RhodeCode 4.14 and 4.15 Released

Published on January 09, 2019, by Marcin Kuzminski


We're happy to announce that RhodeCode 4.14 and 4.15 series release is out.

In 4.14 release, we introduced improvements in code-review components, repository archiving, and a new more powerful rcextensions component.
The 4.15 release adds SAML 2.0 Authentication support.

This release highlights are:

  • SAML 2.0 Authentication with support for Google, OneLogin, DuoSecurity.
  • Improved code review with new diff options, and smart context.
  • All new rcextensions extending functionality.
  • Updated fonts to show more consistent style across all different platforms.
  • Switched Polymer components to Polymer 3.0.

Take a few minutes to update your RhodeCode instance:
rccontrol self-update && rccontrol upgrade '*'

New to RhodeCode? Download the latest RhodeCode 4.15 Series from our website.
Keep reading for full release details.

SAML Authentication

In Release 4.15 RhodeCode added new authentication options.
It's now possible to use SAML 2.0 Authentication protocol to leverage existing SSO solutions such as OneLogin, Duo Security, or Google SAML.

SAML stands for Security Assertion Markup Language.
SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

In medium/big sized organizations managing users is a non-trivial task.
If you consider managing additionally 2FA components (Hardware Keys, SSO Apps) it gets even harder and more complex.
Simply ensuring all users properly add 2FA devices or such device is properly deactivated across all company applications could be a nightmare.

Of course, this problem has been solved by many companies that provide unified users management across all company applications.
With SAML added into RhodeCode it can come that one-click access application within your portfolio of applications.
We're seeing more companies adopt a unified solution to manage users to fix the problem of managing users and all their security aspects globally.
This is why SAML got a priority implementation in RhodeCode

Our own 2FA will eventually come to RhodeCode, but this is aimed at smaller organizations which don't require to have solutions like DuoSecurity or OneLogin implemented.
If your company is currently using LDAP/AD adding 2FA to all its users we recommend DUO Security which can use LDAP as the source of users, and in addition, can be installed on-premises.

RhodeCode integrations

Diff changes and code-review improvements

When viewing a diff with a large number of changes it's easy to get lost browsing through 100s of changed files.
To make that experience better we introduced a new context-aware diff browser and quick diff file switcher.
Scrolling through long diffs, name, and type of the file will be always visible to indicate which file we're reviewing at the moment.
The same context bar will also include a changed files switcher and a handy diff option menu.

RhodeCode integrations

There are in addition few improvements in the code-review system of RhodeCode.

In pull-request view, it's possible to view a range diff. In other words, instead of a combined view of changed that all commits produced, the view can be changed to showing each individual commit changes.

The commenting components will now allow inline comment on empty files without a diff.
It's possible to comment on that accidentally added empty file.
We're not stopping here. Expect next 1-2 releases to have more great code-review changes shipped.

Archive repository

Closed, or deprecated projects in RhodeCode can already be deleted.
However, this poses some problems.
If you'd like to keep the history of changes, comments, pull-requests related to this repository complete removal isn't the best option.
This is why we're introducing archive repository option in this release. Archiving the repository will make it entirely read-only.
The repository cannot be committed to and it is hidden from the search results and dashboard.

This is the best option to keep the full history and make sure the project won't be accidentally removed or altered.

RhodeCode integrations

New RCExtensions

RCExtensions are our low-level hooks that allow writing custom logic for the most sophisticated use cases, which the builtin integration system cannot handle.
Some good examples when you could use the rcextensions logic would be:

  • using _create_user_hook to create a user in a different system once RhodeCode user is created
  • using _pre_push_hook to add extra validation of some pushed data before it's stored in the VCS system

We updated rcextensions in 4.14 release. There are few new helpers available, we put some complex examples in there too.
The most significant change is ability to push the rcextensions output onto the VCS client output.

For example, writing such a small post_push rcextensions logic:

def _push_hook(*args, **kwargs):  
    from .helpers import extra_fields
    # fetch stored deploy url from repo extra fields
    repo_extra_fields = extra_fields.run(**kwargs)
    deploy_url = repo_extra_fields.get('deploy_endpoint_url', {}).get('field_value')

    msg = ''
    if deploy_url:
        my_deploy_function(deploy_url)
        last_commit = kwargs['commit_ids'][-1]
        msg = 'Commit {} was deployed to: {}'.format(last_commit, deploy_url)
    return HookResponse(0, msg)


Would result in triggering a deploy onto deploy_url (if defined in extra_fields for repository)
And push the message back to the client:

RhodeCode integrations


In addition, rcextensions now allow modifying the builtin integrations templates.
For example, the email integration that sends an email after a push uses our own template.
If you'd like to modify that template and put additional information onto that email, modify how the showed changes are displayed it's now possible using new rcextensions logic.
Please check the example of how to do this.

Security Improvements

Security is as always very important to us at RhodeCode.
In this release we worked to strengthen some components we use, in particular, we worked on:

  • Support evolve sub-commands when checking for permissions. Those defaulted to write, while the only read is required for certain evolve operations.
  • Add additional components to the Javascript RST sandbox.
  • Sanitize markdown cells inside Jupyter rendered notebooks.

If you use any of the above, we highly recommend upgrading to the latest version.

Summary

See the full list of changes in the 4.14 release release notes.
See the full list of changes in the 4.15 release release notes.

As usual, the update process is a simple one-liner type:
rccontrol self-update && rccontrol upgrade '*'
in the command line interface. Done!

Sincerely yours,
The RhodeCode team.