jbangdev / jbang

Unleash the power of Java - JBang Lets Students, Educators and Professional Developers create, edit and run self-contained source-only Java programs with unprecedented ease.
https://jbang.dev
MIT License

Dependency download does not work with encrypted password #1620

Open rH4rtinger opened 1 year ago

rH4rtinger commented 1 year ago

Describe the bug

According to https://www.jbang.dev/documentation/guide/latest/dependencies.html#repositories

For secure authentication jbang will honor ~/.m2/settings-security.xml for configuring username/passwords.

I have in ~/.m2/settings.xml a mirror to a proxy repository which requires authentication. The username and password for the proxy are encrypted as described by Maven Password Encryption.

That means in my settings.xml there is a username in plain text and an encrypted password in curly brackets.

In my settings-security.xml my master password is also encrypted.

When I am trying to access a dependency which is not in my local .m2 directory, I am getting 401 Unauthorized.

To Reproduce

Steps to reproduce the behavior:

  1. Follow the guidelines of https://maven.apache.org/guides/mini/guide-encryption.html to encrypt Maven passwords and store them encrypted
  2. Redirect all traffic in the settings to the proxy repository
  3. Create a new jbang file with a dependency (for example the cli template)
  4. Make sure the dependency is currently not in your .m2 directory
  5. Try to run your script so that it downloads the resources
  6. Get a 401 error, because the password was not decrypted

Expected behavior

Encrypted passwords should be recognized and decrypted for communication with a proxy repository which requires authentication.

JBang version

[jbang] [0:226] jbang version 0.106.3 Cache: C:\Users\.jbang\cache Config: C:\Users\.jbang Repository:C:\Users\.m2 0.106.3

Additional context

If I use a normal Java project and try to resolve a Maven dependency, my encrypted password works and the resources are downloaded normally.

Also, if I replace the encrypted password with the plain text password in my settings.xml, the Maven download works.
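The two settings files the report describes, as a constructed example added here (not the reporter's own files or anything from the JBang project): the proxy host and the bracketed ciphertexts are placeholders, and the real values come from `mvn --encrypt-master-password` and `mvn --encrypt-password` as the linked Maven guide shows.

```xml
<!-- ~/.m2/settings-security.xml (constructed example):
     the master password, itself stored encrypted -->
<settingsSecurity>
  <master>{PLACEHOLDER_MASTER_CIPHERTEXT=}</master>
</settingsSecurity>

<!-- ~/.m2/settings.xml (constructed example):
     every request is redirected to the proxy repository, whose server entry
     carries a plain-text username and a password encrypted with the master above -->
<settings>
  <mirrors>
    <mirror>
      <id>proxy-repo</id>
      <mirrorOf>*</mirrorOf>
      <url>https://proxy.example.internal/repository/maven-public/</url>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <id>proxy-repo</id>  <!-- must match the mirror id for the credentials to apply -->
      <username>build-user</username>
      <password>{PLACEHOLDER_PASSWORD_CIPHERTEXT=}</password>
    </server>
  </servers>
</settings>
```

A consumer that reads settings.xml but never resolves settings-security.xml sends the literal `{...}` string as the password, which is the 401 the report describes. To confirm the Maven side decrypts correctly before testing jbang, `mvn help:effective-settings -DshowPasswords=true` prints the resolved settings.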

samizzy commented 1 year ago

Also facing the same problem, is this going to be picked up anytime soon?

quintesse commented 1 year ago

@maxandersen could be useful to see if using MIMA fixes this problem.

baldimir commented 10 months ago

Also facing the same problem. Could this be prioritized please? I think using custom Maven repositories with authentication is an important use case.

maxandersen commented 10 months ago

@baldimir To be clear: you can access repos with authentication with jbang.

The issue here is about having a way to use encrypted credentials rather than setting an env var to the right thing.

If someone is around with some good ideas on how to easily test and verify this, I'm all ears. PRs welcome too.

maxandersen commented 10 months ago

@baldimir what is the latest jbang version you tried with? The latest 0.114 has MIMA integrated, which could potentially fix it.

cstamas commented 10 months ago

MIMA should handle this transparently. If not, that is a MIMA bug. Please use JBang 0.114+, which has MIMA, as @maxandersen said.

But I have to say a bit more about "password encryption" in Maven with my Maven PMC hat on: current Maven password encryption is inherently insecure. It is much better to have your configuration files properly secured (FS perms, disk encryption, physical security, etc.) to be on the safe side.

For a start, the Maven team is somewhat aligned with (shares the same arguments as) the Tomcat team regarding "security through obscurity". Moreover, there was this fix (not yet used by Maven or MIMA) that shows technical issues with the existing code as well. While the change improves things, the fundamental situation remains unchanged, as it is really "turtles, all the way down...".