RE: Re: Custom auth plugin/extension - how to?

2024-06-11 Thread David Grieve
A “maven-rfc” repo is a good idea if the issue of governance can be worked out. 
There will be a good deal of overhead related to maintaining, gatekeeping, and 
administration of such a repository. If RFCs were just specs with problem 
statements, decision records, that might be easier. An RFC should also be 
sponsored/owned by a committer. The work could happen in a fork somewhere that 
was established by the sponsor who could then manage whether to leave it wide 
open for contribution or to a select few.

As for Bernd’s question and the “Handling sensitive data in Maven” wiki, 
couldn’t this problem be solved by injecting an implementation of 
org.apache.maven.settings.building.SettingsBuilder to suit your needs? For 
example, I could have a SettingsBuilder that gets settings from some on-line 
storage (imagine a build environment where “settings.xml” is centralized).

On 2024/06/05 20:31:40 Tamás Cservenák wrote:
> Asf wiki is not the best place for brainstorming, as is usable only for
> people w asf accounts (i guess).
>
> What if we create a repo like "maven-rfc", where anyone can raise PRs (new
> functionality, change requests or just ideas), these would be like
> "proposals", that we discuss and modify specs w PRs, and once proposal
> considered "complete", it can be moved to "to be implemented" state (those
> could be plain directories), maybe even version those things?
>
> And then implementation can happen based on documented
> requirements/functionality?
>
> T
>
> On Wed, Jun 5, 2024, 20:27 Tamás Cservenák <ta...@cservenak.net> wrote:
>
> > Howdy,
> >
> > Bernd, I would be very interested to collect some ideas to solve exactly
> > this problem...
> > When I revamped maven-gpg-plugin re "worst practices", I started tinkering
> > about this...
> >
> > Created page just to gather ideas...
> >
> > https://cwiki.apache.org/confluence/display/MAVEN/Handling+sensitive+data+in+Maven
> >
> > Unsure if this is editable for you... we may want some other place for
> > brainstorming?
> >
> > Thanks
> > T
> >
> > On Wed, Jun 5, 2024 at 7:24 PM Bernd Eckenfels <ec...@zusammenkunft.net>
> > wrote:
> >
> >> BTW Speaking of “custom”, I would be very interested in
> >> a token based authentication, at least for read access to
> >> our repository server and mirror, we currently ship a static
> >> read-only login, and also we don’t want to allow putting
> >> their write (LDAP Login) credentials into files.
> >>
> >> If the maven ecosystem would have an OS/Token method
> >> like requesting a JWT token from a distribution point which
> >> uses native Kerberos SSPI or user certificates that would
> >> greatly improve this.
> >>
> >> What’s your plan for that auth, can you upstream it?
> >>
> >> Gruß
> >> Bernd
> >>
> >> David Grieve wrote on 4. June 2024 20:33 (GMT +02:00):
> >>
> >> > Thank you for the hint, Tamás.
> >> >
> >> > The problem I’m trying to solve is that I want a custom Authentication
> >> > for a particular server. I do not want to re-implement HttpTransporter.
> >> > Here are the important bits of what I’ve come up with.
> >> > --
> >> > public class MyTransporterFactory implements TransporterFactory {
> >> >
> >> >     // copied from org.eclipse.aether.transport.http.HttpTransporterFactory
> >> >     private static Map<String, ChecksumExtractor> getManuallyCreatedExtractors() {
> >> >         HashMap<String, ChecksumExtractor> map = new HashMap<>();
> >> >         map.put(Nexus2ChecksumExtractor.NAME, new Nexus2ChecksumExtractor());
> >> >         map.put(XChecksumChecksumExtractor.NAME, new XChecksumChecksumExtractor());
> >> >         return Collections.unmodifiableMap(map);
> >> >     }
> >> >
> >> >     // I’m not happy with this...
> >> >     private final HttpTransporterFactory httpTransporterFactory =
> >> >             new HttpTransporterFactory(getManuallyCreatedExtractors());
> >> >
> >> >     @Override
> >> >     public Transporter newInstance(RepositorySystemSession session, RemoteRepository repository)
> >> >             throws NoTransporterException {
> >> >
> >> >         if (requiresSpecialAuth(repository)) {
> >> >             repository = new Re

Re: [EXTERNAL] Re: Re: Custom auth plugin/extension - how to?

2024-06-05 Thread David Grieve
Thanks again, Tamás. It is comforting to know that my implementation was not 
far off.

From: Tamás Cservenák 
Date: Wednesday, June 5, 2024 at 3:38 AM
To: Maven Users List 
Subject: [EXTERNAL] Re: Re: Custom auth plugin/extension - how to?

Howdy,

I'd do it as this:
https://gist.github.com/cstamas/5c787875fc3196dbd200e3bd24692c98

Facts:
- make priority higher than that of HTTP - this makes sure your transport
will be always asked before Http one
- just delegate/reuse http transport, no need to reimplement anything (make
it also a JSR330 component!)
- in newInstance there is a check (copied from http transport) to ensure
httpTransport will not throw, then do your thing, and call into
httpTransport

HTH
T

On Tue, Jun 4, 2024 at 8:34 PM David Grieve
 wrote:

> Thank you for the hint, Tamás.
>
> The problem I’m trying to solve is that I want a custom Authentication for
> a particular server. I do not want to re-implement HttpTransporter. Here
> are the important bits of what I’ve come up with.
> --
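> import java.util.Collections;
> import java.util.HashMap;
> import java.util.Map;
>
> import org.eclipse.aether.RepositorySystemSession;
> import org.eclipse.aether.repository.RemoteRepository;
> import org.eclipse.aether.spi.connector.transport.Transporter;
> import org.eclipse.aether.spi.connector.transport.TransporterFactory;
> import org.eclipse.aether.transfer.NoTransporterException;
> import org.eclipse.aether.transport.http.ChecksumExtractor;
> import org.eclipse.aether.transport.http.HttpTransporterFactory;
> import org.eclipse.aether.transport.http.Nexus2ChecksumExtractor;
> import org.eclipse.aether.transport.http.XChecksumChecksumExtractor;
>
> public class MyTransporterFactory implements TransporterFactory {
>
>     // copied from org.eclipse.aether.transport.http.HttpTransporterFactory
>     private static Map<String, ChecksumExtractor> getManuallyCreatedExtractors() {
>         HashMap<String, ChecksumExtractor> map = new HashMap<>();
>         map.put(Nexus2ChecksumExtractor.NAME, new Nexus2ChecksumExtractor());
>         map.put(XChecksumChecksumExtractor.NAME, new XChecksumChecksumExtractor());
>         return Collections.unmodifiableMap(map);
>     }
>
>     // I’m not happy with this...
>     private final HttpTransporterFactory httpTransporterFactory =
>             new HttpTransporterFactory(getManuallyCreatedExtractors());
>
>     @Override
>     public Transporter newInstance(RepositorySystemSession session, RemoteRepository repository)
>             throws NoTransporterException {
>         // Swap in the custom Authentication only for the server that needs it
>         if (requiresSpecialAuth(repository)) {
>             repository = new RemoteRepository.Builder(repository)
>                     .setAuthentication(new MyAuthentication(repository))
>                     .build();
>         }
>         // Delegate the actual transfer to the stock HTTP transport
>         return httpTransporterFactory.newInstance(session, repository);
>     }
>
>     // getPriority(), requiresSpecialAuth() and MyAuthentication are not shown in the post
> }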
> --
>
> Then “MyAuthentication” does the right thing for the fill method.
>
> This approach is working for me, but I’d be interested to know if there is
> a better way. I do not want to re-implement HttpTransport!
>
>
> On 2024/06/03 20:25:48 Tamás Cservenák wrote:
> > Howdy,
> >
> > What are you trying to do? You may go better if you implement custom
> > (resolver) transport maybe?
> >
> > Thanks
> > T
> >
> > On Mon, Jun 3, 2024, 22:22 David Grieve <da...@microsoft.com.invalid>
> > wrote:
> >
> > > My questions are: Is this doable and, if so, how would one go about it?
> > >
> > > I’m trying to cobble together a plugin/extension that will either get an
> > > auth token for resolving an artifact before the artifact is resolved, or
> > > will get an auth token if the resolution returns a 401.
> > > The plugin route happens too late in the execution, but I’ve found that
> > > with an AbstractMavenLifecycleParticipant at least afterProjectsRead gets
> > > called before artifact resolution. However, I can’t seem to affect the
> > > server password in a way that allows artifact resolution to succeed.
> > > I’ve also tried overriding some default implementations, but I don’t see
> > > the extension getting invoked (I see that Maven is aware of the extension,
> > > but it doesn’t get used AFAICT).
> > >
> >
>
>
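
The three points in Tamás's list above (priority higher than HTTP, delegating to the HTTP transport as a JSR330 component, and the protocol check in newInstance) as an added Java example; it is not the code from the linked gist or from either poster. It assumes Maven Resolver 1.9.x with the HTTP transport bound under the name "http"; TokenTransporterFactory, TokenAuth, the host repo.example.invalid and the REPO_TOKEN environment variable are hypothetical.

```java
import java.util.Map;
import javax.inject.*;
import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.repository.*;
import org.eclipse.aether.spi.connector.transport.Transporter;
import org.eclipse.aether.spi.connector.transport.TransporterFactory;
import org.eclipse.aether.transfer.NoTransporterException;

@Singleton
@Named("token-http") // hypothetical component name
public class TokenTransporterFactory implements TransporterFactory {
    static final String TOKEN_HOST = "repo.example.invalid"; // placeholder host
    private final TransporterFactory http;

    @Inject // JSR330: reuse the stock HTTP transport instead of constructing it by hand
    public TokenTransporterFactory(@Named("http") TransporterFactory http) {
        this.http = http;
    }

    @Override
    public float getPriority() {
        return http.getPriority() + 1.0f; // asked before the HTTP factory
    }

    @Override
    public Transporter newInstance(RepositorySystemSession session, RemoteRepository repo)
            throws NoTransporterException {
        String proto = repo.getProtocol();
        if (!"http".equalsIgnoreCase(proto) && !"https".equalsIgnoreCase(proto)) {
            throw new NoTransporterException(repo); // not HTTP: let other factories try
        }
        // Send the token only over TLS and only to the host it was issued for.
        if ("https".equalsIgnoreCase(proto) && TOKEN_HOST.equalsIgnoreCase(repo.getHost())) {
            repo = new RemoteRepository.Builder(repo).setAuthentication(new TokenAuth()).build();
        }
        return http.newInstance(session, repo);
    }

    static final class TokenAuth implements Authentication {
        @Override
        public void fill(AuthenticationContext ctx, String key, Map<String, String> data) {
            if (AuthenticationContext.USERNAME.equals(key)) {
                ctx.put(key, "token");                     // placeholder user name
            } else if (AuthenticationContext.PASSWORD.equals(key)) {
                ctx.put(key, System.getenv("REPO_TOKEN")); // hypothetical token source
            }
        }
        @Override
        public void digest(AuthenticationDigest digest) {
            digest.update(TOKEN_HOST); // identifies this auth; the secret stays out of it
        }
    }
}
```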


RE: Re: Custom auth plugin/extension - how to?

2024-06-04 Thread David Grieve
Thank you for the hint, Tamás.

The problem I’m trying to solve is that I want a custom Authentication for a 
particular server. I do not want to re-implement HttpTransporter. Here are the 
important bits of what I’ve come up with.
--
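import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.eclipse.aether.RepositorySystemSession;
import org.eclipse.aether.repository.RemoteRepository;
import org.eclipse.aether.spi.connector.transport.Transporter;
import org.eclipse.aether.spi.connector.transport.TransporterFactory;
import org.eclipse.aether.transfer.NoTransporterException;
import org.eclipse.aether.transport.http.ChecksumExtractor;
import org.eclipse.aether.transport.http.HttpTransporterFactory;
import org.eclipse.aether.transport.http.Nexus2ChecksumExtractor;
import org.eclipse.aether.transport.http.XChecksumChecksumExtractor;

public class MyTransporterFactory implements TransporterFactory {

    // copied from org.eclipse.aether.transport.http.HttpTransporterFactory
    private static Map<String, ChecksumExtractor> getManuallyCreatedExtractors() {
        HashMap<String, ChecksumExtractor> map = new HashMap<>();
        map.put(Nexus2ChecksumExtractor.NAME, new Nexus2ChecksumExtractor());
        map.put(XChecksumChecksumExtractor.NAME, new XChecksumChecksumExtractor());
        return Collections.unmodifiableMap(map);
    }

    // I’m not happy with this...
    private final HttpTransporterFactory httpTransporterFactory =
            new HttpTransporterFactory(getManuallyCreatedExtractors());

    @Override
    public Transporter newInstance(RepositorySystemSession session, RemoteRepository repository)
            throws NoTransporterException {
        // Swap in the custom Authentication only for the server that needs it
        if (requiresSpecialAuth(repository)) {
            repository = new RemoteRepository.Builder(repository)
                    .setAuthentication(new MyAuthentication(repository))
                    .build();
        }
        // Delegate the actual transfer to the stock HTTP transport
        return httpTransporterFactory.newInstance(session, repository);
    }

    // getPriority(), requiresSpecialAuth() and MyAuthentication are not shown in the post
}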
--

Then “MyAuthentication” does the right thing for the fill method.

This approach is working for me, but I’d be interested to know if there is a 
better way. I do not want to re-implement HttpTransport!


On 2024/06/03 20:25:48 Tamás Cservenák wrote:
> Howdy,
>
> What are you trying to do? You may go better if you implement custom
> (resolver) transport maybe?
>
> Thanks
> T
>
> On Mon, Jun 3, 2024, 22:22 David Grieve <da...@microsoft.com.invalid>
> wrote:
>
> > My questions are: Is this doable and, if so, how would one go about it?
> >
> > I’m trying to cobble together a plugin/extension that will either get an
> > auth token for resolving an artifact before the artifact is resolved, or
> > will get an auth token if the resolution returns a 401.
> > The plugin route happens too late in the execution, but I’ve found that
> > with an AbstractMavenLifecycleParticipant at least afterProjectsRead gets
> > called before artifact resolution. However, I can’t seem to affect the
> > server password in a way that allows artifact resolution to succeed.
> > I’ve also tried overriding some default implementations, but I don’t see
> > the extension getting invoked (I see that Maven is aware of the extension,
> > but it doesn’t get used AFAICT).
> >
>



Custom auth plugin/extension - how to?

2024-06-03 Thread David Grieve
My questions are: Is this doable and, if so, how would one go about it?

I’m trying to cobble together a plugin/extension that will either get an auth 
token for resolving an artifact before the artifact is resolved, or will get an 
auth token if the resolution returns a 401.
The plugin route happens too late in the execution, but I’ve found that with an 
AbstractMavenLifecycleParticipant at least afterProjectsRead gets called before 
artifact resolution. However, I can’t seem to affect the server password in a 
way that allows artifact resolution to succeed.
I’ve also tried overriding some default implementations, but I don’t see the 
extension getting invoked (I see that Maven is aware of the extension, but it 
doesn’t get used AFAICT).