
Comments (9)

yahavi avatar yahavi commented on May 30, 2024

Thanks for your feedback, @NickLiffen!
Configuring the "JF_ARTIFACTORY_" server token is the easiest and most recommended way to configure the Artifactory credentials.
However, it is not mandatory. You still have the option to use the CLI as usual:

Example 1:

- uses: jfrog/setup-jfrog-cli@v1
- run: |
    jfrog rt ping --url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

Example 2:

- uses: jfrog/setup-jfrog-cli@v1
- run: |
    jfrog c add kermit --artifactory-url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.RT_TOKEN }}
    jfrog rt ping

One more thing - jfrog rt c is deprecated in favour of jfrog c add. Read more about this command under Authentication.
I updated the Setup JFrog CLI documentation - thanks!

Please let me know if that helped.

from setup-jfrog-cli.

NickLiffen avatar NickLiffen commented on May 30, 2024

@yahavi I agree that for most people this would be okay 👍

The thing about this command:

  jfrog rt ping --url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

is that I would have to run this with every command I run 😢 Which is a little bit messy. Also, across 100 repos using this, it just starts to not get very modular IMO.

We could create something custom in the company that I work for which does what we are asking, but I just didn't know if there was appetite at the broader community to have the OPTION (not mandatory), to just do a one-time setup of:

- uses: jfrog/setup-jfrog-cli@v1
  env:
    JF_ARTIFACTORY_SERVER_URL: ${{ secrets.JF_ARTIFACTORY_SERVER_URL }}
    JF_ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }}

What that means is in another job I could be rotating the JF_ARTIFACTORY_ACCESS_TOKEN every X hours, meaning we are fully secure.

The problem is, even though GitHub makes it really hard to console.log() GitHub Secrets, it's 100% possible with hacky solutions which I don't like, but it's done. So if we don't rotate it, someone could get it out of Secrets and use it. That is why we need to rotate if that makes sense 👍

If this isn't something you are interested in then it's fine, we are happy to build something custom, just wanted to ask here first 👍


yahavi avatar yahavi commented on May 30, 2024

@NickLiffen,
if I have not misunderstood you, you can easily create the server token in the action that updates Artifactory's token.
Something like that:

- uses: jfrog/setup-jfrog-cli@v1
- run: |
    # Create a new access token
    export NEW_ACCESS_TOKEN=`jfrog rt atc <artifactory-username> --url=${{ secrets.JF_ARTIFACTORY_SERVER_URL }} --access-token=${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }} | jq '.access_token' -r`

    # Configure Artifactory server
    jfrog c add kermit --artifactory-url=${{ secrets.JF_ARTIFACTORY_SERVER_URL }} --access-token=$NEW_ACCESS_TOKEN

    # Create a new server token
    export NEW_TOKEN=`jfrog c export kermit`

Please let me know if that helped.


NickLiffen avatar NickLiffen commented on May 30, 2024

Agreed 👍 But look how messy that is 😢 This is what we are trying to get away from. It's a lot of characters of code where someone could go in and change something which breaks the auth process. If someone was to go in and accidentally change something, it stops working.

It sounds like you aren't open to this suggestion, (which is fine), we are happy to go and build our own action 👍 Appreciate the conversation 💯


NickLiffen avatar NickLiffen commented on May 30, 2024

I also don't think I am explaining myself very well, to be honest, 🙃

I would like to have a workflow that has a one-time Artifactory setup step, then multiple steps after that, that don't need to worry about anything config related, it would use the one-time setup process. E.G

- uses: jfrog/setup-jfrog-cli@v1
  env:
    JF_ARTIFACTORY_SERVER_URL: ${{ secrets.JF_ARTIFACTORY_SERVER_URL }}
    JF_ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }}

That would be the setup, then I could run any command after that line, like this:

- run: |
    jfrog rt ping

This token here: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }} we would like to be set at the GitHub Organisation layer. This token would have read access to certain enterprise repos. Now, as it's at the org level, we need to be careful with this token. So, in a completely separate GitHub Repo, I will use the Artifactory REST API to create a new token and update the GitHub Org Secret with the new Access Token.

I would then put this GitHub action on a cron to run X times every day.

As it's at the org level, it means 1000s of repos can reference this one token, whilst staying secure, as the token is scoped to groups, and also if someone managed to get it out of actions, it is only valid for X amount of time. If that makes sense.

We can't ask 1000s of repos to do this, so we will have 1 secret at the GitHub Org Level. We will have 1 separate locked off GitHub Repo that updates this org level secret every X hours. Then set the org level secret so every repo in the org can use it.

Hopefully that makes sense 👍

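The rotation job described in the post above, written out as an added example (not code from setup-jfrog-cli, JFrog or any participant in this thread). It mints a short-lived, non-refreshable Artifactory access token scoped to one group, encrypts it the way GitHub's secrets API requires, and writes it to the organisation secret that every repo's workflow reads as JF_ACCESS_TOKEN. It also checks the one thing that is easy to get wrong with a cron-driven rotation: the token's lifetime must exceed the rotation interval (a job that started just before the secret changed must not fail), but not by so much that a leaked token stays usable long after the next rotation. Everything below is an assumption the page does not state: the Access API endpoint and body shape (`/access/api/v1/tokens`, `applied-permissions/groups:<group>` scope), GitHub's org-secret endpoints, the libsodium sealed-box encryption (PyNaCl) they require, and all names, URLs and token values, which are constructed placeholders. The HTTP client is injected so the module runs offline against a recording fake.

```python
"""Rotate an org-level Artifactory access-token secret (hypothetical helper)."""
import base64
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Injected HTTP callable: (method, url, headers, json_body) -> parsed JSON response.
Http = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


@dataclass
class RotationPlan:
    rotate_every_s: int  # how often the cron job in the locked-down repo runs
    token_ttl_s: int     # expires_in requested from Artifactory for each new token


def validate_plan(plan: RotationPlan, margin: float = 1.5) -> int:
    """Return the TTL to request, or raise if the plan leaves a gap or an overlong tail."""
    if plan.token_ttl_s <= plan.rotate_every_s:
        raise ValueError("token TTL must exceed the rotation interval")
    if plan.token_ttl_s > margin * plan.rotate_every_s:
        raise ValueError("token TTL keeps a leaked token valid too long after rotation")
    return plan.token_ttl_s


def create_artifactory_token(http: Http, base_url: str, admin_token: str,
                             username: str, group: str, expires_in: int) -> Dict[str, Any]:
    """Mint a non-refreshable, group-scoped token (assumed Access API shape)."""
    body = {
        "username": username,
        "scope": f"applied-permissions/groups:{group}",  # assumed scope syntax
        "expires_in": expires_in,
        "refreshable": False,  # a leaked token cannot be extended past its TTL
        "description": "rotated by org-secret-rotator",
    }
    headers = {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"}
    return http("POST", f"{base_url.rstrip('/')}/access/api/v1/tokens", headers, body)


def seal_for_github(public_key_b64: str, plaintext: str) -> str:
    """libsodium sealed box, which GitHub's secrets API requires (needs PyNaCl)."""
    from nacl import encoding, public  # lazy import so the rest runs without PyNaCl
    pk = public.PublicKey(public_key_b64.encode(), encoding.Base64Encoder())
    return base64.b64encode(public.SealedBox(pk).encrypt(plaintext.encode())).decode()


def set_org_secret(http: Http, org: str, name: str, value: str, github_token: str,
                   seal: Callable[[str, str], str] = seal_for_github) -> Dict[str, Any]:
    """Fetch the org public key, seal the value, PUT it as an org-wide secret."""
    headers = {"Authorization": f"Bearer {github_token}", "Accept": "application/vnd.github+json"}
    key = http("GET", f"https://api.github.com/orgs/{org}/actions/secrets/public-key", headers, None)
    body = {"encrypted_value": seal(key["key"], value), "key_id": key["key_id"], "visibility": "all"}
    http("PUT", f"https://api.github.com/orgs/{org}/actions/secrets/{name}", headers, body)
    return {"secret": name, "key_id": key["key_id"]}


def rotate(http: Http, plan: RotationPlan, art_url: str, art_admin_token: str, art_user: str,
           group: str, org: str, secret_name: str, github_token: str,
           seal: Callable[[str, str], str] = seal_for_github) -> Dict[str, Any]:
    ttl = validate_plan(plan)
    tok = create_artifactory_token(http, art_url, art_admin_token, art_user, group, ttl)
    result = set_org_secret(http, org, secret_name, tok["access_token"], github_token, seal)
    result["expires_in"] = tok.get("expires_in", ttl)  # metadata only; never return the token
    return result


class RecordingHttp:
    """Constructed stand-in for a real client: records calls, returns canned JSON."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        self.calls.append({"method": method, "url": url, "body": body})
        if url.endswith("/access/api/v1/tokens"):
            return {"access_token": "constructed-token-value", "expires_in": body["expires_in"]}
        if url.endswith("/public-key"):
            return {"key_id": "constructed-key-id", "key": base64.b64encode(b"\x00" * 32).decode()}
        return {}


def fake_seal(public_key_b64: str, value: str) -> str:
    """Offline substitute for seal_for_github so the demo runs without PyNaCl."""
    return base64.b64encode(f"sealed:{value}".encode()).decode()


def demo_rotation():
    """Run one rotation against the recording fake: 6h cron, 8h token TTL."""
    http = RecordingHttp()
    plan = RotationPlan(rotate_every_s=6 * 3600, token_ttl_s=8 * 3600)
    result = rotate(http, plan, "https://acme.jfrog.io", "ADMIN-TOKEN-PLACEHOLDER", "ci-bot",
                    "readers", "acme-org", "JF_ACCESS_TOKEN", "GH-TOKEN-PLACEHOLDER", seal=fake_seal)
    return http, result


if __name__ == "__main__":
    _, summary = demo_rotation()
    print(summary)  # token metadata only; the token value is never printed
```

In a real run the job would call `rotate` with `requests`-backed `http`, the real `seal_for_github`, and the admin credential held only in the locked-down rotator repo; the `validate_plan` margin is the knob to tune against how long a single workflow run can take.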

rkustner avatar rkustner commented on May 30, 2024

Maybe the PR I recently created could help creating the feature that is requested here?
#43

I have it working in our private action but would make our devs really happy if they could use it with this public version of the action.


eyalbe4 avatar eyalbe4 commented on May 30, 2024

@rkustner -
I added a question for you inside your PR.
@NickLiffen -
Are you suggesting that we create a new and separate action for refreshing the token periodically?


sverdlov93 avatar sverdlov93 commented on May 30, 2024

Hi @NickLiffen
This #76 is merged and adds the following functionality.
Looking forward to your feedback on it.
I will update this thread once the next release is out.

Storing the connection details using separate environment variables

You can set the connection details to your JFrog Platform by using one of the following environment variables combinations:

  1. JF_URL (no authentication)
  2. JF_URL + JF_USER + JF_PASSWORD (basic authentication)
  3. JF_URL + JF_ACCESS_TOKEN (authentication using a JFrog Access Token)

You can use these environment variables in your workflow as follows:

- uses: jfrog/setup-jfrog-cli@v2
  env:
    # JFrog platform URL (for example: https://acme.jfrog.io)
    JF_URL: ${{ secrets.JF_URL }}

    # Basic authentication credentials
    JF_USER: ${{ secrets.JF_USER }}
    JF_PASSWORD: ${{ secrets.JF_PASSWORD }}

    # JFrog platform access token (if JF_USER and JF_PASSWORD are not provided)
    # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
- run: |
    jf rt ping


sverdlov93 avatar sverdlov93 commented on May 30, 2024

Hi @NickLiffen,
Setup JFrog CLI 2.4.0 is released and includes the above feature.
We'd appreciate your feedback on that.
