Use dotnet credential provider

dependabot · Feb 22, 2024 · 7610a8f · 7610a8f
1 parent 716baa8
commit 7610a8f
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/nuget/Dockerfile b/nuget/Dockerfile
@@ -24,7 +24,8 @@ RUN cd /tmp \
   && chmod +x dotnet-install.sh \
   && mkdir -p "${DOTNET_INSTALL_DIR}" \
   && ./dotnet-install.sh --version "${DOTNET_SDK_VERSION}" --install-dir "${DOTNET_INSTALL_DIR}" \
-  && rm dotnet-install.sh
+  && rm dotnet-install.sh \
+  && sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
 
 ENV PATH="${PATH}:${DOTNET_INSTALL_DIR}"
 RUN dotnet --list-runtimes

diff --git a/nuget/lib/dependabot/nuget/native_helpers.rb b/nuget/lib/dependabot/nuget/native_helpers.rb
@@ -113,10 +113,14 @@ def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency:, is_transiti
         (command, fingerprint) = get_nuget_updater_tool_command(repo_root: repo_root, proj_path: proj_path,
                                                                 dependency: dependency, is_transitive: is_transitive)
 
+        env = NuGetConfigCredentialHelpers.get_credentials_to_credential_helper_env(credentials)
+
         puts "running NuGet updater:\n" + command
 
         NuGetConfigCredentialHelpers.patch_nuget_config_for_action(credentials) do
-          output = SharedHelpers.run_shell_command(command, allow_unsafe_shell_command: true, fingerprint: fingerprint)
+          output = SharedHelpers.run_shell_command(command,
+                                                   allow_unsafe_shell_command: true, fingerprint: fingerprint,
+                                                   env: env)
           puts output
         end
       end

diff --git a/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb b/nuget/lib/dependabot/nuget/nuget_config_credential_helpers.rb
@@ -4,6 +4,8 @@
 module Dependabot
   module Nuget
     module NuGetConfigCredentialHelpers
+      extend T::Sig
+
       def self.user_nuget_config_path
         home_directory = Dir.home
         File.join(home_directory, ".nuget", "NuGet", "NuGet.Config")
@@ -48,6 +50,36 @@ def self.add_credentials_to_nuget_config(credentials)
         File.write(user_nuget_config_path, nuget_config)
       end
 
+      sig { params(credentials: T::Array[Dependabot::Credential]).returns(T::Hash[String, String]) }
+      def self.get_credentials_to_credential_helper_env(credentials)
+        env = {}
+
+        nuget_credentials = credentials.select { |cred| cred["type"] == "nuget_feed" }
+
+        if nuget_credentials.any?
+          endpoint_credentials = []
+
+          nuget_credentials.each do |c|
+            next unless c["token"]
+
+            exploded_token = T.must(c["token"]).split(":", 2)
+
+            next unless exploded_token.length == 2
+
+            username = exploded_token[0]
+            password = exploded_token[1]
+
+            endpoint_credentials << <<~NUGET_ENDPOINT_CREDENTIAL
+              {"endpoint":"#{c['url']}", "username":"#{username}", "password":"#{password}"}
+            NUGET_ENDPOINT_CREDENTIAL
+          end
+
+          env["VSS_NUGET_EXTERNAL_FEED_ENDPOINTS"] = "{\"endpointCredentials\": [#{endpoint_credentials.join(',')}]}"
+        end
+
+        env
+      end
+
       def self.restore_user_nuget_config
         return unless File.exist?(temporary_nuget_config_path)