how to encrypt passwords in secure.config please


crazysp...@gmail.com

Oct 31, 2016, 7:40:43 AM
to Repo and Gerrit Discussion
how to encrypt passwords in secure.config please

Luca Milanesio

Oct 31, 2016, 7:47:31 AM
to crazysp...@gmail.com, Repo and Gerrit Discussion
You need to define the gerrit.secureStoreClass in your gerrit.config (see [1]).

HTH.

Luca


On 31 Oct 2016, at 11:39, crazysp...@gmail.com wrote:

how to encrypt passwords in secure.config please


Crazy Spirit

Oct 31, 2016, 7:58:45 AM
to Luca Milanesio, Repo and Gerrit Discussion
Could you please help in clarifying the below
do I have to edit gerrit.config and add

[secureStoreClass]

what else and do I have to reinstall Gerrit

On Mon, Oct 31, 2016 at 1:47 PM, Luca Milanesio <luca.mi...@gmail.com> wrote:
You need to define the gerrit.secureStoreClass in your gerrit.config (see [1]).

HTH.

Luca

On 31 Oct 2016, at 11:39, crazysp...@gmail.com wrote:

how to encrypt passwords in secure.config please


Luca Milanesio

Oct 31, 2016, 8:21:29 AM
to Crazy Spirit, Repo and Gerrit Discussion
You need to provide an implementation of a SecureStore, which is compliant with [2].
Then you put the jar of your SecureStore implementation in $GERRIT_SITE/lib and specify the class on gerrit.config.

In other words, you need to do some coding ...

HTH.

Luca.

Björn Pedersen

Oct 31, 2016, 8:31:20 AM
to Repo and Gerrit Discussion, crazysp...@gmail.com
And googling [1] will happily find some working and example implementations ;)

[1] https://www.google.de/search?q=gerrit+SecureStore


Am Montag, 31. Oktober 2016 13:21:29 UTC+1 schrieb lucamilanesio:
You need to provide an implementation of a SecureStore, which is compliant with [2].
Then you put the jar of your SecureStore implementation in $GERRIT_SITE/lib and specify the class on gerrit.config.

In other words, you need to do some coding ...

HTH.

Luca.

On 31 Oct 2016, at 11:58, Crazy Spirit <crazysp...@gmail.com> wrote:

Could you please help in clarifying the below
do I have to edit gerrit.config and add

[secureStoreClass]

what else and do I have to reinstall Gerrit
On Mon, Oct 31, 2016 at 1:47 PM, Luca Milanesio <luca.mi...@gmail.com> wrote:
You need to define the gerrit.secureStoreClass in your gerrit.config (see [1]).

HTH.

Luca

On 31 Oct 2016, at 11:39, crazysp...@gmail.com wrote:

how to encrypt passwords in secure.config please


Luca Milanesio

Oct 31, 2016, 8:42:30 AM
to Björn Pedersen, Edwin Kempin, Repo and Gerrit Discussion, crazysp...@gmail.com
@Gerrit maintainers: can we create a Gerrit plugin project for this so that next people wouldn't need to "google around" and would be able to get a pre-built package from Gerrit CI?

Thanks :-)

Luca.

Björn Pedersen

Oct 31, 2016, 8:49:26 AM
to Repo and Gerrit Discussion, ice...@googlemail.com, eke...@google.com, crazysp...@gmail.com
Hi,
Yes, an example would definitely be a good idea.

One just should check that the implementation is working (for the japysf one I suspect it does not encode/decode as encoder is set, but never used.)
And compilation should probably error out unless the default hardcoded passwords are changed.

Björn

Edwin Kempin

Oct 31, 2016, 9:14:37 AM
to Björn Pedersen, Repo and Gerrit Discussion, crazysp...@gmail.com
On Mon, Oct 31, 2016 at 1:49 PM, Björn Pedersen <ice...@googlemail.com> wrote:
Hi,
Yes, an example would definitely be a good idea.

One just should check that the implementation is working (for the japysf one I suspect it does not encode/decode as encoder is set, but never used.)
And compilation should probably error out unless the default hardcoded passwords are changed.

Björn



Am Montag, 31. Oktober 2016 13:42:30 UTC+1 schrieb lucamilanesio:
@Gerrit maintainers: can we create a Gerrit plugin project for this so that next people wouldn't need to "google around" and would be able to get a pre-built package from Gerrit CI?
Sure, if anyone is willing to write this plugin?

luca.mi...@gmail.com

Oct 31, 2016, 9:49:15 AM
to Edwin Kempin, Björn Pedersen, Repo and Gerrit Discussion, crazysp...@gmail.com
I can do it, seems quite simple.

Luca


Edwin Kempin

Oct 31, 2016, 9:54:53 AM
to Luca Milanesio, Björn Pedersen, Repo and Gerrit Discussion, crazysp...@gmail.com
On Mon, Oct 31, 2016 at 2:49 PM, <luca.mi...@gmail.com> wrote:
I can do it, seems quite simple.
Thanks! What should be the plugin name?
 


Luca Milanesio

Oct 31, 2016, 10:00:32 AM
to Edwin Kempin, Björn Pedersen, Repo and Gerrit Discussion, crazysp...@gmail.com
What about "secure-config" ?
Description: "Plugin to encrypt the values of secure.config"

How does it sound?

Luca.

Edwin Kempin

Oct 31, 2016, 10:05:19 AM
to Luca Milanesio, Björn Pedersen, Repo and Gerrit Discussion, crazysp...@gmail.com
On Mon, Oct 31, 2016 at 3:00 PM, Luca Milanesio <luca.mi...@gmail.com> wrote:
What about "secure-config" ?
Description: "Plugin to encrypt the values of secure.config"

How does it sound?

Luca Milanesio

Oct 31, 2016, 10:14:58 AM
to Edwin Kempin, Björn Pedersen, Repo and Gerrit Discussion, crazysp...@gmail.com
Thanks, will try to submit the first change for review by today :-)
P.S. I am sure it will soon become a core plugin, cleartext passwords in config files are pretty much a red flag for most organisations.

Luca.

David Ostrovsky

Oct 31, 2016, 10:56:05 AM
to Repo and Gerrit Discussion, eke...@google.com, ice...@googlemail.com, crazysp...@gmail.com

Am Montag, 31. Oktober 2016 15:14:58 UTC+1 schrieb lucamilanesio:
Thanks, will try to submit the first change for review by today :-)

Are you aware of this secure store plugin implementation? It was done by Dariusz
during his work on this extension point: [1].

Luca Milanesio

Oct 31, 2016, 12:22:55 PM
to David Ostrovsky, Repo and Gerrit Discussion, eke...@google.com, ice...@googlemail.com, crazysp...@gmail.com
Yes, it was mentioned in the email thread ... however, it is not on gerrit.googlesource.com and there are no CI builds for it.
That's why we came up with the idea of creating a new one to be used as a running example :-)

Luca.

Saša Živkov

Oct 31, 2016, 4:37:25 PM
to Edwin Kempin, Luca Milanesio, Björn Pedersen, Repo and Gerrit Discussion, crazysp...@gmail.com
On Mon, Oct 31, 2016 at 3:04 PM, 'Edwin Kempin' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:


On Mon, Oct 31, 2016 at 3:00 PM, Luca Milanesio <luca.mi...@gmail.com> wrote:
What about "secure-config" ?
Description: "Plugin to encrypt the values of secure.config"

How does it sound?
Good :)


AFAIR, secure store is a library (jar file) which has to be loaded early in Gerrit startup...
much earlier than plugins are loaded. It cannot be contributed by a plugin.

lucamilanesio

Oct 31, 2016, 6:08:36 PM
to Repo and Gerrit Discussion, eke...@google.com, luca.mi...@gmail.com, ice...@googlemail.com, crazysp...@gmail.com
There you go:

I called it "plugin" but it is actually a Jar library which uses the Gerrit plugin dependencies but isn't loaded as plugin.
That's why it needs to be located under the /lib directory.

The symmetric PBE cipher implementation should be already good enough for basic security requirements: cipher is configurable and passphrase can be taken from an external device file.

HTH

Luca.

lucamilanesio

Nov 4, 2016, 7:42:30 PM
to Repo and Gerrit Discussion, ice...@googlemail.com, eke...@google.com, crazysp...@gmail.com
There is now a fully working example on Gerrit:

It is more than an example: if you configure a proper JCE Provider (e.g. BouncyCastle) and the Unlimited Strength files in the JVM with strong encryption, you could use it in production as well.

HTH

Luca.

Crazy Spirit

Nov 6, 2016, 2:15:10 AM
to lucamilanesio, Repo and Gerrit Discussion, ice...@googlemail.com, eke...@google.com
thanks a lot for your help :)

Luca Milanesio

Nov 7, 2016, 10:13:11 AM
to Crazy Spirit, Repo and Gerrit Discussion
Hi CS,

you can download the prebuilt plugin from Gerrit CI:

The plugin is based on current master though and relies on Java 8.
Otherwise, just build it by yourself.

What the build job does is:

git checkout -f gerrit/master
rm -rf plugins/secure-config
git read-tree -u --prefix=plugins/secure-config origin/master
buck build -v 3 plugins/secure-config

HTH

Luca.


On 7 Nov 2016, at 14:19, Crazy Spirit <crazysp...@gmail.com> wrote:

Hi Luca,

Could you please help as I am having an error

as gerrit user
./buck build //:gerrit/plugins/secure-config/
BUILD FAILED: No build file at BUCK when resolving target