validate-pyenv-and-poetry can overexpose repository credentials #138

Closed · 4 tasks done
d-ryan-ashcraft opened this issue May 15, 2024 · 3 comments
Labels: bug (Something isn't working)

Comments

d-ryan-ashcraft (Contributor) commented May 15, 2024

During the execution of Habushu's validate-pyenv-and-poetry phase, it is possible to have repository credentials exposed. For instance:

[INFO] --- habushu:2.14.0:validate-pyenv-and-poetry (default-validate-pyenv-and-poetry) @ xxxx ---
[INFO] Using Python 3.11.4 (managed by pyenv)
[INFO] Found Poetry 1.8.2 
...
[INFO] Using version ^1.2.0 for poetry-monorepo-dependency-plugin
[INFO] 
[INFO] Updating dependencies
[INFO] Resolving dependencies...
...
[INFO] Adding username and password configuration for pypi
[INFO] Executing Poetry command: poetry config http-basic.pypi __token__ <PLAIN TEXT PASSWORD HERE>
[INFO] 

There are multiple issues here that need to be resolved:

  • Should never be logging the password in plain text; an existing helper exists for preventing this situation
  • We should suppress this action on well known, public repositories (e.g., pypi.org, test.pypi.org)
  • It needs to run before any dependencies are installed, which is not the poetry-mono-repo-plugin
  • Should also run on the devRepository, if being used

It is worth noting that this cleans up the amount of work that habushu was doing in clean, where the method to set up Python and Poetry was also being used to enable deletion of virtual environments.

Test Steps

  • Build the latest plugin:
      mvn clean install -Pbootstrap
  • Validate that with the defaults of pypi.org and test.pypi.org for releases and dev versions, no repository credentials are configured.
  • Run the following:
      mvn initialize -pl :habushu-mixology -Dmaven.build.cache.skipCache=true
  • For the next steps, ensure you have an existing server in your settings.xml file for each id below, or add the ones you don't have. The values are not important, but they must exist for the test and must be valid values encrypted via mvn -ep:
      ...
       <servers>
          ...
          <server>
            <id>pypi</id>
            <username>__token__</username>
            <password>{yourEncryptedPassword}</password>
          </server>
          <server>
            <id>dev-pypi</id>
            <username>__token__</username>
            <password>{yourEncryptedPassword}</password>
          </server>
       </servers>
      ...
  • Validate that there is no http-basic. in the validate-pyenv-and-poetry output:
      [INFO] --- habushu:2.15.0-SNAPSHOT:validate-pyenv-and-poetry (default-validate-pyenv-and-poetry) @ habushu-mixology ---
      [INFO] Using Python 3.11.4 (managed by pyenv)
      [INFO] Found Poetry 1.8.3
      ...
  • Validate that when pypiRepoUrl is configured to something besides https://pypi.org (the implicit default), we do see the repository credentials configured.
  • Add the following line to the end of the habushu-maven-plugin block in habushu-mixology/pom.xml:
      <pypiRepoUrl>https://nexus.foobar.blah/repository/my-custom-pypi/</pypiRepoUrl>
  • Run the following:
      mvn initialize -pl :habushu-mixology -Dmaven.build.cache.skipCache=true
  • Validate that there IS http-basic. in the validate-pyenv-and-poetry output:
      [INFO] --- habushu:2.15.0-SNAPSHOT:validate-pyenv-and-poetry (default-validate-pyenv-and-poetry) @ habushu-mixology ---
      ...
      [INFO] Adding username and password configuration for pypi
      [INFO] Executing Poetry command: poetry config http-basic.pypi __token__ XXXX
  • Revert changes to the habushu-mixology/pom.xml
  • Validate that when devRepositoryUrl is configured to something besides https://test.pypi.org (the default), we do see the repository credentials configured.
  • Add the following line to the end of the habushu-maven-plugin block in habushu-mixology/pom.xml:
      <devRepositoryUrl>https://nexus.foobar.blah/repository/my-custom-pypi/</devRepositoryUrl>
  • Run the following:
      mvn initialize -pl :habushu-mixology -Dmaven.build.cache.skipCache=true
  • Validate that there IS an http-basic. in the validate-pyenv-and-poetry output:
      [INFO] --- habushu:2.15.0-SNAPSHOT:validate-pyenv-and-poetry (default-validate-pyenv-and-poetry) @ habushu-mixology ---
      ...
      [INFO] Adding username and password configuration for pypi
      [INFO] Executing Poetry command: poetry config http-basic.dev-pypi __token__ XXXX
  • Revert changes to the habushu-mixology/pom.xml
  • Remove the test server blocks you may have created earlier in the test script.
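The two behaviours the issue asks for (skip `http-basic.*` configuration for the well-known public indexes, and never let the token reach the build log) as an added Python example. This is not Habushu's code or Poetry's; the function names, the `indexes` and `servers` mappings that stand in for pypiRepoUrl/devRepositoryUrl and the settings.xml `<server>` entries, and the `****` placeholder are all assumptions. It goes slightly beyond the issue in one respect: the public-index check matches the hostname exactly rather than by prefix, so a look-alike host such as `pypi.org.attacker.example` is still treated as private and still gets credentials configured through the redacting path.

```python
"""Added example, not Habushu's code: plan `poetry config http-basic.<id>`
commands for a release index and a dev index, skipping well-known public
indexes and keeping the secret out of anything meant for the build log."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Public indexes for which no http-basic.* entry should be configured.
# Exact hostname matches on purpose: a prefix test would also accept a
# look-alike host such as pypi.org.attacker.example.
PUBLIC_INDEX_HOSTS = frozenset({"pypi.org", "test.pypi.org"})

REDACTED = "****"  # assumed placeholder shown in place of the secret


@dataclass(frozen=True)
class PoetryCommand:
    argv: Tuple[str, ...]   # what gets executed (contains the secret)
    display: str            # what may be written to the build log


def is_public_index(repo_url: str) -> bool:
    """True when the URL's host is one of the well-known public indexes."""
    host = (urlparse(repo_url).hostname or "").lower()
    return host in PUBLIC_INDEX_HOSTS


def redact(text: str, *secrets: str) -> str:
    """Replace every occurrence of each secret in text, longest first, so a
    secret that is a prefix of another cannot leak a partial value."""
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(secret, REDACTED)
    return text


def build_http_basic_command(repo_id: str, repo_url: str,
                             username: str, password: str) -> Optional[PoetryCommand]:
    """Return the command to run for a private index, or None for a public one."""
    if is_public_index(repo_url):
        return None
    if not username or not password:
        raise ValueError(f"server '{repo_id}' needs both a username and a password")
    argv = ("poetry", "config", f"http-basic.{repo_id}", username, password)
    # The log line is built from argv with the secret already replaced,
    # rather than scrubbed after the fact from a string that contained it.
    display = "Executing Poetry command: " + " ".join(argv[:-1] + (REDACTED,))
    return PoetryCommand(argv, display)


def plan_credential_commands(indexes: Dict[str, str],
                             servers: Dict[str, Tuple[str, str]]) -> List[PoetryCommand]:
    """indexes maps a Maven server id to an index URL (the release and the dev
    repository); servers maps the same ids to (username, password) as read
    from settings.xml. Both ids are handled in one pass so this can run
    before any dependency is resolved or installed."""
    commands: List[PoetryCommand] = []
    for repo_id, url in indexes.items():
        if repo_id not in servers:
            continue  # nothing to configure for this id
        username, password = servers[repo_id]
        cmd = build_http_basic_command(repo_id, url, username, password)
        if cmd is not None:
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    # Constructed sample inputs mirroring the issue's test steps.
    servers = {"pypi": ("__token__", "pypi-constructed-release-secret"),
               "dev-pypi": ("__token__", "pypi-constructed-dev-secret")}
    defaults = {"pypi": "https://pypi.org", "dev-pypi": "https://test.pypi.org"}
    custom = {"pypi": "https://nexus.foobar.blah/repository/my-custom-pypi/",
              "dev-pypi": "https://test.pypi.org"}
    print(plan_credential_commands(defaults, servers))   # no commands at all
    for cmd in plan_credential_commands(custom, servers):
        print(cmd.display)                               # token shown as ****
```

`argv` is what a subprocess call receives as a list, so the secret never passes through a shell string; `display` is the only thing handed to the logger. `redact` is the fallback for output you do not control, such as a subprocess that echoes its own arguments.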
d-ryan-ashcraft self-assigned this May 15, 2024
d-ryan-ashcraft added the bug (Something isn't working) label May 15, 2024
d-ryan-ashcraft added this to the 2.15.0 milestone May 15, 2024
d-ryan-ashcraft added a commit that referenced this issue May 16, 2024
…-poetry-bug

#138 🔒 prevent passwords from being emitted as clear text
d-ryan-ashcraft (Contributor, Author) commented:

Over the shoulder completed with @jacksondelametter

d-ryan-ashcraft (Contributor, Author) commented:

CI build passed

chang-annie commented:

all tests pass!

  • habushu builds successfully
  • validated no http-basic in validate-pyenv-and-poetry output
  • added pypi repo url and validated http-basic exists
  • removed pypi repo url from pom file
  • added dev pypi repo url and validated http basic exists
  • removed dev pypi repo url from pom file
  • reverted settings.xml changes
