[JIRA] [perforce-plugin] (JENKINS-28793) Allow option to disallow password entry in Perforce Plugin Configuration
Title: Message Title Brian Egge commented on JENKINS-28793 Re: Allow option to disallow password entry in Perforce Plugin Configuration Hi Rob, Would you agree Perforce has 'password' and 'ticket' authentication? For ticket authentication, the ticket is retrieved from the p4 login command at line 618 of AbstractLoginTemplate. One can see that when using ticket authentication, whatever is passed in via stdin is ignored. $ echo | p4 login -a -p A6A9E2785DE $ echo AnyPassword | p4 login -a -p A6A9E2785DE The ticket is returned for later use by the plugin. The above is exactly what's occurring at line 634. Most users leave the 'password' field blank, as they should, but some users enter their password. Both produce the same result, but the latter is a security concern which I'm wanting to address by removing the option to enter a password. Regards, Brian Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [perforce-plugin] (JENKINS-28793) Allow option to disallow password entry in Perforce Plugin Configuration
Title: Message Title Brian Egge commented on JENKINS-28793 Re: Allow option to disallow password entry in Perforce Plugin Configuration No, the user field is not required. It doesn't pose a security problem having the user field, but it doesn't serve any purpose. Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [perforce-plugin] (JENKINS-28793) Allow option to disallow password entry in Perforce Plugin Configuration
Title: Message Title Brian Egge commented on JENKINS-28793 Re: Allow option to disallow password entry in Perforce Plugin Configuration I believe our environment has P4LOGINSSO set. http://www.perforce.com/perforce/r15.1/manuals/cmdref/P4LOGINSSO.html This allows 'p4 login' to work without the ticket being directly specified. Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [perforce-plugin] (JENKINS-28793) Allow option to disallow password entry in Perforce Plugin Configuration
Title: Message Title Brian Egge commented on JENKINS-28793 Re: Allow option to disallow password entry in Perforce Plugin Configuration Hi Rob, We have thousands of projects using this plugin, none of which specify the tickets in the password field. As you can see from the command line snip-its I posted, it does not matter what is passed in to stdin, when using perforce with ticket based authentication. The option, as I proposed above, might not work in every environment, but would work in ours. Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [perforce-plugin] (JENKINS-28793) Allow option to disallow password entry in Perforce Plugin Configuration
Title: Message Title
Brian Egge commented on JENKINS-28793
Re: Allow option to disallow password entry in Perforce Plugin Configuration
Rob,
You can see the code in the plugin which currently supports ticket based authentication: https://github.com/jenkinsci/perforce-plugin/blob/dbfe554cfb4006b22084ea37d207a54af0ff227c/src/main/java/com/tek42/perforce/parse/AbstractPerforceTemplate.java#L618
I'm not asking to change any of that. What needs to be done is adding something to global.jelly like:
f:entry title=$ {%Disable entering of username / passwords}
f:checkbox name=p4.passwordEntryDisabled checked=$ {descriptor.passwordEntryDisabled}
/ f:descriptionOption globally disallows entry of Perforce passwords/f:description /f:entry
And then in config.jelly, wrap the username / password fields in: j:if test=$ {not descriptor.passwordEntryDisabled}
... /j:if
Add Comment
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
--
You received this message because you are subscribed to the Google Groups Jenkins Issues group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[JIRA] [perforce-plugin] (JENKINS-28793) Allow option to disallow password entry in Perforce Plugin Configuration
Title: Message Title Brian Egge commented on JENKINS-28793 Re: Allow option to disallow password entry in Perforce Plugin Configuration Hi Rob, We are using this plugin, along with the stock p4 client and kerberos tickets. p4 login is called, and the username / password is ignored (if provided). Unfortunately, many users are filling in the username / password fields, despite it having no effect. We'd like to prevent people from entering their password, as this is a security vulnerability. Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [perforce-plugin] (JENKINS-28793) Allow option to disallow password entry in Perforce Plugin Configuration
Title: Message Title Brian Egge created an issue Jenkins / JENKINS-28793 Allow option to disallow password entry in Perforce Plugin Configuration Issue Type: Improvement Assignee: Rob Petti Components: perforce-plugin Created: 08/Jun/15 1:18 PM Labels: security Priority: Minor Reporter: Brian Egge For organizations which exclusively use Kerberos or non-password authentication, it would be useful to remove these fields from the configuration form. This would prevent users from accidentally entering their username / password credentials in an environment where they are not required. Add Comment
[JIRA] [mailer-plugin] (JENKINS-25089) Automated emails send from mailer-plugin should include headers identifying them as automated
Brian Egge created JENKINS-25089 Automated emails send from mailer-plugin should include headers identifying them as automated Issue Type: Bug Assignee: Unassigned Components: mailer-plugin Created: 10/Oct/14 2:22 PM Description: Emails, which are automated should include an Auto-submitted header. Mail servers are then required to NOT send automated responses in response to these emails. http://tools.ietf.org/html/rfc3834 Automatic responses SHOULD NOT be issued in response to any message which contains an Auto-Submitted header field (see below), where that field has any value other than "no". The proposed patch INCLUDES the 'Auto-Submitted' on all outbound emails created by the plugin. This header is defined as follows: 5. The Auto-Submitted header field The purpose of the Auto-Submitted header field is to indicate that the message was originated by an automatic process, or an automatic responder, rather than by a human; and to facilitate automatic filtering of messages from signal paths for which automatically generated messages and automatic responses are not desirable. ... The auto-generated keyword: SHOULD be used on messages generated by automatic (often periodic) processes (such as UNIX "cron jobs") which are not direct responses to other messages, The Jenkins mailer-plugin creates emails by an automatic process and therefore SHOULD contain this header. Project: Jenkins Labels: plugin Priority: Minor Reporter: Brian Egge This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [mailer-plugin] (JENKINS-25089) Automated emails send from mailer-plugin should include headers identifying them as automated
Brian Egge resolved JENKINS-25089 as Fixed Automated emails send from mailer-plugin should include headers identifying them as automated The fix has been merged into the trunk: https://github.com/jenkinsci/mailer-plugin/commit/11142e5f43e55d5bb0f5dd2c8297e737cf122307 Change By: Brian Egge (10/Oct/14 2:27 PM) Status: Open Resolved Resolution: Fixed This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [mail] (JENKINS-16106) Add Precedence: bulk header to notification emails
Brian Egge commented on JENKINS-16106 Add Precedence: bulk header to notification emails Additionally, one should have "Auto-Submitted: auto-generated" and "Return-Path: " http://tools.ietf.org/search/rfc3834 This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira -- You received this message because you are subscribed to the Google Groups Jenkins Issues group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
