search

jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0
531 stars 234 forks source link

jfrog rt go-publish command totally ignores --user/--password flags #1160

Open KJTsanaktsidis opened 3 years ago

KJTsanaktsidis commented 3 years ago

Describe the bug I'm setting up a CI pipeline that publishes Go modules to Artifactory. I would like the jfrog CLI configuration to be checked in to the repository, however I would like the artifactory credentials to be supplied only at run-time when the build is running in CI.

The help output for jfrog rt go-publish indicates that it supports a --user and --password flag for this purpose:

% jfrog rt go-publish -h
...
  --password            [Optional] Artifactory password.
...
  --user                [Optional] Artifactory username.
...

However, they appear to to be totally ignored.

To Reproduce

So, I configured an artifactory server like so:

% JFROG_CLI_HOME_DIR=.jfrog CI=true jfrog config add zdrepo --url https://zdrepo.jfrog.io/ --artifactory-url https://zdrepo.jfrog.io/zdrepo 
% JFROG_CLI_HOME_DIR=.jfrog CI=true jfrog rt go-config --repo-deploy go-pkg --repo-resolve zen-go --server-id-deploy zdrepo --server-id-resolve zdrepo
% cat .jfrog/jfrog-cli.conf.v5
{
  "servers": [
    {
      "url": "https://zdrepo.jfrog.io/",
      "artifactoryUrl": "https://zdrepo.jfrog.io/zdrepo/",
      "distributionUrl": "https://zdrepo.jfrog.io/distribution/",
      "xrayUrl": "https://zdrepo.jfrog.io/xray/",
      "missionControlUrl": "https://zdrepo.jfrog.io/mc/",
      "pipelinesUrl": "https://zdrepo.jfrog.io/pipelines/",
      "serverId": "zdrepo",
      "isDefault": true
    }
  ],
  "version": "5"
}

And then tried to publish like so. However, it does not actually attempt to authenticate to artifactory with the provided user/password arguments.

% JFROG_CLI_LOG_LEVEL=DEBUG JFROG_CLI_HOME_DIR=.jfrog CI=true jfrog rt go-publish  --user="$ARTIFACTORY_USERNAME" --password="$ARTIFACTORY_PASSWORD"  "v1.7.0-demo1"
[Debug] Go config file was found in: /Users/ktsanaktsidis/Code/go/src/github.com/confluentinc/confluent-kafka-go/.jfrog/projects/go.yaml
[Info] Using go: go version go1.16.3 darwin/amd64

[Debug] Found deployer in the config file /Users/ktsanaktsidis/Code/go/src/github.com/confluentinc/confluent-kafka-go/.jfrog/projects/go.yaml
[Debug] Sending HTTP GET request to: https://zdrepo.jfrog.io/zdrepo/api/system/version
{
  "status": "failure",
  "totals": {
    "success": 0,
    "failure": 0
  }
}
[Error] Server response: 401 Unauthorized
{
  "errors": [
    {
      "status": 401,
      "message": "Authentication is required"
    }
  ]
}

Expected behavior The provided --user and --password credentials should overwrite the (nonexistant) values in the artifactory config file.

Screenshots N/A

Versions

Additional context N/A

eyalbe4 commented 3 years ago

@KJTsanaktsidis, For security reasons, JFrog CLI either uses the entire configuration stored by the "jfrog config add" command or reads the entire configuration from the command flags. It intentionally doesn't read the URL from the stored configuration and the credentials from the flags. If you prefer to send the credentials as command flags, also add the --url flag. Make sure the --url flag includes the Artifactory API endpoint (which usually emds with /artifactory). The reason why mixing stored configuration and flags is blocked, is to minimize the chances of mistakenly sending the credentials of one server to another. Please let me if the above helps and that everything works for you.

KJTsanaktsidis commented 3 years ago

Thanks @eyalbe4 - that makes sense, except the go-publish command refuses to work without a locally stored configuration:

% jfrog rt go-publish --password "$ARTIFACTORY_API_KEY" --user "$ARTIFACTORY_USERNAME" --url "https://zdrepo.jfrog.io" v2.0.1-testing123kj
[Error] No config file was found! Before running the go command on a project for the first time, the project should be configured using the go-config command.
% jfrog rt go-config
[Error] No Artifactory servers configured. Use the 'jfrog c add' command to set the Artifactory server details.

This behaviour is actually documented in the v2 release notes: https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-ListofchangesinJFrogCLIv2 although it did used to work with only command line flags as you describe in v1.

eyalbe4 commented 3 years ago

Right @KJTsanaktsidis. V2 streamlines the usage of all package managers' related commands, and now all rely on a config command to be executed before the command (jfrog rt go-config in the case of jfrog rt go and jfrog rt go-publish). V1 is still available to be installed from https://jfrog.com/getcli-legacy/ We do however recommend moving to v2 at your convenience. Let us know if you have additional questions.