[feature] Better support for local & CI workflow for conan remote login

[schwaerz]

What is your suggestion?

Following up on #5443:

It looks like what was implemented back then is no longer available or did not make it into the final Conan 2.x release.

What would be very useful to us (to reduce the required scripting in every repository):

Have one conan remote ... command to

1. Log on in CI using CONAN_LOGIN_USERNAME and CONAN_PASSWORD
2. Log on to the remote when executed locally, where...
   • It shall ask interactively for username and password for a remote if not authenticated
   • It shall not ask for username and passort if already authenticated to the remote - and the authentication token is still valid

Have you read the CONTRIBUTING guide?

• I've read the CONTRIBUTING guide

[memsharded]

Hi @schwaerz

Thanks for your suggestion.

I have been reviewing this, but so far it seems that this is how the conan remote auth works:

• If CONAN_ variables are defined for login/pass, they will be used, see

  conan/test/integration/command/user_test.py

  Line 380 in d144ef2

  def test_remote_auth_with_user_env_var(self):

• For devs, it will interactively ask for login/password, and it will only re-ask for login/password if the token is expired, see

  conan/test/integration/command/user_test.py

  Line 402 in d144ef2

  def test_remote_auth_server_expire_token_secret(self):

  and

  conan/test/integration/command/user_test.py

  Line 419 in d144ef2

  def test_remote_auth_server_expire_token(self):

I have added an extra check in #17374, to validate that when the user is authenticated and the token is valid, it will not request credentials to the user again.

[schwaerz]

@memsharded Thanks for the update. I will need to try with conan auth once more. Maybe I did something wrong.

[memsharded]

Great, looking forward your feedback.
As you can see, the test framework that we have should be pretty straightforward, it can help a lot to automate testing, avoiding lots of manual tests, if you want to leverage it.

[schwaerz]

Unfortunately it does not seem to work for me. I executed the following using conan 2.9.3 on my local machine. Conan did not ask for username and / or password:

schwaerz@localhost:~/repositories/c-lib$ ./pdm.sh run conan remote auth conan-css-iphub-local
conan-css-iphub-local:
    user: schwaerz
schwaerz@localhost:~/repositories/c-lib$ ./pdm.sh run conan remote logout conan-css-iphub-local
Changed user of remote 'conan-css-iphub-local' from 'schwaerz' (authenticated) to 'None' (anonymous)
schwaerz@localhost:~/repositories/c-lib$ ./pdm.sh run conan remote auth conan-css-iphub-local
conan-css-iphub-local:
    user: None

[schwaerz]

I just tried enabling some debug logging. However it looks like the -v option to conan remote / conan remote auth does not work.

[memsharded]

I am a bit surprised about that. I have tried to add a new test to the PR (90437b9), you can check it, but also tried locally against a real ArtifactoryCE server:

$ conan remote auth art
Remote 'art' needs authentication, obtaining credentials
Remote 'art' username: admin
Please enter a password for user 'admin' on remote 'art':
art:
    user: admin


$ conan remote logout art
Changed user of remote 'art' from 'admin' (authenticated) to 'None' (anonymous)

$ conan remote auth art
Remote 'art' needs authentication, obtaining credentials
Remote 'art' username: admin
Please enter a password for user 'admin' on remote 'art':
art:
    user: admin

[schwaerz]

Could this be possibly related to some specific settings on the Artifactory remote?

[memsharded]

It seems there is something different in your setup, I don't see the Remote 'art' needs authentication, obtaining credentials message, even the first remote auth, I don't understand why.

[schwaerz]

I will try some debugging.

[memsharded]

Could this be possibly related to some specific settings on the Artifactory remote?

It might be. Maybe if the repo allows anonymous reads, then it doesn't really need auth, so the conan remote auth will continue without issues. For this kind of configuration, users must explicitly conan remote login to force authentication.

[schwaerz]

The repo does not allow anonymous access. However the check_credentials REST api call seems to return 200 anyways:

c-lib-3.11schwaerz@localhost:~/repositories/c-lib$ curl -I https://artifactory.url/artifactory/api/conan/conan-css-iphub-local/v2/users/check_credentials
HTTP/1.1 200 
Date: Mon, 25 Nov 2024 11:07:05 GMT
Connection: keep-alive
X-JFrog-Version: Artifactory/7.63.14 76314900
X-Artifactory-Id: ceaa3e3d815fee0bb7a5f60661ef5f20e09dd998
X-Artifactory-Node-Id: artifactory-ha-artifactory-ha-primary-2
X-Conan-Server-Version: 0.20.0
X-Conan-Server-Capabilities: complex_search,checksum_deploy,revisions,matrix_params
Strict-Transport-Security: always

[schwaerz]

I did not find the documentation for this REST call. Probably you have a link so I could check with our Artifactory guys what's going on?

[schwaerz]

What I found:
If I run curl like this - I will get the 401 as expected:

curl -I -H "Authorization: Bearer foo" https://artifactory.url/artifactory/api/conan/conan-css-iphub-local/v2/users/check_credentials

If I then use a valid token, I will get a 200:

curl -I -H "Authorization: Bearer {my-valid-token}" https://artifactory.url/artifactory/api/conan/conan-css-iphub-local/v2/users/check_credentials

[schwaerz]

So maybe this can be fixed in conan after all?

[schwaerz]

conan remote auth will work if I revoke the token in Artfactory. But it doesn't if I do a conan remote logout or if I never called conan remote login before.

[schwaerz]

following could be a workaround:

If we set token to something other than None here: https://github.com/conan-io/conan/blob/develop2/conans/client/rest/auth_manager.py#L30, the authentication will be done as expected.

However I am not sure how to test this properly - or whether you would accept a PR doing that? Maybe this would have other implications I currently cannot see?

[schwaerz]

@memsharded As it took not much time to come up with a quick fix, I gave it a shot.

[memsharded]

I did not find the documentation for this REST call. Probably you have a link so I could check with our Artifactory guys what's going on?

I am afraid we don't have any documentation of the http rest api, just the code (both client and server side)

conan remote auth will work if I revoke the token in Artfactory. But it doesn't if I do a conan remote logout or if I never called conan remote login before.

But if it is not a server side different configuration, why the unitttest linked in the PR will work, and the conan remote logout will work as expected?

[schwaerz]

But if it is not a server side different configuration, why the unitttest linked in the PR will work, and the conan remote logout will work as expected?

I cannot tell. But what I can see is that the check_crededentials endpoint will always return 200 on our instance if no authentication header is provided. However if you provide an invalid token instead, it returns 401 as expected.

[schwaerz]

@memsharded Another question wrt to this: Do you believe it makes sense to create a ticket wrt the the 200 response of check_credentials?
As this API call is not documented I wonder whether it is officially supported in Artifactory?

[memsharded]

Just in case, in my local Artifactory conan repo:

$ curl -I https://localhost:8081/artifactory/api/conan/conan/v2/users/check_credentials
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid

[schwaerz]

Let me try to get some local server running.

[schwaerz]

Works like a charm with Artifactory CE version 7.63.12

curl -I http://localhost:8082/artifactory/api/conan/conan-local/v2/users/check_credentials
2/users/check_credentials
HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=ISO-8859-1
Date: Wed, 27 Nov 2024 10:14:13 GMT
Www-Authenticate: Basic realm="Artifactory Realm"

[schwaerz]

I think I found the setting causing this behavior. If anonymous access is enabled on instance level, check_credentials returns 200 for the locally hosted Artifactory CE (same version like our official server), too.

[memsharded]

Implemented in #17377 for next Conan 2.10, with conan remote auth --force