MavenPomAuthSupplier doesn't decrypt passwords

[Tzrlk]

BUG REPORT:

Description

When attempting to pull from a registry during the build process, if maven authentication is enabled and an encrypted password is used, the process by which the password is retrieved doesn't decrypt the password, instead sending it as-is, subsequently causing an authorisation failure.

How to reproduce

• Configure build to use maven auth
• Encrypt registry password
• Set up registry credentials in settings.xml with encrypted password
• Run docker:build

What do you expect

The pull should start without any errors.

What happened instead

An authorisation error was produced, citing bad credentials used in the connection.

Software:

• docker version:

  Client:
    Version:      17.06.1-ce-rc1
    API version:  1.30
    Go version:   go1.8.3
    Git commit:   77b4dce
    Built:        Fri Jul 14 07:36:58 2017
    OS/Arch:      windows/amd64
  
  Server:
    Version:      17.06.1-ce-rc1
    API version:  1.30 (minimum version 1.12)
    Go version:   go1.8.3
    Git commit:   77b4dce
    Built:        Fri Jul 14 07:33:35 2017
    OS/Arch:      linux/amd64
    Experimental: true
  

• Spotify's dockerfile-maven version: 1.4.2

Full backtrace

[ERROR] Get https://[redacted]/v2/[redacted]/manifests/[redacted]: unauthorized: BAD_CREDENTIAL
[WARNING] An attempt failed, will retry 1 more times
org.apache.maven.plugin.MojoExecutionException: Could not build image
	at com.spotify.plugin.dockerfile.BuildMojo.buildImage(BuildMojo.java:185)
	at com.spotify.plugin.dockerfile.BuildMojo.execute(BuildMojo.java:105)
	at com.spotify.plugin.dockerfile.AbstractDockerMojo.tryExecute(AbstractDockerMojo.java:252)
	at com.spotify.plugin.dockerfile.AbstractDockerMojo.execute(AbstractDockerMojo.java:241)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
	at org.codehaus.classworlds.Launcher.main(Launcher.java:47)
Caused by: com.spotify.docker.client.exceptions.DockerException: Get https://[redacted]/v2/[redacted]/manifests/[redacted]: unauthorized: BAD_CREDENTIAL
	at com.spotify.plugin.dockerfile.LoggingProgressHandler.handleError(LoggingProgressHandler.java:105)
	at com.spotify.plugin.dockerfile.LoggingProgressHandler.progress(LoggingProgressHandler.java:63)
	at com.spotify.docker.client.DefaultDockerClient.build(DefaultDockerClient.java:1443)
	at com.spotify.docker.client.DefaultDockerClient.build(DefaultDockerClient.java:1402)
	at com.spotify.plugin.dockerfile.BuildMojo.buildImage(BuildMojo.java:178)
	... 26 more

[eyeqinglan]

support since V1.4.3

[NargiT]

can someone confirm ? for me it doesn't work

[andreysaksonov]

doesn't work for me in 1.4.3

Edit: I traced what happens - password is decrypted in com.spotify.plugin.dockerfile.MavenRegistryAuthSupplier#authFor(String imageName) on push, but on build you might need to download base image from secured docker-registry, in this case password is not decrypted and passed as is, see

dockerfile-maven/plugin/src/main/java/com/spotify/plugin/dockerfile/MavenRegistryAuthSupplier.java

Line 100 in 19f1f42

.password(server.getPassword())

[jackson-chris]

Sorry I opened a duplicate #204

[jackson-chris]

This problem has been addressed by the 1.4.4 release and should be closed.