Outdated does not work with authenticated nexus repository #17

Closed
TheCakeIsNaOH opened this issue Jan 13, 2021 · 13 comments · Fixed by #21

@TheCakeIsNaOH

TheCakeIsNaOH commented Jan 13, 2021

When running roco outdated on a machine that has an authenticated nexus repository as the only source, it does not find any updates and gives warnings for all packages installed. There are a number of outdated packages found when running choco outdated.


Also, this lives up to the hype and is super fast compared to choco with checking the chocolatey.org repo.

@mwallner mwallner self-assigned this Jan 14, 2021
@mwallner mwallner added the bug Something isn't working label Jan 14, 2021
@mwallner
Collaborator

Thanks for reporting this!
will try to reproduce & fix the issue with the OSS version of Sonatype nexus, hope that it supports authenticated feeds.

@TheCakeIsNaOH
Author

Should have said this in the first post, but I am using the OSS version 3.29.2-02 (current latest on docker hub), so hopefully, it should be easy to set up.

@mwallner
Collaborator

can confirm/reproduce this issue.
expect a fix by next week

@mwallner
Collaborator

mwallner commented Jan 15, 2021

Okay... I might have been a little hasty here 😐
Just realized that I need to decrypt the password for both proxy as well as feed connections before I can use them in 'reqwest'.

  • figure out how to decrypt_string, according to IEncryptionUtility (=> choco source)
  • add parameters -user and -password as well as -source in order to allow user to directly pass credentials for authenticated sources.

slight note @TheCakeIsNaOH - I haven't seen this issue up until now b/c I've only been using feeds with 'anonymous viewer access' - which is all that's required to receive the necessary ODATA info.

(don't know if possible for you or not, but you could enable this in your nexus instance and see if it works then)
(nexus/#admin/security/anonymous => "Allow anonymous users to access the server")

@TheCakeIsNaOH
Author

> (don't know if possible for you or not, but you could enable this in your nexus instance and see if it works then)
> (nexus/#admin/security/anonymous => "Allow anonymous users to access the server")

I tested it temporarily, and roco outdated does work for me with anonymous access enabled, however, I need authentication normally as the server is exposed to the internet.

@TheCakeIsNaOH
Author

> figure out how to decrypt_string, according to IEncryptionUtility (=> choco source)

Here is how to do it in powershell:

    # ProtectedData (the .NET wrapper around DPAPI) lives in the System.Security assembly
    Add-Type -AssemblyName System.Security
    # Passed as the second (optionalEntropy) argument to Unprotect
    $entropyBytes = [System.Text.UTF8Encoding]::UTF8.GetBytes("Chocolatey")
    Function Unprotect-Arguments {
        param([string]$data)
        # Stored values are base64-encoded DPAPI blobs
        $encryptedByteArray = [System.Convert]::FromBase64String($data)
        $decryptedByteArray = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $encryptedByteArray,
            $entropyBytes,
            [System.Security.Cryptography.DataProtectionScope]::LocalMachine
        )
        return [System.Text.UTF8Encoding]::UTF8.GetString($decryptedByteArray)
    }

Works for the passwords and api keys in chocolatey.config, and it also works for .arguments files in .chocolatey. Hopefully, that windows api is available in rust somewhere.
https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata.unprotect

@mwallner
Collaborator

Hey @TheCakeIsNaOH , thanks for your input!
I've been playing around with rust-winapi, rust-win-crypto-ng and a couple of hours, but haven't been able to decipher the credentials in native code so far.

My 'proof-of-concept' was actually a little C# app that did the 'unprotect step' ... but your powershell code made me think of this little hack:

    let pwsh = format!(
        "Add-Type -AssemblyName System.Security;([System.Text.UTF8Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect(([System.Convert]::FromBase64String('{}')),([System.Text.UTF8Encoding]::UTF8.GetBytes('Chocolatey')),[System.Security.Cryptography.DataProtectionScope]::LocalMachine)))",
        cypher
    );
    let chdec = std::process::Command::new("powershell.exe")
        .arg("-NoProfile")
        .arg("-ExecutionPolicy")
        .arg("Bypass")
        .arg(pwsh)
        .output()
        .expect("failed to run decypher text");
    let decrypted = String::from_utf8_lossy(&chdec.stdout);

it's still ugly, but that'll do / probably be in the bugfix version until I figure out how to properly use the dpapi.CryptUnprotectData.
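
A hardened variant of the PowerShell shell-out above, as an added example that is not part of the original thread or rocolatey's code: the ciphertext is checked to be well-formed base64 and handed to PowerShell through an environment variable, so it is never formatted into the command text. The variable name `ROCO_CIPHER` and the function names are assumptions made for this example.

```rust
use std::process::Command;

/// Well-formed standard base64: A-Z a-z 0-9 + /, length % 4 == 0, at most two trailing '='.
fn is_standard_base64(s: &str) -> bool {
    let b = s.as_bytes();
    if b.is_empty() || b.len() % 4 != 0 {
        return false;
    }
    let pad = b.iter().rev().take_while(|&&c| c == b'=').count();
    pad <= 2 && b[..b.len() - pad].iter().all(|c| c.is_ascii_alphanumeric() || *c == b'+' || *c == b'/')
}

// Constant script text: the ciphertext is read from $env:ROCO_CIPHER (hypothetical name)
// inside PowerShell, so config-file content is never parsed as PowerShell source.
const UNPROTECT_SCRIPT: &str = "Add-Type -AssemblyName System.Security;\
    [System.Text.Encoding]::UTF8.GetString(\
    [System.Security.Cryptography.ProtectedData]::Unprotect(\
    [System.Convert]::FromBase64String($env:ROCO_CIPHER),\
    [System.Text.Encoding]::UTF8.GetBytes('Chocolatey'),\
    [System.Security.Cryptography.DataProtectionScope]::LocalMachine))";

fn build_unprotect_command(cipher: &str) -> Result<Command, String> {
    if !is_standard_base64(cipher) {
        return Err("ciphertext is not well-formed base64".to_string());
    }
    let mut cmd = Command::new("powershell.exe");
    cmd.args(["-NoProfile", "-NonInteractive", "-Command", UNPROTECT_SCRIPT])
        .env("ROCO_CIPHER", cipher);
    Ok(cmd)
}

fn decrypt(cipher: &str) -> Result<String, String> {
    let out = build_unprotect_command(cipher)?
        .output()
        .map_err(|e| format!("failed to start powershell: {}", e))?;
    if !out.status.success() {
        return Err(String::from_utf8_lossy(&out.stderr).trim().to_string());
    }
    // PowerShell terminates the value it writes to stdout with a line break.
    let text = String::from_utf8_lossy(&out.stdout);
    Ok(text.trim_end_matches(|c| c == '\r' || c == '\n').to_string())
}

fn main() {
    // Constructed input containing a quote: rejected before any process is started.
    println!("{:?}", decrypt("not'base64"));
}
```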

mwallner added a commit that referenced this issue Jan 20, 2021
@mwallner
Collaborator

hey @TheCakeIsNaOH , could you check if the provided artifact works with your authenticated repo?

rocolatey.0.5.2-dev.zip

@TheCakeIsNaOH
Author

@mwallner It is working for me.

Thanks for working on this.

@mwallner
Collaborator

would you mind checking how this version of roco compares to choco in terms of speed?

    Measure-Command { choco outdated }

vs.

    Measure-Command { roco.exe outdated }

tbh, I haven't had time to look up how to use the native dpapi, so I basically just included the powershell snippet you provided above, which unfortunately adds quite some overhead when reading the config file... 😅

@TheCakeIsNaOH
Author

Choco was 101.23 seconds.
Roco was 10.08 seconds.

203 packages installed.

mwallner added a commit that referenced this issue Feb 2, 2021
mwallner added a commit that referenced this issue Feb 2, 2021
@mwallner
Collaborator

mwallner commented Feb 2, 2021

thanks for your help on this @TheCakeIsNaOH , this issue has been resolved in version 0.5.2

@TheCakeIsNaOH
Author

It is working, thanks for the fix.
