Description of the issue:
When credentials in settings.xml are encrypted, jib throws a 401 error, but other tools (including https://github.com/jelmerk/maven-settings-decoder) show the proper password.
If I leave the password in plaintext in settings.xml it works.
Expected behavior:
Credentials should be decrypted; I expect they are being passed as is.
Steps to reproduce:
mvn --encrypt-master-password <some-string>
# save output to settings-security.xml per docs
mvn --encrypt-password <docker registry password>
# save output to settings.xml server section per docs
mvn compile jib:build
#
Environment:
Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T03:58:13-04:00)
Maven home: /Users/eddie/.m2/wrapper/dists/apache-maven-3.5.2-bin/28qa8v9e2mq69covern8vmdkj0/apache-maven-3.5.2
Java version: 1.8.0_172, vendor: Oracle Corporation
Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_172.jdk/Contents/Home/jre
jib-maven-plugin Configuration:
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <version>0.9.4</version>
  <configuration>
    <to>
      <image>registry.hub.docker.com/eddiewebb/blueskygreenbuilds-demo</image>
    </to>
    <container>
      <jvmFlags>
        <jvmFlag>-Dcircle_build_num=99</jvmFlag>
        <jvmFlag>-Dcircle_commit=1234abcdef</jvmFlag>
        <jvmFlag>-Dcircle_user=eddiewebb</jvmFlag>
        <jvmFlag>-Dcircle_repo=demo-repo</jvmFlag>
        <jvmFlag>-Dcircle_workflow_guid=1234</jvmFlag>
        <jvmFlag>-Dvcap.application.name=blueskygreenbuilds-test</jvmFlag>
      </jvmFlags>
      <ports>
        <port>8080</port>
      </ports>
    </container>
  </configuration>
</plugin>
~/.m2/settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <servers>
    <server>
      <id>registry.hub.docker.com</id>
      <username>eddiewebb</username>
      <password>{output from --encrypt-password above}</password>
    </server>
  </servers>
</settings>
~/.m2/settings-security.xml
<settingsSecurity>
  <master>{output from --encrypt-master-password above}</master>
</settingsSecurity>
Log output:
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.4:build (default-cli) on project blueskygreenbuilds: Build image failed, perhaps you should make sure your credentials for 'registry.hub.docker.com' are set up correctly: Unauthorized for registry.hub.docker.com/user/imagename: 401 Unauthorized
[ERROR] {"details":"incorrect username or password"}
Additional Information:
To debug I first ran maven with -X, and it confirms the existence of env.maven_security_master={output from --encrypt-master-password}
I then used https://github.com/jelmerk/maven-settings-decoder to decrypt maven credentials.
./settings-decoder/bin/settings-decoder -f ~/.m2/settings.xml -s ~/.m2/settings-security.xml
Master password is : yep-thats-what-I-entered-above
-------------------------------------------------------------------------
Credentials for server registry.hub.docker.com are :
Username : eddiewebb
Password : yep-that-also-is-my-correct-password-for-docker-that-works-in-plaintext
There are no special characters in my password (letters and numbers) and no special characters in the generated values (I also tried several iterations)
I have seen the mvn release plugin require certain version, so perhaps some dependency of jib is not where it needs to be?
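An added example, not part of the original report or of jib's code: a Python audit of the settings.xml and settings-security.xml layout shown above, reporting which server entries hold encrypted, plaintext or no passwords, plus a guard against sending a still-encrypted value as the password. The server ids and values are constructed, and the brace test assumes that an unescaped `{...}` wrapper marks an encrypted value, as in the placeholders in the report.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: an encrypted value is wrapped in unescaped braces, like the
# "{output from --encrypt-password above}" placeholder in the report.
ENCRYPTED = re.compile(r"(?<!\\)\{.+?(?<!\\)\}", re.S)

def local(tag):
    """Drop the XML namespace so files with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]

def classify(value):
    if value is None or not value.strip():
        return "absent"
    return "encrypted" if ENCRYPTED.search(value) else "plaintext"

def audit_servers(settings_xml):
    """Map each <server> id to the state of its <password>."""
    states = {}
    for el in ET.fromstring(settings_xml).iter():
        if local(el.tag) == "server":
            fields = {local(c.tag): c.text for c in el}
            states[fields.get("id")] = classify(fields.get("password"))
    return states

def has_master(security_xml):
    """True if settings-security.xml carries an encrypted <master> entry."""
    return any(local(e.tag) == "master" and classify(e.text) == "encrypted"
               for e in ET.fromstring(security_xml).iter())

def require_decrypted(password):
    """Guard for the failure in this report: refuse to send a value that is
    still in encrypted form to a registry as the password."""
    if classify(password) == "encrypted":
        raise ValueError("password is still Maven-encrypted; decrypt it first")
    return password

# Constructed sample input; ids and values are made up.
SAMPLE_SETTINGS = r"""<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>registry.example.test</id><username>u</username>
      <password>{Q09OU1RSVUNURUQ=}</password></server>
    <server><id>legacy.example.test</id><password>hunter2</password></server>
    <server><id>escaped.example.test</id><password>\{literal\}</password></server>
    <server><id>keyauth.example.test</id><username>u</username></server>
  </servers>
</settings>"""
SAMPLE_SECURITY = "<settingsSecurity><master>{TUFTVEVS}</master></settingsSecurity>"

if __name__ == "__main__":
    print(audit_servers(SAMPLE_SETTINGS), has_master(SAMPLE_SECURITY))
```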
Hi @eddiewebb, thanks for reporting this issue! We will investigate this as a high priority issue. @GoogleContainerTools/java-tools
@briandealwis - for what it's worth I believe the maven 3.0+ way to decrypt is with https://maven.apache.org/ref/3.2.5/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecrypter.html, I was working on a PR but am not sure of your preference on injecting the component from plexus container. Nullaway yelled at me for trying a simple @component annotation.
i.e. in MavenSettingsServerCredentials
/**
 * Attempts to retrieve credentials for {@code registry} from Maven settings.
 *
 * @param registry the registry
 * @return the credentials for the registry
 */
@Nullable
RegistryCredentials retrieve(@Nullable String registry) {
  if (registry == null) {
    return null;
  }
  // getServer() returns null when settings.xml has no <server> with this id.
  Server registryServerSettings = decrypt(settings.getServer(registry));
  if (registryServerSettings == null) {
    return null;
  }
  return new RegistryCredentials(
      CREDENTIAL_SOURCE,
      Authorizations.withBasicCredentials(
          registryServerSettings.getUsername(), registryServerSettings.getPassword()));
}

/** Returns a copy of {@code server} with its password decrypted, or null if there is no server. */
@Nullable
private Server decrypt(@Nullable Server server) {
  if (server == null) {
    return null;
  }
  SettingsDecryptionRequest decryptionRequest = new DefaultSettingsDecryptionRequest(server);
  SettingsDecryptionResult decryptionResult = settingsDecrypter.decrypt(decryptionRequest);
  return decryptionResult.getServer();
}
@coollog just to get a quick answer for my convenience, we documented that Maven password encryption will work (https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#using-maven-settings), but in reality, we never implemented the logic to decrypt it?
That's right @chanseokoh. I have it working, just trying to figure out how to best communicate back decryption problems.
And thanks @eddiewebb; I came across some examples too. Using @Nullable on the @Component tames nullaway. I'm not sure why we're not pulling the Settings using a @Component.
Hi @eddiewebb, we just released version 0.9.7 - can you update to that version and try again?
Confirmed! thanks @coollog !
(https://circleci.com/gh/eddiewebb/demo-blueskygreenbuilds/495)
Great! Thanks to @briandealwis for the fix