Chocolatey CLI v2.0.0 prompts for credentials when authenticating to a source that is using Windows Authentication #3242

Closed
norbertstoll opened this issue Jun 30, 2023 · 11 comments · Fixed by #3252

norbertstoll commented Jun 30, 2023

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.

What You Are Seeing?

Hi,

we recently updated Chocolatey from 1.3.1 to 2.1.0. Our repositories/feeds are hosted by ProGet and we enabled Windows authentication in both IIS and ProGet. Things were working fine until the update.

After installing version 2.1.0 (2.0.0 also affected), while being logged on as a domain user, we are prompted to authenticate after invoking choco search. In addition: We aren't asked for credentials while adding the source.

In order to get choco search working, we need to submit username and password while adding/updating the source.
This hasn't been the case in former versions including 1.4.0.

Which also leads to the assumption that this is a problem:
If no username and password is provided, Chocolatey will first output a warning "No password specified, this will probably error." but then list all packages within the queried feed.

What is Expected?

Chocolatey using windows authentication resp. the credentials of the logged on user ([System.Net.CredentialCache]::DefaultCredentials ?) and not querying for authentication.

How Did You Get This To Happen?

Environment:
We're using ProGet in combination with Microsoft IIS:

  • Version 2023.9 (Build 9)
  • Basic license
  • SSL enabled with cert issued by internal CA
  • Local file repository resp. feeds
  • ProGet: Windows Integrated Authentication enabled
  • IIS: Windows Authentication enabled (anything else disabled within IIS's Authentication)
  • MSSQL database on dedicated server

We've been testing with dedicated permissions for Active Directory-users and also with anonymous permissions 'View & Download Packages' on the feeds and didn't experience any differences in ProGet's/Chocolatey's behaviour.

Commands:

  1. choco source add -n='test' -s='https://server.fqdn/nuget/test/'
  2. choco upgrade chocolatey --version=2.1.0
  3. choco search

System Details

  • Operating System: Windows Server 2019
  • Windows PowerShell version: 5.1.17763.3770
  • Chocolatey CLI Version: 2.1.0
  • Chocolatey Licensed Extension version: -
  • Chocolatey License type: free
  • Terminal/Emulator: Windows PowerShell

Installed Packages

PS C:\> choco list
Chocolatey v2.1.0
chocolatey 2.1.0
1 packages installed.
PS C:\>

Output Log

PS C:\> choco search
Chocolatey v2.1.0
Please provide credentials for: https://server.fqdn/nuget/test/
User name:
Password:
No password specified, this will probably error.
chocolatey 2.1.0
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
GoogleChrome 114.0.5735.110
notepadplusplus 8.5.2
6 packages found.
PS C:\> choco install chocolatey --version='1.4.0' -f
Chocolatey v2.1.0
Installing the following packages:
chocolatey
By installing, you accept licenses for the packages.
Please provide credentials for: https://server.fqdn/nuget/test/
User name:
Password:
No password specified, this will probably error.
Progress: Downloading chocolatey 1.4.0... 100%

chocolatey v1.4.0 (forced)
chocolatey package files install completed. Performing other installation steps.
Creating ChocolateyInstall as an environment variable (targeting 'Machine')
  Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'
WARNING: It's very likely you will need to close and reopen your shell
  before you can use choco.
Restricting write permissions to Administrators
We are setting up the Chocolatey package repository.
The packages themselves go to 'C:\ProgramData\chocolatey\lib'
  (i.e. C:\ProgramData\chocolatey\lib\yourPackageName).
A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin'
  and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.

Creating Chocolatey folders if they do not already exist.

WARNING: You can safely ignore errors related to missing log files when
  upgrading from a version of Chocolatey less than 0.9.9.
  'Batch file could not be found' is also safe to ignore.
  'The system cannot find the file specified' - also safe.
WARNING: Not setting tab completion: Profile file does not exist at 'C:\Users\NPF1A00069uDevNPA08\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'.
Chocolatey (choco.exe) is now ready.
You can call choco from anywhere, command line or powershell by typing choco.
Run choco /? for a list of functions.
You may need to shut down and restart powershell and/or consoles
 first prior to using choco.
Environment Vars (like PATH) have changed. Close/reopen your shell to
 see the changes (or in powershell/cmd.exe just type `refreshenv`).
 The install of chocolatey was successful.
  Software install location not explicitly set, it could be in package or
  default install location of installer.

Chocolatey installed 1/1 packages.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
PS C:\> choco list
Chocolatey v1.4.0
Using the list command with remote sources is deprecated and will be made
to only list locally installed packages in v2.0.0. Use the search, or find,
command to find packages on remote sources (such as the Chocolatey Community
Repository).
chocolatey 2.1.0
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
GoogleChrome 114.0.5735.110
notepadplusplus 8.5.2
6 packages found.
PS C:\>

Additional Context

No response


gep13 commented Jun 30, 2023

@norbertstoll sorry to hear that you are having issues!

In order to fully understand what is going on here, we are going to need some more information in order to set up a replica system, so that we can attempt to reproduce the problem. Can you go back to the How Did You Get This To Happen? section, and provide additional information about the setup and configuration of ProGet that you are using, so that we can attempt to replicate the problem?


norbertstoll commented Jul 3, 2023

Hi @gep13.

Thanks for this quick response.
I updated the issue and added information as requested. Please check and tell me if you need anything else :)


gep13 commented Jul 4, 2023

@norbertstoll said...
I updated the issue and added information as requested. Please check and tell me if you need anything else :)

Thank you for providing the additional information. I am happy (and a little sad 😢 ) to say that I have been able to reproduce the issue that you have described here.

To summarize...

  1. Set up ProGet feed using Windows Authentication and no Anonymous Authentication
  2. Attempt to install a package from this feed using Chocolatey CLI 1.4.0 - everything works. There is no prompt for credentials, and no requirement to create an authentication source using choco source command
  3. Update to latest Chocolatey CLI (currently 2.1.0)
  4. Attempt to install a package from the same feed as in step 2, and immediately prompted for username/password

Digging into this further, when using NuGet.exe, there is no prompt for a username/password either. So the current thinking is that when we uplifted Chocolatey CLI to use the latest NuGet.Client assemblies, we haven't brought over everything from an authentication point of view, and as a result, things aren't working as they once were.

To work around this issue, I was able to provide credentials when I was asked, and the operation succeeded as expected.

In addition, if I added an authenticated source, i.e. choco source add --name proget --source <url to feed> --user xxx --password xxx which was a valid domain user, i.e. DEMO\bob, then commands via Chocolatey CLI worked as expected. However, the need to create this authentication source is not what is expected to be required, I am providing this simply as a workaround in the interim.

I am going to assign this issue to @corbob as he is going to be looking into this problem.


norbertstoll commented Jul 4, 2023

Thanks for investigating.

Glad you've been able to reproduce and identify the problem ☺️
We've been aware of the mentioned workaround but thought things should be consistent in new versions of chocolatey as well.

Looking forward to a fix resp. new release. We really appreciate your support!

@TheCakeIsNaOH

So the request for credentials is happening here:

    // credentials were not explicit
    // discover based on closest match in sources
    var candidateSources = _config.MachineSources.Where(
        s =>
        {
            var sourceUrl = s.Key.TrimEnd('/');
            try
            {
                var sourceUri = new Uri(sourceUrl);
                return sourceUri.Host.IsEqualTo(uri.Host)
                    && !string.IsNullOrWhiteSpace(s.Username)
                    && !string.IsNullOrWhiteSpace(s.EncryptedPassword);
            }
            catch (Exception)
            {
                this.Log().Error("Source '{0}' is not a valid Uri".FormatWith(sourceUrl));
            }
            return false;
        }).ToList();
    MachineSourceConfiguration source = null;
    if (candidateSources.Count == 1)
    {
        // only one match, use it
        source = candidateSources.FirstOrDefault();
    }
    else if (candidateSources.Count > 1)
    {
        // find the source that is the closest match
        foreach (var candidateSource in candidateSources.OrEmpty())
        {
            var candidateRegEx = new Regex(Regex.Escape(candidateSource.Key.TrimEnd('/')), RegexOptions.CultureInvariant | RegexOptions.IgnoreCase);
            if (candidateRegEx.IsMatch(uri.OriginalString.TrimEnd('/')))
            {
                this.Log().Debug("Source selected will be '{0}'".FormatWith(candidateSource.Key.TrimEnd('/')));
                source = candidateSource;
                break;
            }
        }
        if (source == null && !isRetry)
        {
            // use the first source. If it fails, fall back to grabbing credentials from the user
            var candidateSource = candidateSources.First();
            this.Log().Debug("Evaluated {0} candidate sources but was unable to find a match, using {1}".FormatWith(candidateSources.Count, candidateSource.Key.TrimEnd('/')));
            source = candidateSource;
        }
    }
    if (source == null)
    {
        this.Log().Debug("Asking user for credentials for '{0}'".FormatWith(uri.OriginalString));
        return Task.FromResult(new CredentialResponse(GetUserCredentials(uri, proxy, credentialType)));
    }
    else
    {
        this.Log().Debug("Using saved credentials");
    }
    return Task.FromResult(new CredentialResponse(new NetworkCredential(source.Username, NugetEncryptionUtility.DecryptString(source.EncryptedPassword))));

I pretty much copy-pasted this from the authentication provider code used with NuGet.Core, but it seems like behavior somewhere changed, so some of the assumptions that code is making must no longer be valid.


corbob commented Jul 5, 2023

Thank you for that pointer @TheCakeIsNaOH. I did some stepping through the code on a system that had an AD authenticated source, and noticed that if no password was provided, then we pass back the Default Credentials. Trying this, I was able to see that in my test scenario it worked. I've got to do some more investigation, but I think I've got a fix.

In the meantime, @norbertstoll would you mind testing and verifying that leaving the username/password blank does in fact work? You should get a warning that it's using default credentials, and that it might error, but in my tests it then just works.

corbob added a commit to corbob/choco that referenced this issue Jul 5, 2023
When attempting a query to a source that requires credentials, we were
always prompting for credentials. This prevents attempting the default
credentials unless entering an empty password. We should attempt
initially with the default credentials, and only prompt if it's a retry
for credentials.
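
The selection order this commit message describes, as an added C# illustration that is not Chocolatey's code: saved credentials first, the logged-on user's default credentials on the first attempt, and a prompt only on a retry. `SavedSource`, `CredentialSelection.Select` and the `prompt` delegate are hypothetical names, and the prompt result is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Hypothetical stand-in for a configured source; not a Chocolatey type.
record SavedSource(string Url, string Username, string Password);

static class CredentialSelection
{
    // Order: saved credentials for the host, then the logged-on user's
    // default credentials on the first attempt, then a prompt on retry only.
    public static ICredentials Select(Uri uri, IEnumerable<SavedSource> sources,
        bool isRetry, Func<Uri, ICredentials> prompt)
    {
        var saved = sources.FirstOrDefault(s =>
            Uri.TryCreate(s.Url.TrimEnd('/'), UriKind.Absolute, out var su)
            && string.Equals(su.Host, uri.Host, StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrWhiteSpace(s.Username)
            && !string.IsNullOrWhiteSpace(s.Password));
        if (saved != null)
            return new NetworkCredential(saved.Username, saved.Password);

        // Nothing saved and first challenge: hand back the current Windows
        // identity (used for NTLM, Negotiate and Kerberos) without asking.
        if (!isRetry)
            return CredentialCache.DefaultCredentials;

        // The previous attempt was rejected, so asking the user is justified.
        return prompt(uri);
    }
}

static class Program
{
    static void Main()
    {
        var feed = new Uri("https://server.fqdn/nuget/test/"); // URL from the issue
        var none = Array.Empty<SavedSource>();
        // Constructed prompt result; a real prompt would read from the console.
        Func<Uri, ICredentials> prompt = _ => new NetworkCredential("DEMO\\bob", "constructed");

        var first = CredentialSelection.Select(feed, none, isRetry: false, prompt);
        var retry = CredentialSelection.Select(feed, none, isRetry: true, prompt);
        Console.WriteLine($"first attempt uses default credentials: {ReferenceEquals(first, CredentialCache.DefaultCredentials)}");
        Console.WriteLine($"retry falls back to the prompt: {!ReferenceEquals(retry, first)}");
    }
}
```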

corbob commented Jul 5, 2023

I've got a draft PR up for this, and have scheduled it to run through test kitchen tests. Tomorrow I'll take a look at running through some manual tests to ensure prompting for credentials still works.

corbob added a commit to corbob/choco that referenced this issue Jul 5, 2023
Add a script to take in a repository and API Key so that the tests can
be run against an authenticated end point using Windows Authentication.
@gep13 gep13 added this to the 2.2.0 milestone Jul 7, 2023

norbertstoll commented Jul 10, 2023

In the meantime, @norbertstoll would you mind testing and verifying that leaving the username/password blank does in fact work? You should get a warning that it's using default credentials, and that it might error, but in my tests it then just works

I do get a warning, right. See output below and thanks so far 😃

PS C:\> choco search googlechrome
Chocolatey v2.1.0
Please provide credentials for: https://my.internarepo.net/nuget/choco_test/
User name:
Password:
No password specified, this will probably error.
GoogleChrome 114.0.5735.110
1 packages found.
PS C:\>

vexx32 added a commit that referenced this issue Jul 10, 2023
(#3242) Attempt default credentials for sources
@gep13 gep13 changed the title Chocolatey >2.0.0 asking for credentials while using windows authentication Chocolatey CLI v2.0.0 prompts for credentials when authenticating to a source that is using Windows Authentication Jul 26, 2023
gep13 added a commit that referenced this issue Jul 26, 2023
* release/2.2.0: (21 commits)
  (doc) Update to indicate new package version used
  (maint) Add helper to split on max line lengths
  (#3281) Add validation for cache folder permissions
  (#3264) Update to latest Chocolatey.NuGet.Client
  (#3264) Ignore lock folders in cache directories
  (#3186) Remove easter egg
  (doc) Improve error message for defaultPushSource
  (tests) Clear HTTP Cache before getting packages
  (#3258) Expand logging for nuget resources errors
  (maint) Set file encoding to include BOM
  (#3237) Reduce number of queries for dependencies
  (#3231) Add tests to ensure package listing
  (maint) Remove unnecessary using statements
  (#3231) Don't refresh local package info during upgrade no-ops
  (build) Update to latest recipe package
  (doc) Minor corrections to wording
  (#3242) Add a script to run Authenticated tests
  (#3242) Attempt default credentials for sources
  (maint) Fix incorrect naming style uses
  (doc) Apply scripting best practices to output
  ...
@choco-bot

🎉 This issue has been resolved in version 2.2.0 🎉

The release is available on:

Your GitReleaseManager bot 📦🚀


p333ter commented Aug 7, 2023

🎉 This issue has been resolved in version 2.2.0 🎉

The release is available on:

Your GitReleaseManager bot 📦🚀

I have the same issue in version 2.2.0 :(


pauby commented Aug 7, 2023

@p333ter This issue is closed. Please open a new issue.

@chocolatey chocolatey locked and limited conversation to collaborators Aug 7, 2023