Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dotnet add package won't use credentials from global config for a source specified in local config #6935

Open
livarcocc opened this issue May 15, 2018 · 7 comments
Open

dotnet add package won't use credentials from global config for a source specified in local config #6935

livarcocc opened this issue May 15, 2018 · 7 comments
Labels
Area:Authentication Area:Settings NuGet.Config and related issues Category:Quality Week Issues that should be considered for quality week Priority:2 Issues for the current backlog. Type:Bug

Comments

@livarcocc
Copy link

From @evil-shrike on May 15, 2018 11:40

Steps to reproduce

Given an internal Artifactory server with several repositories, all of them require authentication.

dotnet add package Microsoft.AspNetCore.All work for an arbitrary new project. That means that all cached credentials in "C:\Users\UserName\AppData\Roaming\NuGet\NuGet.Config" are fine.

That global NuGet.Config contains several sources:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageRestore>
    <add key="enabled" value="True" />
    <add key="automatic" value="True" />
  </packageRestore>
  <packageSources>
    <add key="rnd-virtual-dev" value="https://company.org/api/nuget/nuget-virtual-dev" />
    <add key="rnd-virtual" value="https://company.org/api/nuget/nuget-virtual" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <activePackageSource>
    <add key="rnd-virtual" value="https://company.org/api/nuget/nuget-virtual" />
  </activePackageSource>
  <bindingRedirects>
    <add key="skip" value="False" />
  </bindingRedirects>
  <packageManagement>
    <add key="format" value="0" />
    <add key="disabled" value="True" />
  </packageManagement>
  <packageSourceCredentials>
    <rnd-virtual-dev>
      <add key="Username" value="username" />
      <add key="Password" value="AQA..." />
    </rnd-virtual-dev>
    <rnd-virtual>
      <add key="Username" value="username" />
      <add key="Password" value="AQA..." />
    </rnd-virtual>
  </packageSourceCredentials>
</configuration>

Now I'm adding a local NuGet.Config besides my csproj and try the same install: dotnet add package Microsoft.AspNetCore.All

It fails with 401 Unauthorized!

The local nuget.config contains one of the source from global config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
	<packageSources>
		<add key="Dev" value="https://company.org/api/nuget/nuget-virtual" />
	</packageSources>
</configuration>

If I run nuget.exe (4.6.2.5055) directly it works fine (that is it uses credentials from global config).

Expected behavior

Credentials are being used.

Actual behavior

Installation fails:

D:\Work\temp\testapp\Server>dotnet add package Microsoft.AspNetCore.All
  Writing C:\Users\UserName\AppData\Local\Temp\tmp2C0.tmp
info : Adding PackageReference for package 'Microsoft.AspNetCore.All' into project 'D:\Work\temp\testapp\Server\Server.csproj'.
log  : Restoring packages for D:\Work\temp\testapp\Server\Server.csproj...
info :   GET https://api.nuget.org/v3-flatcontainer/microsoft.aspnetcore.all/index.json
info :   GET https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0
info :   GET https://company.org/api/nuget/nuget-virtual-dev/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0
info :   CACHE https://company.org/api/nuget/rnd-nuget/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0
info :   Unauthorized https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0 100ms
log  : Retrying 'FindPackagesByIdAsyncCore' for source 'https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0'.
log  : Response status code does not indicate success: 401 (Unauthorized).
info :   GET https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0
info :   Unauthorized https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0 3ms
log  : Retrying 'FindPackagesByIdAsyncCore' for source 'https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0'.
log  : Response status code does not indicate success: 401 (Unauthorized).
info :   GET https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0
info :   Unauthorized https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0 3ms
error: Failed to retrieve information about 'Microsoft.AspNetCore.All' from remote source 'https://company.org/api/nuget/nuget-virtual/FindPackagesById()?id='Microsoft.AspNetCore.All'&semVerLevel=2.0.0'.
error:   Response status code does not indicate success: 401 (Unauthorized).

Environment data

dotnet --info output:

.NET Command Line Tools (2.1.200)

Product Information:
 Version:            2.1.200
 Commit SHA-1 hash:  2edba8d7f1

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.17134
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\2.1.200\

Microsoft .NET Core Shared Framework Host

  Version  : 2.0.7
  Build    : 2d61d0b043915bc948ebf98836fefe9ba942be11

PS: I double checked that the sources in local config and in global one are the same.

Copied from original issue: dotnet/cli#9281
@mishra14
Copy link
Contributor

@evil-shrike Thanks for reporting the problem.

Can you try storing the password in clear text and try again?
nuget sources update -Name rnd-virtual-dev -UserName username -Password <password> -Storepasswordincleartext -configfile <global_nuget_config>

@mishra14 mishra14 added Platform:Xplat Area:Authentication WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels May 16, 2018
@mishra14 mishra14 added this to the Backlog milestone May 16, 2018
@evil-shrike
Copy link

@mishra14 I've tried with creds in cleartext - no changes, getting same 401 for the source specified in local nuget.config.

@mishra14 mishra14 added Triage:Investigate and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Jul 9, 2018
@nkolev92
Copy link
Member

Fixed in NuGet/NuGet.Client#2486

@nkolev92 nkolev92 modified the milestones: Backlog, 5.0 Nov 13, 2018
@rrelyea rrelyea changed the title dotnet add package won't use credentials from global config for a source specified in local config dotnet add package won't use credentials from global config for a source specified in local config Apr 3, 2019
@Luqswe
Copy link

Luqswe commented May 18, 2020
edited
Loading

im having this exact same issue on my system:

.NET Core SDK :
Version: 3.1.202
Commit: 6ea70c8dca

Runtime Environment:
OS Name: Windows
OS Version: 10.0.17763
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\3.1.202\

dotnet add package output:
error: Response status code does not indicate success: 401 (Unauthorized).

my NuGet.Config (also tried with encrypted password):

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="Microsoft Visual Studio Offline Packages" value="C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\" />
    <add key="MyPrivateRepo" value="http://someurl:5100/v3/index.json" />
  </packageSources>
  <packageRestore>
    <add key="enabled" value="True" />
    <add key="automatic" value="True" />
  </packageRestore>
  <bindingRedirects>
    <add key="skip" value="False" />
  </bindingRedirects>
  <packageManagement>
    <add key="format" value="0" />
    <add key="disabled" value="False" />
  </packageManagement>
  <packageSourceCredentials>
    <MyPrivateRepo>
        <add key="Username" value="username" />
        <add key="ClearTextPassword" value="password" />
      </MyPrivateRepo>
  </packageSourceCredentials>
</configuration>

@Crono1981
Copy link

Crono1981 commented Sep 2, 2020
edited
Loading

Same issue here too. I have no choice but to specify no restore And it turns out that specifying the -n flag, which I assumed would turn off both package restoring AND any checks on remote sources, doesn't help with this.

I really hope package operations with dotnet CLI will receive some serious love soon. Right now I don't feel I can rely on it for anything serious.

@aortiz-msft
Copy link
Contributor

@Luqswe - I have reopened the issue based on your comments.

@Crono1981 - What version of the .NET SDK are you using?

@aortiz-msft aortiz-msft reopened this Sep 2, 2020
@Crono1981
Copy link

@aortiz-msft I'm on 3.1.401

@aortiz-msft aortiz-msft removed this from the 5.0 milestone Sep 2, 2020
@nkolev92 nkolev92 added Category:Quality Week Issues that should be considered for quality week Priority:2 Issues for the current backlog. Area:Settings NuGet.Config and related issues and removed Platform:Xplat labels Sep 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area:Authentication Area:Settings NuGet.Config and related issues Category:Quality Week Issues that should be considered for quality week Priority:2 Issues for the current backlog. Type:Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@livarcocc @evil-shrike @nkolev92 @rrelyea @mishra14 @Luqswe @Crono1981 @heng-liu @aortiz-msft