Different HTTP authentication method on Debian-like system

[mpiwowarczyk@…]

Hi,

I was struggling with getting things to work on my Ubuntu based server since everytime I tried to connect to hudson which is on different server, I was getting "403: Forbidden" HTTP error. Then I stumbled upon this comment on Hudson forum ​http://wiki.hudson-ci.org/display/HUDSON/Authenticating+scripted+clients

Note that Hudson (at least when installed on a Debian server with apt-get) does not do any authorization negotiation. Ie. it immediately returns a 403 (Forbidden) response instead of a 401 (Unauthorized) response, so make sure to send the authentication information from the first request.

So I decided to contribute some of my spare time and modified HudsonTracPlugin.py to make things to work. Attached you will find modified source code.

Hope that anyone could find this useful

Thanks, MP

[anonymous]

Cannot add attachment due to a HTML link in HudsonTracPlugin.py. Email me instead

[roadrunner]

Replying to anonymous:

Cannot add attachment due to a HTML link in HudsonTracPlugin.py. Email me instead

Could you attach the diffs instead, please? TIA.

[mpiwowarczyk@…]

Replying to roadrunner:

Replying to anonymous:

Cannot add attachment due to a HTML link in HudsonTracPlugin.py. Email me instead

Could you attach the diffs instead, please? TIA.

Here you go

--- c:\Temp\HudsonTracPlugin.py	2009-10-13 05:08:02.000000000 +0200
+++ new\HudsonTrac/HudsonTracPlugin.py	2009-12-14 22:20:37.221148900 +0100
@@ -5,6 +5,7 @@
 
 import time
 import urllib2
+import base64
 from xml.dom import minidom
 from datetime import datetime
 from trac.core import *
@@ -17,6 +18,21 @@
 except ImportError:
     from trac.Timeline import ITimelineEventProvider
 
+class HTTPOpenHandlerBasicAuthNoChallenge(urllib2.AbstractBasicAuthHandler, urllib2.BaseHandler):
+
+    auth_header = 'Authorization'
+
+    def add_parent(self, parent):
+        self.parent = parent
+
+    def default_open(self, req):
+        host = req.get_full_url()
+        user, pw = self.passwd.find_user_password(None, host)
+        if pw is not None:
+           raw = "%s:%s" % (user, pw)
+           auth = 'Basic %s' % base64.b64encode(raw).strip()
+           req.add_header(self.auth_header, auth)
+
 class HudsonTracPlugin(Component):
     implements(INavigationContributor, ITimelineEventProvider, ITemplateProvider,
                IPermissionRequestor)
@@ -48,6 +64,9 @@
                           'Whether to display the build descriptions for ' +
                           'each build instead of the canned "Build finished ' +
                           'successfully" etc messages.')
+    no_chal = BoolOption('hudson', 'Use "No Challenge" authentication method', 'false',
+                         'Use no challenge authentication method that in some ' +
+                         'cases Hudson requires (e.g. on Debian-like systems)')
 
     def __init__(self):
         api_url = self.job_url
@@ -58,10 +77,15 @@
         pwdMgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
         pwdMgr.add_password(None, api_url, self.username, self.password)
 
-        bAuth = urllib2.HTTPBasicAuthHandler(pwdMgr)
-        dAuth = urllib2.HTTPDigestAuthHandler(pwdMgr)
-
-        self.url_opener = urllib2.build_opener(bAuth, dAuth)
+        if self.no_chal:
+           bAuth = HTTPOpenHandlerBasicAuthNoChallenge(pwdMgr)
+           bHndl = urllib2.BaseHandler()
+           self.url_opener = urllib2.build_opener(bHndl)
+           self.url_opener.add_handler(bAuth)
+        else:
+           bAuth = urllib2.HTTPBasicAuthHandler(pwdMgr)
+           dAuth = urllib2.HTTPDigestAuthHandler(pwdMgr)
+           self.url_opener = urllib2.build_opener(bAuth, dAuth)
 
         self.env.log.debug("registered auth-handler for '%s', username='%s'" %
                            (api_url, self.username))

[roadrunner]

Replying to mpiwowarczyk@mppcon.com:

Replying to roadrunner:

Could you attach the diffs instead, please? TIA.

Here you go

Thanks! This looks good, though I have one question:

+class HTTPOpenHandlerBasicAuthNoChallenge(urllib2.AbstractBasicAuthHandler, urllib2.BaseHandler):
[snip]
+        if self.no_chal:
+           bAuth = HTTPOpenHandlerBasicAuthNoChallenge(pwdMgr)
+           bHndl = urllib2.BaseHandler()
+           self.url_opener = urllib2.build_opener(bHndl)
+           self.url_opener.add_handler(bAuth)

Why the bHndl - won't replacing the last 3 lines above with the following work as well since you inherit from BaseHandler?

            self.url_opener = urllib2.build_opener(bAuth)

[chris@…]

Could you commit the fix to the svn repository, or provide an egg file ?

[roadrunner]

(In [7895]) Added support for hudson's form-based authentication.

This is based on a modified version of the patch submitted to #6332. Instead of requiring the user to configure yet another option, Hudson's 403 response is used to trigger the pre-emptive sending of auth info. This is only very slightly less secure than the config option, and only so in scenarios where the authentication for Hudson was using Digest auth but due to some config change Hudson is now returning a 403 - in this case the plugin will start sending the (essentially cleartext) username and password which could possibly now be snooped.

This closes #6332 and #6520.