
feat: basic credentials support for maven repos #20


Open. Wants to merge 1 commit into base branch main.

Conversation


@patwid patwid commented Jun 18, 2024

This adds basic credentials support for accessing maven repositories.

There is currently no mechanism to distinguish between private and public repositories. If specified, it unconditionally adds the authorization header as a bearer token value to the request when fetching the artifacts. Another limitation is that currently only a bearer token is supported, and not e.g. basic auth using username and password.

This seems to be working, as long as the package is being built with elevated privileges, e.g.:

# AUTH_TOKEN=hunter2 nix build

This closes #8.

Please, let me know what you think.

@C0D3-M4513R (Contributor) commented

I don't believe adding an impure env-var is the nix way. (generally anything requiring impure eval isn't)
I believe you should add a parameter for an auth token, that's passed through or can be overridden.

@raphiz (Owner) commented Jun 24, 2024

First of all: Thanks for your PR!

This is a tricky one - and I don't think there is a great solution for credentials support right now. Here are my thoughts so far:

  • Using a parameter for the derivation directly is dangerous, as it might potentially leak sensitive information.
  • Using the impureEnvVars (as it is used in fetchurl e.g. for NIX_CURL_FLAGS or HTTP_PROXY) does not feel too bad to me. However, the not-so-nice thing is that the impureEnvVars implementation takes environment variables from the current builder process (which might be the daemon). This might be a bit tricky to set up.
  • The authentication mechanism should support different authentication schemes. I think Gradle supports Basic, Digest and HTTP Header based authentication. From personal experience, Basic Auth is common in enterprise contexts - so I would be happy if at least this works.
  • When using the impureEnvVars approach, I would prefer a more general NIX_CURL_FLAGS style approach instead of specific ones for each authentication mechanism (e.g. AUTH_TOKEN).
  • It gets even worse when having multiple repositories - which credentials to use and how to avoid using the wrong ones - which will leak sensitive information. Maybe adding another constraint might solve this: Just one (single) private Repository as it is common in an enterprise setting 🤷
  • Using a netrc file might be another valid approach - but just for Basic HTTP Auth

Related links:
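As an added illustration of the impureEnvVars plus netrc approach discussed in the comment above (example code written for this page, not part of this PR or of the project): a fixed-output derivation that fetches one Maven artifact and takes Basic Auth credentials from the builder's environment instead of from a derivation parameter, so they never end up in the .drv or the store. The variable names MAVEN_REPO_USER and MAVEN_REPO_PASSWORD and the function signature are assumptions.

```nix
# Added example, not code from this PR or the project: a fixed-output derivation
# that fetches one Maven artifact with curl and takes Basic Auth credentials from
# the builder's environment via impureEnvVars. The credentials never appear as
# derivation inputs, so they are not written to the .drv or the store.
{ stdenvNoCC, curl, cacert }:

{ url, sha256, name ? baseNameOf url }:

stdenvNoCC.mkDerivation {
  inherit name;
  nativeBuildInputs = [ curl ];

  # A fixed-output derivation may use the network; the result is verified
  # against the expected hash, so a wrong or tampered artifact fails the build.
  outputHashAlgo = "sha256";
  outputHashMode = "flat";
  outputHash = sha256;

  # Only the listed variables are copied from the builder process into the
  # sandbox. With nix-daemon that is the daemon's environment, not the user's,
  # which matches the "elevated privileges" observation in the PR description.
  # The variable names are assumptions made for this example.
  impureEnvVars = [ "MAVEN_REPO_USER" "MAVEN_REPO_PASSWORD" ];

  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

  buildCommand = ''
    auth=""
    if [ -n "''${MAVEN_REPO_USER:-}" ]; then
      # Pass the password through a mode-0600 netrc file rather than `curl -u`,
      # so it does not show up in the process list. `default` applies to every
      # host, which is only acceptable with a single private repository.
      netrc="$TMPDIR/netrc"
      printf 'default login %s password %s\n' \
        "$MAVEN_REPO_USER" "''${MAVEN_REPO_PASSWORD:-}" > "$netrc"
      chmod 0600 "$netrc"
      auth="--netrc-file $netrc"
    fi
    # Without credentials this degrades to an anonymous fetch of a public artifact.
    curl --fail --location --silent --show-error $auth -o "$out" "${url}"
  '';
}
```

The credentials must be present in the environment of the process that actually runs the builder (the daemon in a multi-user install), which is why a plain `VAR=... nix build` only works without a daemon or with elevated privileges.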

@patwid force-pushed the main branch 4 times, most recently from d2e57d5 to fd5afd2 on June 29, 2024 09:59
Successfully merging this pull request may close these issues: Add Credentials Support for Maven Repositories