Continuum

Build agent should only accept requests from its master

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.3.1 (Alpha)
  • Fix Version/s: 1.4.1
  • Component/s: Distributed Builds
  • Labels:
    None
  • Complexity:
    Intermediate
  • Number of attachments :
    0

Description

In the current implementation, a build agent will accept a request from anyone who knows the url, although it will only send responses to the master url in its config file.

The agent should only accept requests from its master, and should send an error response to any other requests.

On the dev list, Christian suggested using a shared secret as the simplest way for the agent to be sure the master making the request is who it says it is. See: http://www.nabble.com/How-can-an-agent-be-sure-that-a-request-comes-from-its-master--td21546892.html

Related to CONTINUUM-2041 (Master should be able to detect an incorrect master url in a build agent's config file)

Issue Links

relates to

New Feature - A new feature of the product, which has yet to be developed. CONTINUUM-2632 Secure working copies of Continuum build agents

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Wendy Smoak added a comment -

Also need to consider CONTINUUM-2545 which added a webdav interface that currently does respond to anyone who connects.

Show
Wendy Smoak added a comment - Also need to consider CONTINUUM-2545 which added a webdav interface that currently does respond to anyone who connects.
Hide
Permalink
Maria Catherine Tan added a comment -

Fixed in r1134319

  • added a pre-shared key between master and all its agents.

To add a pre-shared key
1. Go to the configuration page and tick enable distributed build.
2. Enter the pre-shared secret key which will be encrypted once you save the changes.
3. Copy the encrypted key either from the continuum.xml or from the db and paste it to the configuration file (continuum-buildagent.xml) of the agents.

ToDo: documentation

Show
Maria Catherine Tan added a comment - Fixed in r1134319 added a pre-shared key between master and all its agents. To add a pre-shared key 1. Go to the configuration page and tick enable distributed build. 2. Enter the pre-shared secret key which will be encrypted once you save the changes. 3. Copy the encrypted key either from the continuum.xml or from the db and paste it to the configuration file (continuum-buildagent.xml) of the agents. ToDo: documentation
Hide
Permalink
Wendy Smoak added a comment -

What is the benefit of encrypting the key for this? Seems like any string of characters would do, since no one is ever expected to enter the un encrypted value anywhere.

Show
Wendy Smoak added a comment - What is the benefit of encrypting the key for this? Seems like any string of characters would do, since no one is ever expected to enter the un encrypted value anywhere.
Hide
Permalink
Maria Catherine Tan added a comment -

The key will be saved in the database and in configuration files that's why I thought of encrypting it. But if it's unnecessary I could remove it.

Show
Maria Catherine Tan added a comment - The key will be saved in the database and in configuration files that's why I thought of encrypting it. But if it's unnecessary I could remove it.
Hide
Permalink
Maria Catherine Tan added a comment -

r1135020

  • remove encryption of PSK
  • update documentation
Show
Maria Catherine Tan added a comment - r1135020 remove encryption of PSK update documentation
Hide
Permalink
Maria Catherine Tan added a comment -

r1137294

  • downgrade atlassian xmlrpc to 0.8.2 to fix the intermittent NPE
Show
Maria Catherine Tan added a comment - r1137294 downgrade atlassian xmlrpc to 0.8.2 to fix the intermittent NPE

People

  • Assignee:
    Maria Catherine Tan
    Reporter:
    Wendy Smoak
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: