WIP: Integrate AzArtifacts Credential Provider #1764

Closed
wants to merge 7 commits into from

@alerickson alerickson commented Dec 19, 2024

PR Summary

This PR integrates the Azure Artifacts Credential Provider into PSResourceGet.
Information on the cred provider and how to install, discover, and use the cred provider is located here: https://github.com/NuGet/Home/wiki/NuGet-cross-plat-authentication-plugin#plugin-installation-and-discovery.
Please use this link for setting up and configuring the cred provider for PSResourceGet as well.

This PR adds a new dynamic parameter to Register-PSResourceRepository and Set-PSResourceRepository called -CredentialProvider, which is an enum with values None and AzArtifacts. The parameter only works with repositories that are not ContainerRegistry repositories. This is because the credential provider only works with Azure Artifacts feeds; however, Azure Artifacts feeds can have any URI. Instead of only allowing the parameter to be used with Azure Artifacts feeds, we are disallowing its use for feeds with which we know we cannot use the credential provider.

PSResourceGet will automatically set the value CredentialProvider to AzArtifacts if it recognizes that the repository is definitely an Azure Artifacts feed. This is done by checking to see if the uri contains pkgs.dev.azure.com or pkgs.visualstudio.com. This check is done when registering a new repository or when PSResourceGet reads repositories from the PSResourceRepository.xml file.

PSResourceGet looks for the credential provider any time network credentials are set. The new priority ordering for credentials is:
     1. Credentials passed in via parameter -Credential.
     2. Credentials retrieved via the AzArtifacts Credential Provider.
     3. Credentials retrieved from SecretManagement.

The Credential Provider can be bypassed by setting the -CredentialProvider parameter to None.

If the CredentialProvider property is set to AzArtifacts for a repository, PSResourceGet will attempt to find the Credential Provider file on the machine in the following order:
     1. Checking the environment variable NUGET_PLUGIN_PATHS
     2. Checking the default locations: $env:UserProfile\.nuget\plugins
     3. Checking the fixed location where Visual Studio is installed: common7\IDE\CommonExtensions\Microsoft\NuGet
More information on this discovery process can be found in the link above.

Once the Credential Provider is found, PSResourceGet calls the provider with the following arguments:
CredentialProvider.Microsoft.exe -Uri <uri> -NonInteractive -IsRetry -F Json
Or
dotnet CredentialProvider.Microsoft.dll -Uri <uri> -NonInteractive -IsRetry -F Json

Right now, this means that for Unix machines, there is a dependency on the dotnet cli to call the Credential Provider.

Once credentials are retrieved, they are used to make the network call, as is done when using the -Credential parameter or SecretManagement.

PR Context

Resolves #1658
Resolves #1601
Resolves #1511

PR Checklist

@alerickson alerickson closed this Dec 20, 2024
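
The feed auto-detection and credential priority described in the PR summary, as an added PowerShell example (not code from this PR or from PSResourceGet). The function names, the match on the URI host (the summary only says the URI "contains" the two strings), the HTTPS requirement, the `-CredentialInfoVault` stand-in for SecretManagement and the sample URIs are all assumptions.

```powershell
# Added example; function and parameter names are hypothetical, not PSResourceGet's API.
# Hosts the PR summary names as marking an Azure Artifacts feed.
$AzArtifactsHosts = 'pkgs.dev.azure.com', 'pkgs.visualstudio.com'

function Test-AzArtifactsFeedUri {
    param([Parameter(Mandatory)][string]$Uri)
    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) { return $false }
    # Assumption: credentials are only ever sent over HTTPS.
    if ($parsed.Scheme -ne 'https') { return $false }
    foreach ($h in $AzArtifactsHosts) {
        # Exact host or a subdomain (<org>.pkgs.visualstudio.com); a path or query match does not count.
        if ($parsed.Host -eq $h -or
            $parsed.Host.EndsWith(".$h", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CredentialSource {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [pscredential]$Credential,
        [ValidateSet('None', 'AzArtifacts')][string]$CredentialProvider,
        [string]$CredentialInfoVault   # hypothetical stand-in for a SecretManagement entry
    )
    # Auto-set the provider only when the caller did not choose one explicitly.
    if (-not $PSBoundParameters.ContainsKey('CredentialProvider')) {
        $CredentialProvider = if (Test-AzArtifactsFeedUri $Uri) { 'AzArtifacts' } else { 'None' }
    }
    # Priority order from the PR summary: -Credential, then the provider, then SecretManagement.
    if ($Credential) { return 'Credential' }
    if ($CredentialProvider -eq 'AzArtifacts') { return 'AzArtifacts' }
    if ($CredentialInfoVault) { return 'SecretManagement' }
    return 'Anonymous'
}

# Constructed sample URIs: two feed shapes, one look-alike path, one unrelated repository.
$azFeed  = 'https://pkgs.dev.azure.com/contoso/_packaging/feed/nuget/v3/index.json'
$samples = $azFeed,
           'https://contoso.pkgs.visualstudio.com/_packaging/feed/nuget/v3/index.json',
           'https://packages.example.test/pkgs.dev.azure.com/v3/index.json',
           'https://www.powershellgallery.com/api/v2'
foreach ($u in $samples) {
    [pscustomobject]@{
        Uri    = $u
        IsAz   = (Test-AzArtifactsFeedUri $u)
        Source = (Get-CredentialSource -Uri $u -CredentialInfoVault 'vault')
    }
}
# Explicit None bypasses the provider even on a recognised feed.
Get-CredentialSource -Uri $azFeed -CredentialProvider None -CredentialInfoVault 'vault'
```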