user/repository repository-clone
This will spit out a number of warnings about not verifying the certificate, and will also show you the host fingerprint in each message, like the example warning below (formatted from the original for readability):
warning: bitbucket.org certificate with fingerprint
24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified
(check hostfingerprints or web.cacerts config setting)
A better option, however, is host fingerprints, which are used by both hg and TortoiseHg. In TortoiseHg's Security window, above No host validation is the option Verify with stored host fingerprint. The Query button retrieves the fingerprint of the host's certificate and stores it in mercurial.ini:
[hostfingerprints]
bitbucket.org = 81:2b:08:90:dc:d3:71:ee:e0:7c:b4:75:ce:9b:6c:48:94:56:a1:fe
This should skip actual verification of the certificate because you are declaring that you already trust the certificate.
This documentation on certificates may help, as well.
In the Clone Repository window expand options and check "Do not verify host certificate" check box.