
JFrog CLI fails with `400 Bad Request` instead of maybe `403 Forbidden`, returning an error message that is impossible to debug

Open marcellodesales opened this issue 2 years ago • 3 comments

Describe the bug

When using a dockerized version of jfrog, I can successfully upload a golang project to a Local repository, failing with the following error messages:

  • [Info] Failed to extract file's sha256 from response body.
    • The error from the client right after it is as follows
File: /tmp/jfrog.cli.temp.-1698358228-2006190903/project.zip809349309
{
  "status": "failure",
Error:  400 Bad Request 
  "totals": {
    "success": 0,
    "failure": 0
  }
}

❓ Possible root causes

  • How can I determine what the possible root causes are given that this is performed in a container in github actions?
  • What are the possible file-system changes that might be involved in the difference of computation, when nothing is added to the container other than the login credentials from the command that generates ~/.jfrog settings?

❗ Data from Logs

  • Upon inspecting the logs from Artifactory, we found the following error message
console.log:2023-10-26T21:01:15.500Z [jfrt ] [WARN ] [41c757d2efb779f7] 
[.r.ArtifactoryResponseBase:144] [tp-nio-8081-exec-240] - Sending HTTP error code 403: 
User svc_seceng-devsecops is not permitted to deploy 'git.company.com/seceng-devsecops-platform/company-ghas-k8s-operator/@v/v0.1.4.zip' into 'vionix-devsecops-platform-golang-local:git.company.com/seceng-devsecops-platform/company-ghas-k8s-operator/@v/v0.1.4.zip'.
  • It's clear that the 403 error message was not proxied back to the API client

Current behavior

Locally from a Desktop

NOTE: Using the proper credentials (username and APIKey)

* Jfrog authentication config from the dir '~/.jfrog'
Server ID:                      company
Artifactory URL:                https://artifactory.company.com/artifactory/
API key:                        ***
Default:                        true

* Will fetch dependencies from 'vionix-devsecops-platform-golang'
* Will publish dependencies to 'vionix-devsecops-platform-golang-local' configured under .jfrog
Project Jfrog Golang Settings
* Reusing JFrog Golang settings from existing '.jfrog/projects/go.yaml'
* Will fetch dependencies from resolver.repo and publish at deployer.repo from the following:
version: v0.1.2
type: go
deployer:
  repo: vionix-devsecops-platform-golang-local
  serverId: company
resolver:
  repo: vionix-devsecops-platform-golang
  serverId: company
Removed version company-ghas-k8s-operator from go.mod
Publishing the golang module version v0.1.2 and all its dependencies in go.mod
jfrog rt go-publish v0.1.2 --deps  --detailed-summary=true
[Debug] Go config file was found in: /company/platform/vionix/.jfrog/projects/go.yaml
[Info] Using go: go version go1.21.3 linux/amd64

[Debug] Found deployer in the config file /company/platform/vionix/.jfrog/projects/go.yaml
[Debug] Sending HTTP GET request to: https://artifactory.company.com/artifactory/api/system/version
[Debug] Sending HTTP GET request to: https://artifactory.company.com/artifactory/api/system/version
[Debug] The Artifactory version is: 7.59.16
[Info] Publishing git.company.com/seceng-devsecops-platform/company-ghas-k8s-operator to vionix-devsecops-platform-golang-local
[Debug] Creating info file /company/platform/vionix
[Debug] Info file was successfully created: /company/platform/vionix/v0.1.2.info
[Debug] Sum file exists: /company/platform/vionix
[Info] Running 'go list -m all' in /company/platform/vionix
[Debug] Initializing protocol regexp
[Debug] Initializing not found regexp
[Debug] Initializing not found go 1.13 regexp
[Debug] Initializing unrecognized import path regexp
[Debug] Initializing unknown revision regexp


[Info] Publishing package dependencies...
{
  "status": "success",
  "totals": {
    "success": 3,
    "failure": 0
  }
}

🐛 Can't publish: [Info] Failed to extract file's sha256 from response body.

NOTE: Incorrect credentials fail with an error message that makes it hard to decipher what happened

* Jfrog authentication config from the dir '~/.jfrog'
[Debug] Creating lock file:  /root/.jfrog/lock/jfrog-cli.conf.lck.8.1698251773684508099
[Debug] Sending HTTP GET request to: https://artifactory.company.com/artifactory/api/security/encryptedPassword
[Debug] Sending HTTP GET request to: https://artifactory.company.com/artifactory/api/security/encryptedPassword
[Debug] Releasing lock:  /root/.jfrog/lock/jfrog-cli.conf.lck.8.1698251773684508099
Server ID:			company
Artifactory URL:		https://artifactory.company.com/artifactory/
User:				***
Password:			***
Default:			true

* Will fetch dependencies from 'vionix-devsecops-platform-golang'
* Will publish dependencies to 'vionix-devsecops-platform-golang' configured under .jfrog
Project Jfrog Golang Settings
* Reusing JFrog Golang settings from existing '.jfrog/projects/go.yaml'
* Will fetch dependencies from resolver.repo and publish at deployer.repo from the following:
version: v0.1.2
type: go
deployer:
  repo: vionix-devsecops-platform-golang-local
  serverId: company
resolver:
  repo: vionix-devsecops-platform-golang
  serverId: company
Removed version company-ghas-k8s-operator from go.mod
Publishing the golang module version v0.1.2 and all its dependencies in go.mod
jfrog rt go-publish v0.1.2 --deps ALL --detailed-summary=true
[Debug] Go config file was found in: /company/platform/vionix/.jfrog/projects/go.yaml
[Info] Using go: go version go1.21.3 linux/amd64

[Debug] Found deployer in the config file /company/platform/vionix/.jfrog/projects/go.yaml
[Debug] Sending HTTP GET request to: https://artifactory.company.com/artifactory/api/system/version
[Debug] Sending HTTP GET request to: https://artifactory.company.com/artifactory/api/system/version
[Debug] The Artifactory version is: 7.59.16
[Info] Publishing git.company.com/seceng-devsecops-platform/company-ghas-k8s-operator to vionix-devsecops-platform-golang-local
[Debug] Creating info file /company/platform/vionix
[Debug] Info file was successfully created: /company/platform/vionix/v0.1.2.info
[Info] Failed to extract file's sha256 from response body.
File: /tmp/jfrog.cli.temp.-1698251774-3458283834/project.zip2976578699
Error:  400 Bad Request 
{
  "status": "failure",
  "totals": {
    "success": 0,
    "failure": 0
  }
}

Reproduction steps

  1. Set up the dockerized version of Jfrog
  2. Implement go-publish commands to publish a golang app
  3. Set the incorrect credentials at the jfrog config command
  4. Try to publish using the go-publish command

Expected behavior

  • The error message showing a 403 Forbidden for the given credentials should be displayed
  • At least show the username doesn't have permission to the repo or anything informative

JFrog Client-Go version

associated to docker image 1.54.1

JFrog CLI version (if applicable)

1.54.1

Operating system type and version

ubuntu 20.20

JFrog Artifactory version

Enterprise Plus 7.59.16 rev 75916900

JFrog Xray version

No response

marcellodesales avatar Oct 26 '23 16:10 marcellodesales

Current Workaround

  • Just issue an HTTP HEAD to the API storage to verify if the user has write permissions to the repo
curl -I -u svc_seceng-devsecops:AKCp***siUaP49xU https://artifactory.company.com/artifactory/api/storage/vionix-devsecops-platform-golang-local
HTTP/2 403 
date: Fri, 27 Oct 2023 04:06:28 GMT
content-type: application/json
set-cookie: 
x-artifactory-id: ddb770a14d7818293f3b2fd86e4d5b1cd2e6f529
x-artifactory-node-id: art2-secondary
x-jfrog-version: Artifactory/7.59.16 75916900

marcellodesales avatar Oct 27 '23 04:10 marcellodesales

Applied solution in Github Actions

  • The Jfrog CLI has a ping call, but it only verifies the host information
  • We should have a CLI for verifying the provided credentials against a repository
  • I tried jfrog rt curl and it actually helps with it
jfrog rt curl mdesales:sdsoksodksd https://artifactory.company.com/artifactory/api/storage/vionix-devsecops-platform-golang-local
curl: (3) URL using bad/illegal format or missing URL
[Warn] Attempt 0 - Failure occurred while sending GET request to api/system/version - Get "api/system/version": unsupported protocol scheme ""
[Warn] Attempt 1 - Failure occurred while sending GET request to api/system/version - Get "api/system/version": unsupported protocol scheme ""
[Warn] Attempt 2 - Failure occurred while sending GET request to api/system/version - Get "api/system/version": unsupported protocol scheme ""
[Warn] Attempt 3 - Failure occurred while sending GET request to api/system/version - Get "api/system/version": unsupported protocol scheme ""
Request for 'vionix-devsecops-platform-golang-local:' is forbidden for user: 'anonymous'./ # 
  • In essence, I just want to perform an HTTP HEAD (cheaper) and verify if the credentials have write access to
  • At this point, we can just fail fast in our automation environment

marcellodesales avatar Oct 27 '23 05:10 marcellodesales
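
The fail-fast check described in the two workaround comments above, as an added example in Go (not code from jfrog-client-go or from the commenters): it sends the same HEAD request to `api/storage/<repo>` and returns distinct errors for 401 and 403 instead of one opaque failure. The function and error names, the repository `golang-local`, the users and the stand-in server are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

var ErrUnauthenticated = errors.New("401: credentials rejected")
var ErrForbidden = errors.New("403: user not permitted on repository")

// CheckRepoAccess (hypothetical name) HEADs baseURL/api/storage/repo; baseURL has no trailing slash.
func CheckRepoAccess(c *http.Client, baseURL, repo, user, secret string) error {
	req, err := http.NewRequest(http.MethodHead, baseURL+"/api/storage/"+repo, nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth(user, secret)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return nil
	case http.StatusUnauthorized:
		return ErrUnauthenticated
	case http.StatusForbidden:
		return ErrForbidden
	}
	return fmt.Errorf("unexpected status %s from %s", resp.Status, req.URL.Path)
}

// fakeArtifactory is a constructed stand-in: "s3cret" authenticates, only "ci-writer" is permitted.
func fakeArtifactory(w http.ResponseWriter, r *http.Request) {
	if u, p, ok := r.BasicAuth(); !ok || p != "s3cret" {
		w.WriteHeader(http.StatusUnauthorized)
	} else if u != "ci-writer" {
		w.WriteHeader(http.StatusForbidden)
	}
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(fakeArtifactory))
	defer srv.Close()
	fmt.Println(CheckRepoAccess(srv.Client(), srv.URL, "golang-local", "ci-reader", "s3cret"))
}
```

In a pipeline, read the secret from an environment variable or secret store rather than passing `user:key` on a command line, where it shows up in process listings and job logs.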

Hey @marcellodesales, Appreciate the heads-up on this matter. It seems you're on JFrog CLI v1. In v2, we've made substantial updates in this area that could potentially address this issue.

Would you mind informing us if this problem persists in the most recent JFrog CLI version? (currently v2.50.4)

Check out the documentation at this link: JFrog CLI Documentation. Check out the download and installation instructions for the most recent JFrog CLI at this link: https://jfrog.com/getcli.

yahavi avatar Oct 27 '23 14:10 yahavi