Joe Wright edited this page Nov 30, 2018 · 6 revisions

What does Nevergreen store locally?

Usernames and passwords can be entered to allow Nevergreen to authenticate itself with your CI server. Every password entered is sent to the Nevergreen server for encryption; only the encrypted value is stored client-side, in local storage. Usernames are stored in plain text.

How are the username & password used?

The username and encrypted password are sent to the Nevergreen server during API calls for projects. The server decrypts the password and passes it on to your CI server using basic auth, authenticating Nevergreen as the given user.

IMPORTANT: The URL used to fetch the cctray xml should be https; otherwise the username and password would be readable in transit during the call from Nevergreen to your server.

What does Nevergreen need to access?

Nevergreen only needs access to the cctray xml feed from your CI server.

How can I lock down Nevergreen access?

Most [all?] CI servers do not have granular enough user access controls to allow access to only the cctray xml feed. This means you'll have to do some extra work to fully lock down access.

Creating a read only user

This is the bare minimum you should do to lock down access to your CI server. It means that if the username and password were exposed, an attacker would not be able to make any potentially destructive changes. However, they would still be able to read all the logs from your various builds, which would likely expose many details about your internal infrastructure.

See the documentation for your CI server to learn how to create a read only user.

Adding a proxy for access control

Adding a reverse proxy such as nginx or HAProxy allows you to lock down access to only the cctray xml feed over https with basic auth. If additional security is required, techniques such as whitelisting can easily be layered on top of this basic setup.

This is the recommended approach as it allows you to completely lock down access and doesn't require your CI server to be exposed outside of your internal network at all.
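The following nginx configuration is an added example of the proxy set-up described above; it is not part of the Nevergreen project or its documentation. It exposes a single path (the cctray feed) over https with basic auth, answers 404 for everything else, and layers an IP allow-list on top. The hostnames `ci-feed.example.com` and `ci.internal`, the feed path `/cctray.xml`, the certificate and htpasswd file locations, and the `10.0.0.0/8` range are all assumptions; the feed path in particular differs between CI servers.

```nginx
# Added example (not Nevergreen's own config): expose ONLY the cctray xml
# feed of an internal CI server, over https, behind basic auth.
# Hostnames, paths and the IP range below are assumptions.

# Plain http is redirected so credentials are never sent in the clear.
server {
    listen 80;
    server_name ci-feed.example.com;          # assumed public hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ci-feed.example.com;          # assumed public hostname

    ssl_certificate     /etc/nginx/tls/ci-feed.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/ci-feed.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Default: nothing on the CI server is reachable through this proxy.
    location / {
        return 404;
    }

    # Exact-match location: only the feed itself is proxied.
    location = /cctray.xml {                  # assumed feed path
        # Extra layer (the "whitelisting" mentioned above): only the
        # network Nevergreen runs in may even attempt authentication.
        allow 10.0.0.0/8;                     # assumed internal range
        deny  all;

        # Basic auth enforced by the proxy. Create the file with e.g.
        #   htpasswd -c /etc/nginx/cctray.htpasswd nevergreen
        # using the same read-only account the CI server knows.
        auth_basic           "cctray feed";
        auth_basic_user_file /etc/nginx/cctray.htpasswd;   # assumed path

        # A feed is read-only; refuse any method other than GET/HEAD.
        limit_except GET {
            deny all;
        }

        # Forward to the CI server on the internal network. nginx passes the
        # client's Authorization header through, so the CI server sees the
        # same read-only credentials. Session cookies from the CI server are
        # not relayed back to the client.
        proxy_pass         http://ci.internal:8080/cctray.xml;   # assumed upstream
        proxy_set_header   Host ci.internal;
        proxy_hide_header  Set-Cookie;
    }
}
```

With this in place the CI server only needs to be reachable from the proxy host, and a leaked Nevergreen credential yields at most the feed XML, not build logs or the CI web UI. If you would rather not hand out the CI account at all, replace the pass-through with a `proxy_set_header Authorization "Basic ..."` line holding the read-only CI credentials on the proxy host and give Nevergreen a separate proxy-only account in the htpasswd file.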

Using Nevergreen from an <iframe>

By default Nevergreen is not accessible via an <iframe> to prevent click-jacking attacks. You can override this behaviour to allow a whitelist of hosts via an environment variable