
Maven - attempt anonymous artifact download

Open nmck257 opened this issue 2 years ago • 3 comments

Consider a Maven settings.xml which uses property resolution for credentials:

  <servers>
    <server>
      <id>my-organization-repository</id>
      <username>${MAVEN_USERNAME}</username>
      <password>${MAVEN_PASSWORD}</password>
    </server>
  </servers>

And, suppose those properties are not resolved at runtime (e.g. the environment does not have those variables set, perhaps because most requests to that repository do not actually require authentication).

When rewrite-maven attempts to download artifacts using this config, it will use the placeholders directly as credentials, and inevitably receive a 401 (bad credentials) response. (Note that if the properties are set, then rewrite-maven works as expected, and if those properties are explicitly set to blank values, then rewrite-maven proceeds with anonymous requests to the repository.)

However, with the same config, Apache Maven succeeds at downloading artifacts. Ostensibly, Apache Maven either attempts anonymous requests (either before or after attempting authenticated requests), or has some logic to discard credentials which are formatted like placeholder properties. It would be nice if rewrite-maven had a similar behavior.

This scenario might be a bit niche, but, solving it would increase the likelihood of rewrite-maven "just working" across diverse environments.

nmck257 avatar May 31 '22 15:05 nmck257

Hi @nmck257,

It appears that Maven will fall back to anonymous access even when you define a user/password with no property placeholders. So this might be a fix where, if we get a 4xx error from the repo (and we have user/pass), try again without.

tkvangorder avatar Jul 01 '22 00:07 tkvangorder

    <mirrors>
        <mirror>
            <id>moderne-remote-cache</id>
            <mirrorOf>
                central
            </mirrorOf>
            <url>https://artifactory.moderne.ninja/artifactory/moderne-remote-cache</url>
        </mirror>
    </mirrors>
    <servers>
        <server>
            <id>moderne-remote-cache</id>
            <username>MYNAME</username>
            <password>MYPASS</password>
        </server>
    </servers>

Maven still uses anonymous access.

tkvangorder avatar Jul 01 '22 00:07 tkvangorder

Sure, I can prepare an implementation for that.

IIRC, I didn't go that route originally because I was worried about the extreme case of ~doubling round-trips per download -- then I considered logic to remember whether the credentials were good or bad for a given server, but that could get complex if the user is only authorized for certain paths in that repository, and different repos might give different HTTP codes for that case... Eventually I yielded and just went for this "offline" solution.

But your proposal is indeed more robust, and all those optimizations I fussed over can come later if they prove necessary and worthwhile :)

nmck257 avatar Jul 01 '22 13:07 nmck257

The implementation of requestAsAuthenticatedOrAnonymous currently only reports the failure from the anonymous retry. This leads to confusing error messages in the case where the first attempt fails with a 404 and the anonymous retry with a 401. From the user's POV there seems to be something wrong with authentication, while the problem is a nonexistent artifact.

mduerig avatar Feb 22 '23 18:02 mduerig

@mduerig - that's a good point. I'd gladly accept a PR to improve that error reporting, if you have a clever fix in mind.

nmck257 avatar Feb 22 '23 18:02 nmck257

@nmck257, here is a first shot at it: https://github.com/openrewrite/rewrite/pull/2889

mduerig avatar Feb 23 '23 21:02 mduerig
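
The behaviour discussed in this thread, as an added example that is not rewrite-maven's code and not part of any comment above: skip credentials that are still unresolved `${...}` placeholders, retry once anonymously after a 4xx, and keep the first failure in the report so a 404 followed by a 401 does not read as an authentication problem. The names `fetch`, `transport`, `Credentials` and `Outcome` are hypothetical, the stub repositories in `main` are constructed, and Java 16 or later is assumed for records.

```java
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.Pattern;

// Added illustration, not rewrite-maven code; every name below is hypothetical.
public class AnonymousFallbackExample {
    record Credentials(String username, String password) {}
    record Outcome(int status, String detail) {}
    // A value still shaped like ${NAME} was never interpolated from the environment.
    static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{[^}]+\\}");

    static boolean unresolved(Credentials c) {
        return PLACEHOLDER.matcher(c.username()).matches()
                || PLACEHOLDER.matcher(c.password()).matches();
    }

    // transport (assumed hook) performs one GET and returns the HTTP status;
    // an empty Optional means "send no Authorization header".
    static Outcome fetch(Optional<Credentials> configured,
                         Function<Optional<Credentials>, Integer> transport) {
        // Offline check: never send placeholder text as a username or password.
        Optional<Credentials> usable = configured.filter(c -> !unresolved(c));
        int first = transport.apply(usable);
        String who = usable.isPresent() ? "authenticated" : "anonymous";
        Outcome firstOutcome = new Outcome(first, who + " request: " + first);
        boolean clientError = first >= 400 && first < 500;
        if (usable.isEmpty() || !clientError) {
            return firstOutcome;
        }
        // Credentials were sent and the repository answered 4xx: retry once without them.
        int retry = transport.apply(Optional.empty());
        if (retry >= 200 && retry < 300) {
            return new Outcome(retry, "anonymous retry: " + retry);
        }
        // Both failed: keep the first status and mention both, so a 404 followed
        // by a 401 is not reported as an authentication problem.
        return new Outcome(first, firstOutcome.detail() + "; anonymous retry: " + retry);
    }
    public static void main(String[] args) {
        // Constructed stub repositories standing in for real HTTP calls.
        Function<Optional<Credentials>, Integer> openRepo = c -> 200;
        Function<Optional<Credentials>, Integer> missing = c -> c.isPresent() ? 404 : 401;
        Optional<Credentials> env = Optional.of(
                new Credentials("${MAVEN_USERNAME}", "${MAVEN_PASSWORD}"));
        Optional<Credentials> real = Optional.of(new Credentials("MYNAME", "MYPASS"));
        System.out.println(fetch(env, openRepo));  // placeholders dropped, one anonymous request
        System.out.println(fetch(real, missing));  // missing artifact, anonymous retry refused
    }
}
```

Dropping placeholder credentials before the first request also keeps the literal `${MAVEN_PASSWORD}` text out of the repository's authentication logs, where repeated bad-credential attempts can look like a misconfigured or hostile client.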