[Question] Problem with local private artifact feeds: private_source_authentication_failure

[gadeynebram]

I'm trying to set this up for a .Net 8 project on a on premise DevOps Server. A docker enabled Ubuntu agent is provisioned. In my repository I have a NuGet.Config with 3 sources (of which one is nuget.org). I have also added packageSourceMappings in the nuget.config.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="A First Repo" value="https://***/Organisation1/_packaging/feedname1/nuget/v3/index.json" />
    <add key="A Second Repo" value="https://***/Organisation2/_packaging/feedname2/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
      <package pattern="coverlet.*" />
      <package pattern="Microsoft.*" />
      <package pattern="MSTest.*" />
      <package pattern="Swashbuckle*" />
      <package pattern="System.*" />
    </packageSource>
    <packageSource key="A First Repo">
      <package pattern="Org.*" />
    </packageSource>
    <packageSource key="A Second Repo">
      <package pattern="COM.GE.*" />
      <package pattern="Org.Dep.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>

In the dependabot.yml I've referenced 2 registraties (also tried with a explicit reference to nuget.org)

version: 2

registries:
  org1-artifacts:
    type: nuget-feed
    key: A First Repo
    url: https://***/Organisation1/_packaging/feedname1/nuget/v3/index.json
    token: PAT:${{ DEPENDABOT_ORG1_PAT }}
  org2-artifacts:
    type: nuget-feed
    key: A Second Repo
    url: https://***/Organisation2/_packaging/feedname2/nuget/v3/index.json
    token: PAT:${{ DEPENDABOT_ORG2_PAT }}

updates: 
  - package-ecosystem: "nuget"
    directory: "/"
    registries:
      - org1-artifacts
      - org2-artifacts
    schedule:
      interval: "daily"

I have a feeling that the PAT's are recognised because in the beginning I see the following logging:

proxy | 2024/11/12 14:42:00 fetching service index for nuget feed https://***/Organisation1/_packaging/feedname1/nuget/v3/index.json
proxy | 2024/11/12 14:42:00 * authenticating nuget feed request (host: ***, basic auth)
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v3/registrations2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v3/registrations2-semver2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v3/registrations2-semver2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v3/query2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v3/flat2/
proxy | 2024/11/12 14:42:00   added url to authentication list: urn:uuid:56d70a53-b5a9-4b66-aee4-92554c3ac53a
proxy | 2024/11/12 14:42:00   added url to authentication list: com.visualstudio.feeds.feedview:56d70a53-b5a9-4b66-aee4-92554c3ac53a
proxy | 2024/11/12 14:42:00 fetching service index for nuget feed https://***/Organisation2/_packaging/feedname2/nuget/v3/index.json
proxy | 2024/11/12 14:42:00 * authenticating nuget feed request (host: ***, basic auth)
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v3/registrations2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v3/registrations2-semver2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v3/registrations2-semver2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v3/query2/
proxy | 2024/11/12 14:42:00   added url to authentication list: https://***/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v3/flat2/
proxy | 2024/11/12 14:42:00   added url to authentication list: urn:uuid:1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f
proxy | 2024/11/12 14:42:00   added url to authentication list: com.visualstudio.feeds.feedview:1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f

However the script ends with

updater | 2024/11/12 14:42:48 INFO <job_update_0_nuget_all> Finished job processing
updater | 2024/11/12 14:42:48 INFO Results:
updater | Dependabot encountered '14' error(s) during execution, please check the logs for more details.
updater | +----------------------------------------------------------------------------------------------------+
updater | |                                   Dependencies failed to update                                    |
updater | +------------------------------------------------------------+---------------------------------------+
updater | | Microsoft.AspNetCore.Components.Web                        | private_source_authentication_failure |
updater | | System.Reactive                                            | private_source_authentication_failure |
updater | | Microsoft.AspNetCore.Components.WebAssembly.Authentication | private_source_authentication_failure |
updater | | COM.GE.xxx                                   | private_source_authentication_failure |
updater | | Org.Dep.xxx                                   | private_source_authentication_failure |
updater | | Org.Dep.xxx                                 | private_source_authentication_failure |
updater | | Org.Dep.xxx                                 | private_source_authentication_failure |
updater | | Org.xxx                                       | private_source_authentication_failure |
updater | | Org.xxx                                | private_source_authentication_failure |
updater | | Org.xxx                                | private_source_authentication_failure |
updater | | Org.xxx              | private_source_authentication_failure |
updater | | Org.xxx                               | private_source_authentication_failure |
updater | | Org.xxx                 | private_source_authentication_failure |
updater | | Org.Dep.xxx                                         | private_source_authentication_failure |
updater | +------------------------------------------------------------+---------------------------------------+

If I look closer to the dependencies I see these kinds of loggings.

updater | 2024/11/12 14:42:46 INFO <job_update_0_nuget_all> Checking if org.xxx 0.0.1 needs updating
  proxy | 2024/11/12 14:42:47 [325] GET https://api.nuget.org:443/v3/registration5-gz-semver2/org.xxx/index.json
  proxy | 2024/11/12 14:42:47 [325] 404 https://api.nuget.org:443/v3/registration5-gz-semver2/org.xxx/index.json
  proxy | 2024/11/12 14:42:47 [327] GET https://***:443/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v3/registrations2/org.xxx/index.json
  proxy | 2024/11/12 14:42:47 [327] * authenticating git server request (host: ***)
  proxy | 2024/11/12 14:42:47 [327] * authenticating nuget feed request (host: ***, basic auth)
  proxy | 2024/11/12 14:42:47 [327] 200 https://***:443/Organisation1/_packaging/56d70a53-b5a9-4b66-aee4-92554c3ac53a/nuget/v3/registrations2/org.xxx/index.json
  proxy | 2024/11/12 14:42:47 [329] GET https://***:443/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v3/registrations2/org.xxx/index.json
  proxy | 2024/11/12 14:42:47 [329] * authenticating git server request (host: ***)
  proxy | 2024/11/12 14:42:47 [329] * authenticating nuget feed request (host: ***, basic auth)
  proxy | 2024/11/12 14:42:47 [329] 404 https://***:443/***/_packaging/1aa219d8-cc7a-4bb8-ae03-ef6fc2beef3f/nuget/v3/registrations2/org.xxx/index.json
  proxy | 2024/11/12 14:42:47 [329] * auth'd git request returned 404, retrying without auth
  proxy | 2024/11/12 14:42:47 [329] * de-auth'd request returned 401, replacing response
  proxy | 2024/11/12 14:42:47 [330] POST http://host.docker.internal:39719/update_jobs/update_0_nuget_all/record_update_job_error
{"data":{"error-type":"private_source_authentication_failure","error-details":{"source":"https://***/***/_packaging/feedname2/nuget/v3/index.json"}},"type":"record_update_job_error"}
  proxy | 2024/11/12 14:42:47 [330] 200 http://host.docker.internal:39719/update_jobs/update_0_nuget_all/record_update_job_error
updater | 2024/11/12 14:42:47 INFO <job_update_0_nuget_all> Handled error whilst updating org.xxx: private_source_authentication_failure {:source=>"https://***/***/_packaging/feedname2/nuget/v3/index.json"}

Does anyone have any more suggestions? The PAT's have Packaging(Read) and Build(Read) permissions.

[rhyskoedijk]

@gadeynebram it looks like Dependabot is ignoring your NuGet source mappings. My understanding of your nuget.config is that package org.xxx should only be fetch from https://***/Organisation1/_packaging/feedname1/nuget/v3/index.json correct?

Reading the logs, Dependabot seems to be searching for the package in this order:

1. api.nuget.org (anon); Returns 404, not found.
2. https://***/Organisation2/_packaging/feedname2/nuget/v3/index.json (with PAT); Returns 404, not found.
3. https://***/Organisation2/_packaging/feedname2/nuget/v3/index.json (anon); Returns 401, not authenticated. Fails the update due to auth error.

Dependabot should not be checking these feeds based on your config, but it does anyway.

I did a brief search on the dependabot-core issue backlog and the closest comment I found is dependabot/dependabot-core#10865 (comment). It might be worth chipping in if this sounds like the same issue you are facing.

When I get a chance, I will see if I can reproduce your issue, just to confirm if this is a problem with this project, or within Dependabot itself.