Re: Maven Security, @Component and MNG-4384
Thanks all, I will investigate! On Mon, Jun 24, 2019 at 10:12 PM Romain Manni-Bucau wrote: > Here is what i'm using: > > @Parameter(property = "myplugin.repository") > private String repository; > > @Parameter(defaultValue = "${session}", readonly = true) > private MavenSession session; > > @Component > private SettingsDecrypter settingsDecrypter; > > void someMethod() { > Server credentials = > session.getSettings().getServer(repository); > if (credentials != null) { > credentials = > ofNullable(settingsDecrypter.decrypt(new > DefaultSettingsDecryptionRequest(credentials))) > > .map(SettingsDecryptionResult::getServer) // can be null if it does not > need decryption > .orElse(credentials); > } > } > > Romain Manni-Bucau > @rmannibucau <https://twitter.com/rmannibucau> | Blog > <https://rmannibucau.metawerx.net/> | Old Blog > <http://rmannibucau.wordpress.com> | Github < > https://github.com/rmannibucau> | > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > < > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > Le lun. 24 juin 2019 à 12:34, Martin Gainty a écrit > : > > > > > server001 > > my_login > > my_password > > ${user.home}/.ssh/id_dsa > > some_passphrase > > 664 > > 775 > > > > > > > > from ${MAVEN_HOME}/conf/settings.xml > > > > > > > https://maven.apache.org/ref/3.3.9/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecryptionRequest.html#setServers(java.util.List) > > > > so your > > org.apache.maven.settings.crypto.SettingsDecryptionRequest.setServers > needs > > to gather up > > the list of server ids from {MAVEN_HOME}/conf/settings.xml > > > > not so clear as javadoc is missing from maven-settings-builder > > site..romain can you post this info on > > http://maven.apache.org/ref/3.6.1/maven-settings-builder/ > > > > ? > > thanks > > > > > > From: Romain Manni-Bucau > > Sent: Monday, June 24, 2019 1:11 AM > > To: Maven Developers List > > Subject: Re: Maven Security, @Component and MNG-4384 > > > > Hi > > > > Did you have a look to > org.apache.maven.settings.crypto.SettingsDecrypter? > > > > It can be injected as a component then you can call decrypt on it > passing a > > request to the method. You get a new null server if it is not encrypted > or > > the new server with everything in clear. > > > > Would that work better for you? > > > > Romain > > > > Le lun. 24 juin 2019 à 03:31, Chris Graham a > écrit > > : > > > > > Hi everyone, > > > > > > I need to add the ability to load users, passwords etc in a 3rd party > > > plugin. > > > > > > It currently requires a userid and password in the > > section > > > of the pom (ugh), ideally, I'd like to look them up from the > > > section of settings.xml, and even better yet, make use of being able to > > > decrypt passwords. > > > > > > So I did what we all do, and go and look to see what has been done > > before, > > > and I came across this: > > > > > > > > > > > > /maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java: > > > > > > /** > > > * When this plugin requires Maven 3.0 as minimum, this component > can > > > be removed and o.a.m.s.c.SettingsDecrypter be > > > * used instead. > > > */ > > > @Component( hint = "mng-4384" ) > > > private SecDispatcher secDispatcher; > > > > > > and: > > > > > > > > > > > > /maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml: > > > > > > > > > > > > > > > > > > > org.sonatype.plexus.components.sec.dispatcher.SecDispatcher > > > mng-4384 > > > > > > > > > > > > org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher > > > > > > > > > > org.sonatype.plexus.components.cipher.PlexusCipher > > > mng-4384 > > > _cipher > > > > > > > > > > > > > > > <_configuration-file>~/.m2/settings-security.xml > > > > > > > > > > > > org.sonatype.plexus.components.cipher.PlexusCipher > > > mng-4384 > > > > > > > > > > > > org.sonatype.plexus.components.cipher.DefaultPlexusCipher > > > > > > > > > > > > > > > So, I'm left with the question, what is the current, correct way of > > > accessing userids, passwords (encrypted or not)? > > > > > > I could simply, copy the same approach, but I'd prefer not too, as > it's a > > > good opportunity 'to do it right'. > > > > > > Any suggestions? > > > > > > Would we then consider updating the existing maven plugins to support > > this? > > > > > > @Stephen, sounds like a good idea for a blog entry? ;) > > > > > >
Re: Maven Security, @Component and MNG-4384
Here is what i'm using: @Parameter(property = "myplugin.repository") private String repository; @Parameter(defaultValue = "${session}", readonly = true) private MavenSession session; @Component private SettingsDecrypter settingsDecrypter; void someMethod() { Server credentials = session.getSettings().getServer(repository); if (credentials != null) { credentials = ofNullable(settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(credentials))) .map(SettingsDecryptionResult::getServer) // can be null if it does not need decryption .orElse(credentials); } } Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance> Le lun. 24 juin 2019 à 12:34, Martin Gainty a écrit : > > server001 > my_login > my_password > ${user.home}/.ssh/id_dsa > some_passphrase > 664 > 775 > > > > from ${MAVEN_HOME}/conf/settings.xml > > > https://maven.apache.org/ref/3.3.9/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecryptionRequest.html#setServers(java.util.List) > > so your > org.apache.maven.settings.crypto.SettingsDecryptionRequest.setServers needs > to gather up > the list of server ids from {MAVEN_HOME}/conf/settings.xml > > not so clear as javadoc is missing from maven-settings-builder > site..romain can you post this info on > http://maven.apache.org/ref/3.6.1/maven-settings-builder/ > > ? > thanks > > ________ > From: Romain Manni-Bucau > Sent: Monday, June 24, 2019 1:11 AM > To: Maven Developers List > Subject: Re: Maven Security, @Component and MNG-4384 > > Hi > > Did you have a look to org.apache.maven.settings.crypto.SettingsDecrypter? > > It can be injected as a component then you can call decrypt on it passing a > request to the method. You get a new null server if it is not encrypted or > the new server with everything in clear. > > Would that work better for you? > > Romain > > Le lun. 24 juin 2019 à 03:31, Chris Graham a écrit > : > > > Hi everyone, > > > > I need to add the ability to load users, passwords etc in a 3rd party > > plugin. > > > > It currently requires a userid and password in the > section > > of the pom (ugh), ideally, I'd like to look them up from the > > section of settings.xml, and even better yet, make use of being able to > > decrypt passwords. > > > > So I did what we all do, and go and look to see what has been done > before, > > and I came across this: > > > > > > > /maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java: > > > > /** > > * When this plugin requires Maven 3.0 as minimum, this component can > > be removed and o.a.m.s.c.SettingsDecrypter be > > * used instead. > > */ > > @Component( hint = "mng-4384" ) > > private SecDispatcher secDispatcher; > > > > and: > > > > > > > /maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml: > > > > > > > > > > > > org.sonatype.plexus.components.sec.dispatcher.SecDispatcher > > mng-4384 > > > > > > > org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher > > > > > > org.sonatype.plexus.components.cipher.PlexusCipher > > mng-4384 > > _cipher > > > > > > > > > > <_configuration-file>~/.m2/settings-security.xml > > > > > > > > org.sonatype.plexus.components.cipher.PlexusCipher > > mng-4384 > > > > > > > org.sonatype.plexus.components.cipher.DefaultPlexusCipher > > > > > > > > > > So, I'm left with the question, what is the current, correct way of > > accessing userids, passwords (encrypted or not)? > > > > I could simply, copy the same approach, but I'd prefer not too, as it's a > > good opportunity 'to do it right'. > > > > Any suggestions? > > > > Would we then consider updating the existing maven plugins to support > this? > > > > @Stephen, sounds like a good idea for a blog entry? ;) > > >
Re: Maven Security, @Component and MNG-4384
server001 my_login my_password ${user.home}/.ssh/id_dsa some_passphrase 664 775 from ${MAVEN_HOME}/conf/settings.xml https://maven.apache.org/ref/3.3.9/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecryptionRequest.html#setServers(java.util.List) so your org.apache.maven.settings.crypto.SettingsDecryptionRequest.setServers needs to gather up the list of server ids from {MAVEN_HOME}/conf/settings.xml not so clear as javadoc is missing from maven-settings-builder site..romain can you post this info on http://maven.apache.org/ref/3.6.1/maven-settings-builder/ ? thanks From: Romain Manni-Bucau Sent: Monday, June 24, 2019 1:11 AM To: Maven Developers List Subject: Re: Maven Security, @Component and MNG-4384 Hi Did you have a look to org.apache.maven.settings.crypto.SettingsDecrypter? It can be injected as a component then you can call decrypt on it passing a request to the method. You get a new null server if it is not encrypted or the new server with everything in clear. Would that work better for you? Romain Le lun. 24 juin 2019 à 03:31, Chris Graham a écrit : > Hi everyone, > > I need to add the ability to load users, passwords etc in a 3rd party > plugin. > > It currently requires a userid and password in the section > of the pom (ugh), ideally, I'd like to look them up from the > section of settings.xml, and even better yet, make use of being able to > decrypt passwords. > > So I did what we all do, and go and look to see what has been done before, > and I came across this: > > > /maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java: > > /** > * When this plugin requires Maven 3.0 as minimum, this component can > be removed and o.a.m.s.c.SettingsDecrypter be > * used instead. > */ > @Component( hint = "mng-4384" ) > private SecDispatcher secDispatcher; > > and: > > > /maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml: > > > > > > org.sonatype.plexus.components.sec.dispatcher.SecDispatcher > mng-4384 > > > org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher > > > org.sonatype.plexus.components.cipher.PlexusCipher > mng-4384 > _cipher > > > > > <_configuration-file>~/.m2/settings-security.xml > > > > org.sonatype.plexus.components.cipher.PlexusCipher > mng-4384 > > > org.sonatype.plexus.components.cipher.DefaultPlexusCipher > > > > > So, I'm left with the question, what is the current, correct way of > accessing userids, passwords (encrypted or not)? > > I could simply, copy the same approach, but I'd prefer not too, as it's a > good opportunity 'to do it right'. > > Any suggestions? > > Would we then consider updating the existing maven plugins to support this? > > @Stephen, sounds like a good idea for a blog entry? ;) >
Re: Maven Security, @Component and MNG-4384
Hi Did you have a look to org.apache.maven.settings.crypto.SettingsDecrypter? It can be injected as a component then you can call decrypt on it passing a request to the method. You get a new null server if it is not encrypted or the new server with everything in clear. Would that work better for you? Romain Le lun. 24 juin 2019 à 03:31, Chris Graham a écrit : > Hi everyone, > > I need to add the ability to load users, passwords etc in a 3rd party > plugin. > > It currently requires a userid and password in the section > of the pom (ugh), ideally, I'd like to look them up from the > section of settings.xml, and even better yet, make use of being able to > decrypt passwords. > > So I did what we all do, and go and look to see what has been done before, > and I came across this: > > > /maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java: > > /** > * When this plugin requires Maven 3.0 as minimum, this component can > be removed and o.a.m.s.c.SettingsDecrypter be > * used instead. > */ > @Component( hint = "mng-4384" ) > private SecDispatcher secDispatcher; > > and: > > > /maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml: > > > > > > org.sonatype.plexus.components.sec.dispatcher.SecDispatcher > mng-4384 > > > org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher > > > org.sonatype.plexus.components.cipher.PlexusCipher > mng-4384 > _cipher > > > > > <_configuration-file>~/.m2/settings-security.xml > > > > org.sonatype.plexus.components.cipher.PlexusCipher > mng-4384 > > > org.sonatype.plexus.components.cipher.DefaultPlexusCipher > > > > > So, I'm left with the question, what is the current, correct way of > accessing userids, passwords (encrypted or not)? > > I could simply, copy the same approach, but I'd prefer not too, as it's a > good opportunity 'to do it right'. > > Any suggestions? > > Would we then consider updating the existing maven plugins to support this? > > @Stephen, sounds like a good idea for a blog entry? ;) >
Maven Security, @Component and MNG-4384
Hi everyone, I need to add the ability to load users, passwords etc in a 3rd party plugin. It currently requires a userid and password in the section of the pom (ugh), ideally, I'd like to look them up from the section of settings.xml, and even better yet, make use of being able to decrypt passwords. So I did what we all do, and go and look to see what has been done before, and I came across this: /maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java: /** * When this plugin requires Maven 3.0 as minimum, this component can be removed and o.a.m.s.c.SettingsDecrypter be * used instead. */ @Component( hint = "mng-4384" ) private SecDispatcher secDispatcher; and: /maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml: org.sonatype.plexus.components.sec.dispatcher.SecDispatcher mng-4384 org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher org.sonatype.plexus.components.cipher.PlexusCipher mng-4384 _cipher <_configuration-file>~/.m2/settings-security.xml org.sonatype.plexus.components.cipher.PlexusCipher mng-4384 org.sonatype.plexus.components.cipher.DefaultPlexusCipher So, I'm left with the question, what is the current, correct way of accessing userids, passwords (encrypted or not)? I could simply, copy the same approach, but I'd prefer not too, as it's a good opportunity 'to do it right'. Any suggestions? Would we then consider updating the existing maven plugins to support this? @Stephen, sounds like a good idea for a blog entry? ;)