      story #8608 access Subversion with username/token instead of username/password
    Summary
    svn developer
    access Subversion with username/token instead of username/password
    I'm less concerned about leaving token un-encrypted on a disk

    Feature overview

    General behaviour

    • This feature is activated project by project (for progressive deployment)
    • Once activated for a project, by default, nothing should change for Subversion users: they can still use their default authentication (DB, ldap, modperl)
    • But once they have a token (see below), they can use it in addition to their default credentials

    For the user

    • In user preferences, users can generate a new token for SVN use. They can generate as many tokens as needed
    • For each token, the owner can
      • See the date of generation
      • See the date of last usage
      • See from which IP it was used
      • Revoke the given token
      • Note: as the token is stored hashed in the DB, there is no way to display the token after generation
      • The user can add a short description to the token for future reference (for instance to know which token to invalidate). Default placeholder is "Token generated at <date> for <purpose>"
    • Users can see in which project they can use this token (needed for progressive deployment)
      • As the list of projects can be long, limit it to projects the user is a member of, or is a member of a user group in
      • Note: on a given project one can see if the project accepts tokens in addition to standard authentication
    • There is also an inline help on how to use this token
    • There is an entry in Tuleap Documentation to explain the feature behaviour.

    For the project

    • On the project's Subversion service, users can see that the project accepts tokens in addition to standard authentication

    For site admin

    • Site admins manage the list of projects that are authorized to use token-based authentication.
    • This has an effect on codendi_svnroot.conf generation (i.e. modperl instead of the default mode)
    • Note: this progressive deployment is only possible when svn authentication is either modmysql or ldap. When the site already uses modperl, the token support will come "straight".

    For SVN usage

    • It's still basic authentication with username + token (instead of username + password).

    Technical concerns

    • Tokens should be treated as passwords: this means that they are stored properly hashed in the DB.
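
An added sketch of the behaviour specified above, not Tuleap's implementation (which this page does not show): tokens are kept only as salted hashes, are accepted over Basic auth only for projects the site admin has enabled, fall back to the default credential, and record last use and source IP. The class name, in-memory storage, PBKDF2 with this round count and the token format are all assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # assumed work factor, not taken from the story

class SvnTokenStore:
    """In-memory stand-in for the token table (hypothetical schema)."""

    def __init__(self, token_projects, check_password):
        self.token_projects = set(token_projects)  # projects enabled by site admin
        self.check_password = check_password       # default auth (DB, ldap, modperl)
        self.tokens = {}                           # username -> list of records

    def _hash(self, token, salt):
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ROUNDS)

    def generate(self, user, description=""):
        token, salt = secrets.token_urlsafe(32), secrets.token_bytes(16)
        self.tokens.setdefault(user, []).append({
            "salt": salt, "hash": self._hash(token, salt),
            "description": description,
            "generated": datetime.now(timezone.utc),
            "last_used": None, "last_ip": None})
        return token  # shown once; only the salted hash is kept

    def revoke(self, user, index):
        del self.tokens[user][index]

    def authenticate(self, project, authorization, ip):
        """Check an HTTP Basic header; return 'token', 'password' or None."""
        scheme, _, blob = authorization.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(blob, validate=True).decode()
        except ValueError:  # bad base64 or non-UTF-8 credentials
            return None
        user, sep, secret = decoded.partition(":")
        if not sep:
            return None
        if project in self.token_projects:  # tokens only where activated
            for rec in self.tokens.get(user, []):
                if hmac.compare_digest(rec["hash"], self._hash(secret, rec["salt"])):
                    rec["last_used"], rec["last_ip"] = datetime.now(timezone.utc), ip
                    return "token"
        # Default credential still works, as the story requires.
        return "password" if self.check_password(user, secret) else None
```

Because each token has its own salt, verification hashes the presented secret once per stored token for that user, so the number of tokens per user bounds the cost of one login attempt.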
    New section in user prefs (like SSH keys)
    SVN service homepage, add a "How to checkout using token" part
    Nouha Terzi (terzino), Salma MOAKHAR (moakhars), Denis PILAT (denis_pilat), Benjamin Dauton (bdauton_enalean)
    Status
    Empty
    Done
    Development
    • [ ] Does it involve User Interface?
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Empty
    Details
    #8608
    Manuel Vacelet (vaceletm)
    2016-01-07 14:32
    2015-11-17 10:34
    4677

    Follow-ups

    • Status changed from On going to Done
    • Category set to
    last edited by: Benjamin Dauton (bdauton_enalean) 2015-11-23 10:45

    Added two mockups:

    • User prefs part (token management): it's a new section in the user prefs, just like the SSH keys section, where all user's tokens are listed. There is a link on top of the table which opens a modal listing all projects which accept tokens.
    • Service part (token usage): currently, in the SVN service homepage, there's a quick help "how to checkout the repository". There will be a new section "how to checkout the repository using token"
    • Tuleap administration (not in the uploaded mockups): there will be a new page in the Tuleap administration part with the same UI/UX as the "Restrict plugin" page. By default, all projects don't offer the feature and it's possible to whitelist some projects.