Cannot use choco list on nuget repositories

[gretel]

Bug Description

The default configuration has ANONYMOUS_ROLE set but trying to browse a nuget directory does always require authentication.

Steps To Reproduce

1. Deploy strongbox using default configuration
2. Enable "Allow directory browsing" in nuget-storage
3. Try to do any api transaction anonomously (like choco list)

Expected Behavior

Anonoymous users should be able to browse the directory as inherited by ARTIFACTS_RESOLVE

Environment

• Strongbox Version: {"strongbox":{"version":"1.0-SNAPSHOT","revision":"eccd13064b1e3bfa"}}
• OS: adoptopenjdk/openjdk8:jdk8u232-b09-alpine

[steve-todorov]

These might be two different problems. Are you talking about choco list or about browsing /api/browse/storage/nuget-repository ?

[gretel]

@steve-todorov choco list should be possible anonymously.

[anki2189]

@gretel : Please share source used for command choco list .

[gretel]

choco source add --name=strongbox --source=$internalRepositoryLocation --user=$internalRepositoryUser --password=$internalRepositoryScrt --priority=1 --bypass-proxy

[anki2189]

There is a method in NugetArtifactController NugetArtifactController#greet() which is used to
check storage availability.
This method requires ARTIFACTS_DEPLOY role , hence choco list or nuget list command prompt for authentication.

Issue can be fixed by changing ARTIFACTS_DEPLOY to ARTIFACTS_RESOLVE or by removing auth from greet() method.

@strongbox/core-developers : Suggestions??

[carlspring]

The greet method is absolutely useless and can be removed. Will that solve your problem altogether?

[gretel]

i guess i would solve mine, too :)

[steve-todorov]

There's actually a comment for this in the code - the greet method is necessary because Nuget will ping it to determine if the repository is healthy or not. In this case we should probably use ARTIFACTS_RESOLVE for this case.

[carlspring]

Upon closer look this is actually doing something. We used to have these greet methods long before we migrated to restassured and Spring Boot which were purely for testing purposes and should have been removed a long time ago. Perhaps it would be better to rename the method to something more meaningful...(?)

[gretel]

btw, repository is healthy or not - how is this determined?

[sbespalov]

There's actually a comment for this in the code - the greet method is necessary because Nuget will ping it to determine if the repository is healthy or not. In this case we should probably use ARTIFACTS_RESOLVE for this case.

this comment also say that Nuget using this method to check that authentication required. AFAIK it will fail to deploy with ARTIFACTS_RESOLVE on this method.

[sbespalov]

@anki2189 can you please check it with Nuget v2 and v3 and latest mono? Also from your previous comment it's become unclear how choco determines the need for authentication?

[anki2189]

choco list command fails after trying multiple times.

choco list -Source http://192.168.1.2:48080/storages/storage-nuget/nuget-releases/

Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
[NuGet] Not able to contact source 'http://192.168.1.2:48080/storages/storage-nuget/nuget-releases/'. Error was The remote server returned an error: (401) Unauthorized.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
Invalid credentials specified.
[NuGet] Not able to contact source 'http://192.168.1.2:48080/storages/storage-nuget/nuget-releases/'. Error was The remote server returned an error: (401) Unauthorized.
0 packages found.

Whereas nuget list prompts for username.

nuget list  -Source  http://localhost:48080/storages/storage-nuget/nuget-releases/              
Please provide credentials for: http://localhost:48080/storages/storage-nuget/nuget-releases/
UserName: admin
Password: ********
No packages found.

[anki2189]

@anki2189 can you please check it with Nuget v2 and v3 and latest mono? Also from your previous comment it's become unclear how choco determines the need for authentication?

Behaviour is same using both nuget 2 and 3 exe.

NuGet Version: 2.8.60717.93

NuGet Version: 3.5.0.1938

Mono JIT compiler version 6.4.0.198 (2019-06/fe64a4765e6 Wed Sep 18 14:14:51 EDT 2019)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           
	SIGSEGV:       altstack
	Notification:  kqueue
	Architecture:  amd64
	Disabled:      none
	Misc:          softdebug 
	Interpreter:   yes
	LLVM:          yes(610)
	Suspend:       hybrid
	GC:            sgen (concurrent by default)

[sbespalov]

@anki2189 why choco fails with Invalid credentials specified.? Does it send any credentials?

[sbespalov]

I mean that we should find the root cause of why choco is not request the authentication like Nuget. Maybe it expect another Authentication Entry Point or send Authentication which is not supported by strongbox.

[anki2189]

@anki2189 why choco fails with Invalid credentials specified.? Does it send any credentials?

From documentation it doesn't . https://github.com/chocolatey/choco/wiki/CommandsList

[gretel]

choco can send credentials on each command, this is how i work around this issue currently.

[anki2189]

Also there is no Authorization header in request for choco list command.

[anki2189]

choco can send credentials on each command, this is how i work around this issue currently.

By default it assumes username to be empty it not provided.

[sbespalov]

By default it assumes username to be empty it not provided.

@anki2189 does it requests the authentication for push command?

[anki2189]

By default it assumes username to be empty it not provided.

@anki2189 does it requests the authentication for push command?

Yes, api-key

[sbespalov]

ok, let's try @PreAuthorize("hasAuthority('ARTIFACTS_RESOLVE')") then for greet. @anki2189 can you pelase check how Nuget push and list will work with it?

[sbespalov]

PR #1674 seems works fine, so I suggest to merge it and resolve the issue. Just to be clear regarding
the ARTIFACTS_DEPLOY authority, which we had on greet method before, then it probably was needed when there was no API Key authentication implemented. So since we have the API Key authentication ARTIFACTS_RESOLVE seems works fine as well.

[carlspring]

@gretel : Could you please test this out?

[gretel]

@carlspring the pipeline eats the github snapshot.. dont have any maven running :(

[carlspring]

@steve-todorov : Could you please take a look? Thanks!

[steve-todorov]

It's already in the master and on github as 1.0-SNAPSHOT. You can download the compiled version from there.

[gretel]

@steve-todorov ah i didnt notice the merge. can bump the deployment tomorrow. regards