1072: HTTPS Subversion repositories don't work with Review Board
- Fixed
- Review Board
| vlys*****@gmai***** (Google Code) (Is this you? Claim this profile.) | |
 |
|
| Oct. 5, 2009 |
It would be useful to provide a --config-dir support for SVN repositories. This solution is good because rb admin won't provide an svn username/password in plain text. But real deal is that the user under which the webserver starts ReviewBoard scripts can have no home directory to store permanently accepted ssl certificates. Now I can't use ReviewBoard because every repository access fails with "HTTPS certificate not accepted. Please ensure that the proper certificate exists in /root/.subversion/auth for the user that reviewboard is running as" We use apache2 on FreeBSD.
-
+ Confirmed -
+ Milestone-Release1.5 + Component-SCMTools
-
- Type-Defect + Type-Enhancement
Here is half of a patch to fix this the SSL problem. This doesn't allow the --config-dir support however it does bypass the ssl problem. I added an if with an imaginary variable repository.allow_all_certs that would turn it on or off. I am not sure how to hook this in, but I have tested the actual code and it seems to accept the ssl certs just fine.
-
+
I'm running on Debian with Apache2, by default the web server runs as www-data with homedir /var/www/. I've changed the ownership and group of this folder to www-data and if I run svn commands as this user, I was prompted the first time to accept the certificate. I can therefore confirm that .subversion/auth/... exists but I still get the problem. Any ideas?
I've tried it with apache2, too. The problem was that despite of running reviewboard scripts as www-data, HOME environment variable was set to /home/vlysenkov, not /home/www-data. Very strange, surely, and it occurs when I restart apache2 by "sudo /usr/local/etc/rc.d/apache2 restart". It seems that apache2 inherits HOME envvar value. The possible solution is to tune apache2 to set HOME variable when starting reviewboard. And my intention in this issue is to leave apache2 HOME var intact.
I ran into a similar issue. Our SVN setup uses client certificates. When trying to use ReviewBoard I'd always end up with an error message saying 'callback_ssl_client_cert_prompt required': PySVN detected it needs a client certificate but there is no code to ask for it. I worked around this by giving PySVN.Client a config dir for the current -effective- user (working around the issue vlysenkov reported in comment #5). Patch attached. Probably not the cleanest, as I'm no python developer, but this solves the issue for me.
-
+
I'm running on windows with Apache2, rise the same error. how to fix it, any ideas? thanks!
I tried to modify the following lines in svn.py:
import pysvn
self.client = pysvn.Client()
if repository.username:
self.client.set_default_username(str(repository.username))
if repository.password:
self.client.set_default_password(str(repository.password))
To:
def ssl_server_trust_prompt(trust_dict):
return True, 1, True
self.client = pysvn.Client()
self.client.callback_ssl_server_trust_prompt = ssl_server_trust_prompt
Then compile the svn.py again, try to create a review request, another error rised:
Server sent unexpected return value (403 Forbidden) in response to OPTIONS request
for 'https://xxx.com/xxx/xxx_rep/xxx_proj/trunk/xxx/xxx.mak'
anybody could help me?
Just an update on this. We are working on a way to verify, store and manage certificates for 1.1. This will work for SVN and other revision control systems.
-
- Milestone-Release1.5 + Milestone-Release1.1
Great to see your comment! My subversion repository is using https authentication, so i'm blocked by it when using Review Board. So, could you give me any suggestions to workaround it? and also, i'm hopefully to see the issue will be released in version 1.1. Many thanks!
You can use the patch that I posted previously. All it does is accept all ssl certificates regardless of if they are on the correct host or signed.
dear sharrell,
I have add the patch you provided, after compile the svn.py and restart apache
server, the following error rises when i create a new review request:
========The message is copied from apache log=======
'Repository' object has no attribute 'allow_all_certs'
Traceback (most recent call last):
File "c:\python25\lib\site-packages\django-1.0.3-
py2.5.egg\django\core\handlers\base.py", line 91, in get_response
response = callback(request, *callback_args, **callback_kwargs)
File "C:\Python25\lib\site-packages\djblets-0.5.3-py2.5.egg\djblets\auth\util.py",
line 46, in _checklogin
return view_func(request, *args, **kwargs)
File "c:\python25\lib\site-packages\ReviewBoard-1.0rc3-
py2.5.egg\reviewboard\reviews\views.py", line 84, in new_review_request
fields[repo.id] = repo.get_scmtool().get_fields()
File "c:\python25\lib\site-packages\ReviewBoard-1.0rc3-
py2.5.egg\reviewboard\scmtools\models.py", line 40, in get_scmtool
return cls(self)
File "C:\Python25\lib\site-packages\reviewboard-1.0rc3-
py2.5.egg\reviewboard\scmtools\svn.py", line 81, in __init__
if repository.allow_all_certs is True:
AttributeError: 'Repository' object has no attribute 'allow_all_certs'
please help, thanks again!
If you remove the "if repository.allow_all_certs is True:" line and unident the line after it four spaces that should probably work fine.
yes, i did it, and the 500 error gone; but when i create a request, error prompt saying: "Server sent unexpected return value (403 Forbidden) in response to OPTIONS request for "URL" i hava configed the svn repository with the username and password which can pass the authentication. and i have tried in commandline, with "svn list --username name --passowrd pass URL" it works. so i'm sure why the 403 error came out.
I enabled the review board logging setting, create request again, it seems that diff is working background, but the review request is failed to be created with the 403 Forbidden error. The apache log: 2009-09-27 19:20:57,858 - WARNING - Could not open logfile /logs/reviewboard.log. Logging to stderr 2009-09-27 19:20:57,858 - INFO - Logging to /logs/reviewboard.log with a minimum level of DEBUG 2009-09-27 19:20:57,858 - INFO - Log file for Review Board v1.0rc3 2009-09-27 19:21:07,342 - DEBUG - DiffParser.parse: Beginning parse of diff, size = 6082 2009-09-27 19:21:07,342 - DEBUG - DiffParser.parse: Finished parsing diff. 2009-09-28 13:50:05,924 - DEBUG - DiffParser.parse: Beginning parse of diff, size = 8538 2009-09-28 13:50:05,924 - DEBUG - DiffParser.parse: Finished parsing diff. 2009-09-28 13:50:24,596 - DEBUG - DiffParser.parse: Beginning parse of diff, size = 8538 2009-09-28 13:50:24,596 - DEBUG - DiffParser.parse: Finished parsing diff. 2009-09-28 13:50:32,721 - DEBUG - DiffParser.parse: Beginning parse of diff, size = 8538 2009-09-28 13:50:32,737 - DEBUG - DiffParser.parse: Finished parsing diff. 2009-09-28 13:50:42,815 - DEBUG - DiffParser.parse: Beginning parse of diff, size = 8538 2009-09-28 13:50:42,815 - DEBUG - DiffParser.parse: Finished parsing diff.
--config-dir isn't going to be supported, as we absolutely depend on using $HOME for .ssh/known_hosts anyway (this is beyond our control). So supporting --config-dir just makes it more complicated and only solves half our problem. I don't know why your Apache is inheriting $HOME. That sounds like a broken setup issue. Sure, we could in theory work around this for pysvn, but again, same problem as I mentioned above for .ssh, which we can't as easily work around. That all being said, we now support SSL in our Git repository. This bug became a mix of several different bug reports, but since it all centers around SSL support, I'm repurposing the bug. Please feel free to open a new bug for the broken $HOME issue. Maybe we can do something about it in code, but I suspect it's better as a doc'd issue. Please tell me more about your Apache/distro config in the report if you file it.
-
- Confirmed + Fixed -
+ HTTPS Subversion repositories don't work with Review Board -
+ chipx86
hi chipx86, How to work around the issue "HTTPS Subversion repositories don't work with Review Board"? I'm a little confused with your explanation, so could you please explain it in detail? thanks!
There are two options:
1) Upgrade to the 1.1 development branch (which, being in-development, may be
unstable and probably isn't suitable for development use).
2) Figure out what the home directory is for Apache (I don't know on Windows, but you
may be able to figure it out by turning on logging and temporarily modifying, say,
reviewboard/__init__.py to add:
logging.info("Home directory = %s" % os.path.expanduser("~"))
to the very end of the file. Then restart Apache, go to a URL, and check the log file.
Once you have this, create a .subversion directory inside that directory.
Then, using command line tools, do an svn checkout of the URL you need. It should
verify your certificate or user information. You'll then need to take your own
~/.subversion directory and copy all the contents into the .subversion directory you
created for Apache, and make sure the .subversion directory and everything inside of
it is writable by the web server.
Note that I have not done this on Windows, so you may have to play around with this a
bit. The problem should go away, though, in 1.1.
I choose the second solution,
after I restart Apache and then visitor site, the following error came out:
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] mod_python (pid=3316,
interpreter='reviewboard_review', phase='PythonHandler',
handler='django.core.handlers.modpython'): Application error
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] ServerName: 'IEOD-B1GW22X'
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] DocumentRoot: 'C:/Program
Files/Apache Software Foundation/Apache2.2/htdocs'
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] URI: '/reviews'
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] Location: '/reviews'
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] Directory: None
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] Filename: 'C:/Program
Files/Apache Software Foundation/Apache2.2/htdocs/reviews'
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] PathInfo: ''
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] Traceback (most recent call
last):
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "C:\\Python25
\\Lib\\site-packages\\mod_python\\importer.py", line 1537, in HandlerDispatch\n
default=default_handler, arg=req, silent=hlist.silent)
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "C:\\Python25
\\Lib\\site-packages\\mod_python\\importer.py", line 1229, in _process_target\n
result = _execute_target(config, req, object, arg)
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "C:\\Python25
\\Lib\\site-packages\\mod_python\\importer.py", line 1128, in _execute_target\n
result = object(arg)
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "c:\\python25
\\lib\\site-packages\\django-1.0.3-py2.5.egg\\django\\core\\handlers\\modpython.py",
line 228, in handler\n return ModPythonHandler()(req)
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "c:\\python25
\\lib\\site-packages\\django-1.0.3-py2.5.egg\\django\\core\\handlers\\modpython.py",
line 191, in __call__\n self.load_middleware()
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "c:\\python25
\\lib\\site-packages\\django-1.0.3-py2.5.egg\\django\\core\\handlers\\base.py", line
32, in load_middleware\n for middleware_path in settings.MIDDLEWARE_CLASSES:
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "c:\\python25
\\lib\\site-packages\\django-1.0.3-py2.5.egg\\django\\utils\\functional.py", line
269, in __getattr__\n self._setup()
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "c:\\python25
\\lib\\site-packages\\django-1.0.3-py2.5.egg\\django\\conf\\__init__.py", line 39,
in _setup\n self._wrapped = Settings(settings_module)
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "c:\\python25
\\lib\\site-packages\\django-1.0.3-py2.5.egg\\django\\conf\\__init__.py", line 72,
in __init__\n mod = __import__(self.SETTINGS_MODULE, {}, {}, [''])
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] File "C:\\Python25
\\lib\\site-packages\\reviewboard-1.0rc3-py2.5.egg\\reviewboard\\__init__.py", line
3, in <module>\n logging.info("Home directory = %s" % os.path.expanduser("~"))
[Fri Oct 09 09:16:52 2009] [error] [client 127.0.0.1] NameError: name 'logging' is
not defined
another question: Does "Review Board 1.1 alpha 1 released" support the HTTPS subversion repository?
I tried again and got the error: Something broke! (Error 500) It appears something broke when you tried to go to here. This is either a bug in Review Board or a server configuration error. Please report this to your administrator.
It doesn't look like you put that at the end of the file.
On windows, the review board app located at:
C:\Python25\Lib\site-packages\ReviewBoard-1.0rc3-py2.5.egg\reviewboard
The content of __init__.py under the directory is:
# The version of Review Board.
VERSION = "1.0rc3"
I added the line:
logging.info("Home directory = %s" % os.path.expanduser("~"))
to the end of the file, and restart apache, visite site from IE, I got the 500 error.
Anything wrong with the operation?
Ohhh.. You're running a pretty old version. Okay, place this in reviewboard/urls.py instead.
Many thanks! I following your suggesting, add the line to the end of the urls.py and restart apache server, and try to create a review request, but with error: Something broke! (Error 500) The log message of apache is: 2009-10-10 15:14:46,717 - WARNING - Could not open logfile /logs/reviewboard.log. Logging to stderr 2009-10-10 15:14:46,717 - INFO - Logging to /logs/reviewboard.log with a minimum level of DEBUG 2009-10-10 15:14:46,717 - INFO - Log file for Review Board v1.0rc3 2009-10-10 15:14:46,779 - INFO - Home directory = ~ 2009-10-10 15:14:58,030 - DEBUG - DiffParser.parse: Beginning parse of diff, size = 10045 2009-10-10 15:14:58,030 - DEBUG - DiffParser.parse: Finished parsing diff. maybe the version of review board is too old, i need switch to newer version...
Sounds like the expansion failed. The Python docs indicate that this is due to %HOME%, %USERPROFILE%, %HOMEPATH% and %HOMEDRIVE% being unset. Python needs at least two of these to expand the path. The solution may be to figure out where the home directory should be and then add some SetEnv directives to set HOME and USERPROFILE. Subversion, it seems, expects to live in %APPDATA%\.subversion (basically, C:\Document and Settings\<username>\Application Data\.subversion). Dunno about whether that directory exists for Apache at all, or whatever user Apache is running as. That's something you may need to figure out there. I don't really have a Windows install I can test this on. You may also want to look into hosting Review Board on Linux in a VM or something. It's far more supported by us.
I'm still trying to find solution for the issue, unfortunately... I found another webapp(in python), which is similar to Review Board in dealing with access to SVN repository, and it solved the problem about the https authentication support. Attached source code here for further reference. ref: http://transifex.org/browser/transifex/vcs/lib/types/svn.py?rev=946% 3Ae2782e83e8dd Wish it be useful to solved the issue.
-
+
How is going on?
Did my recommendations not work out for setting those environment variables?
yes,I did, see attached screenshot. I still got the error "HTTPS certificate not accepted. Please ensure that the proper certificate exists in C:/Documents and Settings/yunshandi/.subversion/auth for the user that reviewboard is running as." But the certificate does exist under the .subversion/auth.
-
+ +
I followed the step:
2) Figure out what the home directory is for Apache (I don't know on Windows, but you
may be able to figure it out by turning on logging and temporarily modifying, say,
reviewboard/__init__.py to add:
logging.info("Home directory = %s" % os.path.expanduser("~"))
After restart apache, check the apache log, and found a few errors
I have tried anyway i can do, still no help on this issue, i will work on the issue until it works, and i still hope someone could help me to workaround it, many thanks!
At this point, I recommend taking this to the mailing list and referencing this bug. The original bug is fixed in 1.1, and we don't support HTTPS in any official capacity for 1.0. You would have to see if other people have workarounds they've used.
hi Chipx86 Could you tell me how to fix it? I can modify it by myself. which py file should I change? how to change?
There isn't some simple thing to modify. HTTPS support requires a great deal of code, which is in the 1.1 alphas/nightlies. It's not perfectly stable yet, though, and some people have problems with it.
hi how to crete the $home/.subversion/auth? i can not find the auth in my home dir.
From the release notes, it seems the subverion https issue is gone. but after i installed the latest RB1.5 Beta1, then add a subversion repository, the error prompt: Please correct the error below. A repository was not found at the specified path.
Did you specify the path to the top-level of the repository, or a subdirectory inside of it? Is there anything in the logs?
a subdirectory of inside a repository example: https://svnserver/xxx_rep/xxx_proj
That's likely the problem. You must point to the very top of the Subversion repository. Subdirectories will cause problems.
Https authentication problem is solved by add java options when start apache. Another question: Does review board support pre-commit review? In the 1.5 Beta1, I can not find how to create a pre-commit review.
Pre-commit review is the default. Review Board was developed with pre-commit in mind. Just run post-review and it will generate a diff of your changes and post them.
run post-review under my local svn workspace, error prompt: D:\mywork\test_proj>post-review Failed to execute command: ['svn', 'diff', '--diff-cmd=diff'] ['Index: src/init.cpp\n', '=================================================================== \n', "svn: Can't start process 'diff': \xcf\xb5\xcd\xb3\ xd5\xd2\xb2\xbb\xb5\xbd\xd6\xb8\xb6\xa8\xb5\xc4\xce\xc4\xbc\xfe\xa1\xa3 \n"] D:\mywork\test_proj>
You need to install GNU diff. Further problems should be posted on the mailing list. I don't want to clutter the history of this bug with unrelated problems.
old thread but maybe the workaround I found may help some. thou apache is running as "apache" user the home I got by adding log to the py is "ERROR:root:Home directory = /root". Which I guess it the home of the apache root process. But the process running RB is running as "apache" user and thus cant access the "root/.subversion" folder. In short I did "chown -r apache:apache /root" and now it all works fine. real ugly I know....
In new installs, HOME will point to a writable directory, which should solve this problem. In new upgrades, rb-site will tell the user how to update their config to fix the home directory.
I see this is still an issue today, Getting no love on a solution.