
Fix a bug when mvn uses the dependency proxy with basic auth

David Fernandez requested to merge 442957-fix-maven-basic-auth into master

🥘 Context

In Maven dependency proxy (&3610 - closed), we introduced the Maven dependency proxy.

The Maven dependency proxy accepts several types of credential transport, among them Basic Auth.

In https://gitlab.com/gitlab-com/ops-sub-department/section-ops-request-for-help/-/issues/289, we were made aware of a bug with the $ mvn client.

The $ mvn client will not send the request with the credentials even when they are properly set up. Instead, it will:

  1. Send a request without the credentials.
  2. Expect a 401 Unauthorized.
  3. Send the exact same request with the credentials (using Basic Auth).

The problem is how we handle (2.) for public projects, see this line. Anonymous users have the read_project permission on public projects and, as such, that line triggers a 403 Forbidden response, which is not what $ mvn expects.

As such, $ mvn will completely stop its execution. 💥

This does not affect other maven clients such as $ gradle.
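The three-step exchange above, modelled as an added Ruby example (not GitLab's code): a toy proxy whose `fixed:` flag switches between the pre-fix behaviour (anonymous request on a public project answered with 403) and the intended one (a 401 challenge), an mvn-style client that only sends Basic Auth after a 401, and the custom-header transport that needs a single request. The token value, the `Job-Token` header name used as the custom header, the `gitlab-ci-token` user, and the `Project` struct are assumptions for illustration.

```ruby
require 'base64'

# Constructed sample data, not real GitLab identifiers.
Project = Struct.new(:id, :visibility)   # visibility is :public or :private
JOB_TOKEN = 'constructed-job-token'
BASIC_USER = 'gitlab-ci-token'

# Minimal model of the proxy's auth decision for one artifact GET.
# fixed: false reproduces the behaviour described in the MR,
# fixed: true the intended one (no credentials => 401 challenge).
class DependencyProxyServer
  CHALLENGE = { 'WWW-Authenticate' => 'Basic realm="GitLab"' }.freeze

  def initialize(project, fixed:)
    @project = project
    @fixed = fixed
  end

  # Returns [status, response_headers, body].
  def get(headers)
    case identify(headers)
    when :anonymous then anonymous_response
    when :invalid   then [401, CHALLENGE, '']
    else                 [200, {}, 'artifact-bytes']
    end
  end

  private

  # The branch the MR changes. Pre-fix: anonymous users can read a public
  # project, so the request falls through to a later check that answers 403.
  def anonymous_response
    return [401, CHALLENGE, ''] if @fixed
    @project.visibility == :public ? [403, {}, ''] : [401, CHALLENGE, '']
  end

  # Two transports: Basic Auth and a custom header (assumed name: Job-Token).
  # Returns :anonymous (no credentials), :invalid (bad credentials) or the user.
  def identify(headers)
    auth = headers['Authorization']
    token = headers['Job-Token']
    return :anonymous if auth.nil? && token.nil?
    return(token == JOB_TOKEN ? BASIC_USER : :invalid) if token
    return :invalid unless auth.start_with?('Basic ')

    user, secret = Base64.strict_decode64(auth.delete_prefix('Basic ')).split(':', 2)
    user == BASIC_USER && secret == JOB_TOKEN ? user : :invalid
  rescue ArgumentError
    :invalid
  end
end

# Models the mvn client's challenge-based Basic Auth: one anonymous request,
# then the same request with credentials only if the first answer was a 401.
# Anything other than 401 aborts the fetch. Returns [final_status, request_count].
def mvn_basic_auth_fetch(server)
  status, = server.get({})
  return [status, 1] unless status == 401

  encoded = Base64.strict_encode64("#{BASIC_USER}:#{JOB_TOKEN}")
  status, = server.get('Authorization' => "Basic #{encoded}")
  [status, 2]
end

# Models the documented alternative: the custom header goes on every request,
# so no challenge round trip is needed.
def custom_header_fetch(server)
  status, = server.get('Job-Token' => JOB_TOKEN)
  [status, 1]
end

if __FILE__ == $PROGRAM_NAME
  public_project = Project.new(291, :public)
  puts "pre-fix, mvn:   #{mvn_basic_auth_fetch(DependencyProxyServer.new(public_project, fixed: false)).inspect}"
  puts "fixed,   mvn:   #{mvn_basic_auth_fetch(DependencyProxyServer.new(public_project, fixed: true)).inspect}"
  puts "pre-fix, header: #{custom_header_fetch(DependencyProxyServer.new(public_project, fixed: false)).inspect}"
end
```

Run with `ruby proxy_auth_model.rb`: the pre-fix/mvn case stops after one request with 403, the fixed/mvn case succeeds after two requests, and the custom header succeeds with one request even against the pre-fix server, which is the reason the documentation change recommends it.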

This is issue #442957 (closed).

🤔 What does this MR do and why?

  • Make sure that the Maven dependency proxy always returns the proper response code when using basic auth.
  • Update the related specs.
  • Update the Maven dependency proxy documentation to recommend the custom HTTP header authentication when using $ mvn, as this avoids sending 2 requests when pulling 1 file = 50% fewer network requests.

🏎 MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

🌈 Screenshots or screen recordings

No UI changes.

How to set up and validate locally

Let's setup things to demonstrate the bug with a CI job.

Have a project with the following files:

`pom.xml`

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.mycompany.app</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
  </properties>

  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>

  <repositories>
    <repository>
      <id>gitlab-maven</id>
      <url>${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/dependency_proxy/packages/maven</url>
    </repository>
  </repositories>

</project>
```
`settings.xml`

```xml
<settings>
  <mirrors>
    <mirror>
      <id>gitlab-maven</id>
      <name>GitLab proxy of central repo</name>
      <url>${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/dependency_proxy/packages/maven</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <id>gitlab-maven</id>
      <username>gitlab-ci-token</username>
      <password>${CI_JOB_TOKEN}</password>
      <configuration>
        <authenticationInfo>
          <userName>gitlab-ci-token</userName>
          <password>${CI_JOB_TOKEN}</password>
        </authenticationInfo>
      </configuration>
    </server>
  </servers>
</settings>
```
`.gitlab-ci.yml`

```yaml
test_maven:
  image: maven:latest
  script:
    - mvn test -s settings.xml
```

Lastly, in the project settings > Packages and Registries, use these settings for the maven dependency proxy:

(Screenshot: Screenshot_2024-02-23_at_17.27.23, Maven dependency proxy settings)

With the above setup, $ mvn will pull Maven packages using only the Maven dependency proxy. We have a project with a few dependencies. As we will see below, pulling the first file will fail due to the Basic Auth 🐛 we described above.

On master, the CI job 💥 with:

```
Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.1 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.1: The following artifacts could not be resolved: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.1 (absent): Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.1 from/to gitlab-maven (http://gdk.test:8000/api/v4/projects/291/dependency_proxy/packages/maven): status code: 403, reason phrase: Forbidden (403) -> [Help 1]
```

With this MR, the CI job is 💚.

Edited by David Fernandez
