Vagrant: Bug: Can't download vagrant boxes from Jfrog artifactory with vagrant version 2.2.11 and up

Created on 26 Nov 2020  ·  4 Comments  ·  Source: hashicorp/vagrant

Vagrant version

2.2.11 and up

Host operating system

macOS v10.15.7

Vagrantfile

require 'net/http'

@box_name_latest = 'testbox'
@box_url_local_jfrog = "https://<custom_jfrog_url>/artifactory/api/vagrant/vagrant/#{@box_name_latest}"
ENV['VAGRANT_SERVER_URL'] = "https://<custom_jfrog_url>/artifactory/api/vagrant"

Vagrant.configure('2') do |config|
  config.vm.box = @box_name_latest
  config.vm.box_url = @box_url_local_jfrog
end


Debug output

https://gist.github.com/shailygupta/1e5c5b1286d3248ee840603f7b77ab6c

Expected behavior

Box gets downloaded from artifactory using the ATLAS_TOKEN and VAGRANT_SERVER_URL.
This worked up until vagrant version 2.2.10

Actual behavior

An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

The requested URL returned error: 403 Forbidden

Steps to reproduce

  1. Install the latest vagrant version
  2. Create a Vagrantfile similar to above
  3. Set your ATLAS_TOKEN in your environment
  4. Run vagrant up and try to download a box from artifactory (vagrant repo)

All 4 comments

We are experiencing the exact same issue. After some investigation it seems that the problem is that the Authorization HTTP header introduced in 2.2.11 contains the token in % escaped encoding. This makes authentication fail on Artifactory. My understanding of RFC2616 & RFC2396 is that escaped encoding is only permitted for URIs, but not in HTTP headers, so this seems to be a Vagrant issue.

We are affected by this issue and have stopped upgrading vagrant because of this. This is also tracked in artifactory jira here.

This looks like the related change.
@soapy1 I'm afraid my ruby-fu is not that good. Is it possible to change this code so that the token value doesn't get escaped? (@CognexBela does this sound right?)

I'm able to confirm this behavior with Vagrant 2.2.14 and Artifactory 7.4.1. No issues when trying the same with Vagrant 2.2.7.
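
The mismatch described in the comments above, as an added example that is not part of the original thread or Vagrant's own code: a token is percent-escaped before being placed in the Authorization header, and a server that compares the header value byte for byte rejects it. The token, the helper names, the server check and the use of `URI.encode_www_form_component` as the escaping function are all assumptions made for illustration; the thread does not name the function Vagrant calls.

```ruby
require 'uri'

# Constructed sample token (not a real credential). '+', '/' and '=' are
# common in base64-style API tokens and are all changed by percent-escaping.
SAMPLE_TOKEN = 'AKCp8+example/token=='

# Builds the header value. escape: true models the behaviour reported in the
# thread; the escaping function used here is an assumption.
def authorization_header(token, escape: false)
  value = escape ? URI.encode_www_form_component(token) : token
  "Bearer #{value}"
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical server-side check: the presented token is compared verbatim,
# with no percent-decoding of the header field.
def server_status(header_value, expected_token)
  scheme, presented = header_value.to_s.split(' ', 2)
  return 401 unless scheme == 'Bearer' && presented
  secure_equal?(presented, expected_token) ? 200 : 403
end

# True when escaping would alter the token, i.e. when a client that escapes
# header values would be locked out with this credential.
def altered_by_escaping?(token)
  URI.encode_www_form_component(token) != token
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |esc|
    header = authorization_header(SAMPLE_TOKEN, escape: esc)
    puts "escape=#{esc} #{header} -> #{server_status(header, SAMPLE_TOKEN)}"
  end
end
```

A token made only of letters and digits passes through escaping unchanged, which is why the failure depends on the characters in the token.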
