##// END OF EJS Templates
u » av6 » wip » mercurial_keyring
RSS

Clone from https://foss.heptapod.net/mercurial/mercurial_keyring

Current link to my extensions list
Marcin Kasperski -
r284:7392c14e default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,431 +1,431 b''
1 1 .. -*- mode: rst; compile-command: "rst2html README.rst README.html" -*-
2 2
3 3 =======================================================
4 4 Mercurial Keyring
5 5 =======================================================
6 6
7 7 Mercurial Keyring is a Mercurial_ extension used to securely save HTTP
8 8 and SMTP authentication passwords in password databases (Gnome
9 9 Keyring, KDE KWallet, OSXKeyChain, Windows Vault etc).
10 10
11 11 With ``mercurial_keyring`` active, Mercurial remembers your passwords
12 12 and reuses them without prompting (as if you stored them in ``.hgrc``),
13 13 but password storage is reasonably secure.
14 14
15 15 Actual password storage is implemented by the keyring_ library, this
16 16 extension glues it to Mercurial.
17 17
18 18 .. contents::
19 19 :local:
20 20 :depth: 2
21 21
22 22 .. sectnum::
23 23
24 24 .. _keyring: http://pypi.python.org/pypi/keyring
25 25 .. _Mercurial: http://mercurial.selenic.com
26 26
27 27 How does it work
28 28 =======================================================
29 29
30 30 On your first pull or push to HTTP url (or first email sent via given
31 31 SMTP server), you are prompted for the password, just like bare
32 32 Mercurial does. But the password you entered is saved to appropriate
33 33 password database. On successive runs, whenever the password is
34 34 needed, ``mercurial_keyring`` checks for password in password
35 35 database, and uses it without troubling you.
36 36
37 37 In case password turns out to be incorrect (for example, because you
38 38 changed it, or entered it incorrectly), ``mercurial_keyring`` prompts
39 39 you again, and overwrites the password.
40 40
41 41 You can use many passwords (for various remote urls). Saved passwords
42 42 are identified by pair of username and url prefix. See below for
43 43 information how to configure those properly.
44 44
45 45 Installation
46 46 =======================================================
47 47
48 48 Prerequisites
49 49 -------------
50 50
51 51 This extension requires keyring_ and `mercurial_extension_utils`_ to
52 52 work. In many cases both will be installed automatically while you
53 53 install ``mercurial_keyring``, but you may need to control the process.
54 54
55 55 The keyring_ library can usually be installed by::
56 56
57 57 pip install --user keyring
58 58
59 59 (or ``easy_install keyring``), but on some systems it is preferable to
60 60 use official distribution archive. For example, on Debian and Ubuntu,
61 61 you may install ``python-keyring`` and either ``python-keyring-gnome``
62 62 or ``python-keyring-kwallet`` packages::
63 63
64 64 sudo apt-get install python-keyring python-keyring-gnome
65 65
66 66 (this will save you the need to provide working compiler and various
67 67 development libraries).
68 68
69 69 The `mercurial_extension_utils`_ module is tiny Python-only module,
70 70 which can be installed by::
71 71
72 72 pip install --user mercurial_extension_utils
73 73
74 74 but in some cases (Windows…) requires more care. See
75 75 `mercurial_extension_utils`_ documentation.
76 76
77 77
78 78 Extension installation
79 79 ----------------------
80 80
81 81 There are two possible ways of installing the extension: using PyPi package,
82 82 or using source clone.
83 83
84 84 To install as a package::
85 85
86 86 pip install --user mercurial_keyring
87 87
88 88 (or ``sudo pip install mercurial_keyring`` for system-wide
89 89 installation) and then enable it in ``~/.hgrc`` (or
90 90 ``/etc/mercurial/hgrc`` or ``Mercurial.ini``) using::
91 91
92 92 [extensions]
93 93 mercurial_keyring =
94 94
95 95 To install using source clone, install keyring_ according to the
96 96 instructions above, then clone::
97 97
98 98 hg clone https://foss.heptapod.net/mercurial/mercurial_keyring/
99 99 hg clone https://foss.heptapod.net/mercurial/mercurial-extension_utils/
100 100
101 101 and configure Mercurial using full path to the extension module::
102 102
103 103 [extensions]
104 104 mercurial_keyring = /path/to/mercurial_keyring/mercurial_keyring.py
105 105
106 106 .. _the code:
107 107 .. _mercurial_keyring.py: https://foss.heptapod.net/mercurial/mercurial_keyring/src/tip/mercurial_keyring.py
108 108
109 109 Password backend configuration
110 110 =======================================================
111 111
112 112 The most appropriate password backend should usually be picked without
113 113 configuration (considering installed libraries, operating system,
114 114 active desktop session). Still, if necessary, it can be configured
115 115 using ``keyringrc.cfg`` file. Refer to keyring_ docs for more
116 116 details.
117 117
118 118 .. note::
119 119
120 120 With current (as I write) keyring (5.6), this file is (on Linux)
121 121 located at ``~/.local/share/python_keyring/keyringrc.cfg`` and
122 122 it's example content looks like::
123 123
124 124 [backend]
125 125 default-keyring=keyring.backends.Gnome.Keyring
126 126 # default-keyring=keyring.backends.kwallet.Keyring
127 127
128 128 For list of known backends run ``pydoc keyring.backends`` or
129 129 ``keyring --list-backends`` (which of those commands work,
130 130 depends on the keyring_ version).
131 131
132 132
133 133 ``hgrc`` configuration (HTTP)
134 134 =======================================================
135 135
136 136 Mercurial Keyring uses standard Mercurial ``[auth]`` configuration to
137 137 detect your username (on given remote) and url prefix. You are
138 138 strongly advised to configure both.
139 139
140 140 Without the username ``mercurial_keyring`` can't save or restore
141 141 passwords, so it disables itself.
142 142
143 143 Without url prefix ``mercurial_keyring`` works, but binds passwords to
144 144 repository urls. That means you will have to (re)enter password for
145 145 every repository cloned from given remote (and that there will be many
146 146 copies of this password in secure storage).
147 147
148 148 Repository level configuration
149 149 ------------------------------------
150 150
151 151 Edit repository-local ``.hg/hgrc`` and save there the remote
152 152 repository path and the username, but do not save the password. For
153 153 example:
154 154
155 155 ::
156 156
157 157 [paths]
158 158 myremote = https://my.server.com/hgrepo/someproject
159 159
160 160 [auth]
161 161 myremote.prefix = https://my.server.com/hgrepo
162 162 myremote.username = John
163 163
164 164 Simpler form with url-embedded name can also be used:
165 165
166 166 ::
167 167
168 168 [paths]
169 169 bitbucket = https://John@my.server.com/hgrepo/someproject/
170 170
171 171 but is not recommended.
172 172
173 173 Note that all repositories sharing the same ``prefix`` share the same
174 174 password.
175 175
176 176 Mercurial allows also for password in ``.hg/hgrc`` (either given by
177 177 ``Β«prefixΒ».password``, or embedded in url). If such password is found,
178 178 Mercurial Keyring disables itself.
179 179
180 180
181 181 Account-level configuration
182 182 ---------------------------
183 183
184 184 If you are consistent about remote repository nicknames, you can
185 185 configure the username in your `~/.hgrc` (`.hgrc` in your home
186 186 directory). For example, write there::
187 187
188 188 [auth]
189 189 acme.prefix = hg.acme.com/repositories
190 190 acme.username = johnny
191 191 acme.schemes = http https
192 192 bitbucket.prefix = https://bitbucket.org
193 193 bitbucket.username = Mekk
194 194 mydep.prefix = https://dev.acmeorg.com
195 195 mydep.username = drmartin
196 196
197 197 and as long as you use ``acme`` alias for repositories like
198 198 ``https://hg.acme.com/repositories/my_beautiful_app``, username
199 199 ``johnny`` will be used, and the same password reused. Similarly
200 200 any ``hg push bitbucket`` will share the same password.
201 201
202 202 With such config repository-level ``.hg/hgrc`` need only contain
203 203 ``[paths]``.
204 204
205 205 Additional advantage of this method is that it works also during
206 206 `clone`.
207 207
208 208
209 209 .. note::
210 210
211 211 Mercurial Keyring works well with `Path Pattern`_. On my setup I use
212 212 prefix as above, and::
213 213
214 214 [path_pattern]
215 215 bitbucket.local = ~/devel/{below}
216 216 bitbucket.remote = https://bitbucket.org/Mekk/{below:/=-}
217 217
218 218 so all my repositories understand ``hg push bitbucket`` without
219 219 any repository-level configuration.
220 220
221 221
222 222 ``hgrc`` configuration (SMTP)
223 223 =======================================================
224 224
225 225 Edit either repository-local ``.hg/hgrc``, or ``~/.hgrc`` and set
226 226 there all standard email and smtp properties, including SMTP
227 227 username, but without SMTP password. For example:
228 228
229 229 ::
230 230
231 231 [email]
232 232 method = smtp
233 233 from = Joe Doe <Joe.Doe@remote.com>
234 234
235 235 [smtp]
236 236 host = smtp.gmail.com
237 237 port = 587
238 238 username = JoeDoe@gmail.com
239 239 tls = true
240 240
241 241 Just as in case of HTTP, you *must* set username, but *must not* set
242 242 password here to use the extension, in other cases it will revert to
243 243 the default behavior.
244 244
245 245 Usage
246 246 ======================================================
247 247
248 248 Saving and restoring passwords
249 249 -------------------------------------------------------
250 250
251 251 Configure the repository as above, then just ``hg pull``, ``hg push``,
252 252 etc. You should be asked for the password only once (per every
253 253 username and remote repository prefix or url combination).
254 254
255 255 Similarly, for email, configure as above and just ``hg email``.
256 256 Again, you will be asked for the password once (per every username and
257 257 email server address combination).
258 258
259 259 Checking password status (``hg keyring_check``)
260 260 -------------------------------------------------------
261 261
262 262 The ``keyring_check`` command can be used to check whether/which
263 263 password(s) are saved. It can be used in three ways:
264 264
265 265 - without parameters, it prints info related to all HTTP paths
266 266 defined for current repository (everything from ``hg paths``
267 267 that resolves to HTTP url)::
268 268
269 269 hg keyring_check
270 270
271 271 - given alias as param, it prints info about this alias::
272 272
273 273 hg keyring_check work
274 274
275 275 - finally, any path can be checked::
276 276
277 277 hg keyring_check https://foss.heptapod.net/mercurial/mercurial_keyring
278 278
279 279 Deleting saved password (``hg keyring_clear``)
280 280 -------------------------------------------------------
281 281
282 282 The ``keyring_clear`` command removes saved password related to given
283 283 path. It can be used in two ways:
284 284
285 285 - given alias as param, it drops password used by this alias::
286 286
287 287 hg keyring_clear work
288 288
289 289 - given full path, it drops password related to this path::
290 290
291 291 hg keyring_clear https://foss.heptapod.net/mercurial/mercurial_keyring
292 292
293 293 Managing passwords using GUI tools
294 294 ------------------------------------------------------
295 295
296 296 Many password backends provide GUI tools for password management,
297 297 for example Gnome Keyring passwords can be managed using ``seahorse``,
298 298 and KDE Wallet using ``kwalletmanager``. Those GUI tools can be used
299 299 to review, edit, or delete saved passwords.
300 300
301 301 Unfortunately, as I write, keyring_ library does not allow one to
302 302 configure how/where exactly saved passwords are put in the hierarchy,
303 303 and the place is not always intuitive. For example, in KDE Wallet, all
304 304 passwords saved using ``mercurial_keyring`` show up in the folder
305 305 named ``Python``.
306 306
307 307 .. note::
308 308
309 309 This is slightly problematic in case ``mercurial_keyring`` is not
310 310 the only program using keyring_ library. Passwords saved by another
311 311 Python application or script (which also uses keyring_) will be put
312 312 into the same place, and it may be unclear which password belongs
313 313 to which program. To remedy this, ``mercurial_keyring`` applies
314 314 slightly unusual labels of the form
315 315 ``Β«usernameΒ»ο»Ώ@@ο»ΏΒ«urlprefixΒ»ο»Ώ@ο»ΏMercurial`` - for example my bitbucket
316 316 password is labelled ``Mekkο»Ώ@@ο»Ώhttpsο»Ώ://ο»Ώbitbucket.orgο»Ώ@ο»ΏMercurial``.
317 317
318 318 Implementation details
319 319 =======================================================
320 320
321 321 The extension is monkey-patching the mercurial ``passwordmgr`` class
322 322 to replace the ``find_user_password`` method. Detailed order of operations
323 323 is described in the comments inside `the code`_.
324 324
325 325 Frequent problems
326 326 =======================================================
327 327
328 328 Most problems people face while using ``mercurial_keyring`` are in
329 329 fact problems with ``keyring`` library and it's backends. In
330 330 particular, those can manifest by:
331 331
332 332 - technical errors mentioning sentences like ``No recommended backend
333 333 was available. Install the keyrings.alt package…`` (or similar),
334 334
335 335 - warnings like ``keyring: keyring backend doesn't seem to work…``
336 336
337 337 - password prompts on every action (= passwords not being saved).
338 338
339 339 Those almost always mean that *natural* keyring backend for given
340 340 desktop type doesn't work, or is not present at all. For example,
341 341 some necessary runtime component can be down (say, you use Linux, but
342 342 neither Gnome Keyring, nor KDE Wallet, is running). Or appropriate
343 343 backend is not installed because it could not be build during keyring_
344 344 library installation (maybe because some required library was not
345 345 present at the moment of keyring installation, or maybe because
346 346 compiler as such is not present on the system).
347 347
348 348 To diagnose such problems, try using ``keyring`` utility, as described
349 349 on keyring_ documentation page, for example by::
350 350
351 351 keyring --list-backends
352 352 keyring -b keyrings.alt.Gnome.Keyring set testsvc testuser
353 353 keyring -b keyrings.alt.Gnome.Keyring get testsvc testuser
354 354
355 355 (of course using appropriate backend). If you miss the ``keyring`` command
356 356 as such, try ``python -m keyring`` instead::
357 357
358 358 python -m keyring --list-backends
359 359 python -m keyring -b keyrings.alt.Gnome.Keyring set testsvc testuser
360 360 python -m keyring -b keyrings.alt.Gnome.Keyring get testsvc testuser
361 361
362 362 If appropriate backend is missing (not listed), or doesn't work
363 363 (second or third command fails), your keyring is broken. Try looking
364 364 for further pointers in keyring_ documentation, that project mailing
365 365 list, or issue tracker. Typically it will turn out, that you need to
366 366 install some missing tool, or library, and reinstall keyring.
367 367
368 368 .. note::
369 369
370 370 Depending on keyring_ version, installation of some dependency may
371 371 resolve problem. For example (as of late 2018), I got KDE Wallet
372 372 backend working with pip-installed keyring after::
373 373
374 374 pip install dbus-python
375 375
376 376 Note also, that recent versions of keyring library (since version 12) use Python
377 377 entrypoints to find available backends. Those are incompatible with
378 378 some binary packaging methods (like ``py2app``) and may cause
379 379 problems. In particular there were packaged installations of TortoiseHG
380 380 which were unable to load keyring backends. See `#61 <https://foss.heptapod.net/mercurial/mercurial_keyring/issues/61/tortoisehg-encounters-unknown-exception>`_ for some more details.
381 381
382 382
383 383 If ``keyring`` command works, but mercurial with mercurial_keyring does not,
384 384 try enforcing proper backend (by means of ``keyringrc.cfg``, see above).
385 385 Only if this doesn't help, there may be a bug in mercurial_keyring.
386 386
387 387 By far easiest way to have properly working keyring is to use packaged
388 388 binary version (like ``python-keyring`` Ubuntu package, or keyring
389 389 bundled with TortoiseHG on some systems). If you pip-installed keyring
390 390 and it doesn't work, you may consider removing it via ``pip uninstall
391 391 keyring`` and looking for binary package instead.
392 392
393 393
394 394
395 395
396 396 History
397 397 =======================================================
398 398
399 399 See `HISTORY.rst`_.
400 400
401 401 Repository, bug reports, enhancement suggestions
402 402 ===================================================
403 403
404 404 Development is tracked on HeptaPod, see
405 405 https://foss.heptapod.net/mercurial/mercurial_keyring/
406 406
407 407 Use issue tracker there for bug reports and enhancement
408 408 suggestions.
409 409
410 410 Thanks to Octobus_ and `Clever Cloud`_ for hosting this service.
411 411
412 412
413 413
414 414 Additional notes
415 415 =======================================================
416 416
417 417 Information about this extension is also available
418 418 on Mercurial Wiki: http://mercurial.selenic.com/wiki/KeyringExtension
419 419
420 420 Check also `other Mercurial extensions I wrote`_.
421 421
422 422 .. _Octobus: https://octobus.net/
423 423 .. _Clever Cloud: https://www.clever-cloud.com/
424 424
425 .. _other Mercurial extensions I wrote: http://mekk.bitbucket.io/mercurial.html
425 .. _other Mercurial extensions I wrote: http://code.mekk.waw.pl/mercurial.html
426 426
427 427 .. _HISTORY.rst: https://foss.heptapod.net/mercurial/mercurial_keyring/src/tip/HISTORY.rst
428 428 .. _TortoiseHg: http://tortoisehg.bitbucket.org/
429 429 .. _Mercurial: http://mercurial.selenic.com
430 430 .. _mercurial_extension_utils: https://foss.heptapod.net/mercurial/mercurial-extension_utils/
431 431 .. _Path Pattern: https://foss.heptapod.net/mercurial/mercurial-path_pattern/
General Comments 0
You need to be logged in to leave comments. Login now