Nant, Vault e autenticazione integrata di Windows

Question

Sono voler eseguire una serie di compiti a SourceGear Vault (V4.1.4) con Nant (V0.86.3317.0).

C'è un modo che possiamo ottenere Vault per utilizzare l'autenticazione di Windows da Nant per creare la connessione?

Il blocco Nant che sto usando per inizializzare la volta Connect è:

<target name="InitialiseVaultSettings">
<echo>InitialiseVaultSettings</echo>
<vaultsetloginoptions user="${vault.Username}" password="${vault.Password}" URL="${vault.Host}" repository="${vault.Repository}" />
<vaultsetworkingfolder repositoryFolderPath="${vault.Folder}" diskPath="${vault.WorkingDirectory}" createDiskPath="true" />

Come sto lavorando al progetto con altri sviluppatori, codifica duro nomi utente e password nel file di build Nant non è una buona idea. Sia username e password sono le opzioni necessarie nel comando vaultsetloginoptions.

Altre alternative (tutte con catture) includono:

(a) hardcode l'account 'Admin' nelle proprietà Nant e accedere volta in utilizzando tale. Questo non è così grande, come abbiamo poi perdiamo un itinerario di controllo di chi è responsabile per le operazioni di check-in / check-out lo script Nant esegue. Essa provoca anche problemi quando la soluzione è file estratti (parte dello script assicura tutti i file vengono controllati di nuovo nel controllo di origine prima di generare un'etichetta in Vault).

(b) Utilizzare uno script C # dal codice Nant per impostare le proprietà di username e password in modo dinamico ... tranne che abbiamo poi un problema di ottenere la password da parte dell'utente ancora

(c) Leggere le informazioni profilo memorizzato dal client Vault e connettersi utilizzando tale (tranne che non so dove è memorizzato).

Grazie per la vostra considerazione.

Answer 1

I have implemented with success the prototype to work-around this problem.

Full Source and Binaries for the workaround described below can be found here :

Vault Login Extensions

I have created some custom NAnt tasks and functions.

<VaultLogin> checks the Windows Registry for username and password information previously stored. If not found it prompts the user with a Login window. It stores the entries in two functions and clears the registry (in case the login fails - see <SaveVaultLogin> below) :

${VaultLoginFunctions::UserName()}
${VaultLoginFunctions::Password()}

The <vaultsetloginoptions> task is then able to use the functions :

<vaultsetloginoptions user="${VaultLoginFunctions::UserName()}" password="${VaultLoginFunctions::Password()}" URL="${vault.Host}" repository="${vault.Repository}" />

After calling the <vaultsetloginoptions> task, we then call the <SaveVaultLogin> task which writes the username and password values back to the registry. This ensures that only successful authentication details are stored (as the script fails at the task if the username and password are incorrect.

This is the code block put together :

  <target name="InitialiseVaultSettings">
<echo>InitialiseVaultSettings</echo>

<loadtasks assembly="CompassHealth.NAntExtensions.Tasks.dll" />

<VaultLoginGet />
<echo message="UserName = ${VaultLoginFunctions::UserName()}" />

<vaultsetloginoptions user="${VaultLoginFunctions::UserName()}" password="${VaultLoginFunctions::Password()}" URL="${vault.Host}" repository="${vault.Repository}" />

<vaultsetworkingfolder repositoryFolderPath="${vault.Folder}" diskPath="${vault.WorkingDirectory}" createDiskPath="true" />


<!-- need to save the login here, as it is cleared once VaultLoginGet is called, this ensures that only correct username and password are stored -->
<VaultLoginSave />    

Update : link to binaries and source for work-around now at top of post.

Answer 2

I'm unfamiliar with Vault so please forgive the potential vagueness of this answer. I've worked with NAnt a lot and anything that gets executed (tasks, execs, etc) have the inherent potential to be running in integrated authenticated mode.

In the end, authentication gets passed along to whichever user happens to be running the parent NAnt process. That being said, this could be a sign that Vault's NAnt tasks don't support integrated authentication? Meaning, if the vaultsetloginoptions task requires the user and password arguments, then there is no good way to pass along credentials (as you pointed out).

If there happens to be no workarounds for the potential lacking in Vault's NAnt tasks it might be possible to use the <exec> task to call a command line version of their client side tool (not even sure if they have one). If this is an option, integrated authentication will automatically kick in as long as the user running the NAnt process is the same as the one needing to connect to Vault.

We've had to do this for a few things we integrate with in our build process. We've either exec'd out to the command line version or have written our own Task(s) by extending the NAnt framework. Either way, this should be possible.

Update

Did some looking around on the Vault forums and it seems that the AD integration is merely a way to have Vault Client prompt the user and pass along to server. From the forum:

The Vault client will always prompt for the username/password. Our AD integration is limited to the server verifying that the password entered matches the password in Active Directory.

Therefore, there is no true way for the client to pass along windows authentication information in a built-in way. The Vault client program requires one to input the username and password when running in AD mode. Sadly, it would seem without storing the username/password, the chances of seamless NAnt integration is a far shot.

Answer 3

After looking at Scott Saad's suggestion, unfortunately there appears to be no option in the command line tool either to call it using Windows Authentication.

My current thinking is in line with (b) above.

I'll create a library that can be called from the Nant script, asking for the current windows user's Vault username and password.

The library will look in a resigstry entry for a previously entered Vault username and login for this windows user. If it exists, it will be passed to the script without any user interaction.

If this username / password fails the vault login, or if it doesn't exist then the library will provide a dialog for the user to enter the current vault username and password.

The user's entry will be stored in the registry (encrypted) meaning this should only have to be entered once each time the Vault username and password change.

Not an ideal solution, but should be relatively straight-forward and an acceptable enough work around.

What do you think?