Closed Nekto89 closed 1 week ago
Hi @Nekto89
Thanks for your question.
This is indeed unexpected and weird, I haven't seen before anything like this.
Can conan automatically do clean-up if upload failed?
No, this is not possible. A 403 Forbidden is quite explicit and stops, even trying to remove in the server automatically from the client doesn't make much sense.
What might be the reason for this? Antivirus or firewall on Artifactory server? Maybe someone encountered similar issue in the past? Token definitely has access because I can remove package.
To be honest, I have no idea. It would be very useful to have the server side traces, please try to collect them if you are running the server, or ask IT or your devops teams to try to collect these logs, maybe they contain some further hints of what could be happening. Also, if there is some other component like scanners such as Xray connected to Artifactory that could be interacting with the upload.
From the client side, I'd try to do some extra checks, like uploading exactly that package, but empty (to see if there is something in the specific package name), or the opposite, try to have exactly the same payload of the package, but under a different name. I'd also inspect the conanmanifest.txt
file in the recipe, in case it could contain something unexpected.
Also, the exact Conan version and Artifactory versions would be needed.
Other things to try:
Also, the exact Conan version and Artifactory versions would be needed.
Other things to try:
* Trying the upload from other different machine * Trying the upload of exactly the same package to a local running ArtifactoryCE
0) conan 2.3.1, artifactory 7.63.12, jf cli 2.16.4 1) changing channel name doesn't help 2) tried uploading "conanfile.py" to generic repository through jfrog cli (jf.exe) same 403 error. 3) tried uploading "conanfile.py" to generic repository through browser - it magically works and can be downloaded afterwards.
I'm trying to get more info\logs from the team that supports Artifactory instance, but they are currently busy with other tasks. I will write here if I'll find the reason for this strange behavior.
Mystery solved. For some reason WAF service thinks that this file contains SQL injection. https://raw.githubusercontent.com/conan-io/conan-center-index/master/recipes/onetbb/all/conanfile.py
Issue can be closed if there is nothing that can be done for doing uploads as transactions with possibility of rollback.
Good to hear, happy to see it is not a bug on our end.
Issue can be closed if there is nothing that can be done for doing uploads as transactions with possibility of rollback.
The capability of more atomic uploads is something that we are already aware and we would like to try to approach some time in the future, but as this requires a lot of functionality in the server, it is a bit out of the scope of this ticket, so closing the ticket as the main issue was identified.
Thanks for the feedback.
@memsharded one more related question. Is it possible for conan to output more information and not just callstack? For example, like curl does with -vv? In this case body of response contained important data in HTML format but conan wasn't showing it.
At this moment the capturing or Forbidden and Authentication errors are assuming the human-readable response would be in the response.reason
for text/html
responses and data["message"]
for application/json
, and that should be included in the error printed.
If this is not enough, which seems the case, at the moment there are no traces for the http communication api calls details. One reason for not being able to easily print http traces is that headers will often include tokens, passwords, etc, and that is a security risk to expose them in logs.
What is your question?
Hi.
I'm trying to upload recipe to conan repository in Artifactory server. For some reason conan upload fails only on one package - onetbb/2021.12.0. It uploads conan_export.tgz and then fails with "403 Forbidden". If I understood correctly - next steps would be uploading conanfile.py and conanmanifest.txt. I'm left with this state on server and have to do conan remove manually afterwards.![image](https://github.com/conan-io/conan/assets/4276548/a795eb8e-f6bf-4246-8163-cc57779d2604)
1) Can conan automatically do clean-up if upload failed? 2) What might be the reason for this? Antivirus or firewall on Artifactory server? Maybe someone encountered similar issue in the past? Token definitely has access because I can remove package.
Have you read the CONTRIBUTING guide?