Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add dotnet nuget <add|remove|update|disable|enable|list> source command #4126

Closed
TheRealPiotrP opened this issue Dec 18, 2016 · 24 comments · Fixed by NuGet/NuGet.Client#3206
Closed

Comments

@TheRealPiotrP
Copy link

TheRealPiotrP commented Dec 18, 2016

Update on 2/6/2020 from @rrelyea:
Fixed with: NuGet/NuGet.Client#3206
Spec link: https://github.com/NuGet/Home/wiki/Add-nuget-sources-command-to-the-dotnet-CLI


Original text:

Moving from https://github.com/dotnet/cli/issues/5053#issuecomment-267794961 on behalf of @meichtf, @emgarten.


Steps to reproduce

try to add a username/ClearTextPassword in the dotnet restore --source command

Expected behavior

My nuget repository requires authentication and it is not possible to add a username/ClearTextPassword in the dotnet restore command for a source

Actual behavior

It's not possible to add a username/ClearTextPassword for a ..source

Environment data

dotnet --info output:
.NET Command Line Tools (1.0.0-preview2-1-003177)

Product Information:
Version: 1.0.0-preview2-1-003177
Commit SHA-1 hash: a2df9c2576

Runtime Environment:
OS Name: Windows
OS Version: 10.0.14393
OS Platform: Windows
RID: win10-x64

@nukelytide
Copy link

Are there any plans for this to be looked at sometime soon? There's currently no way to add the source with authentication through the dotnet cli. The only workaround is to add the source then manually patch the config, which is far from ideal.

@zhili1208 zhili1208 changed the title dotnet restore --source is lacking Username/Password/ClearTextPassword support add support for dotnet nuget sources command Oct 17, 2017
@zhili1208 zhili1208 added this to the Backlog milestone Oct 17, 2017
@zhili1208 zhili1208 added Area:Settings NuGet.Config and related issues Type:Feature Platform:Xplat labels Oct 17, 2017
@cwardcode
Copy link

cwardcode commented Feb 14, 2018

Any idea of when this will be added? :(

@AceHack
Copy link

AceHack commented Jun 1, 2018

yes any update?

@jcapellman
Copy link

jcapellman commented Aug 11, 2018

Wondering the status of this as well - hitting this on the non-Windows platforms right now where NuGet.exe doesn't exist.

@jhgoodwin
Copy link

For those stuck and needing a workaround for docker, like I did, this is what I did for now:

  1. Created docker-compose.ci.build.yml
version: '2'

services:
  ci-build:
    image: microsoft/aspnetcore-build:2.0.5-2.1.4-stretch
    volumes:
      - .:/src
    working_dir: /src
    environment:
      - PACKAGESUSERNAME=${PACKAGESUSERNAME}
      - PACKAGESPAT=${PACKAGESPAT}
    command: /bin/bash "./build.sh"
  1. Create a nuget.ci.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
	<config>
	</config>
	<packageRestore>
		<!-- Allow NuGet to download missing packages -->
		<add key="enabled" value="True" />
	</packageRestore>
	<packageSources>
		<add key="packages" value="YOURPRIVATREPOLOCATIONHERE" />
		<add key="Nuget official package source" value="https://api.nuget.org/v3/index.json" />
	</packageSources>
  <packageSourceCredentials>
    <packages>
      <add key="Username" value="PackagesUsername" />
      <add key="ClearTextPassword" value="PackagesPAT" />
    </packages>
  </packageSourceCredentials>
</configuration>
  1. Create build.sh
#!/bin/bash
: "${PACKAGESUSERNAME:?Need to set environment variable PACKAGESUSERNAME}"
: "${PACKAGESPAT:?Need to set environment variable PACKAGESPAT}"

sed -r "s/PACKAGESUSERNAME/$PACKAGESUSERNAME/i" ./nuget.ci.config \
	| sed -r "s/PACKAGESPAT/$PACKAGESPAT/i" > ./nuget.ci.build.config \
	&& dotnet restore ./MyProject.sln --configfile nuget.ci.build.config \
	&& dotnet publish ./MyProject.sln -c Release -o ./obj/Docker/publish
eval "rm -f ./nuget.ci.build.config; exit $?"

The idea is that you would set the environment variables, then invoke the docker compose to make the build happen inside the docker container, mapping the source folder into the container. As a quick note, the build will happen as the root user, so your file ownership may be root at the end.

I find this type of work around unsuitable and really hope that Microsoft adds a wrap that allows us to just pass in the username/password for each nuget source as part of the command line.

@AMoghrabi
Copy link

Hello @TheRealPiotrP ,

Would you happen to know if this is on the team's radar? I see that there is a spec for a cross-platform credentials plugin but I don't see it being developed for generic uses, only for Azure pipelines: https://github.com/NuGet/Home/wiki/NuGet-Cross-Plat-Credential-Plugin

In any case, Is this something that I can attempt to develop and open a PR for or does the NuGet team have other plans (e.g. the credential plugin)?

Thanks!

@infin8x
Copy link

infin8x commented May 5, 2019

We'd love to see this feature added so we can streamline the process of setting up and using an Azure Artifacts private NuGet feed.

@jcapellman
Copy link

Hello @TheRealPiotrP ,

Would you happen to know if this is on the team's radar? I see that there is a spec for a cross-platform credentials plugin but I don't see it being developed for generic uses, only for Azure pipelines: https://github.com/NuGet/Home/wiki/NuGet-Cross-Plat-Credential-Plugin

In any case, Is this something that I can attempt to develop and open a PR for or does the NuGet team have other plans (e.g. the credential plugin)?

Thanks!

Agreed - if it's not on the radar, I could help out on this as well. As my team moves more and more to cross-platform .NET Core it would be great to have it.

@anangaur
Copy link
Member

We need to support this, else GitHub Package Registry cannot use it.

@infin8x
Copy link

infin8x commented Sep 18, 2019

@clarkbw FYI that this will make it easier to configure dotnet to use GPR.

@rrelyea
Copy link
Contributor

rrelyea commented Sep 18, 2019

note, since these earlier discussions, the ADO (azure dev ops) team has shipped an artifacts credential provider: https://github.com/Microsoft/artifacts-credprovider

That said, we do want to move an implementation of nuget sources to dotnet.exe.

here is the help output from "nuget sources -help"
I'm assuming the need is for somthing like this:

usage: dotnet.exe NuGet sources <List|Add|Remove|Enable|Disable|Update> -Name [name] -Source [source]

Provides the ability to manage list of sources located in %AppData%\NuGet\NuGet.config

options:

-Name Name of the source.
-Source (src) Path to the package(s) source.
-Username UserName to be used when connecting to an authenticated source.
-Password Password to be used when connecting to an authenticated source.
-StorePasswordInClearText Enables storing portable package source credentials by disabling password encryption.
-ValidAuthenticationTypes Comma-separated list of valid authentication types for this source. By default, all authentication types are valid. Example: basic,negotiate
-Format Applies to the list action. Accepts two values: Detailed (the default) and Short
.
-Help (?) help
-Verbosity Display this amount of details in the output: normal, quiet, detailed.
-NonInteractive Do not prompt for user input or confirmations.
-ConfigFile The NuGet configuration file. If specified, only the settings from this file will be used. If not specified, the hierarchy of configuration files from the current directory will be used.

To learn more about NuGet configuration go to https://docs.microsoft.com/en-us/nuget/consume-packages/configuring-nuget-behavior.

-ForceEnglishOutput Forces the application to run using an invariant, English-based culture.

For more information, visit https://docs.nuget.org/docs/reference/command-line-reference

@anangaur
Copy link
Member

anangaur commented Sep 18, 2019

@rrelyea I guess the idea is to also not leak the token and still be able to use it i.e. support encrypting the password without the need for -StorePasswordInClearText

@infin8x, how long is the validity of GITHUB_TOKEN? Is there a new token created on every use?

@infin8x
Copy link

infin8x commented Sep 19, 2019

@anangaur yep, it expires shortly after the run ends.

@rrelyea
Copy link
Contributor

rrelyea commented Sep 19, 2019

ah ok, so this whole thing is really just an ask for encrypted passwords in nuget.config via dotnet.exe?
(that is tricky...last time we talked to corefx about that one, they didn't have an answer for us that works cross platform.)

this issue is confusing...cause the title asks for the command. and during the thread, somebody says having a cross platform credential provider would solve it too.

  1. we have delivered the artifacts credential provider -- works xplat.
  2. we have not delivered a dotnet nuget sources command
  3. when we do deliver dotnet nuget sources-- adding credentials in non-clear text will be extra hard, i believe.

are all these requests just asking us for 3?

@infin8x
Copy link

infin8x commented Sep 19, 2019

dotnet nuget sources would make it easier for GitHub Package Registry to provide good configuration experiences for using NuGet packages in absence of a credential provider. I don't think it matters particularly to us if the token is encrypted or not - I assume it would be on Windows but not on Mac and Linux unless the dotnet team has solved the cryptography problem.

@anangaur
Copy link
Member

I agree. Not necessary or urgent but encryption will be great to have for dev machine scenarios. Not so much for Actions as they run temporarily and the GITHUB_TOKEN anyway expires after use.

/cc: @zivkan

@infin8x
Copy link

infin8x commented Sep 19, 2019

Yeah, and encryption is important to enterprise security types but there seems to be a strong culture on Mac and Linux of putting tokens in the home directory and using file system permissions to keep them limited access. Not my area of expertise, just an observation.

@zivkan
Copy link
Member

zivkan commented Sep 20, 2019

As a temporary workaround, here's a basic powershell script that can be used with Powershell Core anywhere that the dotnet cli runs:

[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)][string]$ConfigFile,
    [Parameter(Mandatory = $true)][string]$Source,
    [Parameter(Mandatory = $true)][string]$Username,
    [Parameter(Mandatory = $true)][string]$Password
)
$doc = New-Object System.Xml.XmlDocument
$filename = (Get-Item $ConfigFile).FullName
$doc.Load($filename)

$creds = $doc.DocumentElement.SelectSingleNode("packageSourceCredentials")
if ($creds -eq $null)
{
    $creds = $doc.CreateElement("packageSourceCredentials")
    $doc.DocumentElement.AppendChild($creds) | Out-Null
}

$sourceElement = $creds.SelectSingleNode($Source)
if ($sourceElement -eq $null)
{
    $sourceElement = $doc.CreateElement($Source)
    $creds.AppendChild($sourceElement) | Out-Null
}

$usernameElement = $sourceElement.SelectSingleNode("add[@key='Username']")
if ($usernameElement -eq $null)
{
    $usernameElement = $doc.CreateElement("add")
    $usernameElement.SetAttribute("key", "Username")
    $sourceElement.AppendChild($usernameElement) | Out-Null
}
$usernameElement.SetAttribute("value", $Username)

$passwordElement = $sourceElement.SelectSingleNode("add[@key='ClearTextPassword']")
if ($passwordElement -eq $null)
{
    $passwordElement = $doc.CreateElement("add")
    $passwordElement.SetAttribute("key", "ClearTextPassword")
    $sourceElement.AppendChild($passwordElement) | Out-Null
}
$passwordElement.SetAttribute("value", $Password)

$doc.Save($filename)

I used it in a GitHub Actions workflow with the following YAML:

    - name: Set NuGet creds
      shell: pwsh
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: ./Set-NuGetCredentials -ConfigFile ./nuget.config -Source gpr-test -Username zivkan -Password $env:GITHUB_TOKEN

@rrelyea rrelyea self-assigned this Oct 10, 2019
@rrelyea rrelyea changed the title add support for dotnet nuget sources command add support for dotnet nuget sources command Oct 29, 2019
@rrelyea rrelyea changed the title add support for dotnet nuget sources command add dotnet nuget <add|remove|update|disable|enable|list> source command Jan 7, 2020
@rrelyea rrelyea modified the milestones: Backlog, Sprint 165 Jan 21, 2020
rrelyea pushed a commit to NuGet/NuGet.Client that referenced this issue Feb 6, 2020
Fixes: NuGet/Home#4126
Fixes: NuGet/Home#8668

Spec link: https://github.com/NuGet/Home/blob/dev/designs/DotNet-Sources-Support.md

## Main Work - `dotnet nuget add|remove|* source` implementation
Moves and refactors existing `NuGet.exe sources add|remove|*` command into NuGet.Commands.csproj, so that it can be called by NuGet.exe and by DotNet.exe.

## Localization fixes were then necessary
Dealt with some localization challenges as part of the strings that moved into NuGet.Commands.dll. Needed to make the ILMerge command that makes NuGet.exe to get localization strings from the 13 NuGet.Commands.resources.dll.

## CodeGeneration templates and datafile for commands/verbs
Also implemented a CodeGeneration engine (see .tt files) based on data in commands.xml - which automated code creation of much of the infrastructure. As we add more commands into dotnet.exe, this should be useful.
@OskarKlintrot
Copy link

Great work @rrelyea! 👍 Any ETA for when the fix will be released so we can start using it? Can't wait to throw out my bodges from my pwsh-scripts 😁

@AceHack
Copy link

AceHack commented Feb 6, 2020

This is great news

@rrelyea
Copy link
Contributor

rrelyea commented Feb 6, 2020

@OskarKlintrot -This should ship during the NuGet 5.5 wave.

We hope to insert a build that contains this into VS 16.5p3 daily builds today.
Next, we create a PR that inserts this into SDK/CLI... dotnet SDK 3.1.200.
If all goes well, 3.1.200-preview that ships with VS 16.5 preview 3 will be the first build that will be available externally.

@rido-min
Copy link

When there is a nuget.config file in the current folder, I'd like all read/write operations to use that file instead of %APPDATA%\NuGet\NuGet.config without using the explicit -c switch.

@anangaur
Copy link
Member

@rido-min , I think that is the current behavior except when it comes to persisting creds which is machine/user leve nuget.config. @rrelyea ?

@gilly42
Copy link

gilly42 commented Aug 19, 2021

Why is this closed. Problem still exists.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment