How to only trigger private repository credentials fetching when required

electrofelix · June 6, 2023, 3:48pm

The standard examples of configuring private repositories with gradle uses the following:

repositories {
    maven {
        name "myPrivateRepo"
        url  "https://some.private.domain.example.com"
        credentials {
          username 'user'
          password 'password'
        }
    }
}

Following AWS guide to allow this to work for CodeArtifact from IDEs Use CodeArtifact with Gradle - CodeArtifact

I can see from documentation that if it’s possible to use the builtin credential providers Declaring repositories then gradle can avoid retrieving the credentials needed unless it is necessary.

It’s possible to get to a point where I can use a system property to store the token generated and pull it back out so that for a given run, even with multiple projects only one token is generated to keep down the latency. It would be annoying though on slower connections and most of the time after the first run it should be unnecessary unless there is a need to refresh dependencies.

Is there any way to do this when dealing with custom authentication handling? I don’t think that the existing authentication APIs support CodeArtifact, but it appears that it’s also not possible to define the repositories block in a way that skips executing the block unless the credentials are needed. Or at least not obvious.

Vampire · June 6, 2023, 3:58pm

Unless I got you wrong, why can’t you use credentials(PasswordCredentials::class)?
As it pulls the credentials from project properties, you can supply them as environment variable, or as system property, or as commandline argument, or as content of a properties file.

electrofelix · June 6, 2023, 5:03pm

I probably should have used a better example rather than just linking to it. Since codeartifact tokens expire after 12 hours, end up with the following to ensure a nice experience

def codeartifactToken = "aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text --profile profile-name".execute().text
    repositories {
        maven {
            url 'https://my_domain-111122223333.d.codeartifact.region.amazonaws.com/maven/my_repo/'
            credentials {
                username "aws"
                password codeartifactToken
            }
        }
    }

Problem is that the function is always executed, there doesn’t seem to be an easy way to define it and have it only execute if Gradle actually needs the credentials

Vampire · June 6, 2023, 6:31pm

Maybe if you create a subclass of PasswordCredentials where you lazily calculate the value in the getPassword function and supply that class?

electrofelix · June 6, 2023, 7:57pm

I’ve been trying to experiment a bit in that area but I keep bumping into where the code says the credentials type is unknown and lists only 3 that are supported.

Unknown credentials type: ‘GenerateCodeArtifactPasswordCredentials’ (supported types: org.gradle.api.artifacts.repositories.PasswordCredentials, org.gradle.api.credentials.AwsCredentials and org.gradle.api.credentials.HttpHeaderCredentials).

Looking around I’m seeing the following checks and I’m wondering if I’m just out of luck here? Essentially gradle requires that the Credentials is one of the build in and otherwise can only supply the values but not provide a custom class to resolve?

github.com

gradle/gradle/blob/8d6317d4b39a8196868f87931e8f82f06d17cc88/subprojects/dependency-management/src/main/java/org/gradle/api/internal/artifacts/repositories/AuthenticationSupporter.java#L143-L153


      
          private static <T extends Credentials> Class<? extends T> getCredentialsImplType(Class<T> publicType) {
              if (publicType == PasswordCredentials.class) {
                  return Cast.uncheckedCast(DefaultPasswordCredentials.class);
              } else if (publicType == AwsCredentials.class) {
                  return Cast.uncheckedCast(DefaultAwsCredentials.class);
              } else if (publicType == HttpHeaderCredentials.class) {
                  return Cast.uncheckedCast(DefaultHttpHeaderCredentials.class);
              } else {
                  throw new IllegalArgumentException(String.format("Unknown credentials type: '%s' (supported types: %s, %s and %s).", publicType.getName(), PasswordCredentials.class.getName(), AwsCredentials.class.getName(), HttpHeaderCredentials.class.getName()));
              }
          }

Vampire · June 6, 2023, 10:05pm

Seems so unfortunately

Topic		Replies	Views
Lazily evaluate repo password in pluginManagement section Help/Discuss	1	323	July 21, 2023
Is there a (sane) way to define a maven repository once and then reuse it multiple times? Help/Discuss	18	130	September 9, 2024
Extract repositiories block Help/Discuss	3	504	July 13, 2016
How are people dealing with authenticated maven proxies? Old Forum Archive	1	809	November 13, 2011
Gradle and maven-publis-auth issue Help/Discuss plugins	0	1232	July 30, 2015

How to only trigger private repository credentials fetching when required

Related topics