##// END OF EJS Templates
u » av6 » wip » mercurial_keyring
RSS

Clone from https://foss.heptapod.net/mercurial/mercurial_keyring

mekk.bitbucket.org → mekk.bitbucket.io
Marcin Kasperski -
r245:2428883c default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,349 +1,349 b''
1 1 .. -*- mode: rst; compile-command: "rst2html README.txt README.html" -*-
2 2
3 3 =======================================================
4 4 Mercurial Keyring
5 5 =======================================================
6 6
7 7 Mercurial Keyring is a Mercurial_ extension used to securely save HTTP
8 8 and SMTP authentication passwords in password databases (Gnome
9 9 Keyring, KDE KWallet, OSXKeyChain, Windows Vault etc).
10 10
11 11 With ``mercurial_keyring`` active, Mercurial remembers your passwords
12 12 and reuses them without prompting (as if you stored them in ``.hgrc``),
13 13 but password storage is reasonably secure.
14 14
15 15 Actual password storage is implemented by the keyring_ library, this
16 16 extension glues it to Mercurial.
17 17
18 18 .. contents::
19 19 :local:
20 20 :depth: 2
21 21
22 22 .. sectnum::
23 23
24 24 .. _keyring: http://pypi.python.org/pypi/keyring
25 25 .. _Mercurial: http://mercurial.selenic.com
26 26
27 27 How does it work
28 28 =======================================================
29 29
30 30 On your first pull or push to HTTP url (or first email sent via given
31 31 SMTP server), you are prompted for the password, just like bare
32 32 Mercurial does. But the password you entered is saved to appropriate
33 33 password database. On successive runs, whenever the password is
34 34 needed, ``mercurial_keyring`` checks for password in password
35 35 database, and uses it without troubling you.
36 36
37 37 In case password turns out to be incorrect (for example, because you
38 38 changed it, or entered it incorrectly), ``mercurial_keyring`` prompts
39 39 you again, and overwrites the password.
40 40
41 41 You can use many passwords (for various remote urls). Saved passwords
42 42 are identified by pair of username and url prefix. See below for
43 43 information how to configure those properly.
44 44
45 45 Installation
46 46 =======================================================
47 47
48 48 Prerequisites
49 49 -------------
50 50
51 51 This extension requires keyring_ and `mercurial_extension_utils`_ to
52 52 work. In many cases both will be installed automatically while you
53 53 install ``mercurial_keyring``, but you may need to control the process.
54 54
55 55 The keyring_ library can usually be installed by::
56 56
57 57 pip install --user keyring
58 58
59 59 (or ``easy_install keyring``), but on some systems it is preferable to
60 60 use official distribution archive. For example, on Debian and Ubuntu,
61 61 you may install ``python-keyring`` and either ``python-keyring-gnome``
62 62 or ``python-keyring-kwallet`` packages::
63 63
64 64 sudo apt-get install python-keyring python-keyring-gnome
65 65
66 66 (this will save you the need to provide working compiler and various
67 67 development libraries).
68 68
69 69 The `mercurial_extension_utils`_ module is tiny Python-only module,
70 70 which can be installed by::
71 71
72 72 pip install --user mercurial_extension_utils
73 73
74 74 but in some cases (Windows…) requires more care. See
75 75 `mercurial_extension_utils`_ documentation.
76 76
77 77
78 78 Extension installation
79 79 ----------------------
80 80
81 81 There are two possible ways of installing the extension: using PyPi package,
82 82 or using source clone.
83 83
84 84 To install as a package::
85 85
86 86 pip install --user mercurial_keyring
87 87
88 88 (or ``sudo pip install mercurial_keyring`` for system-wide
89 89 installation) and then enable it in ``~/.hgrc`` (or
90 90 ``/etc/mercurial/hgrc`` or ``Mercurial.ini``) using::
91 91
92 92 [extensions]
93 93 mercurial_keyring =
94 94
95 95 To install using source clone, install keyring_ according to the
96 96 instructions above, then clone::
97 97
98 98 hg clone https://bitbucket.org/Mekk/mercurial_keyring/
99 99 hg clone https://bitbucket.org/Mekk/mercurial-extension_utils/
100 100
101 101 and configure Mercurial using full path to the extension module::
102 102
103 103 [extensions]
104 104 mercurial_keyring = /path/to/mercurial_keyring/mercurial_keyring.py
105 105
106 106 .. _the code:
107 107 .. _mercurial_keyring.py: http://bitbucket.org/Mekk/mercurial_keyring/src/tip/mercurial_keyring.py
108 108
109 109 Password backend configuration
110 110 =======================================================
111 111
112 112 The most appropriate password backend should usually be picked without
113 113 configuration (considering installed libraries, operating system,
114 114 active desktop session). Still, if necessary, it can be configured
115 115 using ``keyringrc.cfg`` file. Refer to keyring_ docs for more
116 116 details.
117 117
118 118 .. note::
119 119
120 120 With current (as I write) keyring (5.6), this file is (on Linux)
121 121 located at ``~/.local/share/python_keyring/keyringrc.cfg`` and
122 122 it's example content looks like::
123 123
124 124 [backend]
125 125 default-keyring=keyring.backends.Gnome.Keyring
126 126 # default-keyring=keyring.backends.kwallet.Keyring
127 127
128 128 For list of known backends run ``pydoc keyring.backends``.
129 129
130 130
131 131 ``hgrc`` configuration (HTTP)
132 132 =======================================================
133 133
134 134 Mercurial Keyring uses standard Mercurial ``[auth]`` configuration to
135 135 detect your username (on given remote) and url prefix. You are
136 136 strongly advised to configure both.
137 137
138 138 Without the username ``mercurial_keyring`` can't save or restore
139 139 passwords, so it disables itself.
140 140
141 141 Without url prefix ``mercurial_keyring`` works, but binds passwords to
142 142 repository urls. That means you will have to (re)enter password for
143 143 every repository cloned from given remote (and that there will be many
144 144 copies of this password in secure storage).
145 145
146 146 Repository level configuration
147 147 ------------------------------------
148 148
149 149 Edit repository-local ``.hg/hgrc`` and save there the remote
150 150 repository path and the username, but do not save the password. For
151 151 example:
152 152
153 153 ::
154 154
155 155 [paths]
156 156 myremote = https://my.server.com/hgrepo/someproject
157 157
158 158 [auth]
159 159 myremote.prefix = https://my.server.com/hgrepo
160 160 myremote.username = John
161 161
162 162 Simpler form with url-embedded name can also be used:
163 163
164 164 ::
165 165
166 166 [paths]
167 167 bitbucket = https://John@my.server.com/hgrepo/someproject/
168 168
169 169 but is not recommended.
170 170
171 171 Note that all repositories sharing the same ``prefix`` share the same
172 172 password.
173 173
174 174 Mercurial allows also for password in ``.hg/hgrc`` (either given by
175 175 ``«prefix».password``, or embedded in url). If such password is found,
176 176 Mercurial Keyring disables itself.
177 177
178 178
179 179 Account-level configuration
180 180 ---------------------------
181 181
182 182 If you are consistent about remote repository nicknames, you can
183 183 configure the username in your `~/.hgrc` (`.hgrc` in your home
184 184 directory). For example, write there::
185 185
186 186 [auth]
187 187 acme.prefix = hg.acme.com/repositories
188 188 acme.username = johnny
189 189 acme.schemes = http https
190 190 bitbucket.prefix = https://bitbucket.org
191 191 bitbucket.username = Mekk
192 192 mydep.prefix = https://dev.acmeorg.com
193 193 mydep.username = drmartin
194 194
195 195 and as long as you use ``acme`` alias for repositories like
196 196 ``https://hg.acme.com/repositories/my_beautiful_app``, username
197 197 ``johnny`` will be used, and the same password reused. Similarly
198 198 any ``hg push bitbucket`` will share the same password.
199 199
200 200 With such config repository-level ``.hg/hgrc`` need only contain
201 201 ``[paths]``.
202 202
203 203 Additional advantage of this method is that it works also during
204 204 `clone`.
205 205
206 206
207 207 .. note::
208 208
209 209 Mercurial Keyring works well with `Path Pattern`_. On my setup I use
210 210 prefix as above, and::
211 211
212 212 [path_pattern]
213 213 bitbucket.local = ~/devel/{below}
214 214 bitbucket.remote = https://bitbucket.org/Mekk/{below:/=-}
215 215
216 216 so all my repositories understand ``hg push bitbucket`` without
217 217 any repository-level configuration.
218 218
219 219
220 220 ``hgrc`` configuration (SMTP)
221 221 =======================================================
222 222
223 223 Edit either repository-local ``.hg/hgrc``, or ``~/.hgrc`` and set
224 224 there all standard email and smtp properties, including SMTP
225 225 username, but without SMTP password. For example:
226 226
227 227 ::
228 228
229 229 [email]
230 230 method = smtp
231 231 from = Joe Doe <Joe.Doe@remote.com>
232 232
233 233 [smtp]
234 234 host = smtp.gmail.com
235 235 port = 587
236 236 username = JoeDoe@gmail.com
237 237 tls = true
238 238
239 239 Just as in case of HTTP, you *must* set username, but *must not* set
240 240 password here to use the extension, in other cases it will revert to
241 241 the default behavior.
242 242
243 243 Usage
244 244 ======================================================
245 245
246 246 Saving and restoring passwords
247 247 -------------------------------------------------------
248 248
249 249 Configure the repository as above, then just ``hg pull``, ``hg push``,
250 250 etc. You should be asked for the password only once (per every
251 251 username and remote repository prefix or url combination).
252 252
253 253 Similarly, for email, configure as above and just ``hg email``.
254 254 Again, you will be asked for the password once (per every username and
255 255 email server address combination).
256 256
257 257 Checking password status (``hg keyring_check``)
258 258 -------------------------------------------------------
259 259
260 260 The ``keyring_check`` command can be used to check whether/which
261 261 password(s) are saved. It can be used in three ways:
262 262
263 263 - without parameters, it prints info related to all HTTP paths
264 264 defined for current repository (everything from ``hg paths``
265 265 that resolves to HTTP url)::
266 266
267 267 hg keyring_check
268 268
269 269 - given alias as param, it prints info about this alias::
270 270
271 271 hg keyring_check work
272 272
273 273 - finally, any path can be checked::
274 274
275 275 hg keyring_check https://bitbucket.org/Mekk/mercurial_keyring
276 276
277 277 Deleting saved password (``hg keyring_clear``)
278 278 -------------------------------------------------------
279 279
280 280 The ``keyring_clear`` command removes saved password related to given
281 281 path. It can be used in two ways:
282 282
283 283 - given alias as param, it drops password used by this alias::
284 284
285 285 hg keyring_clear work
286 286
287 287 - given full path, it drops password related to this path::
288 288
289 289 hg keyring_clear https://bitbucket.org/Mekk/mercurial_keyring
290 290
291 291 Managing passwords using GUI tools
292 292 ------------------------------------------------------
293 293
294 294 Many password backends provide GUI tools for password management,
295 295 for example Gnome Keyring passwords can be managed using ``seahorse``,
296 296 and KDE Wallet using ``kwalletmanager``. Those GUI tools can be used
297 297 to review, edit, or delete saved passwords.
298 298
299 299 Unfortunately, as I write, keyring_ library does not allow one to
300 300 configure how/where exactly saved passwords are put in the hierarchy,
301 301 and the place is not always intuitive. For example, in KDE Wallet, all
302 302 passwords saved using ``mercurial_keyring`` show up in the folder
303 303 named ``Python``.
304 304
305 305 .. note::
306 306
307 307 This is slightly problematic in case ``mercurial_keyring`` is not
308 308 the only program using keyring_ library. Passwords saved by another
309 309 Python application or script (which also uses keyring_) will be put
310 310 into the same place, and it may be unclear which password belongs
311 311 to which program. To remedy this, ``mercurial_keyring`` applies
312 312 slightly unusual labels of the form
313 313 ``«username»@@«urlprefix»@Mercurial`` - for example my bitbucket
314 314 password is labelled ``Mekk@@https://bitbucket.org@Mercurial``.
315 315
316 316 Implementation details
317 317 =======================================================
318 318
319 319 The extension is monkey-patching the mercurial ``passwordmgr`` class
320 320 to replace the ``find_user_password`` method. Detailed order of operations
321 321 is described in the comments inside `the code`_.
322 322
323 323 History
324 324 =======================================================
325 325
326 326 See `HISTORY.txt`_.
327 327
328 328 Development
329 329 =======================================================
330 330
331 331 Development is tracked on BitBucket, see
332 332 http://bitbucket.org/Mekk/mercurial_keyring/
333 333
334 334
335 335 Additional notes
336 336 =======================================================
337 337
338 338 Information about this extension is also available
339 339 on Mercurial Wiki: http://mercurial.selenic.com/wiki/KeyringExtension
340 340
341 341 Check also `other Mercurial extensions I wrote`_.
342 342
343 .. _other Mercurial extensions I wrote: http://mekk.bitbucket.org/mercurial.html
343 .. _other Mercurial extensions I wrote: http://mekk.bitbucket.io/mercurial.html
344 344
345 345 .. _HISTORY.txt: http://bitbucket.org/Mekk/mercurial_keyring/src/tip/HISTORY.txt
346 346 .. _TortoiseHg: http://tortoisehg.bitbucket.org/
347 347 .. _Mercurial: http://mercurial.selenic.com
348 348 .. _mercurial_extension_utils: https://bitbucket.org/Mekk/mercurial-extension_utils/
349 349 .. _Path Pattern: https://bitbucket.org/Mekk/mercurial-path_pattern/
General Comments 0
You need to be logged in to leave comments. Login now