Modifying an externally-hosted repository's URL/path can unintentionally change the credentials
Closed, DuplicatePublic
Actions

Assigned To

None

Authored By

	cspeckmim
	Jan 29 2016, 5:56 PM

Description

Reproducing

As User A, configure an externally-hosted repository to use Passphrase K1 (ssh key, only accessible to User A)
Import repository successfully
As User B, reconfigure the externally-hosted repository to update a new path where located.
See that importing will fail

In this scenario both User A and User B can manage the repository, however because Passphrase K1 can not be shared/used by any other user, when User B changed the path it appears that the K1 selection was removed from the configuration to pull.

I had already re-configured the affected repository so I could not confirm through db/local config whether a null credential was configured - only based on observation.

Workaround

Have User A reconfigure the externally-hosted repository to re-select K1 credentials and save. Schedule an update from web interface if necessary (it took a few weeks for us to realize it was not updated so the update frequency dropped significantly).

Logs

/var/tmp/phd/log/daemons.log

[29-Jan-2016 12:07:26 America/New_York] [2016-01-29 12:07:26] EXCEPTION: (PhutilProxyException) Error while updating the "rSFST" repository. {>} (CommandException) Command failed with error #255!
COMMAND
'/usr/local/phacility/phabricator/bin/repository' update  -- 'rSFST'

STDOUT
(empty)

STDERR
[2016-01-29 12:07:26] EXCEPTION: (Exception) Command failed with error #255!
COMMAND
hg --config ui.ssh='/usr/local/phacility/phabricator/bin/ssh-connect' pull -u -- 'xxxxx'

STDOUT
remote: Warning: Permanently added 'codehost.company.com,10.0.0.1' (RSA) to the list of known hosts.
remote: Permission denied, please try again.
remote: Permission denied, please try again.
remote: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).


STDERR
abort: no suitable response from remote hg!
 at [<phabricator>/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php:464]
arcanist(head=stable, ref.master=d54cb072facd, ref.stable=2412c31346ad), phabricator(head=stable, ref.master=7cc8a73d1efd, ref.stable=864d3984ebdb, custom=2), phutil(head=stable, ref.master=83f09f6c5a03, ref.stable=9c472e7c9b64)
  #0 PhabricatorRepositoryPullEngine::executeMercurialUpdate() called at [<phabricator>/src/applications/repository/engine/PhabricatorRepositoryPullEngine.php:93]
  ... (567 more bytes) ... at [<phutil>/src/future/exec/ExecFuture.php:416]
[29-Jan-2016 12:07:26 America/New_York] arcanist(head=stable, ref.master=d54cb072facd, ref.stable=2412c31346ad), phabricator(head=stable, ref.master=7cc8a73d1efd, ref.stable=864d3984ebdb, custom=2), phutil(head=stable, ref.master=83f09f6c5a03, ref.stable=9c472e7c9b64)
[29-Jan-2016 12:07:26 America/New_York]   #0 <#3> ExecFuture::resolvex() called at [<phabricator>/src/applications/repository/daemon/PhabricatorRepositoryPullLocalDaemon.php:374]
[29-Jan-2016 12:07:26 America/New_York]   #1 phlog(PhutilProxyException) called at [<phabricator>/src/applications/repository/daemon/PhabricatorRepositoryPullLocalDaemon.php:381]
[29-Jan-2016 12:07:26 America/New_York]   #2 PhabricatorRepositoryPullLocalDaemon::resolveUpdateFuture(PhabricatorRepository, ExecFuture, integer) called at [<phabricator>/src/applications/repository/daemon/PhabricatorRepositoryPullLocalDaemon.php:201]
[29-Jan-2016 12:07:26 America/New_York]   #3 PhabricatorRepositoryPullLocalDaemon::run() called at [<phutil>/src/daemon/PhutilDaemon.php:183]
[29-Jan-2016 12:07:26 America/New_York]   #4 PhutilDaemon::execute() called at [<phutil>/scripts/daemon/exec/exec_daemon.php:125]

Install

libphutil	9c472e7c9b64395424c6cd25734bf239cb3c113d
arcanist	2412c31346add8be2a6acf18ebf812632b678f41
phabricator	864d3984ebdb42b9a2670103ca3607342e46b7dc

Revisions and Commits

rP Phabricator
	D15829	rP99718b61d8f3 Fill in new URI credential edit web UI interfaces

Related Objects

Mentioned In: T10748: Implement `diffusion.repository.edit`, for creating and editing repositories via the API
Q357: Diffusion - Create New Credential
Mentioned Here: T10748: Implement `diffusion.repository.edit`, for creating and editing repositories via the API
D15829: Fill in new URI credential edit web UI interfaces
rARC2412c31346ad: (stable) Promote 2016 Week 3
rP864d3984ebdb: (stable) Promote 2016 Week 4
rPHU9c472e7c9b64: (stable) Promote 2016 Week 4

Event Timeline

cspeckmim created this task.Jan 29 2016, 5:56 PM

cspeckmim updated the task description. (Show Details)

epriestley awarded a token.Jan 29 2016, 6:00 PM

cspeckmim mentioned this in Q357: Diffusion - Create New Credential .Apr 7 2016, 6:09 AM

epriestley mentioned this in T10748: Implement `diffusion.repository.edit`, for creating and editing repositories via the API.Apr 7 2016, 11:01 PM

epriestley added a revision: D15829: Fill in new URI credential edit web UI interfaces.May 1 2016, 4:38 PM

I'm going to merge this into T10748. It should technically be fixed by D15829 on its own, but will be fixed even harder once we cut over to the changes in T10748.

epriestley closed this task as a duplicate of T10748: Implement `diffusion.repository.edit`, for creating and editing repositories via the API.May 1 2016, 4:42 PM

epriestley added a commit: rP99718b61d8f3: Fill in new URI credential edit web UI interfaces.May 2 2016, 11:26 AM

Modifying an externally-hosted repository's URL/path can unintentionally change the credentialsClosed, DuplicatePublicActions