Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only store password in config for GitHub Enterprise (due to Enterprise limitations) #79

Merged
merged 2 commits into from
Nov 6, 2016
Merged

Only store password in config for GitHub Enterprise (due to Enterprise limitations) #79

merged 2 commits into from
Nov 6, 2016

Conversation

nttibbetts
Copy link
Contributor

Generally not a good idea to store passwords in cleartext, even moreso when a token is generated immediately after authenticating that makes storing the password unnecessary.

Please let me know if there's anything I missed or didn't think of when removing this.

@codecov-io
Copy link

codecov-io commented Oct 19, 2016
edited
Loading

Current coverage is 95.27% (diff: 100%)

Merging #79 into master will increase coverage by 0.08%

@@             master        #79   diff @@
==========================================
  Files            34         34          
  Lines          2076       2094    +18   
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
+ Hits           1976       1995    +19   
+ Misses          100         99     -1   
  Partials          0          0

Powered by Codecov. Last update 699e6a9...2c30940

@donnemartin
Copy link
Owner

Hi @nttibbetts, gitsome should not be storing the password in the config, see 98596fa.

Are you seeing otherwise?

I think the docstrings could be updated and it seems I missed removing some dead code.

@donnemartin
Copy link
Owner

Hmm, actually I think you're right, seems I missed a code path. Reviewing...

@nttibbetts
Copy link
Contributor Author

Sadly, yes, I am still seeing this. It seems it would only happen when using gitsome for the first time and letting it create the access token for you.

It seems you might have caused a regression when adding enterprise support db8e5d7

@donnemartin
Copy link
Owner

I think this might be a little more complicated. Enterprise doesn't seem to allow exchanging the password for a token:

https://github.com/donnemartin/gitsome/blob/master/gitsome/config.py#L293-L294

I'll have to fire up my sandbox Enterprise instance and do some more testing tomorrow.

@donnemartin
Copy link
Owner

donnemartin commented Oct 19, 2016
edited
Loading

I think the following diff might be the most straightforward way to address this issue. If you agree, could you please update the PR?

--- a/gitsome/config.py
+++ b/gitsome/config.py
@@ -91,6 +91,9 @@ class Config(object):

     :type user_pass: str
     :param user_pass: The user's pass in ~/.gitsomeconfig.
+        This is only stored for GitHub Enterprise if the user supplies a
+        password instead of a token.  Exchanging a password for a personal
+        access token does not seem to be supported for GitHub Enterprise.

     :type user_token: str
     :param user_token: The user's token in ~/.gitsomeconfig.
@@ -616,10 +619,6 @@ class Config(object):
             parser.set(self.CONFIG_SECTION,
                        self.CONFIG_USER_LOGIN,
                        self.user_login)
-            if self.user_pass is not None:
-                parser.set(self.CONFIG_SECTION,
-                           self.CONFIG_USER_PASS,
-                           self.user_pass)
             if self.user_token is not None:
                 parser.set(self.CONFIG_SECTION,
                            self.CONFIG_USER_TOKEN,
@@ -632,6 +631,10 @@ class Config(object):
                 parser.set(self.CONFIG_SECTION,
                            self.CONFIG_ENTERPRISE_URL,
                            self.enterprise_url)
+                if self.user_pass is not None:
+                    parser.set(self.CONFIG_SECTION,
+                               self.CONFIG_USER_PASS,
+                               self.user_pass)
             parser.set(self.CONFIG_SECTION,
                        self.CONFIG_VERIFY_SSL,
                        self.verify_ssl)

[Edit] Change summary:

  • Update the docstring for user_pass
  • Move the parser.set call for CONFIG_USER_PASS to within the if self.enterprise_url is not None check in def save_config(self)

@donnemartin donnemartin changed the title stops storing passwords in cleartext in config Only store password in config for GitHub Enterprise (due to Enterprise limitations) Oct 19, 2016
@nttibbetts
Copy link
Contributor Author

Only tweak I would suggest is keeping the remove_option call if it's not an enterprise user so as to clean up any cases that have already occurred.

I'll make changes and throw in a couple of tests for this.

@donnemartin
Copy link
Owner

Sounds good, thanks!

@donnemartin
Copy link
Owner

@nttibbetts looks like you're updating the PR, please let me know when it's ready for another review.

@nttibbetts
Copy link
Contributor Author

@donnemartin it's all set for another review.

@donnemartin
Copy link
Owner

Nice job @nttibbetts, thanks for making the changes.

Do any GitHub Enterprise users want to do a sanity test on this change?

@donnemartin
Copy link
Owner

Tested this on GitHub Enterprise, looks good 👍

@donnemartin donnemartin merged commit 5a24a9b into donnemartin:master Nov 6, 2016
donnemartin pushed a commit that referenced this pull request Nov 12, 2016
@nttibbetts @donnemartin
Only store password in config for GitHub Enterprise (due to Enterpris…
e156d08 
…e limitations) (#79)

* stops storing passwords in cleartext in config
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nttibbetts @codecov-io @donnemartin