jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

JFrog CLI configuration command is not working when MFA is enabled #1443

Open swarnendukayal opened 2 years ago

swarnendukayal commented 2 years ago

Description:

If MFA (multi-factor authentication) is enabled, none of the internal users are able to configure the platform. It gives the error below:

    $ ./jfrog rt c
    Server ID [test-saas]: test-cloud
    JFrog platform URL [https://myartifactory.jfrog.io/]: https://myartifactory.jfrog.io/
    JFrog access token (Leave blank for username and password/API key):
    JFrog username [admin]:
    JFrog password or API key:
    Is the Artifactory reverse proxy configured to accept a client certificate? (y/n) [n]?
    [Error] The following error was received while trying to encrypt your password: Artifactory response: 403 Forbidden

Steps to Reproduce:

  1. Enable the MFA on Artifactory
  2. Scan the QR code and log in to the Artifactory.
  3. Wait for 5 mins
  4. Run the JFrog CLI command ( ./jfrog rt c) as mentioned above and the error will be reproduced.
  5. Disable the MFA and the error will be gone.

Expected Behavior: The configuration should happen successfully.

Versions:

yahavi commented 2 years ago

The root cause of this issue is a change in Artifactory 7.31.10.

Workaround: ~Run config command with --enc-password=false:~

jf config add <server-id> --enc-password=false

Edit: This workaround will not work. Only access tokens are allowed to use with MFA.

kutysam commented 2 years ago

Unfortunately, this 'workaround' will not work with the circleci orb at https://circleci.com/developer/orbs/orb/jfrog/artifactory-orb#commands-configure

It only accepts ARTIFACTORY_API_KEY / ARTIFACTORY_URL / ARTIFACTORY_USER and not ENC_PASSWORD. It would be good if JFrog updated the orb with all the possible input parameters from the JFrog CLI.

yahavi commented 2 years ago

After further investigation, we concluded that this behavior is actually by design in Artifactory 7.31.0 and above. From this version, in some of the APIs, only access tokens are allowed to be used with MFA. --enc-password=false will only help with the configuration, but not with the other commands.

To make things more clear during configuration, we created https://github.com/jfrog/jfrog-cli-core/pull/341 that prints the response from Artifactory.

@kutysam Since only access tokens are fully supported with MFA, and the Artifactory orb doesn't support access tokens, we suggest using the CLI directly:

  1. You can find the various ways to install the JFrog CLI here: https://jfrog.com/getcli
  2. Configure the JFrog CLI by running: jf c add --url=$JFROG_PLATFORM_URL --access-token=$JFROG_ACCESS_TOKEN
  3. See the relevant documentation here: https://www.jfrog.com/confluence/display/CLI/JFrog+CLI#JFrogCLI-JFrogPlatformConfiguration

Please let us know if you need any further assistance. 🙏🏼
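The access-token configuration recommended above, wrapped for a CI job, as an added example that is not code from the jfrog-cli project or from anyone in this thread. It assumes a `jf` binary on the path (overridable via `JF_BIN`), the `JFROG_PLATFORM_URL` / `JFROG_ACCESS_TOKEN` variable names from the comment above, and a hypothetical server id; it also recognises the exact "403 Forbidden" encrypt-password error from the report so a pipeline can fail with a useful hint instead of a bare 403.

```shell
# Added example, not jfrog-cli project code. JF_BIN, the env var names and
# the default server id are assumptions.
JF_BIN="${JF_BIN:-jf}"

# Print the recommended command with the token redacted. Returns 1 when the
# URL or token is missing or the URL is not HTTPS. Password / API-key
# variables are deliberately ignored: with MFA enabled, the password
# encryption step answers "403 Forbidden" (see the report above).
build_jf_config_cmd() {
    server_id="${1:-ci-server}"
    url="${JFROG_PLATFORM_URL:-}"
    token="${JFROG_ACCESS_TOKEN:-}"
    if [ -z "$url" ] || [ -z "$token" ]; then
        echo "JFROG_PLATFORM_URL and JFROG_ACCESS_TOKEN must be set" >&2
        return 1
    fi
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS platform URL: $url" >&2; return 1 ;;
    esac
    printf '%s c add %s --url=%s --access-token=<redacted>\n' \
        "$JF_BIN" "$server_id" "$url"
}

# Run the real command. The token is passed as an argument directly, never
# by eval-ing the printed (redacted) string.
jf_configure() {
    build_jf_config_cmd "$1" >/dev/null || return 1
    "$JF_BIN" c add "${1:-ci-server}" --url="$JFROG_PLATFORM_URL" \
        --access-token="$JFROG_ACCESS_TOKEN"
}

# Map CLI error text to a hint. Returns 0 for the MFA case quoted in the
# issue report, 1 for anything else.
diagnose_jf_error() {
    case "$1" in
        *"trying to encrypt your password"*"403 Forbidden"*)
            echo "password-encryption API refused the login: with MFA on Artifactory 7.31.x up to the 7.36.1 / 7.37.13 fix, configure with an access token (jf c add --url=... --access-token=...)"
            return 0 ;;
        *) echo "unrecognised jf config error"; return 1 ;;
    esac
}

# Constructed sample: the error line quoted in the issue report.
SAMPLE_ERR='[Error] The following error was received while trying to encrypt your password: Artifactory response: 403 Forbidden'
```

In a pipeline, call `jf_configure my-server` after exporting the two variables, and pipe any failure output through `diagnose_jf_error`.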

kutysam commented 2 years ago

However, it doesn't explain why a SAML / SSO authenticated user can still log in without the enc password and use the API key in the CLI.

Additionally, as mentioned, we are using the orb that is provided by JFrog to CircleCI. Will you guys be updating this orb so that we can specify the enc password parameter?

yahavi commented 2 years ago

@kutysam I took this issue with our security and Artifactory teams. We decided to reopen the password encryption API when using MFA with username and password/api-key. After this version, you should be able to work with Artifactory without any issues. This change is expected to take place in the next Artifactory version 7.36.0 and above. We'll keep you updated.

yahavi commented 2 years ago

@kutysam, the fix is included in Artifactory 7.36.1 or 7.37.13 and above. No upgrade of the JFrog CLI is needed. Feel free to use it - we'd appreciate your feedback on that.