Maven Encryption does not work #592

Closed
eddiewebb opened this issue Jul 12, 2018 · 7 comments

@eddiewebb

Description of the issue:
When credentials in settings.xml are encrypted, jib throws a 401 error, but other tools (including https://github.com/jelmerk/maven-settings-decoder) show the proper password.

If I leave password in plaintext in settings.xml it works.

Expected behavior:

Credentials should be decrypted; I expect they are being passed as is.

Steps to reproduce:

mvn --encrypt-master-password <some-string>
# save output to settings-security.xml per docs
mvn --encrypt-password <docker registry password>
# save output to settings.xml server section per docs
mvn compile jib:build
#

Environment:

Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T03:58:13-04:00)
Maven home: /Users/eddie/.m2/wrapper/dists/apache-maven-3.5.2-bin/28qa8v9e2mq69covern8vmdkj0/apache-maven-3.5.2
Java version: 1.8.0_172, vendor: Oracle Corporation
Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre

jib-maven-plugin Configuration:

			<plugin>
				<groupId>com.google.cloud.tools</groupId>
				<artifactId>jib-maven-plugin</artifactId>
				<version>0.9.4</version>
				<configuration>
					<to>
						<image>registry.hub.docker.com/eddiewebb/blueskygreenbuilds-demo</image>
					</to>
					<container>
						<jvmFlags>
							<jvmFlag>-Dcircle_build_num=99</jvmFlag>
							<jvmFlag>-Dcircle_commit=1234abcdef</jvmFlag>
							<jvmFlag>-Dcircle_user=eddiewebb</jvmFlag>
							<jvmFlag>-Dcircle_repo=demo-repo</jvmFlag>
							<jvmFlag>-Dcircle_workflow_guid=1234</jvmFlag>
							<jvmFlag>-Dvcap.application.name=blueskygreenbuilds-test</jvmFlag>
						</jvmFlags>
						<ports>
							<port>8080</port>
						</ports>
					</container>
				</configuration>
			</plugin>

~/.m2/settings.xml

<?xml version="1.0" encoding="UTF-8"?>

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <servers>
        <server>
            <id>registry.hub.docker.com</id>
            <username>eddiewebb</username>
            <password>{output from --encrypt-password above}</password>
        </server>
    </servers>
</settings>

~/.m2/settings-security.xml

<settingsSecurity>
  <master>{output from --encrypt-master-password above}</master>
</settingsSecurity>

Log output:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.4:build (default-cli) on project blueskygreenbuilds: Build image failed, perhaps you should make sure your credentials for 'registry.hub.docker.com' are set up correctly: Unauthorized for registry.hub.docker.com/user/imagename: 401 Unauthorized
[ERROR] {"details":"incorrect username or password"}

Additional Information:

To debug I first ran maven with -X, and it confirms the existence of env.maven_security_master={output from --encrypt-master-password}

I then used https://github.com/jelmerk/maven-settings-decoder to decrypt maven credentials.

./settings-decoder/bin/settings-decoder -f ~/.m2/settings.xml -s ~/.m2/settings-security.xml 
Master password is : yep-thats-what-I-entered-above
-------------------------------------------------------------------------
Credentials for server registry.hub.docker.com are :
Username : eddiewebb
Password : yep-that-also-is-my-correct-password-for-docker-that-works-in-plaintext

There are no special characters in my password (letters and numbers) and no special characters in the generated values (I also tried several iterations)

I have seen the mvn release plugin require a certain version, so perhaps some dependency of jib is not where it needs to be?

@coollog
Contributor

coollog commented Jul 12, 2018

Hi @eddiewebb, thanks for reporting this issue! We will investigate this as a high priority issue. @GoogleContainerTools/java-tools

@briandealwis briandealwis self-assigned this Jul 13, 2018
@eddiewebb
Author

@briandealwis - for what it's worth, I believe the Maven 3.0+ way to decrypt is with https://maven.apache.org/ref/3.2.5/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecrypter.html. I was working on a PR but am not sure of your preference on injecting the component from the plexus container. Nullaway yelled at me for trying a simple @Component annotation.

i.e. in MavenSettingsServerCredentials

  /**
   * Attempts to retrieve credentials for {@code registry} from Maven settings.
   *
   * @param registry the registry
   * @return the credentials for the registry
   */
  @Nullable
  RegistryCredentials retrieve(@Nullable String registry) {
    if (registry == null) {
      return null;
    }

    Server registryServerSettings = decrypt(settings.getServer(registry));
    if (registryServerSettings == null) {
      return null;
    }

    return new RegistryCredentials(
        CREDENTIAL_SOURCE,
        Authorizations.withBasicCredentials(
            registryServerSettings.getUsername(), registryServerSettings.getPassword()));
  }

  @Nullable
  private Server decrypt(Server server) {
    if (server == null) {
      return null;
    }
    SettingsDecryptionRequest decryptionRequest = new DefaultSettingsDecryptionRequest(server);
    SettingsDecryptionResult decryptionResult = settingsDecrypter.decrypt(decryptionRequest);
    return decryptionResult.getServer();
  }

@chanseokoh
Member

@coollog just to get a quick answer for my convenience, we documented that Maven password encryption will work (https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#using-maven-settings), but in reality, we never implemented the logic to decrypt it?

@briandealwis
Member

briandealwis commented Jul 13, 2018

That's right @chanseokoh. I have it working, just trying to figure out how to best communicate back decryption problems.

And thanks @eddiewebb; I came across some examples too. Using @Nullable on the @Component tames nullaway. I'm not sure why we're not pulling the Settings using a @Component.
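
One way to surface the decryption problems discussed in the comments above, as an added example (not code posted in this thread and not jib's actual fix). The class and exception names are hypothetical, and the `Settings` and `SettingsDecrypter` instances are assumed to be injected by Maven into the plugin.

```java
import java.util.Optional;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.Settings;
import org.apache.maven.settings.building.SettingsProblem;
import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
import org.apache.maven.settings.crypto.SettingsDecrypter;
import org.apache.maven.settings.crypto.SettingsDecryptionResult;

/** Hypothetical helper: looks up a <server> entry and returns it decrypted. */
final class DecryptedServerLookup {

  /** Hypothetical exception: raised instead of using an undecrypted password. */
  static final class DecryptionFailedException extends Exception {
    DecryptionFailedException(String message) {
      super(message);
    }
  }

  private final Settings settings;
  private final SettingsDecrypter settingsDecrypter;

  DecryptedServerLookup(Settings settings, SettingsDecrypter settingsDecrypter) {
    this.settings = settings;
    this.settingsDecrypter = settingsDecrypter;
  }

  /** Returns the decrypted server, or empty if settings.xml has no such id. */
  Optional<Server> find(String serverId) throws DecryptionFailedException {
    Server server = settings.getServer(serverId);
    if (server == null) {
      return Optional.empty();
    }
    SettingsDecryptionResult result =
        settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server));
    // Failures come back as problems rather than exceptions; without this
    // check an undecrypted value could be sent to the registry as the password.
    for (SettingsProblem problem : result.getProblems()) {
      SettingsProblem.Severity severity = problem.getSeverity();
      if (severity == SettingsProblem.Severity.ERROR
          || severity == SettingsProblem.Severity.FATAL) {
        throw new DecryptionFailedException(
            "Cannot decrypt credentials for server '" + serverId + "': "
                + problem.getMessage());
      }
    }
    return Optional.ofNullable(result.getServer());
  }
}
```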

@coollog
Contributor

coollog commented Jul 20, 2018

Hi @eddiewebb, we just released version 0.9.7 - can you update to that version and try again?

@eddiewebb
Author

Confirmed! thanks @coollog !
(https://circleci.com/gh/eddiewebb/demo-blueskygreenbuilds/495)

@coollog
Contributor

coollog commented Jul 20, 2018

Great! Thanks to @briandealwis for the fix
