conan-io / conan

Conan - The open-source C and C++ package manager
https://conan.io
MIT License

[question] Corrupted package after upload (403) #16508

Closed Nekto89 closed 1 week ago

Nekto89 commented 1 week ago

What is your question?

Hi.

I'm trying to upload a recipe to a conan repository on an Artifactory server. For some reason conan upload fails only on one package - onetbb/2021.12.0. It uploads conan_export.tgz and then fails with "403 Forbidden". If I understood correctly, the next steps would be uploading conanfile.py and conanmanifest.txt. I'm left with this state on the server and have to do conan remove manually afterwards. [image]

1) Can conan automatically do clean-up if upload failed?
2) What might be the reason for this? Antivirus or firewall on Artifactory server? Maybe someone encountered similar issue in the past? Token definitely has access because I can remove package.

C:\conan\test_conan\recipes\onetbb\all>conan upload -vtrace -r my_remote "onetbb/2021.12.0@user/stable"

======== Uploading to remote my_remote ========

-------- Checking server existing packages --------
onetbb/2021.12.0@user/stable: Checking which revisions exist in the remote server

-------- Preparing artifacts for upload --------

-------- Uploading artifacts --------
onetbb/2021.12.0@user/stable: Uploading recipe 'onetbb/2021.12.0@user/stable#84857be2c472043a9492e96348c9fbc8' (10.1KB)
Traceback (most recent call last):
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\auth_manager.py", line 41, in call_rest_api_method
    ret = getattr(rest_client, method_name)(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\rest_client.py", line 72, in upload_recipe
    return self._get_api().upload_recipe(ref, files_to_upload)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\rest_client_common.py", line 193, in upload_recipe
    self._upload_recipe(ref, files_to_upload)
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\rest_client_v2.py", line 126, in _upload_recipe
    self._upload_files(files_to_upload, urls)
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\rest_client_v2.py", line 144, in _upload_files
    uploader.upload(resource_url, files[filename], auth=self.auth,
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\file_uploader.py", line 70, in upload
    return self._upload_file(url, abs_path, headers, auth)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\file_uploader.py", line 88, in _upload_file
    self._handle_400_response(response, auth)
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\file_uploader.py", line 30, in _handle_400_response
    raise ForbiddenException(response_to_str(response))
conans.errors.ForbiddenException: 403: Forbidden

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Soft\Python311\Lib\site-packages\conan\cli\cli.py", line 193, in run
    command.run(self._conan_api, args[0][1:])
  File "C:\Soft\Python311\Lib\site-packages\conan\cli\command.py", line 164, in run
    info = self._method(conan_api, parser, *args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Soft\Python311\Lib\site-packages\conan\cli\commands\upload.py", line 104, in upload
    conan_api.upload.upload_full(package_list, remote, enabled_remotes, args.check,
  File "C:\Soft\Python311\Lib\site-packages\conan\api\subapi\upload.py", line 92, in upload_full
    _upload_pkglist(package_list, subtitle=ConanOutput().subtitle)
  File "C:\Soft\Python311\Lib\site-packages\conan\api\subapi\upload.py", line 83, in _upload_pkglist
    self.upload(pkglist, remote)
  File "C:\Soft\Python311\Lib\site-packages\conan\api\subapi\upload.py", line 58, in upload
    executor.upload(package_list, remote)
  File "C:\Soft\Python311\Lib\site-packages\conans\client\cmd\uploader.py", line 217, in upload
    self.upload_recipe(ref, bundle, remote)
  File "C:\Soft\Python311\Lib\site-packages\conans\client\cmd\uploader.py", line 229, in upload_recipe
    self._app.remote_manager.upload_recipe(ref, cache_files, remote)
  File "C:\Soft\Python311\Lib\site-packages\conans\client\remote_manager.py", line 40, in upload_recipe
    self._call_remote(remote, "upload_recipe", ref, files_to_upload)
  File "C:\Soft\Python311\Lib\site-packages\conans\client\remote_manager.py", line 257, in _call_remote
    return self._auth_manager.call_rest_api_method(remote, method, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Soft\Python311\Lib\site-packages\conans\client\rest\auth_manager.py", line 44, in call_rest_api_method
    raise ForbiddenException(f"Permission denied for user: '{user}': {e}")
conans.errors.ForbiddenException: Permission denied for user: 'mklymov': 403: Forbidden. [Remote: my_remote]

ERROR: Permission denied for user: 'mklymov': 403: Forbidden. [Remote: my_remote]

Have you read the CONTRIBUTING guide?

memsharded commented 1 week ago

Hi @Nekto89

Thanks for your question.

This is indeed unexpected and weird, I haven't seen anything like this before.

> Can conan automatically do clean-up if upload failed?

No, this is not possible. A 403 Forbidden is quite explicit and stops, even trying to remove in the server automatically from the client doesn't make much sense.

> What might be the reason for this? Antivirus or firewall on Artifactory server? Maybe someone encountered similar issue in the past? Token definitely has access because I can remove package.

To be honest, I have no idea. It would be very useful to have the server side traces, please try to collect them if you are running the server, or ask IT or your devops teams to try to collect these logs, maybe they contain some further hints of what could be happening. Also, if there is some other component like scanners such as Xray connected to Artifactory that could be interacting with the upload.

From the client side, I'd try to do some extra checks, like uploading exactly that package, but empty (to see if there is something in the specific package name), or the opposite, try to have exactly the same payload of the package, but under a different name. I'd also inspect the conanmanifest.txt file in the recipe, in case it could contain something unexpected.

memsharded commented 1 week ago

Also, the exact Conan version and Artifactory versions would be needed.

Other things to try:

Nekto89 commented 1 week ago

> Also, the exact Conan version and Artifactory versions would be needed.
>
> Other things to try:
>
> * Trying the upload from other different machine
> * Trying the upload of exactly the same package to a local running ArtifactoryCE

0) conan 2.3.1, artifactory 7.63.12, jf cli 2.16.4
1) changing channel name doesn't help
2) tried uploading "conanfile.py" to generic repository through jfrog cli (jf.exe) - same 403 error.
3) tried uploading "conanfile.py" to generic repository through browser - it magically works and can be downloaded afterwards.

I'm trying to get more info\logs from the team that supports Artifactory instance, but they are currently busy with other tasks. I will write here if I find the reason for this strange behavior.

Nekto89 commented 1 week ago

Mystery solved. For some reason WAF service thinks that this file contains SQL injection. https://raw.githubusercontent.com/conan-io/conan-center-index/master/recipes/onetbb/all/conanfile.py

Issue can be closed if there is nothing that can be done for doing uploads as transactions with possibility of rollback.

memsharded commented 1 week ago

Good to hear, happy to see it is not a bug on our end.

> Issue can be closed if there is nothing that can be done for doing uploads as transactions with possibility of rollback.

The capability of more atomic uploads is something that we are already aware of and we would like to try to approach some time in the future, but as this requires a lot of functionality in the server, it is a bit out of the scope of this ticket, so closing the ticket as the main issue was identified.

Thanks for the feedback.

Nekto89 commented 1 week ago

@memsharded one more related question. Is it possible for conan to output more information and not just callstack? For example, like curl does with -vv? In this case body of response contained important data in HTML format but conan wasn't showing it.

memsharded commented 1 week ago

At this moment the capturing of Forbidden and Authentication errors assumes the human-readable response would be in the response.reason for text/html responses and data["message"] for application/json, and that should be included in the error printed.

If this is not enough, which seems the case, at the moment there are no traces for the http communication api calls details. One reason for not being able to easily print http traces is that headers will often include tokens, passwords, etc, and that is a security risk to expose them in logs.