Fix a bug when mvn uses the dependency proxy with basic auth
🥘 Context
In Maven dependency proxy (&3610 - closed), we introduced the Maven dependency proxy.
The Maven dependency proxy accepts several credential transports. Among them, Basic Auth.
In https://gitlab.com/gitlab-com/ops-sub-department/section-ops-request-for-help/-/issues/289, we were made aware of a bug with the `$ mvn` client.
The `$ mvn` client will not send the request with the credentials even when it's properly set up. Instead, it will:
1. Send a request without the credentials.
2. Expect a `401 Unauthorized`.
3. Send the exact same request with the credentials (using Basic Auth).
The problem is how we handle (2.) for public projects, see this line. An anonymous user will have the `read_project` permission on public projects and as such, that line will trigger a `403 Forbidden` response, which is not what `$ mvn` expects.
As such, `$ mvn` will completely stop its execution.
This does not affect other Maven clients such as `$ gradle`.
This is issue #442957 (closed).
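The request flow described above, as an added Ruby model that is not GitLab's code: it simulates the proxy's handling of a Basic Auth request before and after the fix, and the client's "anonymous request, then retry on 401" behaviour. The exact predicate the fix uses and the token value are assumptions made for the example.

```ruby
require 'base64'

# Constructed sample token for the example; not a real GitLab job token.
VALID_JOB_TOKEN = 'constructed-job-token'.freeze

# Model of the proxy's request handling. `mode` selects the behaviour this MR
# changes: :before reproduces the bug, :after the intended behaviour.
# Returns [status, headers, body].
def proxy_response(headers, public_project:, mode:)
  auth = headers['Authorization']
  if auth.nil?
    # Before: an anonymous user already has read_project on a public project,
    # so the request gets past the permission check and is rejected with 403.
    # After: a request carrying no credentials is challenged with 401 so the
    # Maven client retries with Basic Auth (assumed shape of the fix).
    return [403, {}, 'Forbidden'] if mode == :before && public_project
    return [401, { 'WWW-Authenticate' => 'Basic realm="GitLab Dependency Proxy"' }, 'Unauthorized']
  end
  user, token = Base64.decode64(auth.sub(/\ABasic /, '')).split(':', 2)
  return [200, {}, 'artifact bytes'] if user == 'gitlab-ci-token' && token == VALID_JOB_TOKEN
  [403, {}, 'Forbidden']
end

# Model of mvn's Basic Auth flow: anonymous request first, resend with the
# credentials only on a 401, stop on any other status.
def maven_fetch(public_project:, mode:)
  status, = proxy_response({}, public_project: public_project, mode: mode)
  return { status: status, requests: 1 } unless status == 401

  basic = 'Basic ' + Base64.strict_encode64("gitlab-ci-token:#{VALID_JOB_TOKEN}")
  status, = proxy_response({ 'Authorization' => basic }, public_project: public_project, mode: mode)
  { status: status, requests: 2 }
end
```

On a public project the `:before` mode stops after a single request with 403, while `:after` completes in two requests, which is also why the MR recommends header-based authentication that needs only one.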
🤔 What does this MR do and why?
- Make sure that the Maven dependency proxy always returns the proper response code when using Basic Auth.
- Update the related specs.
- Update the Maven dependency proxy documentation to recommend the custom HTTP header authentication when using `$ mvn`, as this will avoid sending 2 requests when pulling 1 file = 50% fewer network requests.
🏎 MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
🌈 Screenshots or screen recordings
No UI changes.
⚙ How to set up and validate locally
Let's set up things to demonstrate the bug with a CI job.
Have a project with the following files:
`pom.xml`

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.app</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0-SNAPSHOT</version>
  <properties>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
  </properties>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
  <repositories>
    <repository>
      <id>gitlab-maven</id>
      <url>${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/dependency_proxy/packages/maven</url>
    </repository>
  </repositories>
</project>
```
`settings.xml`

```xml
<settings>
  <mirrors>
    <mirror>
      <id>gitlab-maven</id>
      <name>GitLab proxy of central repo</name>
      <url>${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/dependency_proxy/packages/maven</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <id>gitlab-maven</id>
      <username>gitlab-ci-token</username>
      <password>${CI_JOB_TOKEN}</password>
      <configuration>
        <authenticationInfo>
          <userName>gitlab-ci-token</userName>
          <password>${CI_JOB_TOKEN}</password>
        </authenticationInfo>
      </configuration>
    </server>
  </servers>
</settings>
```
`.gitlab-ci.yml`

```yaml
test_maven:
  image: maven:latest
  script:
    - mvn test -s settings.xml
```
Lastly, in the project settings > Packages and Registries, use these settings for the Maven dependency proxy:
With the above setup, `$ mvn` will pull Maven packages using only the Maven dependency proxy. We have a project with a few dependencies. As we will see below, pulling the first file will fail due to the Basic Auth
On `master`, the CI job fails with:

```
Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.1 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.1: The following artifacts could not be resolved: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.1 (absent): Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.1 from/to gitlab-maven (http://gdk.test:8000/api/v4/projects/291/dependency_proxy/packages/maven): status code: 403, reason phrase: Forbidden (403) -> [Help 1]
```
With this MR, the CI job is