Re: Maven Security, @Component and MNG-4384

Mon, 24 Jun 2019 05:13:07 -0700 

Here is what i'm using:

     @Parameter(property = "myplugin.repository")
     private String repository;

     @Parameter(defaultValue = "${session}", readonly = true)
     private MavenSession session;

     @Component
     private SettingsDecrypter settingsDecrypter;

     void someMethod() {
                     Server credentials =
session.getSettings().getServer(repository);
                     if (credentials != null) {
                         credentials =
                                 ofNullable(settingsDecrypter.decrypt(new
DefaultSettingsDecryptionRequest(credentials)))

 .map(SettingsDecryptionResult::getServer) // can be null if it does not
need decryption
                                         .orElse(credentials);
                     }
    }

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


Le lun. 24 juin 2019 à 12:34, Martin Gainty <mgai...@hotmail.com> a écrit :

>   <server>
>       <id>server001</id>
>       <username>my_login</username>
>       <password>my_password</password>
>       <privateKey>${user.home}/.ssh/id_dsa</privateKey>
>       <passphrase>some_passphrase</passphrase>
>       <filePermissions>664</filePermissions>
>       <directoryPermissions>775</directoryPermissions>
>       <configuration></configuration>
>     </server>
>
> from ${MAVEN_HOME}/conf/settings.xml
>
>
> https://maven.apache.org/ref/3.3.9/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecryptionRequest.html#setServers(java.util.List)
>
> so your
> org.apache.maven.settings.crypto.SettingsDecryptionRequest.setServers needs
> to gather up
> the list of server ids from {MAVEN_HOME}/conf/settings.xml
>
> not so clear as javadoc is missing from maven-settings-builder
> site..romain can you post this info on
> http://maven.apache.org/ref/3.6.1/maven-settings-builder/
>
> ?
> thanks
>
> ________________________________
> From: Romain Manni-Bucau <rmannibu...@gmail.com>
> Sent: Monday, June 24, 2019 1:11 AM
> To: Maven Developers List
> Subject: Re: Maven Security, @Component and MNG-4384
>
> Hi
>
> Did you have a look to org.apache.maven.settings.crypto.SettingsDecrypter?
>
> It can be injected as a component then you can call decrypt on it passing a
> request to the method. You get a new null server if it is not encrypted or
> the new server with everything in clear.
>
> Would that work better for you?
>
> Romain
>
> Le lun. 24 juin 2019 à 03:31, Chris Graham <chrisgw...@gmail.com> a écrit
> :
>
> > Hi everyone,
> >
> > I need to add the ability to load users, passwords etc in a 3rd party
> > plugin.
> >
> > It currently requires a userid and password in the <configuration>
> section
> > of the pom (ugh), ideally, I'd like to look them up from the <servers>
> > section of settings.xml, and even better yet, make use of being able to
> > decrypt passwords.
> >
> > So I did what we all do, and go and look to see what has been done
> before,
> > and I came across this:
> >
> >
> >
> /maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java:
> >
> >     /**
> >      * When this plugin requires Maven 3.0 as minimum, this component can
> > be removed and o.a.m.s.c.SettingsDecrypter be
> >      * used instead.
> >      */
> >     @Component( hint = "mng-4384" )
> >     private SecDispatcher secDispatcher;
> >
> > and:
> >
> >
> >
> /maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml:
> >
> > <component-set>
> >   <components>
> >     <component>
> >
> > <role>org.sonatype.plexus.components.sec.dispatcher.SecDispatcher</role>
> >       <role-hint>mng-4384</role-hint>
> >
> >
> >
> <implementation>org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher</implementation>
> >       <requirements>
> >         <requirement>
> >           <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>
> >           <role-hint>mng-4384</role-hint>
> >           <field-name>_cipher</field-name>
> >         </requirement>
> >       </requirements>
> >       <configuration>
> >
> > <_configuration-file>~/.m2/settings-security.xml</_configuration-file>
> >       </configuration>
> >     </component>
> >     <component>
> >       <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>
> >       <role-hint>mng-4384</role-hint>
> >
> >
> >
> <implementation>org.sonatype.plexus.components.cipher.DefaultPlexusCipher</implementation>
> >     </component>
> >   </components>
> > </component-set>
> >
> > So, I'm left with the question, what is the current, correct way of
> > accessing userids, passwords (encrypted or not)?
> >
> > I could simply, copy the same approach, but I'd prefer not too, as it's a
> > good opportunity 'to do it right'.
> >
> > Any suggestions?
> >
> > Would we then consider updating the existing maven plugins to support
> this?
> >
> > @Stephen, sounds like a good idea for a blog entry? ;)
> >
>

Reply via email to