-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chocolatey CLI v2.0.0 prompts for credentials when authenticating to a source that is using Windows Authentication #3242
Comments
@norbertstoll sorry to hear that you are having issues! In order to fully understand what is going on here, we are going to need some more information in order to setup a replica system, so that we can attempt to reproduce the problem. Can you go back to the |
Hi @gep13. Thanks for this quick response. |
Thank you for providing the additional information. I am happy (and a little sad 😢 ) to say that I have been able to reproduce the issue that you have described here. To summarize...
Digging into this further, when using NuGet.exe, there is no prompt for a username/password either. So the current thinking is that when we uplifted Chocolatey CLI to use the latest NuGet.Client assemblies, we haven't brought over everything from an authentication point of view, and as a result, things isn't working as it once was. To workaround this issue, I was able to provide credentials when I was asked, and the operation succeeded as expected. In addition, if I added an authenticated source, i.e. I am going to assign this issue to @corbob as he is going to be looking into this problem. |
Thanks for investigating. Glad you've been able to reproduce and identify the problem Looking forward to a fix resp. new release. We really appreciate your support! |
So the request for credentials is happening here: choco/src/chocolatey/infrastructure.app/nuget/ChocolateyNugetCredentialProvider.cs Lines 88 to 151 in d836138
This I pretty much copy-pasted this from the authentication provider code used with NuGet.Core, but it seems like behavior somewhere changed, so some of the assumptions that code is making must no longer be valid. |
Thank you for that pointer @TheCakeIsNaOH. I did some stepping through the code on a system that had an AD authenticated source, and noticed that if no password was provided, then we pass back the Default Credentials. Trying this, I was able to see that in my test scenario it worked. I've got to do some more investigation, but I think I've got a fix. In the mean time, @norbertstoll would you mind testing and verifying that leaving the username/password blank does in fact work? You should get a warning that it's using default credentials, and that it might error, but in my tests it then just works. |
When attempting a query to a source that requires credentials, we were always prompting for credentials. This prevents attempting the default credentials unless entering an empty password. We should attempt initially with the default credentials, and only prompt if it's a retry for credentials.
I've got a draft pr up for this, and have scheduled it to run through test kitchen tests. Tomorrow I'll take a look at running through some manual tests to ensure prompting for credentials still works. |
Add a script to take in a repository and API Key so that the tests can be run against an authenticated end point using Windows Authentication.
I do get a warning, right. See output below and thanks so far 😃 PS C:\> choco search googlechrome
Chocolatey v2.1.0
Please provide credentials for: https://my.internarepo.net/nuget/choco_test/
User name:
Password:
No password specified, this will probably error.
GoogleChrome 114.0.5735.110
1 packages found.
PS C:\>``` |
(#3242) Attempt default credentials for sources
* release/2.2.0: (21 commits) (doc) Update to indicate new package version used (maint) Add helper to split on max line lengths (#3281) Add validation for cache folder permissions (#3264) Update to latest Chocolatey.NuGet.Client (#3264) Ignore lock folders in cache directories (#3186) Remove easter egg (doc) Improve error message for defaultPushSource (tests) Clear HTTP Cache before getting packages (#3258) Expand logging for nuget resources errors (maint) Set file encoding to include BOM (#3237) Reduce number of queries for dependencies (#3231) Add tests to ensure package listing (maint) Remove unnecessary using statements (#3231) Don't refresh local package info during upgrade no-ops (build) Update to latest recipe package (doc) Minor corrections to wording (#3242) Add a script to run Authenticated tests (#3242) Attempt default credentials for sources (maint) Fix incorrect naming style uses (doc) Apply scripting best practices to output ...
🎉 This issue has been resolved in version 2.2.0 🎉 The release is available on: Your GitReleaseManager bot 📦🚀 |
I have the same issue in version 2.2.0 :( |
@p333ter This issue is closed. Please open a new issue. |
Checklist
What You Are Seeing?
Hi,
we recently updated chocolatey from 1.3.1 to 2.1.0. Our repositories/feeds are hosted by ProGet and we enabled windows authentication both, in IIS and ProGet. Things were working fine until the update.
After installing version 2.1.0 (2.0.0 also affected), while being logged on as a domain user, we are prompted to authenticate after invoking choco search. In addition: We aren't asked for credentials during adding the source.
In order to get choco search working, we need to submit username and password while adding/updating the source.
This hasn't been the case in former versions including 1.4.0.
Which also leads to the assumption that this is a problem:
If no username and password is provided, chocolatey will first output a warning No password specified, this will probably error but then list all packages within the queried feed.
What is Expected?
Chocolatey using windows authentication resp. the credentials of the logged on user ([System.Net.CredentialCache]::DefaultCredentials ?) and not querying for authentication.
How Did You Get This To Happen?
Environment:
We're using ProGet in combination with Microsoft IIS:
We've been testing with dedicated permissions for Active Directory-users and also with anonymous permissions 'View & Download Packages' on the feeds and didn't experience any differences in ProGet's/Chocolatey's behaviour.
Commands:
System Details
Installed Packages
Output Log
Additional Context
No response
The text was updated successfully, but these errors were encountered: