conan client prompts for username and password, even if the remote shows as [Authenticated]

[hetaish]

Environment

Current Conan Version: 1.16.1
Previous Working Conan Version: 1.12.3
Artifactory Version: 6.10.1

Issue:-

while triggering conan user -r <ARTIFACTORY_SERVER> -p command , the Conan client takes the credentials from environment variables, if they exist. This is true for both Anonymous Access enabled or disabled in artifactory.

Since we are running script locally, without environment variables, the client prompts for username and password, even if the remote shows as [Authenticated], due to running the command with the -p flag.

Please find the below exact steps:-

[****@**** ~]$ conan user

Current user of remote 'testconan' set to: 'hetaish' [Authenticated]
Current user of remote 'testRemote' set to: 'hetaish' [Authenticated]
                                                                                                                                                          

[****@****  ~]$ conan user -r testconan -p

Remote 'testconan' username:    

Please enter a password for "" account:

Even` if the remote in above is already authenticated it will again ask for credentials.

Expected Behavior
please include the functionality if the remote is already Authenticated , it will not prompt for the password.

[lasote]

This is the expected behavior, conan user -r testconan -p is an explicit call to authenticate (maybe you want to change your credentials, so you cannot automatically assume you want to skip if you are already logged in). Can't you avoid calling it if you are already logged in?

[hetaish]

Thank you for your reply.
We have problem in the Artifactory 6.10.1 When the Anonymous access is enabled , Conan client was not able to authenticate with Environment Variables (CONAN_LOGIN_USERNAME and CONAN_PASSWORD) in Jenkins Build Job.
But if the Anonymous access is disabled conan client will automatically take the environment variable and authenticate the user. Artifactory team suggested to add conan user -r testconan –p command to read the environment variables (CONAN_LOGIN_USERNAME , CONAN_PASSWORD) and it works in the Jenkins build Job, But it will cause needless prompt for developers as same code is used in Local as well in the Jenkins CI job.

[memsharded]

Could this case be similar to what https://github.com/conan-io/docs/pull/1349/files is documenting? The related issue is #5434

Is "Hide Existence of Unauthorized Resource" activated in the Artifactory server? In this case, this is the expected behavior, as they are basically opposite things. If the code is the same in both places, then developers should set their CONAN_PASSWORD too, to achieve the same behavior, otherwise they will be prompted. Please check the docs pending in that PR and tell if it makes sense.

[hetaish]

we have tested both with "Hide Existence of Unauthorized Resource" set and unset, and neither will trigger a prompt.

[memsharded]

we have tested both with "Hide Existence of Unauthorized Resource" set and unset, and neither will trigger a prompt.

yes, it also depends on the tasks, and the other permissions. As long as the server does not return an AuthenticationError, a prompt for credentials won't be triggered. There are some operations like search (necessary to resolve version ranges), that by default will return a list of available and allowed versions, but will not return a 404 because some specific version requires to be logged in, for example.

[hetaish]

is it possible to include the functionality if the remote is already Authenticated , it will not prompt for the password?

[lasote]

, But it will cause needless prompt for developers as same code is used in Local as well in the Jenkins CI job.

It still feels a bit corner case.
Cannot you check the existence of CONAN_PASSWORD environment variable to call or not the command?

[andersnp1]

So I'm the developer having the underlying issue, triggering @hetaish to create this issue.
I think I need to explain our use case to better explain the issue we experience.

We try to maintain a neat build workflow that should be identical between developers and CI.
We wrap Conan in CMake; our CMake is responsible for configuring Conan remotes and installing dependencies defined in conanfile.txt (all requirements defined here specify a specific version).

We do not wish to impose unnecessary requirement on developer workstations, so we don't wish to require the developers set up CONAN_LOGIN_USERNAME and CONAN_PASSWORD. Since the Conan remotes are managed by CMake, we don't know ahead of CMake which remotes we need to authenticate with, so for developer authentication we depend on an interactive credential prompt from conan install. At the same time, our CI is Docker-based, so we use these environment variables to provide credentials (which also requires a credential prompt from Conan).

This works great for us as long as Anonymous access is disable in Artifactory. As soon as Anonymous access is enabled we lose the credential prompts from Conan, and everything falls apart.

As I mention above, we do not wish to require the developers always have CONAN_LOGIN_USERNAME and CONAN_PASSWORD defined. This means that the suggestion from Artifactory support to use conan user -p -r <CONAN_REMOTE> doesn't work: It would trigger multiple credential prompts every time the developers run CMake.

What we really need is either:

1. an option to prompt for credentials for a remote only if we are not already authenticated
2. conan install to prompt for credentials even when Anonymous access is enabled in Artifactory, and Anonymous does not have the necessary rights to find/download the dependencies.

[lasote]

Thanks for the clarification.
I will speak to @memsharded to confirm if we are ok introducing a --skip-auth parameter to the conan user command to skip the auth in case the user-specified already has stored credentials.

[lasote]

Ok, we've been discussing. We are introducing at the next release 1.18 the --skip-auth argument that:

• Will just check if locally we have credentials for the specified user (if any).
• It won't check if the local credentials are valid or not, in case of an expired token, the server will raise 401 later and the client will be forced to log in again.
• It will bear as "deprecated" because:
  • At Conan 2.0, the command conan user XXXX will try to use the local credentials but will check against the server if they are valid (expired.. etc)
  • At Conan 2.0, the command conan user XXX -p will always ask for the password and will try to authenticate with the server.

[lasote]

Please @andersnp1 @hetaish confirm that it looks good for you.

[andersnp1]

Thank you.
Just to see that I understand this correctly, we will have to run conan user -r <CONAN_REMOTE> -p --skip-auth, and this will trigger a prompt if and only if there are no locally stored credentials for the remote?

If so, then this fulfills our requirements.

Out of curiosity, how do you imagine this will work if username is also specified, and if this is different from the locally stored credentials?

[lasote]

Just to see that I understand this correctly, we will have to run conan user -r <CONAN_REMOTE> -p --skip-auth, and this will trigger a prompt if and only if there are no locally stored credentials for the remote?

Correct

If the username is specified and doesn't match with the stored one, it will launch the authentication. Only if the user is not specified or the specified user matches the stored, will skip the auth.

[andersnp1]

Good, thank you 👍

[schwaerz]

Following up on this old ticket:

As the conan user command has been removed from conan 2.x - and conan remote login does not seem to support the "ask-for-password-if-not-authenticated-feature" anymore, are there other means to implemnt the workflow described above:

• Local use: Ask for password if not authenticated
• CI use: Use PW / username from environment

As a downside - starting with the latest Conan releases conan remote login '*' asks for username & password for every remote configured, so a user will have to enter the username and password 10 times if 10 remotes are configured :(

[memsharded]

Hi @schwaerz

This might require a new ticket to discuss. Have you tried the conan remote auth command?

[schwaerz]

I tried to use conan remote auth. However I don't know how to use it correctly. For me it did not seem to do anything.

[schwaerz]

I will create a new ticket.