Credentials passed via the URL are not respected

Issue #55 resolved
Bastian Doetsch
created an issue

Example:

{{{ $ hg svnclone http://guest@subclipse.tigris.org/svn/subclipse/ Assuming destination subclipse-hg Auth realm: http://subclipse.tigris.org:80 CollabNet Subversion Repository Password for bastian: }}}

I would have expected hgsubversion to use a) the username and b) supply an empty password. This is necessary for non-interactive clients like MercurialEclipse. Alternatively, command options for supplying username and password would be perfect :).

Do I do something wrong, or is this a bug?

Comments (5)

  1. Augie Fackler repo owner

    In a perfect world, I'd like to patch Mercurial to have a cleaner password API so that one can use platform specific modules for password caching (OS X Keychain, Gnome Keyring, whatever the win32 equivalent is), and then tie in to that somehow.

    That said, we probably should pull usernames out of the URL since that's the expected behavior on svn, and for non-interactive use I can see the value in --username and --password parameters.

    Any chance you'd have time to work on these changes? I think it's two changes, one to handle username@ in URLs (and the user:pass@ syntax if Subversion supports it), and another to handle --username and --password storage.

  2. Bastian Doetsch reporter

    I'll see whether my python skills allow for this. The current status is near to non-existent :). I think the user:pass syntax should be supported non-regarding if svn supports it. HgSubversion is an extension to Mercurial, and everywhere in Mercurial (okay, the sign extension is an exception) this works for URLs.

    What do you mean with --username and --password storage? I wouldn't save those, as this might be insecure e.g. on group accessible repositories.

  3. Daniel T

    Actually, the user@url and user:pass@url syntax are both unsupported in Subversion. When you do it in the browser it works fine, but the svn command does not accept either syntax (it ignores it, like hgsubversion currently does). It only ignores it in HTTP URLs as well--if you attempt to pass credential arguments to svn+ssh, for example, it throws an error. Because of this, I don't really agree that this should be supported in hgsubversion. I don't feel very strongly about this at all, though, so I'm willing to submit a patch for it if needed.

    Attached is a patch to include --username and --password arguments. It also fixes the optional username argument to the SubversionRepo constructor. It does not store credentials right now. I agree that it may be insecure in a sense, but Subversion already caches passwords in plain text. It would probably be just passing another parameter to make Subversion cache the credentials, so it shouldn't be hard to change if needed.

  4. Augie Fackler repo owner

    Please don't submit patches via the issue tracker, I'm likely to forget about them. For single patches, email to the hgsubversion list is far and away the preferred answer.

  5. Log in to comment