sbt: Add http headers when fetching private maven repo with credentials - maven

I try to use credentials in my build.sbt config in order to retrieve private artifacts from a gitlab private maven repository.
But as sbt documentation states :
The credentials file is a properties file with keys realm, host, user, and password.
And gitab private maven documentation states :
If a project is private or you want to upload Maven artifacts to GitLab,
credentials will need to be provided for authorization. Support is available for personal access tokens and CI job tokens only. Deploy tokens and regular username/password credentials do not work.
The only way to authenticate when fetching or pushing artifacts to gitlab maven private repository is to use a maven settings.xml file with :
<settings>
<servers>
<server>
<id>gitlab-maven</id>
<configuration>
<httpHeaders>
<property>
<name>Private-Token</name>
<value>REPLACE_WITH_YOUR_PERSONAL_ACCESS_TOKEN</value>
</property>
</httpHeaders>
</configuration>
</server>
</servers>
</settings>
I found a workaround to push my private artifacts (intermediate step locally) but I am out of options to use these private artifacts as libraryDependencies in other scala repositories.
Is there anyway to have sbt fetching my private gitlab repository with the required httpHeaders ?
Do you know any workaround (multi-step fetchs) to have my private artifacts retrieved ?

Related

Maven settings.xml with an Artifactory <server/> using SSH keys for authentication

Using the Artifacory generated maven settings I can run mvn deploy, the build completes, and artifacts are deployed successfully.
With the ability to upload a public key to Artifactory (see: https://jfrog.com/article/ssh/), I was hoping to swap out the username/password in the generated ~/.m2/settings.xml with a privateKey/passphrase pair (see: https://maven.apache.org/settings.html#Servers).
Unfortunately, switching from username/password to privateKey/passphrase I get the following "Not authorized" error:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project my-project: Failed to retrieve remote metadata com.test:my-project:1.0-SNAPSHOT/maven-metadata.xml: Could not transfer metadata com.test:my-project:1.0-SNAPSHOT/maven-metadata.xml from/to my-artifactory (https://na.artifactory.xxxx.com:443/artifactory/my-artifactory-local): Not authorized -> [Help 1]
Does Artifactory support privateKey/passphrase authentication from Maven? Or, is it possible to use something other than username/password (API Key maybe?) to allow Maven to authenticate?
I don't know about getting public key authentication to work with Artifactory and Maven, but at least with Artifactory 6.15.1 you can use the Artifactory API Key for your account instead of the password. In the Artifactory web UI, click on your login name to open your profile, enter your current password to unlock your profile, then copy the API Key and paste it in to the <servers> section of your Maven settings.xml, replacing ARTIFACTORY_USERNAME and ARTIFACTORY_API_KEY in the sample below:
<servers>
<server>
<id>central</id>
<username>ARTIFACTORY_USERNAME</username>
<password>ARTIFACTORY_API_KEY</password>
</server>
<server>
<id>snapshots</id>
<username>ARTIFACTORY_USERNAME</username>
<password>ARTIFACTORY_API_KEY</password>
</server>
</servers>

Adding maven nexus repo to my pom.xml

I have installed nexus on my local machine. I want my pom file to point to this repo. How can I add my custom repository to my pom.xml file?
From Maven - Settings Reference
The repositories for download and deployment are defined by the repositories and distributionManagement elements of the POM. However, certain settings such as username and password should not be distributed along with the pom.xml. This type of information should exist on the build server in the settings.xml.
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
http://maven.apache.org/xsd/settings-1.0.0.xsd">
...
<servers>
<server>
<id>server001</id>
<username>my_login</username>
<password>my_password</password>
<privateKey>${user.home}/.ssh/id_dsa</privateKey>
<passphrase>some_passphrase</passphrase>
<filePermissions>664</filePermissions>
<directoryPermissions>775</directoryPermissions>
<configuration></configuration>
</server>
</servers>
...
</settings>
id: This is the ID of the server (not of the user to login as) that matches the id element of the repository/mirror that Maven tries to connect to.
username, password: These elements appear as a pair denoting the login and password required to authenticate to this server.
privateKey, passphrase: Like the previous two elements, this pair specifies a path to a private key (default is ${user.home}/.ssh/id_dsa) and a passphrase, if required. The passphrase and password elements may be externalized in the future, but for now they must be set plain-text in the settings.xml file.
filePermissions, directoryPermissions: When a repository file or directory is created on deployment, these are the permissions to use. The legal values of each is a three digit number corrosponding to *nix file permissions, ie. 664, or 775.
Note: If you use a private key to login to the server, make sure you omit the element. Otherwise, the key will be ignored.
All you should need is the id, username and password
The id and URL should be defined in your pom.xml like this:
<repositories>
...
<repository>
<id>acme-nexus-releases</id>
<name>acme nexus</name>
<url>https://nexus.acme.net/content/repositories/releases</url>
</repository>
...
</repositories>
If you need a username and password to your server, you should encrypt it.
Maven Password Encryption
First of all I can highly recommend reading the Nexus book. It will explain the benefits of using a Maven repository manager.
There is a section on how to configure your Maven build to use Nexus:
http://www.sonatype.com/books/nexus-book/reference/config.html
This leads me to question why you altering your POM file? I suspect what you really want to do is setup Nexus as a remote repository mirror. This is done in your Maven settings file.
The following tells Maven use Nexus as your default repository (Instead of Maven Central)
<settings>
..
..
<mirrors>
<mirror>
<id>nexus</id>
<url>http://localhost:8081/nexus/content/groups/public</url>
<mirrorOf>central</mirrorOf>
</mirror>
</mirrors>
This is desired behaviour since your Nexus repository is configured to cache artifacts retrieved from Central (which is good for build performance).
Note:
The "public" repository group could include other repositories proxied by your Nexus instance (Not just Maven Central). You probabily want this behaviour, as it centralizes all repository management. It just makes your build less portable for people outside of your organization.
It seems the answers here do not support an enterprise use case where a Nexus server has multiple users and has project-based isolation (protection) based on user id ALONG with using an automated build (CI) system like Jenkins. You would not be able to create a settings.xml file to satisfy the different user ids needed for different projects. I am not sure how to solve this, except by opening Nexus up to anonymous access for reading repositories, unless the projects could store a project-specific generic user id in their pom.xml.
From the Apache Maven site
<project>
...
<repositories>
<repository>
<id>my-internal-site</id>
<url>http://myserver/repo</url>
</repository>
</repositories>
...
</project>
"The repositories for download and deployment are defined by the repositories and distributionManagement elements of the POM. However, certain settings such as username and password should not be distributed along with the pom.xml. This type of information should exist on the build server in the settings.xml." - Apache Maven site - settings reference
<servers>
<server>
<id>server001</id>
<username>my_login</username>
<password>my_password</password>
<privateKey>${user.home}/.ssh/id_dsa</privateKey>
<passphrase>some_passphrase</passphrase>
<filePermissions>664</filePermissions>
<directoryPermissions>775</directoryPermissions>
<configuration></configuration>
</server>
</servers>
If you don't want or you cannot modify the settings.xml file, you can create a new one at the root of your project, and call maven passing it as a parameter with the -s argument:
$ mvn COMMAND ... -s settings.xml
From maven setting reference, you can not put your username/password in a pom.xml
The repositories for download and deployment are defined by the repositories and distributionManagement elements of the POM. However, certain settings such as username and password should not be distributed along with the pom.xml. This type of information should exist on the build server in the settings.xml.
You can first add a repository in your pom and then add the username/password in the $MAVEN_HOME/conf/settings.xml:
<servers>
<server>
<id>my-internal-site</id>
<username>yourUsername</username>
<password>yourPassword</password>
</server>
</servers>

How do I deploy to private Maven repo from CloudBees?

I'd like to use CloudBees for my CI environment, but I'd also like to deploy my Maven artifacts to my existing private Nexus repository. In my current local Hudson setup, I utilize the username/password settings within the .m2/settings.xml file as follows:
...
<servers>
<server>
<id>my-repository</id>
<username>username</username>
<password>password</password>
</server>
</servers>
...
How/where can I configure these credentials on CloudBees?
You can put these in your private webdav filestore: http://wiki.cloudbees.com/bin/view/DEV/Sharing+Files+with+Build+Executors
Then, just point Maven at this by passing the '-s' option, or clicked the "Advanced" section of your Maven build and add the path in the "Alternate settings file" field.
You should follow this step by step guide:
http://developer.cloudbees.com/bin/view/DEV/Accessing+under+an+external+Maven+repository

Github authentication: how to use Github as Maven repo when repo is private

I'm trying to store some of our private artifacts on Github and would like to access them as if they were part of a Maven repo. There are lots of pages that explain how to create a public Maven repo on Github: you just put the artifacts in the proper directory structure in your project, and then access them using a "raw" URL:
<repositories>
<repository>
<id>myrepo.myname.github.com</id>
<url>https://github.com/myname/myproject/raw/master/repositories/releases/</url>
</repository>
</repositories>
So far, so good. Now the trouble is that I can't figure out how to access the repo if it's private. I've added a username and password to my settings.xml, but it doesn't work:
<servers>
<server>
<id>myrepo.myname.github.com</id>
<username>myusername</username>
<password>mypassword</password>
</server>
</servers>
What's the trick?
The question is now moot. Github has eliminated downloads. They don't host binaries any more. Probably because of exactly the kind of abuse I've proposed...
You can access private repositories from Maven pom.xml using the following URL:
https://api.github.com/users/username/repos?login=username&token=oauthtoken&repositoryname=reponame

Infrastructure - Maven + Nexus

I've installed a sonatype nexus to be my maven repo. The nexus instalation is using the Active Directory to authenticate users, and the annonymous login is off.
Every user that uploads an artifact to my repo must be identifyed with a unique username, thus the AD integration.
The regular way to use this structure is to set in the POM.xml the Distribution Managemente tag so the artifact is sent to nexus
<distributionManagement>
...
<repository>
<id>deploymentRepo</id>
<name>Internal Releases</name>
<url>http://nexusserver:8081/nexus/content/repositories/releases</url>
</repository>
...
</distributionManagement>
In the local repo settings (~/.m2/settings.xml) add the username/password combo to login into nexus
<server>
<id>deploymentRepo</id>
<username>deployment</username>
<password>deployment123</password>
</server>
It's working great for me, but what I'm trying to achieve is to somehow do the auth in nexus without having to put the user password in the local repo. Is it possible?
What are you trying to achieve: not to store password as plain text or for user having to pass password every time it runs maven deploy command?
Password could be stored in encrypted form, as described here
Or you could try to pass password on command line like below, but I haven't tried that:
mnv -Dpassword=deployment123 deploy
Nexus 2.1 is due to be released in June and we've built a new feature to support secure authentication without requiring a clear text password in the settings.xml.

Resources