This repository has been archived by the owner on May 6, 2021. It is now read-only.

SONARSCSVN-9 Support SVN+SSH authentication using private key #4

Merged
merged 1 commit into from
Mar 10, 2016


henryju
Member

@henryju henryju commented Feb 17, 2016

No description provided.

@jakub-bochenski

I've upgraded the SVN plugin, but adding -Dsonar.svn.privateKeyPath=/home/acme/.ssh/id_rsa has no effect. I still get the same svn: E170001: Authentication required

@henryju
Member Author

henryju commented Feb 22, 2016

@jakub-bochenski Would you mind debugging the same way you did in your original SO post, just to be sure data is correctly passed to SVNKit? I would expect something like:

myPreviousAuthentication SVNSSHAuthentication  (id=392)  
    myAgentProxy    null    
    myIsPartial false   
    myIsStorageAllowed  false   
    myKind  "svn.ssh" (id=387)  
    myPassphrase    null    
    myPassword  (id=608)    
    myPortNumber    -1  
    myPrivateKeyFile    "/home/acme/.ssh/id_rsa"    
    myPrivateKeyValue   null (or maybe not null?)
    myURL   SVNURL  (id=345)    
    myUserName  "jbochenski" (id=610)

@jakub-bochenski

I see the file property is set, but server response is the same

myPrivateKeyFile    File  (id=189)  
    filePath    null    
    path    "/home/acme/.ssh/id_rsa" (id=191)   
    prefixLength    1   
    status  File$PathStatus  (id=192)   
myPrivateKeyValue    null   

@jakub-bochenski

Setting passphrase to -Dsonar.svn.passphrase.secure="" or -Dsonar.svn.passphrase.secure= has no effect either

@henryju
Member Author

henryju commented Feb 23, 2016

@jakub-bochenski I finally spent the time to set up an SVN+SSH repo and did some tests. It was working fine after I managed to solve all SSH configuration issues that are not specific to SVN. Please test:

  • export SVN_SSH="ssh -i /home/acme/.ssh/id_rsa"
  • svn co svn+ssh://jbochenski@/path path

It should not prompt you for a password.

In my case I had to fix permission issues following: http://unix.stackexchange.com/questions/36540/why-am-i-still-getting-a-password-prompt-with-ssh-with-public-key-authentication

@jakub-bochenski

No, as I've written in the initial post on SO:

The svn command works properly when invoked from command line, also connecting to ssh svn@svn.acme.com succeeds. I'm using SVNKit in Eclipse with this repository and it also works fine

Note the username for ssh connection is "ssh", "jbochenski" is used for SVN auth.

PS. I've also had sonar-runner working with previous versions of SVN plugin that used svn command directly
PPS. I'm also checking-out this repository on Jenkins with Jenkins SVN plugin over svn+ssh without any problem

@jakub-bochenski

FTR, without any ENV changes I just did:

$ svn co  svn+ssh://svn@svn.acme.com/repos/trunk/common_core
A    common_core/.classpath
[ SNIP ... ]
 U   common_core
Checked out revision 162371.

@henryju
Member Author

henryju commented Feb 23, 2016

@jakub-bochenski Strange, because in your logs I see: myUserName "jbochenski" (id=610). If you say the username is supposed to be svn then you should pass: -Dsonar.svn.username=svn

@jakub-bochenski

This indeed worked, but I think the current situation is confusing.
When using "plain" svn the sonar.svn.username property is supposed to contain the SVN username (in this case "jbochenski"), but when using svn+ssh it's supposed to contain the SSH username (which is already included in the URL anyway - svn+ssh://svn@svn.acme.com).

I think sonar should at least report an error or a warning when the property-bound username doesn't match the one in URL

@henryju
Member Author

henryju commented Feb 23, 2016

Do you confirm that in SVN+SSH "mode" the SSH user and SVN user are the same? I can add a note in sonar.svn.username property to say it could also be the SSH user in case of SVN+SSH. But doing some check regarding the URL will be more work since we don't process this URL (SVNKit takes the one in the repo). Also having a way to override the user to be used could be interesting: you can configure your CI engine to checkout with a user "ci" then let SonarQube do the blame with another user "sonarqube" so that you can monitor the traffic on your SVN server.

@henryju henryju force-pushed the svn_ssh_auth branch 2 times, most recently from 66c7bac to bac3059 on February 23, 2016 15:04
@jakub-bochenski

Do you confirm that in SVN+SSH "mode" the SSH user and SVN user are the same?

No, and this is WAI
The SSH user is "svn", the SVN user is "jbochenski".

What works for me is setting -Dsonar.svn.privateKeyPath=/home/acme/.ssh/id_rsa -Dsonar.svn.username=svn and the SSH tunnel then sets the SVN username according to the SSH key (transparently to SVNKit)

But doing some check regarding the URL will be more work since we don't process this URL (SVNKit takes the one in the repo)

How about sending a PR to SVNKit?

@henryju
Member Author

henryju commented Feb 23, 2016

Maybe the documentation is not clear but in both cases (HTTP auth / SSH auth) we are not interested in the SVN username but only the username needed to perform authentication.

@jakub-bochenski

It was certainly confusing to me, so I'd appreciate a clarification

@jakub-bochenski

This is strange - I see the SVNKit version was supposedly upgraded to 1.8.11 but I'm still getting https://issues.tmatesoft.com/issue/SVNKIT-606 when using 1.3-SNAPSHOT version

@jakub-bochenski

The version in RC you've sent me is still 1.8.10 :(

unzip -p sonar-scm-svn-plugin-1.3-SNAPSHOT.jar META-INF/maven/org.sonarsource.scm.svn/sonar-scm-svn-plugin/pom.xml | grep svnkit -A1
      <groupId>org.tmatesoft.svnkit</groupId>
      <artifactId>svnkit</artifactId>
      <version>1.8.10</version>
unzip -p sonar-scm-svn-plugin-1.3* META-INF/MANIFEST.MF | grep svnkit -A1
 oxy.svnkit-trilead-ssh2-0.0.7.jar META-INF/lib/jsch.agentproxy.pagean
 t-0.0.7.jar META-INF/lib/sequence-library-1.0.3.jar META-INF/lib/jna-
--
 META-INF/lib/svnkit-1.8.10.jar META-INF/lib/jsch.agentproxy.usocket-j
 na-0.0.7.jar META-INF/lib/jsch.agentproxy.connector-factory-0.0.7.jar

@henryju
Member Author

henryju commented Mar 1, 2016

Yep, I made this change later. Do you want me to push a new RC or are you able to build and test from sources?

@jakub-bochenski

I tried doing it on my own but the problem still appears so I'd like to try a CI-built one.
Any chance of upgrading it to 1.8.12? They claim to have fixed some more of those issues https://issues.tmatesoft.com/issue/SVNKIT-476

@henryju
Member Author

henryju commented Mar 1, 2016

We can't easily update to SVNKit 1.8.12 until they have deployed it on Central. I have created a ticket: https://issues.tmatesoft.com/issue/SVNKIT-650 Feel free to add some pressure ;)
New RC with 1.8.11: https://github.com/SonarSource/sonar-scm-svn/releases/download/1.3-rc2/sonar-scm-svn-plugin-1.3-SNAPSHOT.jar

@henryju
Member Author

henryju commented Mar 7, 2016

@jakub-bochenski Was it ok with rc2?

@henryju henryju merged commit b14ab40 into master Mar 10, 2016
@henryju henryju deleted the svn_ssh_auth branch March 10, 2016 09:47
@alexbde

alexbde commented Mar 11, 2016

I tried using new version. Downloaded and installed 1.3-SNAPSHOT RC2 (double checked in update center). Set keys sonar.svn.username to sonar and sonar.svn.privateKeyPath to /etc/ssh/id_rsa-sonar through UI. Same credentials are successfully working in Jenkins (naming svn user "sonar" was not the best choice I know ☕).

Run mvn sonar:sonar in Jenkins. SVN checkout and SonarQube analysis successful but I'm experiencing exception SVNAuthenticationException: svn: E170001: Authentication required for 'svn+ssh://svn.example.com' at the end. Hrm. Tried setting username and privateKeyPath through parameters but no success. Tried adding user in URL ("svn+ssh://sonar@svn.example.com") but no change. Have you got any idea what's wrong?

I also tried to get some more debug information. Latest run was mvn sonar:sonar -Dsonar.svn.username=sonar -Dsonar.svn.privateKeyPath=/etc/ssh/id_rsa-sonar -Dsonar.log.level=TRACE -X -e but I only got the exception above and its stack trace. Is there a way to get the information jakub printed above?

@henryju
Member Author

henryju commented Mar 11, 2016

@alexbde When you say SonarQube analysis is successful: does it mean you managed to see blame info in SonarQube UI? Can you share logs of your analysis (send them to me privately if you want)? You can enable logs with -X but not sure it will show more details. To get more details you may need to plug a remote debugger on the process, but that's not easy on Jenkins.

@alexbde

alexbde commented Mar 11, 2016

@henryju No, I can't see it in SonarQube. I meant there is no failure before svn blame, sorry. How should I send logs to you?

@henryju
Member Author

henryju commented Mar 11, 2016

@alexbde OK so no need for logs. Are you sure your keystore is not protected by a passphrase? Is /etc/ssh/id_rsa-sonar readable to SQ Scanner process?

@alexbde

alexbde commented Mar 11, 2016

@henryju Yep, I double checked passphrase protection, none at all. Readability is a good thought. It's rw-r--r-- so it should be readable at least. Wouldn't there be a FileNotFoundException or similar if it weren't readable?

@alexbde

alexbde commented Mar 14, 2016

Okay, I solved my issue. I didn't think it mattered but I have two different machines, one running Jenkins and one running SonarQube. I had placed the file /etc/ssh/id_rsa-sonar on the SonarQube machine because I thought "SonarQube settings => SonarQube machine". That turned out to be a false conclusion because the SonarQube runner executes on the Jenkins machine and is (of course) looking for the file /etc/ssh/id_rsa-sonar on the same machine. Copied the file to the Jenkins machine and it worked. I'm sorry for any inconvenience. Maybe you could add some more debug information in a future release so you can find out more easily about a missing file :) Anyway thank you for extending SVN plugin!

@henryju
Member Author

henryju commented Mar 14, 2016

Checking existence of the file is a very good idea. I'll do that (it is very strange SVNKit is not doing this check).
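
The file check discussed in the comments above, written as a shell preflight to run on the host that executes the scanner. This is an added example, not part of the PR or the plugin; the function name and return codes are made up for it, and the group/other permission check is an extra hardening step (a mode such as rw-r--r-- leaves the private key readable by every local account).

```shell
#!/bin/sh
# Added example (not plugin code): preflight for the file passed as
# -Dsonar.svn.privateKeyPath. Run it on the host that executes the scanner,
# as the account the scanner runs under.
# Return codes (chosen for this example): 0 ok, 2 missing, 3 unreadable,
# 4 passphrase-protected, 5 readable by group/others.

check_svn_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "missing: no regular file $key on host $(uname -n)"
        return 2
    fi
    if [ ! -r "$key" ]; then
        echo "unreadable: $(id -un) cannot read $key"
        return 3
    fi
    # PEM and PKCS#8 keys announce encryption in clear text. The newer
    # "BEGIN OPENSSH PRIVATE KEY" format does not, so it is not detected here.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "encrypted: $key needs a passphrase (sonar.svn.passphrase.secure)"
        return 4
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # a private key should show "------" there (e.g. -rw-------).
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "too-open: $key grants '$perms' to group/others; chmod 600 it"
        return 5
    fi
    echo "ok: $key"
    return 0
}

# Stand-alone use: sh check_svn_key.sh /path/to/key
if [ "$#" -gt 0 ]; then
    check_svn_key "$1"
fi
```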

@alexbde

alexbde commented Mar 14, 2016

Okay. Just let me know when there's a RC3 you need to be tested.

@henryju
Member Author

henryju commented Mar 14, 2016

I don't plan to do another RC. I'll do the final release. But thanks for offering ;)

@alexbde

alexbde commented Mar 14, 2016

That's even better ;)
