NuGet feed credentials configured with only username/password raise 401 errors in repository_finder and metadata_finder #10357

Closed
rhyskoedijk opened this issue Aug 3, 2024 · 2 comments
Labels
L: dotnet:nuget NuGet packages via nuget or dotnet L: git:submodules Git submodules T: bug 🐞 Something isn't working


rhyskoedijk commented Aug 3, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

NuGet

Package manager version

v0.267.0

Language version

No response

Manifest location and content before the Dependabot update

WebApplication1.csproj
https://github.com/rhyskoedijk/dependabot-tests/blob/main/NetFx-PrivateFeeds/WebApplication1.csproj

packages.config
https://github.com/rhyskoedijk/dependabot-tests/blob/main/NetFx-PrivateFeeds/packages.config

dependabot.yml content

Executed using command line:

LOCAL_CONFIG_VARIABLES='[{"type":"nuget_feed","password":"*****","url":"https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json"},{"type":"nuget_feed","username":"*****","password":"*****","url":"https://nuget.telerik.com/v3/index.json"}]'
bin/dry-run.rb nuget rhyskoedijk/dependabot-tests --dir="/NetFx-PrivateFeeds" --dep="Telerik.Reporting"

Equivalent config is:

version: 2
registries:
  private-devops:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json
    password: ${{secrets.PRIVATE_AZURE_DEVOPS_FEED_PAT}}
  telerik:
    type: nuget-feed
    url: https://nuget.telerik.com/v3/index.json
    username: ${{secrets.TELERIK_USERNAME}}
    password: ${{secrets.TELERIK_PASSWORD}}
updates:
  - package-ecosystem: "nuget"
    directory: "/NetFx-PrivateFeeds"
    registries: "*"

Updated dependency

Telerik.Reporting from 10.1.16.615 to 15.1.21.616

What you expected to see, versus what you actually saw

I expect no authentication errors when querying the nuget feeds using username/password.
I actually see 401 errors.

The code for repository_finder and metadata_finder currently only works with feeds configured using a token. The documentation on configuration options for private registries and #8927 (comment) suggest that username/password should work.

Updater logs:

=> cloning into /home/dependabot/tmp/rhyskoedijk/dependabot-tests
=> parsing dependency files
running NuGet discovery:
/opt/nuget/NuGetUpdater/NuGetUpdater.Cli discover --repo-root /home/dependabot/tmp/rhyskoedijk/dependabot-tests --workspace /NetFx-PrivateFeeds --output /tmp/.dependabot/discovery.1.json --verbose
Discovering build files in workspace [/home/dependabot/tmp/rhyskoedijk/dependabot-tests/NetFx-PrivateFeeds].
  No dotnet-tools.json file found.
  No global.json file found.
  Discovering projects beneath [NetFx-PrivateFeeds].
  Discovered [packages.config] file.
  Central Package Management is not enabled.
Discovery complete.
I, [2024-08-03T08:43:01.410406 #10359]  INFO -- : Discovery JSON content: {
  "Path": "NetFx-PrivateFeeds",
  "IsSuccess": true,
  "Projects": [
    {
      "FilePath": "WebApplication1.csproj",
      "Dependencies": [
        {
          "Name": "Microsoft.NETFramework.ReferenceAssemblies",
          "Version": "1.0.3",
          "Type": "Unknown",
          "EvaluationResult": null,
          "TargetFrameworks": [
            "net481"
          ],
          "IsDevDependency": false,
          "IsDirect": false,
          "IsTransitive": true,
          "IsOverride": false,
          "IsUpdate": false,
          "InfoUrl": null
        },
        {
          "Name": "Telerik.Reporting",
          "Version": "10.1.16.615",
          "Type": "PackagesConfig",
          "EvaluationResult": null,
          "TargetFrameworks": [
            "net481"
          ],
          "IsDevDependency": false,
          "IsDirect": false,
          "IsTransitive": false,
          "IsOverride": false,
          "IsUpdate": false,
          "InfoUrl": null
        }
      ],
      "IsSuccess": true,
      "Properties": [
        ...snip...
      ],
      "TargetFrameworks": [
        "net481"
      ],
      "ReferencedProjectPaths": []
    }
  ],
  "DirectoryPackagesProps": null,
  "GlobalJson": null,
  "DotNetToolsJson": null,
  "ErrorType": null,
  "ErrorDetails": null
}
=> updating 1 dependencies: Telerik.Reporting
...snip...

Logged auth errors for the Azure DevOps private nuget-feed:

=== Telerik.Reporting (10.1.16.615)
 => checking for updates 1/1
🌍 --> GET https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json
🌍 <-- 401 https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json
 => handled error whilst updating Telerik.Reporting: private_source_authentication_failure {:source=>"https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json"}
🌍 Total requests made: '1'

Logged auth errors for the Telerik nuget-feed:

=== Telerik.Reporting (10.1.16.615)
 => checking for updates 1/1
🌍 --> GET https://nuget.telerik.com/v3/index.json
🌍 <-- 401 https://nuget.telerik.com/v3/index.json
 => handled error whilst updating Telerik.Reporting: private_source_authentication_failure {:source=>"https://nuget.telerik.com/v3/index.json"}
🌍 Total requests made: '1'

Logged auth errors for the metadata finder:

🌍 --> GET https://nuget.telerik.com/v3/package/telerik.reporting/15.1.21.616/telerik.reporting.nuspec
🌍 <-- 401 https://nuget.telerik.com/v3/package/telerik.reporting/15.1.21.616/telerik.reporting.nuspec
🌍 --> GET https://nuget.telerik.com/v3/index.json
🌍 <-- 401 https://nuget.telerik.com/v3/index.json

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

Repo:
https://github.com/rhyskoedijk/dependabot-tests/tree/main/NetFx-PrivateFeeds

Dry-run command:

LOCAL_CONFIG_VARIABLES='[{"type":"nuget_feed","password":"*****","url":"https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json"},{"type":"nuget_feed","username":"*****","password":"*****","url":"https://nuget.telerik.com/v3/index.json"}]'
bin/dry-run.rb nuget rhyskoedijk/dependabot-tests --dir="/NetFx-PrivateFeeds" --dep="Telerik.Reporting"
Contributor

brettfo commented Aug 7, 2024

Are you able to run an update job with the official Docker images? There's been a recent effort to remove all credential and authentication handling from the Ruby code and only do it in the proxy image. If you run dependabot from the CLI tool then it'll do the correct thing and use a separate proxy handler for all authentication.

@rhyskoedijk
Author

I'm going to close this as after reading more into @brettfo's comment and the git history around auth, it seems clear that this is intended behavior when the proxy handler is not running.

Unfortunately I can't run the CLI tool as I need to run dependabot on Azure DevOps and many of the features I need are not currently supported by dependabot-core (e.g. auto-complete, policy by-pass, merge strategies, etc), but that is unrelated to this issue.
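
An added illustration, not dependabot-core's or the proxy's code: one way a client could turn the nuget_feed credential shapes discussed in this thread (token, username/password, password only) into an HTTP Basic header, attaching it only to requests on the feed's own HTTPS origin. The helper names, the sample hosts and values, and the assumption that the feeds accept Basic authentication are all constructed for the example.

```ruby
require "uri"

# Constructed sample credentials in the three shapes discussed; all values are placeholders.
SAMPLE_CREDENTIALS = [
  { "type" => "nuget_feed", "password" => "example-pat",
    "url" => "https://pkgs.example.com/org/_packaging/feed/nuget/v3/index.json" },
  { "type" => "nuget_feed", "username" => "example-user", "password" => "example-pass",
    "url" => "https://nuget.example.com/v3/index.json" },
  { "type" => "nuget_feed", "token" => "example-token",
    "url" => "https://token.example.com/v3/index.json" }
].freeze

# Hypothetical helper: the "user:secret" pair for one credential, or nil if it has no secret.
def basic_pair(cred)
  token = cred["token"].to_s
  unless token.empty?
    # A token may already be "user:secret"; otherwise treat it as a bare secret.
    return token.include?(":") ? token : ":#{token}"
  end
  password = cred["password"].to_s
  return nil if password.empty?

  "#{cred['username']}:#{password}" # password only => empty username, as with a PAT
end

# Hypothetical helper: [scheme, host, port] of a URL, used to compare origins.
def origin(url)
  uri = URI.parse(url)
  [uri.scheme, uri.host.to_s.downcase, uri.port]
end

# Returns the headers to add to a request. A credential is used only when the
# request targets the same HTTPS origin as its feed, so secrets never reach
# another host or travel in clear text.
def auth_headers_for(request_url, credentials)
  target = origin(request_url)
  return {} unless target.first == "https"

  cred = credentials.find { |c| c["type"] == "nuget_feed" && origin(c["url"]) == target }
  pair = cred && basic_pair(cred)
  # pack("m0") is strict Base64 with no line breaks.
  pair ? { "Authorization" => "Basic #{[pair].pack('m0')}" } : {}
end
```

Matching on origin rather than the full feed URL is what lets the same credential cover a .nuspec request on the feed's host, like the metadata finder request logged in the issue.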
