##// END OF EJS Templates
u » av6 » wip » mercurial_keyring
RSS

Clone from https://foss.heptapod.net/mercurial/mercurial_keyring

docs: remove duplicate link to Mercurial...
av6 -
r288:f4ae2c4b default draft
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,431 +1,430 b''
1 1 .. -*- mode: rst; compile-command: "rst2html README.rst README.html" -*-
2 2
3 3 =======================================================
4 4 Mercurial Keyring
5 5 =======================================================
6 6
7 7 Mercurial Keyring is a Mercurial_ extension used to securely save HTTP
8 8 and SMTP authentication passwords in password databases (Gnome
9 9 Keyring, KDE KWallet, OSXKeyChain, Windows Vault etc).
10 10
11 11 With ``mercurial_keyring`` active, Mercurial remembers your passwords
12 12 and reuses them without prompting (as if you stored them in ``.hgrc``),
13 13 but password storage is reasonably secure.
14 14
15 15 Actual password storage is implemented by the keyring_ library, this
16 16 extension glues it to Mercurial.
17 17
18 18 .. contents::
19 19 :local:
20 20 :depth: 2
21 21
22 22 .. sectnum::
23 23
24 24 .. _keyring: http://pypi.python.org/pypi/keyring
25 .. _Mercurial: http://mercurial.selenic.com
26 25
27 26 How does it work
28 27 =======================================================
29 28
30 29 On your first pull or push to HTTP url (or first email sent via given
31 30 SMTP server), you are prompted for the password, just like bare
32 31 Mercurial does. But the password you entered is saved to appropriate
33 32 password database. On successive runs, whenever the password is
34 33 needed, ``mercurial_keyring`` checks for password in password
35 34 database, and uses it without troubling you.
36 35
37 36 In case password turns out to be incorrect (for example, because you
38 37 changed it, or entered it incorrectly), ``mercurial_keyring`` prompts
39 38 you again, and overwrites the password.
40 39
41 40 You can use many passwords (for various remote urls). Saved passwords
42 41 are identified by pair of username and url prefix. See below for
43 42 information how to configure those properly.
44 43
45 44 Installation
46 45 =======================================================
47 46
48 47 Prerequisites
49 48 -------------
50 49
51 50 This extension requires keyring_ and `mercurial_extension_utils`_ to
52 51 work. In many cases both will be installed automatically while you
53 52 install ``mercurial_keyring``, but you may need to control the process.
54 53
55 54 The keyring_ library can usually be installed by::
56 55
57 56 pip install --user keyring
58 57
59 58 (or ``easy_install keyring``), but on some systems it is preferable to
60 59 use official distribution archive. For example, on Debian and Ubuntu,
61 60 you may install ``python-keyring`` and either ``python-keyring-gnome``
62 61 or ``python-keyring-kwallet`` packages::
63 62
64 63 sudo apt-get install python-keyring python-keyring-gnome
65 64
66 65 (this will save you the need to provide working compiler and various
67 66 development libraries).
68 67
69 68 The `mercurial_extension_utils`_ module is tiny Python-only module,
70 69 which can be installed by::
71 70
72 71 pip install --user mercurial_extension_utils
73 72
74 73 but in some cases (Windows…) requires more care. See
75 74 `mercurial_extension_utils`_ documentation.
76 75
77 76
78 77 Extension installation
79 78 ----------------------
80 79
81 80 There are two possible ways of installing the extension: using PyPi package,
82 81 or using source clone.
83 82
84 83 To install as a package::
85 84
86 85 pip install --user mercurial_keyring
87 86
88 87 (or ``sudo pip install mercurial_keyring`` for system-wide
89 88 installation) and then enable it in ``~/.hgrc`` (or
90 89 ``/etc/mercurial/hgrc`` or ``Mercurial.ini``) using::
91 90
92 91 [extensions]
93 92 mercurial_keyring =
94 93
95 94 To install using source clone, install keyring_ according to the
96 95 instructions above, then clone::
97 96
98 97 hg clone https://foss.heptapod.net/mercurial/mercurial_keyring/
99 98 hg clone https://foss.heptapod.net/mercurial/mercurial-extension_utils/
100 99
101 100 and configure Mercurial using full path to the extension module::
102 101
103 102 [extensions]
104 103 mercurial_keyring = /path/to/mercurial_keyring/mercurial_keyring.py
105 104
106 105 .. _the code:
107 106 .. _mercurial_keyring.py: https://foss.heptapod.net/mercurial/mercurial_keyring/src/tip/mercurial_keyring.py
108 107
109 108 Password backend configuration
110 109 =======================================================
111 110
112 111 The most appropriate password backend should usually be picked without
113 112 configuration (considering installed libraries, operating system,
114 113 active desktop session). Still, if necessary, it can be configured
115 114 using ``keyringrc.cfg`` file. Refer to keyring_ docs for more
116 115 details.
117 116
118 117 .. note::
119 118
120 119 With current (as I write) keyring (5.6), this file is (on Linux)
121 120 located at ``~/.local/share/python_keyring/keyringrc.cfg`` and
122 121 it's example content looks like::
123 122
124 123 [backend]
125 124 default-keyring=keyring.backends.Gnome.Keyring
126 125 # default-keyring=keyring.backends.kwallet.Keyring
127 126
128 127 For list of known backends run ``pydoc keyring.backends`` or
129 128 ``keyring --list-backends`` (which of those commands work,
130 129 depends on the keyring_ version).
131 130
132 131
133 132 ``hgrc`` configuration (HTTP)
134 133 =======================================================
135 134
136 135 Mercurial Keyring uses standard Mercurial ``[auth]`` configuration to
137 136 detect your username (on given remote) and url prefix. You are
138 137 strongly advised to configure both.
139 138
140 139 Without the username ``mercurial_keyring`` can't save or restore
141 140 passwords, so it disables itself.
142 141
143 142 Without url prefix ``mercurial_keyring`` works, but binds passwords to
144 143 repository urls. That means you will have to (re)enter password for
145 144 every repository cloned from given remote (and that there will be many
146 145 copies of this password in secure storage).
147 146
148 147 Repository level configuration
149 148 ------------------------------------
150 149
151 150 Edit repository-local ``.hg/hgrc`` and save there the remote
152 151 repository path and the username, but do not save the password. For
153 152 example:
154 153
155 154 ::
156 155
157 156 [paths]
158 157 myremote = https://my.server.com/hgrepo/someproject
159 158
160 159 [auth]
161 160 myremote.prefix = https://my.server.com/hgrepo
162 161 myremote.username = John
163 162
164 163 Simpler form with url-embedded name can also be used:
165 164
166 165 ::
167 166
168 167 [paths]
169 168 bitbucket = https://John@my.server.com/hgrepo/someproject/
170 169
171 170 but is not recommended.
172 171
173 172 Note that all repositories sharing the same ``prefix`` share the same
174 173 password.
175 174
176 175 Mercurial allows also for password in ``.hg/hgrc`` (either given by
177 176 ``Β«prefixΒ».password``, or embedded in url). If such password is found,
178 177 Mercurial Keyring disables itself.
179 178
180 179
181 180 Account-level configuration
182 181 ---------------------------
183 182
184 183 If you are consistent about remote repository nicknames, you can
185 184 configure the username in your `~/.hgrc` (`.hgrc` in your home
186 185 directory). For example, write there::
187 186
188 187 [auth]
189 188 acme.prefix = hg.acme.com/repositories
190 189 acme.username = johnny
191 190 acme.schemes = http https
192 191 bitbucket.prefix = https://bitbucket.org
193 192 bitbucket.username = Mekk
194 193 mydep.prefix = https://dev.acmeorg.com
195 194 mydep.username = drmartin
196 195
197 196 and as long as you use ``acme`` alias for repositories like
198 197 ``https://hg.acme.com/repositories/my_beautiful_app``, username
199 198 ``johnny`` will be used, and the same password reused. Similarly
200 199 any ``hg push bitbucket`` will share the same password.
201 200
202 201 With such config repository-level ``.hg/hgrc`` need only contain
203 202 ``[paths]``.
204 203
205 204 Additional advantage of this method is that it works also during
206 205 `clone`.
207 206
208 207
209 208 .. note::
210 209
211 210 Mercurial Keyring works well with `Path Pattern`_. On my setup I use
212 211 prefix as above, and::
213 212
214 213 [path_pattern]
215 214 bitbucket.local = ~/devel/{below}
216 215 bitbucket.remote = https://bitbucket.org/Mekk/{below:/=-}
217 216
218 217 so all my repositories understand ``hg push bitbucket`` without
219 218 any repository-level configuration.
220 219
221 220
222 221 ``hgrc`` configuration (SMTP)
223 222 =======================================================
224 223
225 224 Edit either repository-local ``.hg/hgrc``, or ``~/.hgrc`` and set
226 225 there all standard email and smtp properties, including SMTP
227 226 username, but without SMTP password. For example:
228 227
229 228 ::
230 229
231 230 [email]
232 231 method = smtp
233 232 from = Joe Doe <Joe.Doe@remote.com>
234 233
235 234 [smtp]
236 235 host = smtp.gmail.com
237 236 port = 587
238 237 username = JoeDoe@gmail.com
239 238 tls = true
240 239
241 240 Just as in case of HTTP, you *must* set username, but *must not* set
242 241 password here to use the extension, in other cases it will revert to
243 242 the default behavior.
244 243
245 244 Usage
246 245 ======================================================
247 246
248 247 Saving and restoring passwords
249 248 -------------------------------------------------------
250 249
251 250 Configure the repository as above, then just ``hg pull``, ``hg push``,
252 251 etc. You should be asked for the password only once (per every
253 252 username and remote repository prefix or url combination).
254 253
255 254 Similarly, for email, configure as above and just ``hg email``.
256 255 Again, you will be asked for the password once (per every username and
257 256 email server address combination).
258 257
259 258 Checking password status (``hg keyring_check``)
260 259 -------------------------------------------------------
261 260
262 261 The ``keyring_check`` command can be used to check whether/which
263 262 password(s) are saved. It can be used in three ways:
264 263
265 264 - without parameters, it prints info related to all HTTP paths
266 265 defined for current repository (everything from ``hg paths``
267 266 that resolves to HTTP url)::
268 267
269 268 hg keyring_check
270 269
271 270 - given alias as param, it prints info about this alias::
272 271
273 272 hg keyring_check work
274 273
275 274 - finally, any path can be checked::
276 275
277 276 hg keyring_check https://foss.heptapod.net/mercurial/mercurial_keyring
278 277
279 278 Deleting saved password (``hg keyring_clear``)
280 279 -------------------------------------------------------
281 280
282 281 The ``keyring_clear`` command removes saved password related to given
283 282 path. It can be used in two ways:
284 283
285 284 - given alias as param, it drops password used by this alias::
286 285
287 286 hg keyring_clear work
288 287
289 288 - given full path, it drops password related to this path::
290 289
291 290 hg keyring_clear https://foss.heptapod.net/mercurial/mercurial_keyring
292 291
293 292 Managing passwords using GUI tools
294 293 ------------------------------------------------------
295 294
296 295 Many password backends provide GUI tools for password management,
297 296 for example Gnome Keyring passwords can be managed using ``seahorse``,
298 297 and KDE Wallet using ``kwalletmanager``. Those GUI tools can be used
299 298 to review, edit, or delete saved passwords.
300 299
301 300 Unfortunately, as I write, keyring_ library does not allow one to
302 301 configure how/where exactly saved passwords are put in the hierarchy,
303 302 and the place is not always intuitive. For example, in KDE Wallet, all
304 303 passwords saved using ``mercurial_keyring`` show up in the folder
305 304 named ``Python``.
306 305
307 306 .. note::
308 307
309 308 This is slightly problematic in case ``mercurial_keyring`` is not
310 309 the only program using keyring_ library. Passwords saved by another
311 310 Python application or script (which also uses keyring_) will be put
312 311 into the same place, and it may be unclear which password belongs
313 312 to which program. To remedy this, ``mercurial_keyring`` applies
314 313 slightly unusual labels of the form
315 314 ``Β«usernameΒ»ο»Ώ@@ο»ΏΒ«urlprefixΒ»ο»Ώ@ο»ΏMercurial`` - for example my bitbucket
316 315 password is labelled ``Mekkο»Ώ@@ο»Ώhttpsο»Ώ://ο»Ώbitbucket.orgο»Ώ@ο»ΏMercurial``.
317 316
318 317 Implementation details
319 318 =======================================================
320 319
321 320 The extension is monkey-patching the mercurial ``passwordmgr`` class
322 321 to replace the ``find_user_password`` method. Detailed order of operations
323 322 is described in the comments inside `the code`_.
324 323
325 324 Frequent problems
326 325 =======================================================
327 326
328 327 Most problems people face while using ``mercurial_keyring`` are in
329 328 fact problems with ``keyring`` library and it's backends. In
330 329 particular, those can manifest by:
331 330
332 331 - technical errors mentioning sentences like ``No recommended backend
333 332 was available. Install the keyrings.alt package…`` (or similar),
334 333
335 334 - warnings like ``keyring: keyring backend doesn't seem to work…``
336 335
337 336 - password prompts on every action (= passwords not being saved).
338 337
339 338 Those almost always mean that *natural* keyring backend for given
340 339 desktop type doesn't work, or is not present at all. For example,
341 340 some necessary runtime component can be down (say, you use Linux, but
342 341 neither Gnome Keyring, nor KDE Wallet, is running). Or appropriate
343 342 backend is not installed because it could not be build during keyring_
344 343 library installation (maybe because some required library was not
345 344 present at the moment of keyring installation, or maybe because
346 345 compiler as such is not present on the system).
347 346
348 347 To diagnose such problems, try using ``keyring`` utility, as described
349 348 on keyring_ documentation page, for example by::
350 349
351 350 keyring --list-backends
352 351 keyring -b keyrings.alt.Gnome.Keyring set testsvc testuser
353 352 keyring -b keyrings.alt.Gnome.Keyring get testsvc testuser
354 353
355 354 (of course using appropriate backend). If you miss the ``keyring`` command
356 355 as such, try ``python -m keyring`` instead::
357 356
358 357 python -m keyring --list-backends
359 358 python -m keyring -b keyrings.alt.Gnome.Keyring set testsvc testuser
360 359 python -m keyring -b keyrings.alt.Gnome.Keyring get testsvc testuser
361 360
362 361 If appropriate backend is missing (not listed), or doesn't work
363 362 (second or third command fails), your keyring is broken. Try looking
364 363 for further pointers in keyring_ documentation, that project mailing
365 364 list, or issue tracker. Typically it will turn out, that you need to
366 365 install some missing tool, or library, and reinstall keyring.
367 366
368 367 .. note::
369 368
370 369 Depending on keyring_ version, installation of some dependency may
371 370 resolve problem. For example (as of late 2018), I got KDE Wallet
372 371 backend working with pip-installed keyring after::
373 372
374 373 pip install dbus-python
375 374
376 375 Note also, that recent versions of keyring library (since version 12) use Python
377 376 entrypoints to find available backends. Those are incompatible with
378 377 some binary packaging methods (like ``py2app``) and may cause
379 378 problems. In particular there were packaged installations of TortoiseHG
380 379 which were unable to load keyring backends. See `#61 <https://foss.heptapod.net/mercurial/mercurial_keyring/issues/61/tortoisehg-encounters-unknown-exception>`_ for some more details.
381 380
382 381
383 382 If ``keyring`` command works, but mercurial with mercurial_keyring does not,
384 383 try enforcing proper backend (by means of ``keyringrc.cfg``, see above).
385 384 Only if this doesn't help, there may be a bug in mercurial_keyring.
386 385
387 386 By far easiest way to have properly working keyring is to use packaged
388 387 binary version (like ``python-keyring`` Ubuntu package, or keyring
389 388 bundled with TortoiseHG on some systems). If you pip-installed keyring
390 389 and it doesn't work, you may consider removing it via ``pip uninstall
391 390 keyring`` and looking for binary package instead.
392 391
393 392
394 393
395 394
396 395 History
397 396 =======================================================
398 397
399 398 See `HISTORY.rst`_.
400 399
401 400 Repository, bug reports, enhancement suggestions
402 401 ===================================================
403 402
404 403 Development is tracked on HeptaPod, see
405 404 https://foss.heptapod.net/mercurial/mercurial_keyring/
406 405
407 406 Use issue tracker there for bug reports and enhancement
408 407 suggestions.
409 408
410 409 Thanks to Octobus_ and `Clever Cloud`_ for hosting this service.
411 410
412 411
413 412
414 413 Additional notes
415 414 =======================================================
416 415
417 416 Information about this extension is also available
418 417 on Mercurial Wiki: http://mercurial.selenic.com/wiki/KeyringExtension
419 418
420 419 Check also `other Mercurial extensions I wrote`_.
421 420
422 421 .. _Octobus: https://octobus.net/
423 422 .. _Clever Cloud: https://www.clever-cloud.com/
424 423
425 424 .. _other Mercurial extensions I wrote: http://code.mekk.waw.pl/mercurial.html
426 425
427 426 .. _HISTORY.rst: https://foss.heptapod.net/mercurial/mercurial_keyring/src/tip/HISTORY.rst
428 427 .. _TortoiseHg: http://tortoisehg.bitbucket.org/
429 428 .. _Mercurial: http://mercurial.selenic.com
430 429 .. _mercurial_extension_utils: https://foss.heptapod.net/mercurial/mercurial-extension_utils/
431 430 .. _Path Pattern: https://foss.heptapod.net/mercurial/mercurial-path_pattern/
General Comments 0
You need to be logged in to leave comments. Login now