Re: Maven Security, @Component and MNG-4384

2019-06-24 Thread Chris Graham
Thanks all, I will investigate!



Re: Maven Security, @Component and MNG-4384

2019-06-24 Thread Romain Manni-Bucau
Here is what I'm using:

    // needs: import static java.util.Optional.ofNullable;

    @Parameter(property = "myplugin.repository")
    private String repository;

    @Parameter(defaultValue = "${session}", readonly = true)
    private MavenSession session;

    @Component
    private SettingsDecrypter settingsDecrypter;

    void someMethod() {
        Server credentials = session.getSettings().getServer(repository);
        if (credentials != null) {
            credentials = ofNullable(settingsDecrypter.decrypt(
                            new DefaultSettingsDecryptionRequest(credentials)))
                    // can be null if it does not need decryption
                    .map(SettingsDecryptionResult::getServer)
                    .orElse(credentials);
        }
    }

Romain Manni-Bucau
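
Added example, not part of the original post and not Maven project code: the same SettingsDecrypter lookup as a complete mojo that also inspects the problems reported by the decryption result, so a password that failed to decrypt is rejected rather than used as-is. The class name ShowLoginMojo, the goal "show-login" and the property "myplugin.serverId" are hypothetical.

```java
import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.building.SettingsProblem;
import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
import org.apache.maven.settings.crypto.SettingsDecrypter;
import org.apache.maven.settings.crypto.SettingsDecryptionResult;

// Hypothetical mojo: goal name and property name are made up for this example.
@Mojo(name = "show-login")
public class ShowLoginMojo extends AbstractMojo {

    @Parameter(property = "myplugin.serverId", required = true)
    private String serverId;

    @Parameter(defaultValue = "${session}", readonly = true)
    private MavenSession session;

    @Component
    private SettingsDecrypter settingsDecrypter;

    @Override
    public void execute() throws MojoExecutionException {
        Server server = session.getSettings().getServer(serverId);
        if (server == null) {
            throw new MojoExecutionException("No <server> with id '" + serverId + "' in settings.xml");
        }
        SettingsDecryptionResult result =
                settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server));
        // Decryption failures are reported as problems, not thrown.
        // Stop here instead of sending an undecrypted value to the remote system.
        for (SettingsProblem problem : result.getProblems()) {
            if (problem.getSeverity() != SettingsProblem.Severity.WARNING) {
                throw new MojoExecutionException(
                        "Cannot decrypt server '" + serverId + "': " + problem.getMessage());
            }
        }
        // Fall back to the original entry if the result carries no server.
        Server clear = result.getServer() != null ? result.getServer() : server;
        // Log the user name only; the password never goes to the build log.
        getLog().info("Using login '" + clear.getUsername() + "' for server '" + serverId + "'");
    }
}
```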


Re: Maven Security, @Component and MNG-4384

2019-06-24 Thread Martin Gainty
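<server>
  <id>server001</id>
  <username>my_login</username>
  <password>my_password</password>
  <privateKey>${user.home}/.ssh/id_dsa</privateKey>
  <passphrase>some_passphrase</passphrase>
  <filePermissions>664</filePermissions>
  <directoryPermissions>775</directoryPermissions>
</server>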


from ${MAVEN_HOME}/conf/settings.xml

https://maven.apache.org/ref/3.3.9/maven-settings-builder/apidocs/org/apache/maven/settings/crypto/SettingsDecryptionRequest.html#setServers(java.util.List)

So your org.apache.maven.settings.crypto.SettingsDecryptionRequest.setServers
needs to gather up the list of server ids from {MAVEN_HOME}/conf/settings.xml.

Not so clear, as javadoc is missing from the maven-settings-builder site. Romain, can
you post this info on http://maven.apache.org/ref/3.6.1/maven-settings-builder/ ?

Thanks




Re: Maven Security, @Component and MNG-4384

2019-06-23 Thread Romain Manni-Bucau
Hi

Did you have a look at org.apache.maven.settings.crypto.SettingsDecrypter?

It can be injected as a component, then you can call decrypt on it, passing a
request to the method. You get a new null server if it is not encrypted or
the new server with everything in clear.

Would that work better for you?

Romain



Maven Security, @Component and MNG-4384

2019-06-23 Thread Chris Graham
Hi everyone,

I need to add the ability to load users, passwords etc in a 3rd party
plugin.

It currently requires a userid and password in the  section
of the pom (ugh), ideally, I'd like to look them up from the 
section of settings.xml, and even better yet, make use of being able to
decrypt passwords.

So I did what we all do, and go and look to see what has been done before,
and I came across this:

/maven-scm/maven-scm-plugin/src/main/java/org/apache/maven/scm/plugin/AbstractScmMojo.java:

/**
 * When this plugin requires Maven 3.0 as minimum, this component can be removed and o.a.m.s.c.SettingsDecrypter be
 * used instead.
 */
@Component( hint = "mng-4384" )
private SecDispatcher secDispatcher;

and:

/maven-scm/maven-scm-plugin/src/main/resources/META-INF/plexus/components.xml:

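<component-set>
  <components>
    <component>
      <role>org.sonatype.plexus.components.sec.dispatcher.SecDispatcher</role>
      <role-hint>mng-4384</role-hint>
      <implementation>org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher</implementation>
      <requirements>
        <requirement>
          <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>
          <role-hint>mng-4384</role-hint>
          <field-name>_cipher</field-name>
        </requirement>
      </requirements>
      <configuration>
        <_configuration-file>~/.m2/settings-security.xml</_configuration-file>
      </configuration>
    </component>
    <component>
      <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>
      <role-hint>mng-4384</role-hint>
      <implementation>org.sonatype.plexus.components.cipher.DefaultPlexusCipher</implementation>
    </component>
  </components>
</component-set>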

So, I'm left with the question, what is the current, correct way of
accessing userids, passwords (encrypted or not)?

I could simply copy the same approach, but I'd prefer not to, as it's a
good opportunity 'to do it right'.

Any suggestions?

Would we then consider updating the existing maven plugins to support this?

@Stephen, sounds like a good idea for a blog entry? ;)