Re: Maven Security, @Component and MNG-4384

2019-06-24 Thread Martin Gainty
  
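  <server>
    <id>server001</id>
    <username>my_login</username>
    <password>my_password</password>
    <privateKey>${user.home}/.ssh/id_dsa</privateKey>
    <passphrase>some_passphrase</passphrase>
    <filePermissions>664</filePermissions>
    <directoryPermissions>775</directoryPermissions>
  </server>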
  


from ${MAVEN_HOME}/conf/settings.xml

https://maven.apache.org/ref/3.3.9/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecryptionRequest.html#setServers(java.util.List)

so your org.apache.maven.settings.crypto.SettingsDecryptionRequest.setServers
needs to gather up the list of server ids from {MAVEN_HOME}/conf/settings.xml

not so clear as javadoc is missing from maven-settings-builder site. Romain,
can you post this info on
http://maven.apache.org/ref/3.6.1/maven-settings-builder/ ?

thanks


From: Romain Manni-Bucau 
Sent: Monday, June 24, 2019 1:11 AM
To: Maven Developers List
Subject: Re: Maven Security, @Component and MNG-4384

Hi

Did you have a look at org.apache.maven.settings.crypto.SettingsDecrypter?

It can be injected as a component then you can call decrypt on it passing a
request to the method. You get a new null server if it is not encrypted or
the new server with everything in clear.

Would that work better for you?

Romain

On Mon, 24 Jun 2019 at 03:31, Chris Graham wrote:

> Hi everyone,
>
> I need to add the ability to load users, passwords etc in a 3rd party
> plugin.
>
> It currently requires a userid and password in the  section
> of the pom (ugh), ideally, I'd like to look them up from the 
> section of settings.xml, and even better yet, make use of being able to
> decrypt passwords.
>
> So I did what we all do, and go and look to see what has been done before,
> and I came across this:
>
>
> /maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java:
>
> /**
>  * When this plugin requires Maven 3.0 as minimum, this component can be removed and o.a.m.s.c.SettingsDecrypter be
>  * used instead.
>  */
> @Component( hint = "mng-4384" )
> private SecDispatcher secDispatcher;
>
> and:
>
>
> /maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml:
>
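> <component-set>
>   <components>
>     <component>
>       <role>org.sonatype.plexus.components.sec.dispatcher.SecDispatcher</role>
>       <role-hint>mng-4384</role-hint>
>       <implementation>org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher</implementation>
>       <requirements>
>         <requirement>
>           <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>
>           <role-hint>mng-4384</role-hint>
>           <field-name>_cipher</field-name>
>         </requirement>
>       </requirements>
>       <configuration>
>         <_configuration-file>~/.m2/settings-security.xml</_configuration-file>
>       </configuration>
>     </component>
>     <component>
>       <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>
>       <role-hint>mng-4384</role-hint>
>       <implementation>org.sonatype.plexus.components.cipher.DefaultPlexusCipher</implementation>
>     </component>
>   </components>
> </component-set>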
>
> So, I'm left with the question, what is the current, correct way of
> accessing userids, passwords (encrypted or not)?
>
> I could simply copy the same approach, but I'd prefer not to, as it's a
> good opportunity 'to do it right'.
>
> Any suggestions?
>
> Would we then consider updating the existing maven plugins to support this?
>
> @Stephen, sounds like a good idea for a blog entry? ;)
>


Re: Maven Security, @Component and MNG-4384

2019-06-24 Thread Romain Manni-Bucau
Here is what I'm using:

 // uses: import static java.util.Optional.ofNullable;

 @Parameter(property = "myplugin.repository")
 private String repository;

 @Parameter(defaultValue = "${session}", readonly = true)
 private MavenSession session;

 @Component
 private SettingsDecrypter settingsDecrypter;

 void someMethod() {
     Server credentials = session.getSettings().getServer(repository);
     if (credentials != null) {
         credentials = ofNullable(settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(credentials)))
                 .map(SettingsDecryptionResult::getServer) // can be null if it does not need decryption
                 .orElse(credentials);
     }
 }

Romain Manni-Bucau
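
The lookup described in this reply, written out as a complete Mojo. This is an added example, not code from the thread or from the Maven project; the goal name `show-login` and the class name are hypothetical. It stops the build when decryption reports a problem and keeps the password out of the log.

```java
import java.util.Optional;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.building.SettingsProblem;
import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
import org.apache.maven.settings.crypto.SettingsDecrypter;
import org.apache.maven.settings.crypto.SettingsDecryptionResult;

@Mojo(name = "show-login") // hypothetical goal name
public class ServerCredentialsMojo extends AbstractMojo {

    @Parameter(property = "myplugin.repository", required = true)
    private String repository; // id of a <server> entry in settings.xml

    @Parameter(defaultValue = "${session}", readonly = true)
    private MavenSession session;

    @Component
    private SettingsDecrypter settingsDecrypter;

    @Override
    public void execute() throws MojoExecutionException {
        Server configured = session.getSettings().getServer(repository);
        if (configured == null) {
            throw new MojoExecutionException("No <server> with id '" + repository + "' in settings.xml");
        }
        SettingsDecryptionResult result =
                settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(configured));
        // Decryption failures come back as problems rather than exceptions; stop here
        // instead of going on with a password that was not decrypted.
        for (SettingsProblem problem : result.getProblems()) {
            throw new MojoExecutionException("Server '" + repository + "': " + problem.getMessage());
        }
        // Fall back to the configured entry if the result carries no server.
        Server server = Optional.ofNullable(result.getServer()).orElse(configured);
        // Log only non-secret fields; the clear-text password stays in memory for the client call.
        getLog().info("Using server '" + server.getId() + "' as user " + server.getUsername()
                + " (password " + (server.getPassword() == null ? "absent" : "present") + ")");
    }
}
```

Run it with `-Dmyplugin.repository=server001` to resolve the `<server>` entry with that id.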





[VOTE] Release Maven Site Plugin version 3.8

2019-06-24 Thread Michael Osipov

Hi,

We solved 10 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317923&version=12343145

There are still a couple of issues left in JIRA:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20MSITE%20AND%20resolution%20%3D%20Unresolved

Staging repo:
https://repository.apache.org/content/repositories/maven-1518/
https://repository.apache.org/content/repositories/maven-1518/org/apache/maven/plugins/maven-site-plugin/3.8/maven-site-plugin-3.8-source-release.zip

Source release checksum(s):
maven-site-plugin-3.8-source-release
sha512: 
5d2b1bd671052179a27a55ca3bbc5ed82c3a0c3a16f2cfb20b3b06388fc4e4fa71e571d958d93d665df8b4f1add7b47a0480df7e9139ccee77f7ee906485f189


Staging site:
https://maven.apache.org/plugins-archives/maven-site-plugin-LATEST/

Guide to testing staged releases:
https://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours.

[ ] +1
[ ] +0
[ ] -1




Re: Maven Security, @Component and MNG-4384

2019-06-24 Thread Chris Graham
Thanks all, I will investigate!
