Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.12.1
Fix Version/s: 3.14.0
Component/s: PyPI, User Token
Labels:
Story Points: 1
Release Note: Yes
Certain primitive repository formats only support URL based authentication of the form:
http://user:password@localhost:8081
For example PyPI is known to have this problem:
https://github.com/pypa/pip/issues/4315
YUM auth has a similar problem.
Admins may want to enforce authenticated access to repo manager using our User Tokens feature.
Currently User Tokens may be generated with non-URL-safe characters, which prevents using the above URL based authentication mechanism.
Expected
To support primitive url based auth, there should be an optional option to generate user tokens which only contain url safe characters.
Possible Workaround for Some Formats
Take the user token name and value generated by Nexus and URL Encode them manually first, before adding them to the URL being used in your tool.
For example, Nexus generates these tokens:
Name Code: /pKsRLhn
Pass Code: /HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh
As expected, this URL will not parse correctly:
curl -v "http:///pKsRLhn:/HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh@localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom" -o /dev/null
* Unwillingly accepted illegal URL using 3 slashes!
URL Encode each value:
Name Code: %2FpKsRLhn
Pass Code: %2FHAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh
All of these requests authenticate properly:
curl -v -u "/pKsRLhn:/HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh" http://localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom -o /dev/null
curl -v "http://%2FpKsRLhn:%2FHAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh@localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom" -o /dev/null
While no authentication for the same URL will fail:
curl -v "http://localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom" -o /dev/null
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 8081 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET /repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.57.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Fri, 29 Jun 2018 16:47:22 GMT
< Server: Nexus/3.13.0-SNAPSHOT (PRO)
< X-Content-Type-Options: nosniff
< Set-Cookie: NX-ANTI-CSRF-TOKEN=8d0c3bff-fe84-408e-a60d-c1c49eb07a17; Path=/
< Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
< WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
< Content-Length: 0
Windows Pip
This workaround does not solve this issue for python/pip when running on Windows; see my comment below for details.
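
The manual URL-encoding workaround described above, as an added example that is not part of the original issue or of Nexus. It uses Python's urllib parser as a stand-in for a client (curl and pip have their own parsers), and the function names are hypothetical; the token values and repository URL are the ones shown in the issue.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Token values and URL as shown in the issue's example.
NAME_CODE = "/pKsRLhn"
PASS_CODE = "/HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh"
REPO_URL = ("http://localhost:8081/repository/maven-central/"
            "abbot/abbot/0.13.0/abbot-0.13.0.pom")

# RFC 3986 "unreserved" set: characters that need no encoding in userinfo.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def is_url_safe(token):
    """True if the token can be placed in user:password@ without encoding."""
    return bool(token) and all(ch in UNRESERVED for ch in token)


def with_credentials(url, name_code, pass_code):
    """Return url with percent-encoded name:pass inserted as userinfo."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host")
    if "@" in parts.netloc:
        raise ValueError("URL already carries credentials")
    # safe="" forces "/" (and ":" and "@") to be encoded as well.
    userinfo = quote(name_code, safe="") + ":" + quote(pass_code, safe="")
    return urlunsplit(parts._replace(netloc=userinfo + "@" + parts.netloc))


def credentials_as_parsed(url):
    """Return (host, user, password) a URL parser recovers, or None."""
    parts = urlsplit(url)
    if parts.hostname is None or parts.username is None:
        return None
    return parts.hostname, unquote(parts.username), unquote(parts.password or "")


if __name__ == "__main__":
    # Raw tokens pasted into the URL: the leading "/" ends the authority part.
    raw = "http://%s:%s@%s" % (NAME_CODE, PASS_CODE, REPO_URL[len("http://"):])
    print("raw token URL parses to:", credentials_as_parsed(raw))
    encoded = with_credentials(REPO_URL, NAME_CODE, PASS_CODE)
    print("encoded URL:", encoded)
    print("encoded URL parses to:", credentials_as_parsed(encoded))
```

The encoded URL still contains the token itself, so it appears wherever the URL is recorded, such as shell history and tool configuration files.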