
Support for NuGet feed credentials with only username/password in nuget.config #10360

Conversation

rhyskoedijk
Contributor

@rhyskoedijk rhyskoedijk commented Aug 4, 2024

What are you trying to accomplish?

Fix #9098; specifically, #9098 (comment)
Fix #8914; specifically, #8914 (comment)

When dependabot uses NuGet.exe to perform the update, it injects registry credentials to nuget.config. If a registry requires basic access auth (username/password), there is no way to set the username as it is always hard-coded to "user".

For example, when using configuration:

version: 2
registries:
  private-devops:
    type: nuget-feed
    url: https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json
    password: 1234567890
  telerik:
    type: nuget-feed
    url: https://nuget.telerik.com/v3/index.json
    username: user@company.com
    password: secret
updates:
  - package-ecosystem: "nuget"
    directory: "/NetFx-PrivateFeeds"
    registries: "*"

nuget.config would be:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget_source_1" value="https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json" />
    <add key="nuget_source_2" value="https://nuget.telerik.com/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <nuget_source_1>
      <add key="Username" value="user" />
      <add key="ClearTextPassword" value="" /><!-- EXPECTED: '1234567890' -->
    </nuget_source_1>
    <nuget_source_2>
      <add key="Username" value="user" /><!-- EXPECTED: 'user@company.com' -->
      <add key="ClearTextPassword" value="" /><!-- EXPECTED: 'secret' -->
    </nuget_source_2>
  </packageSourceCredentials>
</configuration>

Changing the dependabot.yml config to use a basic access auth formatted token for the registry does not fix the issue. The nuget.config becomes:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget_source_1" value="https://pkgs.dev.azure.com/rhyskoedijk/Dependabot/_packaging/Private-NuGet/nuget/v3/index.json" />
    <add key="nuget_source_2" value="https://nuget.telerik.com/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <nuget_source_1>
      <add key="Username" value="user" />
      <add key="ClearTextPassword" value=":1234567890" /><!-- EXPECTED: '1234567890' -->
    </nuget_source_1>
    <nuget_source_2>
      <add key="Username" value="user" /><!-- EXPECTED: 'user@company.com' -->
      <add key="ClearTextPassword" value="user@company.com:secret" /><!-- EXPECTED: 'secret' -->
    </nuget_source_2>
  </packageSourceCredentials>
</configuration>

There appears to be no way to influence the value of Username. Without this, NuGet feeds secured with basic access auth cannot be used if the username is a significant part of the credentials (e.g. nuget.telerik.com).

Anything you want to highlight for special attention from reviewers?

There was an existing unit test for this, which I've just added more scenarios to.
Should I break this out into individual tests?

How will you know you've accomplished your goal?

The nuget.config has the expected values (see above).

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

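As an added example (not dependabot-core's own code), the credential mapping the description above asks for, in Ruby: an explicit username is honoured, a basic-auth formatted token of the form user:pass is split into its two halves, and the XML is built with REXML so a secret containing &, < or quotes cannot corrupt the file. It assumes registry hashes carry the same string keys as the dependabot.yml entries above (type, url, username, password, token) and names sources nuget_source_N as in the nuget.config shown.

```ruby
# Added example, not dependabot-core's own code: map dependabot registry
# entries to NuGet packageSourceCredentials, honouring an explicit username
# and splitting a basic-auth formatted "user:pass" token.
require "rexml/document"

# Returns { username:, password: } for one registry hash, or nil when the
# entry is not a nuget-feed or carries no usable secret.
def nuget_credential_for(registry)
  return nil unless registry["type"] == "nuget-feed"
  username = registry["username"]
  password = registry["password"]
  if password.nil? && (token = registry["token"])
    user_part, sep, pass_part = token.partition(":")
    if sep.empty?
      password = token # plain token: use it as the password
    else
      # "user@company.com:secret" -> username from the token unless one was
      # configured explicitly; ":1234567890" -> password only
      username = user_part unless username || user_part.empty?
      password = pass_part
    end
  end
  return nil if password.nil? || password.empty?
  { username: username || "user", password: password }
end

# Build the nuget.config document with REXML so that characters such as
# '&', '<' or quotes in a secret are escaped instead of corrupting the XML.
def build_nuget_config(registries)
  doc = REXML::Document.new
  doc << REXML::XMLDecl.new("1.0", "utf-8")
  root = doc.add_element("configuration")
  sources = root.add_element("packageSources")
  creds = root.add_element("packageSourceCredentials")
  registries.each_with_index do |registry, i|
    key = "nuget_source_#{i + 1}"
    sources.add_element("add", "key" => key, "value" => registry["url"])
    cred = nuget_credential_for(registry)
    next unless cred
    entry = creds.add_element(key)
    entry.add_element("add", "key" => "Username", "value" => cred[:username])
    entry.add_element("add", "key" => "ClearTextPassword", "value" => cred[:password])
  end
  formatter = REXML::Formatters::Pretty.new(2)
  formatter.compact = true
  out = +""
  formatter.write(doc, out)
  out
end
```

If the result has to go to disk, write it with File.write(path, xml, perm: 0600), since it holds clear-text secrets.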
@github-actions github-actions bot added the L: dotnet:nuget NuGet packages via nuget or dotnet label Aug 4, 2024
@@ -27,32 +27,66 @@
return if nuget_credentials.empty?

File.rename(user_nuget_config_path, temporary_nuget_config_path)
File.write(
user_nuget_config_path,
<<~NUGET_XML
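Review bot: the File.rename of user_nuget_config_path to temporary_nuget_config_path followed directly by File.write has no ensure or rescue visible in this hunk, so if the write raises, the user's original nuget.config is left parked at the temporary path; wrap the write in begin/ensure that moves the original back on failure, or write the new content to a scratch file first and rename it over the target only once it is complete. The heredoc that follows (its body is outside this hunk) is also where CodeQL reports source_password being stored in clear text: if this file has to be written at all, create it with restrictive permissions (File.write(..., perm: 0600)) and XML-escape the values interpolated into NUGET_XML, since a password containing & or < would otherwise corrupt the config.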

Check failure: Code scanning / CodeQL
Clear-text storage of sensitive information (High): This stores sensitive data returned by an assignment to source_password as clear text.
Contributor Author

@rhyskoedijk rhyskoedijk Aug 4, 2024


I assume this is triggered because the variable name contains the word "password"?
Technically this issue is pre-existing since "token" already contained the password and was used in the same way previously (stored as plain-text). The only difference here is I've renamed the variables so that they are more specific and File.write is not air-gapped by the nuget_config variable anymore.

Any guidance on how to resolve this in Ruby? I'm not very familiar with the language and am unsure how to avoid this given the point of this class is to inject the plain-text password to the file.

@rhyskoedijk
Contributor Author

rhyskoedijk commented Aug 4, 2024

@brettfo could you let me know if this is sane or not before I invest more time into resolving the linting and codeql issues? After having got this far into the change, I now suspect the approach of injecting plain-text creds into the nuget.config probably wasn't ideal to start with.

@brettfo
Contributor

brettfo commented Aug 9, 2024

@rhyskoedijk We're trying to remove all credential handling from this codebase, especially since all* package handling is now done directly with NuGet.exe/dotnet.exe. Are you able to use the dependabot CLI? That uses a special proxy that auto-injects credentials and should be the best way of handling it.

* There is still some manual API poking in the Ruby code, but we're very close to having that removed entirely.

@rhyskoedijk
Contributor Author

rhyskoedijk commented Aug 18, 2024

I understand now that this code is deprecated and trying to improve the NuGet username/password/token handling here is not the correct approach.

Unfortunately I can't run the CLI tool as I need to run dependabot on Azure DevOps and many of the features I need are not currently supported by dependabot-core (e.g. auto-complete, policy by-pass, merge strategies, etc), but that is unrelated to this issue.

I'm going to abandon this change, but based on what you are saying, shouldn't the code that writes "packageSourceCredentials" into nuget.config be deleted given the initiative to remove auth from dependabot-core and the CodeQL security issue flagged above? From the sounds of things, the proxy wrapper should be auto-injecting the auth already, so attempting to write the plain-text password into nuget.config shouldn't be required (even if the password is nil currently).

@rhyskoedijk rhyskoedijk deleted the feature/nuget-config-auth-with-username-password branch November 17, 2024 12:42