Where do I put my credentials when using Ivy and a

2019-01-11 01:52发布

问题:

I'm using Ant + Ivy, and my company has recently set up a Nexus server for our own private libraries. Ivy can get dependencies from the Nexus server by using a ibilio resolver and m2compatible=true, but I have to put my credentials in a ivysettings.xml file.

How are different developers supposed to store their credentials?

Is the ivysettings.xml file not supposed to be commited in vcs?

I really don't want to store my password in plain text.

回答1:

Use a settings file with properties controlling the Nexus credentials:

<ivysettings>
    <property name="repo.host" value="default.mycompany.com" override="false"/>
    <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
    <property name="repo.user" value="deployment"  override="false"/>
    <property name="repo.pass" value="deployment123"  override="false"/>          

    <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>

    ..
    ..
</ivysettings>

When you run the build you can then specify the true username and password:

ant -Drepo.user=mark -Drepo.pass=s3Cret

Update/Enhancement

Storing passwords as properties on the file system requires encryption.

Jasypt has a command-line program that can generate encrypted strings:

$ encrypt.sh verbose=0 password=123 input=s3Cret
hXiMYkpsPY7j3aIh/2/vfQ==

This can be saved in the build's property file:

username=bill
password=ENC(hXiMYkpsPY7j3aIh/2/vfQ==)

The following ANT target will decrypt any encrypted ANT properties:

<target name="decrypt">
    <taskdef name="groovy" classname="org.codehaus.groovy.ant.Groovy" classpathref="build.path"/>

    <groovy>
    import org.jasypt.properties.EncryptableProperties
    import org.jasypt.encryption.pbe.StandardPBEStringEncryptor

    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
    encryptor.setPassword(properties["master.pass"])

    Properties props = new EncryptableProperties((Properties)properties, encryptor);

    props.propertyNames().each {
        properties[it] = props.getProperty(it)
    }
    </groovy>
</target>

Of course to make this work, the password used for encrypting the properties needs to be specified as part of the build.

ant -Dmaster.pass=123

This means the solution is only good for hiding data at rest.



回答2:

For my purposes the command-line credentials weren't an option because I'm running through Jenkins and they'd be clearly pasted on the build output, so here was my solution which strikes a balance by being reasonably secure.

  • Create a properties file in your home directory that contains the sensitive information (we'll call it "maven.repo.properties")

    repo.username=admin
    repo.password=password
    
  • Near the top of your build file, import the property file

    <property file="${user.home}/maven.repo.properties"/>
    
  • In your publish target under build.xml, set your ivy settings file location (which does get checked in to code control) but embed your credential properties

    <target name="publish">
        <ivy:settings file="ivysettings.xml">
            <credentials host="repohostname" realm="Artifactory Realm" username="${repo.username}" passwd="${repo.password}"/>
        </ivy:settings>
        <!-- ivy:makepom and ivy:publish targets go here -->
    </target>
    
  • Create your ivysettings.xml just as you did before, but strip out the username and passwd attributes

You can then leverage your operating system's permissions to make sure that the maven.repo.properties file is properly hidden from everybody except you (or your automatic build implementation).



回答3:

The ivysettings.xml sample in Mark O'Connor's answer should actually be as follows:

<ivysettings>
  <property name="repo.host" value="default.mycompany.com" override="false"/>
  <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
  <property name="repo.user" value="deployment"  override="false"/>
  <property name="repo.pass" value="deployment123"  override="false"/>          

  <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>

  ..
</ivysettings>

Means, the property names should not be surrounded by ${...} (it took me quite a while to find out why this failed - but now I know how to debug ivy access - use commons-httpclient-3.0, set everything to verbose etc.)



回答4:

Additional to Mark O'Connor's answer you can hide the password from your daily work and from the prying eyes of your workmates by putting these properties either into the antrc startup file or into the environment variables used by ant. Please note that they are not very secure in either place.



标签: java ant ivy nexus