dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Nuget from private ProGet feed: found dependencies to update but Package.csproj restore fails #9098

Open jjolidon opened 6 months ago

jjolidon commented 6 months ago

Is there an existing issue for this?

Package ecosystem

nuget

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Expected: credentials are properly passed to the MSBuild step and used during restore.

The updater properly authenticates with ProGet and finds updates, but later the restore step with MSBuild fails to authenticate and retrieve packages.

The error looks like this:

/tmp/package-dependency-resolution_U7SCGL/Project.csproj : error NU1301: Unable to load the service index for source https://redacted-proget-host.example.org/nuget/FeedName/v3/index.json.

This seems somewhat related to #8887. At least parts of #9004 might solve the issue, in that ProGet expects a user name and password.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

jjolidon commented 6 months ago

Dependabot is executed in the context of Azure DevOps through the TingleSoftware docker image: https://github.com/tinglesoftware/dependabot-azure-devops

jjolidon commented 6 months ago

Solution proposed in #8887 DOES NOT apply to ProGet, the feed manifest includes the needed endpoints.

(Also to note: ProGet does support nuspec download, but I don't think there's an easy way of figuring out that the feed is a ProGet feed short of trying to download the nuspec...)

brettfo commented 6 months ago

@jjolidon Do you have an example of a public repo and a full log where this failure occurs? I'd like to see how the authentication is passed around and how it should get passed to MSBuild.

jjolidon commented 6 months ago

Unfortunately not. Here is the relevant section of script:

# $credentials is the array of registry entries; each one gets the ProGet
# user name and password joined as a single "user:password" token.
foreach ($feed in $credentials) {
  $feed["token"] = "${env:PROGET_USER_NAME}:${env:PROGET_USER_PASSWORD}"
}

$env:DEPENDABOT_EXTRA_CREDENTIALS = ConvertTo-Json $credentials -Compress

jjolidon commented 6 months ago

This ends up being a structure of the form:

[
  {
    "type": "nuget_feed",
    "url": "https://proget.example.org/nuget/FeedName/v3/index.json",
    "token": "ProGetUserName:ProGetPassword"
  }
]

While I can't give you the whole script and sources, I'm willing to do my best providing the information you're missing, so do not hesitate to ask!

rhyskoedijk commented 1 month ago

Hi @jjolidon, I see you are using the Dependabot Azure DevOps Extension here. It might be possible to get this to work by using your personal api key as the raw token value. e.g.

[
  {
    "type": "nuget_feed",
    "url": "https://proget.example.org/nuget/FeedName/v3/index.json",
    "token": "ProGetPAT"
  }
]

If that doesn't work or you need to use username+password for auth, this issue could likely be due to how username+password auth isn't handled correctly when doing updates using MSBuild. A proposed fix has been submitted to https://github.com/tinglesoftware/dependabot-azure-devops/pull/1248 which adds better support for feeds requiring username+password auth.

For context, when Dependabot uses MSBuild to perform NuGet updates, it relies on credentials stored in an auto-generated nuget.config. Dependabot only supports "token" auth when using this config file. If your registry is configured with username+password, it wouldn't work as username is always set to "user" and password is always set to the registry token property. See: https://github.com/dependabot/dependabot-core/blob/8441dbad1bb13149f897cdbe92c11d36f98c8248/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb#L38-L41

After https://github.com/tinglesoftware/dependabot-azure-devops/pull/1248, it should be possible to use username and password auth for projects that update via MSBuild. e.g.

version: 2
registries:
  proget:
    type: nuget-feed
    url: https://proget.example.org/nuget/FeedName/v3/index.json
    username: ${{ProGetUserName}}
    password: ${{ProGetPassword}}
    token: ${{ProGetUserName}}:${{ProGetPassword}}

Or using a personal api key. e.g.

version: 2
registries:
  proget:
    type: nuget-feed
    url: https://proget.example.org/nuget/FeedName/v3/index.json
    username: api
    password: ${{ProGetPAT}}
    token: api:${{ProGetPAT}}
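As an added illustration, not code from dependabot-core or the Azure DevOps extension: a simplified Ruby model of the nuget.config generation described in the comment above, showing why a feed that needs HTTP basic auth fails when username is fixed to "user" and the token is used as the password, and how honouring explicit username/password fields changes the generated file. The source keys, element layout and the shape of the corrected mapping are assumptions for illustration.

```ruby
require "json"

# Constructed input in the shape jjolidon posted (missing comma added),
# plus a second feed that carries explicit username/password fields.
CREDENTIALS_JSON = <<~JSON
  [
    { "type": "nuget_feed",
      "url": "https://proget.example.org/nuget/FeedName/v3/index.json",
      "token": "ProGetUserName:ProGetPassword" },
    { "type": "nuget_feed",
      "url": "https://proget.example.org/nuget/Other/v3/index.json",
      "username": "api", "password": "ProGetPAT", "token": "api:ProGetPAT" }
  ]
JSON

def xml_escape(s)
  s.to_s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Behaviour rhyskoedijk describes: username is always "user", password is the token.
# A feed doing basic auth then sees user "user" with password "name:pass" and rejects it.
def token_only_credential(feed)
  { username: "user", password: feed["token"].to_s }
end

# Assumed shape of the fix (not the PR's code): honour explicit username/password
# fields when both are present, otherwise fall back to the old rule.
def username_password_credential(feed)
  return { username: feed["username"], password: feed["password"] } if feed["username"] && feed["password"]
  token_only_credential(feed)
end

# Render a nuget.config with one <packageSources> entry and one
# <packageSourceCredentials> block per nuget_feed, using the given mapper.
def nuget_config(credentials, mapper)
  sources, creds = [], []
  credentials.each_with_index do |feed, i|
    next unless feed["type"] == "nuget_feed"
    key = "source#{i}"
    c = mapper.call(feed)
    sources << %(    <add key="#{key}" value="#{xml_escape(feed["url"])}" />)
    creds << %(    <#{key}>\n      <add key="Username" value="#{xml_escape(c[:username])}" />\n) +
             %(      <add key="ClearTextPassword" value="#{xml_escape(c[:password])}" />\n    </#{key}>)
  end
  "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n  <packageSources>\n#{sources.join("\n")}\n" \
  "  </packageSources>\n  <packageSourceCredentials>\n#{creds.join("\n")}\n  </packageSourceCredentials>\n</configuration>\n"
end

puts nuget_config(JSON.parse(CREDENTIALS_JSON), method(:username_password_credential)) if $PROGRAM_NAME == __FILE__
```

Running it prints the generated file; the first feed still ends up with Username "user" and the combined token as the password, which is the case ProGet rejects, while the second feed is written with its real username and password.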