Where do I put my credentials when using Ivy and a private company repository?

前端 未结 4 688
遥遥无期
遥遥无期 2020-12-02 23:56

I\'m using Ant + Ivy, and my company has recently set up a Nexus server for our own private libraries. Ivy can get dependencies from the Nexus server by using a ibilio resol

相关标签:
4条回答
  • 2020-12-03 00:29

    Additional to Mark O'Connor's answer you can hide the password from your daily work and from the prying eyes of your workmates by putting these properties either into the antrc startup file or into the environment variables used by ant. Please note that they are not very secure in either place.

    0 讨论(0)
  • 2020-12-03 00:39

    The ivysettings.xml sample in Mark O'Connor's answer should actually be as follows:

    <ivysettings>
      <property name="repo.host" value="default.mycompany.com" override="false"/>
      <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
      <property name="repo.user" value="deployment"  override="false"/>
      <property name="repo.pass" value="deployment123"  override="false"/>          
    
      <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>
    
      ..
    </ivysettings>
    

    Means, the property names should not be surrounded by ${...} (it took me quite a while to find out why this failed - but now I know how to debug ivy access - use commons-httpclient-3.0, set everything to verbose etc.)

    0 讨论(0)
  • 2020-12-03 00:41

    For my purposes the command-line credentials weren't an option because I'm running through Jenkins and they'd be clearly pasted on the build output, so here was my solution which strikes a balance by being reasonably secure.

    • Create a properties file in your home directory that contains the sensitive information (we'll call it "maven.repo.properties")

      repo.username=admin
      repo.password=password
      
    • Near the top of your build file, import the property file

      <property file="${user.home}/maven.repo.properties"/>
      
    • In your publish target under build.xml, set your ivy settings file location (which does get checked in to code control) but embed your credential properties

      <target name="publish">
          <ivy:settings file="ivysettings.xml">
              <credentials host="repohostname" realm="Artifactory Realm" username="${repo.username}" passwd="${repo.password}"/>
          </ivy:settings>
          <!-- ivy:makepom and ivy:publish targets go here -->
      </target>
      
    • Create your ivysettings.xml just as you did before, but strip out the username and passwd attributes

    You can then leverage your operating system's permissions to make sure that the maven.repo.properties file is properly hidden from everybody except you (or your automatic build implementation).

    0 讨论(0)
  • 2020-12-03 00:43

    Use a settings file with properties controlling the Nexus credentials:

    <ivysettings>
        <property name="repo.host" value="default.mycompany.com" override="false"/>
        <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
        <property name="repo.user" value="deployment"  override="false"/>
        <property name="repo.pass" value="deployment123"  override="false"/>          
    
        <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>
    
        ..
        ..
    </ivysettings>
    

    When you run the build you can then specify the true username and password:

    ant -Drepo.user=mark -Drepo.pass=s3Cret
    

    Update/Enhancement

    Storing passwords as properties on the file system requires encryption.

    Jasypt has a command-line program that can generate encrypted strings:

    $ encrypt.sh verbose=0 password=123 input=s3Cret
    hXiMYkpsPY7j3aIh/2/vfQ==
    

    This can be saved in the build's property file:

    username=bill
    password=ENC(hXiMYkpsPY7j3aIh/2/vfQ==)
    

    The following ANT target will decrypt any encrypted ANT properties:

    <target name="decrypt">
        <taskdef name="groovy" classname="org.codehaus.groovy.ant.Groovy" classpathref="build.path"/>
    
        <groovy>
        import org.jasypt.properties.EncryptableProperties
        import org.jasypt.encryption.pbe.StandardPBEStringEncryptor
    
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
        encryptor.setPassword(properties["master.pass"])
    
        Properties props = new EncryptableProperties((Properties)properties, encryptor);
    
        props.propertyNames().each {
            properties[it] = props.getProperty(it)
        }
        </groovy>
    </target>
    

    Of course to make this work, the password used for encrypting the properties needs to be specified as part of the build.

    ant -Dmaster.pass=123
    

    This means the solution is only good for hiding data at rest.

    0 讨论(0)
提交回复
热议问题