How to troubleshoot sbt credentials usage? - sbt

I need to retrieve dependencies from a secured internal Nexus OSS repository.
I don't need to make any deploy at the moment, only get the dependencies, but I'm having no luck.
This is my build.sbt file:
credentials += Credentials("Sonatype Nexus Repository Manager", "repo.server.com", "admin", "admin123")
libraryDependencies += "group" % "artifact" % "1.0.0"
The realm is the one returned by Nexus.
This my ~/.sbt/repositories file:
[repositories]
local
releases: https://repo.server.com:8110/nexus/content/repositories/releases/
ivy-releases: https://repo.server.com:8110/nexus/content/groups/ivy-releases/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
custom-public: https://repo.server.com:8110/nexus/content/groups/custom-public
I have three repos:
custom-public is open for the anonymous user. I does not include the releases repo.
ivy-releases its a group with Typesafe ivy releases and SBT plugin releases. It is public too, and its separated from custom-public following the advice in this guide.
releases is restricted to some users.
This is my SBT_OPTS environment variable:
set SBT_OPTS=-Dsbt.override.build.repos=true -Xmx1024M -Xss20m -XX:MaxPermSize=256m -XX:ReservedCodeCacheSize=128m -Dsbt.log.format=true -Djavax.net.ssl.trustStore=~/trust.jks -Djavax.net.ssl.trustStorePassword=passs
SBT finds the public repos without problem. But I could not make it download any dependency from the restricted repo. It gives the following error:
[warn] module not found: group#artifact;1.0.0
[warn] ==== local: tried
[warn] C:\Documents and Settings\gferrari\.ivy2\local\group\artifact\1.0.0\ivys\ivy.xml
[warn] ==== releases: tried
[warn] https://repo.server.com:8110/nexus/content/repositories/releases/group/artifact/1.0.0/artifact-1.0.0.pom
[warn] ==== ivy-releases: tried
[warn] https://repo.server.com:8110/nexus/content/groups/ivy-releases/group/artifact/1.0.0/ivys/ivy.xml
[warn] ==== custom-public: tried
[warn] https://repo.server.com:8110/nexus/content/groups/custom-public/group/artifact/1.0.0/artifact-1.0.0.pom
If I try the releases url https://repo.server.com:8110/nexus/content/repositories/releases/group/artifact/1.0.0/artifact-1.0.0.pom in the browser, with the admin user logged in, it shows the pom file correctly.
What options do I have to troubleshoot this problem?

It turned out to be an issue with the jsessionid request parameter in the production webserver (Oracle iPlanet).
These are the steps I've made to troubleshoot the problem:
I mirrored the server configuration in a local Nexus installation running on Tomcat, which worked OK.
Then I run the same command (compile) over both installations and compared the Nexus logs (with level DEBUG).
At some point on Tomcat, Nexus reported that no session was found and proceeded to search for user credentials in the http headers. At the same point on iPlanet, Nexus found a valid Session of the anonymous user, and never looked at the http headers.
This was the reason the user was forbidden to access the artifact. It was mistaken as the anonymous user.
Following this SO answer I've added a filter in the Nexus web.xml to remove any jsessionid parameter using the Tuckey rewrite filter.
After that change, the server stopped to create spurious sessions, and started to correctly locate the user credentials in the http headers.
There should be some iPlanet configuration parameter to change the behaviour regarding the jsessionid parameter. The above steps are just my current solution.

Related

SBT 1.1.1 not using credentials for Nexus proxy

We moved to a new authenticated Nexus to act as a proxy to get dependencies.
I've tried to to give SBT (1.1.1) the credentials it needs, in multiple ways, but I always endup getting :
[error] Unable to find credentials for [Sonatype Nexus Repository Manager # nexus3.company.com]
[debug] CLIENT ERROR: Unauthorized url=https://nexus3.company.com/repository/maven2-proxy-all/org/scala-sbt/actions_2.12/1.1.1/actions_2.12-1.1.1.pom
It's repeated for a lot of dependencies.
I've created a .credentials file in my project as follow:
realm=Sonatype Nexus Repository Manager
host=nexus3.company.com
user=xxxxx
password=xxxxx
Here's what I've tried, based on inputs I got from other threads on the internet:
Adding the path to this credentials file in the command : -Dsbt.boot.credentials=.credentials
Adding the path to this credentials file to an environment variable : $SBT_CREDENTIALS = PATH
Adding the following line in the build.sbt : credentials += Credentials(new File(".credentials"))
Adding the following line in the build.sbt : credentials += Credentials("Sonatype Nexus Repository Manager", "nexus3.company.com", "xxxxx", "xxxxxx")
Checking what's going on with a proxy : my requests don't seem to have any authorization header and all come back as HTTP 401
And yet, when I access the URL mentioned from the same machine, with the credentials in the file, there is no issue at all.
I'm running out of ideas here :(
After more attempts, adding :
~/.sbt/1.0/credentials.sbt
credentials += Credentials("Sonatype Nexus Repository Manager", "nexus3.company.com", USER, PWD)
AND
The SBT_CREDENTIALS variable mentioned above,
Seems to do the job.
I also updated the image we use for our pipelines, not sure if it helped.

Auth fail when running `sbt new`

Here's a transcript so far:
$ sbt new lagom/lagom-scala.g8
[info] Loading global plugins from /Users/abrahma/.sbt/1.0/plugins
[info] Set current project to lagomlife (in build file:/Users/abrahma/Bitbucket/Practice-Scala/LagomLife/)
[info] Set current project to lagomlife (in build file:/Users/abrahma/Bitbucket/Practice-Scala/LagomLife/)
ssh://git#github.com/lagom/lagom-scala.g8.git: Auth fail
I've verified authentication with
GitHub:
$ ssh -T git#github.com
Hi agam! You've successfully authenticated, but GitHub does not provide shell access.
Also verified that I can access the repo in question (i.e. I can do the following, in a separate location):
git clone ssh://git#github.com/lagom/lagom-scala.g8.git
Edit: fwiw I'm able to work around whatever the root cause is here:
git clone ssh://git#github.com/lagom/lagom-scala.g8.git
g8 file:///Users/abrahma/tmp/lagom-scala.g8
I ran into this problem as well, and solved it by removing the following from my ~/.gitconfig:
[url "git#github.com:"]
insteadOf = https://github.com/
Are you using OpenSSH 7.8 or newer, and have you recently created your private key?
If so you might be running into the issue described in “Invalid privatekey” when using JSch aka jsch#129.
The root cause was discovered to be the ssh private key mismatch.
The question has a workaround to convert the key file to an older format if that's the error you're seeing.
You need to add your SSH key to the agent:
ssh-add ~/.ssh/id_rsa

SBT Basic Auth Problems

I'm setting up SBT on our buildserver (bamboo) for multiple buildagents. For this I created for each agent a separate directory which contains the agent specific config and the .ivy home to make sure agent isolation is fullfilled.
The build itself is call like this:
/sbt-launcher-packaging-0.13.13/bin/sbt -java-home /usr/lib/jvm/jdk1.7.0_79 -Dsbt.override.build.repos=true -Dsbt.repository.config=/data/bamboo/localbuildagents/${bamboo.agentId}/sbt/sbt.conf -Dsbt.ivy.home=/data/bamboo/localbuildagents/${bamboo.agentId}/.ivy2 clean compile dist
The credentials (basic realm) are store under the user home which is starting the bamboo server (~/.sbt/.credentials and ~/.sbt/0.13/plugins/credentials.sbt)
Each sbt.conf contains the agent-specific repos e.g the agent specific local maven repo and urls for the remote artifactory.
[repositories]
local-buildagent-mvn: file:///data/bamboo/home/.m2/AGENT-xxxxxxxx/repository/
ivy-release: http://xxx/artifactory/ivy-release/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
mvn-release: http://xxx/artifactory/libs-release/
mvn-snapshot: http://xxx/artifactory/libs-snapshot/
[ivy]
ivy-home: file:///data/bamboo/localbuildagents/xxxxxxxx/.ivy2/
I'm encountering login problems while sbt is checking the remote artifactory repos (first http error 401 and then surprisingly 403). A curl with the same credentials and repo url is working as expected (first 401 and then 200).
I guess, that if -D switches are used for sbt startup, the credentials are not considered. I'm really stuck any advise warmly welcome...
From your question I don't see if you specified where your credentials are defined. In case you didn't do it, you must add something like this to your build definition (documentation):
// inline
credentials += Credentials("Some Nexus Repository Manager", "my.artifact.repo.net", "admin", "admin123")
// file
credentials += Credentials(Path.userHome / ".ivy2" / ".credentials")

SBT not passing credentials when publishing to Artifactory

I am coding a Java project and I'm automating the build and the publishing to JFrog Artifactory using SBT.
Whenever it's time to publish to Artifactory I want to do it using the Ivy directory layout and obviously publish the Ivy XML file along with the jar. I managed to achieve this by using the following lines in the build.sbt file:
crossPaths := false
publishTo := Some("Artifactory Realm" at "http://<Artifactory IP>:<Artifactory Port>/artifactory/org.project.my")
credentials += Credentials(Path.userHome / ".ivy2" / ".credentials")
publishMavenStyle := false
However it only works when anonymous users are allowed to deploy into Artifactory. I realized that sbt is not really passing my credentials to Artifactory but, instead, logging in as anonymous.
My $HOME/.ivy2/.credentials file looks like this:
realm=Artifactory Realm
host=http://<Artifactory IP>:<Artifactory Port>/artifactory/org.project.my
user=<my user name>
password=<my user name>
However, if I change the Artifactory configuration in order to prevent anonymous users from deploying new Artifacts, when I run "sbt publish" I get the following output:
[error] Unable to find credentials for [Artifactory Realm # <Artifactory IP>].
java.io.IOException: Access to URL http://<Artifactory IP>:<Artifactory Port>/artifactory//org.project.my/org/project/my/project-my/1.0.0/project-my-1.0.0.jar was refused by the server: Unauthorized
The Artifactory request.log file then contains:
20160219011657|319|REQUEST|10.0.2.2|anonymous|PUT|/org.project.my/org/project/my/project-my/1.0.0/project-my-1.0.0.jar|HTTP/1.1|401|24978
I have also tried passing the credentials manually instead of using a file:
credentials += Credentials("Artifactory Realm", "localhost", "<USERNAME>", "<PASS>")
But I am getting the same result.
Any idea what I might be missing?
try:
host=<Artifactory IP>
old answer (doesn't work):
host=<Artifactory IP>:<Artifactory port>
I had a different problem: I had the wrong realm set on my .credentials file.
Looking at the error output from sbt, I was able to figure out that I should use:
realm=Artifactory Realm
Error shows the expected values for realm and host:
[error] Unable to find credentials for [Artifactory Realm # myhost].

How to access a secured Nexus with sbt?

I'm trying to access a Nexus repository manager which requires some basic authentication. Everything works fine from Maven2 but when I try to configure things in SBT it can't find the artifacts. It is using a custom repository pattern (see this related question) but I don't think that should matter. In any case the relevant configuration is here.
Project.scala:
val snapshotsName = "Repository Snapshots"
val snapshotsUrl = new java.net.URL("http://nexusHostIp:8081/nexus/content/repositories/snapshots")
val snapshotsPattern = "[organisation]/[module]/[revision]-SNAPSHOT/[artifact]-[revision](-[timestamp]).[ext]"
val snapshots = Resolver.url(snapshotsName, snapshotsUrl)(Patterns(snapshotsPattern))
Credentials(Path.userHome / ".ivy2" / ".credentials", log)
val dep = "group" % "artifact" % "0.0.1" extra("timestamp" -> "20101202.195418-3")
~/.ivy2/.credentials:
realm=Snapshots Nexus
host=nexusHostIp:8081
user=nexususername
password=nexuspassword
According to a similar discussion in the SBT user group this should work fine but I am getting the following when I try to build.
==== Repository Snapshots: tried
[warn] -- artifact group#artifact;0.0.1!artifact.jar:
[warn] http://nexusHostIp:8081/nexus/content/repositories/snapshots/group/artifact/0.0.1-SNAPSHOT/artifact-0.0.1-20101202.195418-3.jar
I'm fairly certain this is a credentials problem and not something else because I can hit the URL it says it is trying directly and download the jar (after authenticating).
I have also tried declaring the credentials inline (even though it is less than ideal) like so:
Credentials.add("Repository Snapshots", "nexusHostIp", "nexususername", "nexuspassword")
Here's what I did (sbt 0.13 + artifactory - setup should be similar for nexus):
1) Edited the file ~/.sbt/repositories as specified here: http://www.scala-sbt.org/0.13.0/docs/Detailed-Topics/Proxy-Repositories.html
[repositories]
local
my-ivy-proxy-releases: http://repo.company.com/ivy-releases/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
my-maven-proxy-releases: http://repo.company.com/maven-releases/
2) Locked down my artifactory to disable anonymous access.
3) Created a credentials file in ~/.sbt/.credentials
realm=Artifactory Realm
host=artifactory.mycompany.com
user=username
password=password
4) Created a file under ~/.sbt/0.13/plugins/credentials.sbt that wires up the default credentials
credentials += Credentials(Path.userHome / ".sbt" / ".credentials")
Now when my project loads sbt hits artifactory like normal.
The reason I did it this way is to keep the repository definitions, etc, out of the project files to enable teams to have flexibility (they can set up an internal server to serve in-progress artifacts, etc).
-Austen
UPDATE: This answer does not work in recent sbt versions - see Austen's answer instead.
Alright I finally got this sorted out.
snapshotsName can be anything. realm in .credentials must be the HTTP Authentication realm that shows up when trying to hit the URL of the repository (nexus in my case). realm is also the first parameter of Credentials.add. So that line should have been
Credentials.add("Sonatype Nexus Repository Manager", "nexusHostIp", "nexususername", "nexuspassword")
The host name is just the ip or DNS name. So in .credentials host is just nexusHostIp without the port number.
So the working Project configuration is:
val snapshotsName = "Repository Snapshots"
val snapshotsUrl = new java.net.URL("http://nexusHostIp:8081/nexus/content/repositories/snapshots")
val snapshotsPattern = "[organisation]/[module]/[revision]-SNAPSHOT/[artifact]-[revision](-[timestamp]).[ext]"
val snapshots = Resolver.url(snapshotsName, snapshotsUrl)(Patterns(snapshotsPattern))
Credentials(Path.userHome / ".ivy2" / ".credentials", log)
val dep = "group" % "artifact" % "0.0.1" extra("timestamp" -> "20101202.195418-3")
With a .credentials file that looks like:
realm=Sonatype Nexus Repository Manager
host=nexusHostIp
user=nexususername
password=nexuspassword
Where "Sonatype Nexus Repository Manager" is the HTTP Authentication realm.
Following the SBT Documetation:
There are two ways to specify credentials for such a repository:
Inline
credentials += Credentials("Some Nexus Repository Manager", "my.artifact.repo.net", "admin", "password123")
External File
credentials += Credentials(Path.userHome / ".ivy2" / ".credentials")
The .credentials file is a properties file with keys realm, host, user, and password. For example:
realm=Some Nexus Repository Manager
host=my.artifact.repo.net
user=admin
password=password123
If SBT launcher is failing to download a new version of SBT from your proxy, and that ~/.sbt/boot/update.log is showing that you're getting 401 authentication errors, you can use the environment variable SBT_CREDENTIALS to specify where the ivy credential file is.
Either of these should work and download the new sbt version:
SBT_CREDENTIALS='/home/YOUR_USER_NAME/.ivy2/.credentials' sbt
Putting export SBT_CREDENTIALS="/home/YOUR_USER_NAME/.ivy2/.credentials" in your .bashrc (or .zshrc), start a new shell session and then run sbt
(You'll need have the ~/.ivy2/.credentials file setup like other answers here has shown)
Source: https://github.com/sbt/sbt/commit/96e5a7957c830430f85b6b89d7bbe07824ebfc4b
This worked for me. I'm using SBT version 0.13.15:
~/.ivy2/.my-credentials (host without port):
realm=Sonatype Nexus Repository Manager
host=mynexus.mycompany.com
user=my_user
password=my_password
build.sbt (nexus url with port):
import sbt.Credentials
...
credentials += Credentials(Path.userHome / ".ivy2" / ".my-credentials")
...
resolvers in ThisBuild ++= Seq(
MavenRepository("my-company-nexus", "https://mynexus.mycompany.com:8081/repository/maven-releases/")
)
Check for all files containing credentials.
For me I had a new project in sbt 1.0 (instead of good old 0.13), where I had a ~/.sbt/1.0/global.sbt file containing my credentials, which I forgot about. So after a mandatory password change, the artifactory downloads was broken and locking my account.
Would be nice if the chain of credentials and files filling them can be easily inspected. Would also be nice if SBT was a bit more careful and first checking if authentication/authorization is correct, before starting tot download X files and locking my account after 3 misauthenticated attempts.

Resources