Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get api key in chocolateyinstall.ps1 script #3101

Closed
2 tasks done
romandolinsky opened this issue Apr 4, 2023 · 7 comments
Closed
2 tasks done

Get api key in chocolateyinstall.ps1 script #3101

romandolinsky opened this issue Apr 4, 2023 · 7 comments
Labels
Invalid / Not Issue / No repro / Not Implementing

Comments

@romandolinsky
Copy link

Checklist

  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my request.

Is Your Feature Request Related To A Problem? Please describe.

I cannot download package related files from some repository protected by password without storing "apikeys" in scripts or package parameters.
Missing function for chocolateyinstall.ps1 to get already defined api keys.

When I want to download file from eg. artifactory I must store apikey in script.

$options =@{
  Headers = @{
    Accept = '*/*';
    'X-JFrog-Art-Api'='AKCp5....';
  }
}
Get-WebFile -Url $url -fileName "$toolsDir/thefile.exe" -Options $options

or use package parameters which are necessary always set.

$pp = Get-PackageParameters
$options =@{
  Headers = @{
    Accept = '*/*';
    '$pp.ApikeyForSomeService';
  }
}
Get-WebFile -Url $url -fileName "$toolsDir/thefile.exe" -Options $options

Describe The Solution. Why is it needed?

Reason why:
Developers in companies often use protected repos, not only for packages but also for data downloaded during package installation(transferring big data). Funcion will avoid storing apikeys in script or always add apikeys like package parameters.

"One source of information / better credentials handling"

Example how solution/feature can work.
Define apikey for repo choco apikey -s "https://<domain>.com/" -k='X-JFrog-Art-Api:AKCp5dK4oN.....'
In helpers have get-apikey script and in chocolateyinstall.ps1 call "get-apikey function"

$key = get-apikey("https://<domain>.com/")

and use that for downloading file

Get-ChocolateyWebFile -PackageName 'package' -FileFullPath "$toolsDir/thefile.exe" -Url 'https://<domain>.com/thefile.exe' -credentials $key

or like header

Get-ChocolateyWebFile -PackageName 'package' -FileFullPath "$toolsDir/thefile.exe" -Url 'https://<domain>.com/thefile.exe' -header $key

Additional Context

No response

Related Issues

No response
@pauby
Copy link
Member

pauby commented Apr 4, 2023

If you are using a binary store (which it sounds like you have) then you need to ensure there are no required credentials.

@TheCakeIsNaOH
Copy link
Member

If you are using a binary store (which it sounds like you have) then you need to ensure there are no required credentials.

If I understand correctly, binary stores need to be password protected (or other authentication required) due to organizational requirements. So @romandolinsky is using headers to add support for authentication to Get-ChocolateyWebFile, which is why a better way to get credentials into an install script is being requested.

Define apikey for repo choco apikey -s

The problem with using apikey for storing other credentials is that the stored apikeys are intended to be used for storing credentials for pushing packages.

However, I think it would be possible to store credentials in choco config. There is already an issue to add a helper to get config values in scripts: #2864

One downside with using config is that the credentials would not be obfuscated on disk.

@romandolinsky
Copy link
Author

Yes we have nugget and bin repo in cloud. For cloud authentication for nugget repo we can use choco apikey but for authentication inside script(bin repo) we must store apikey in install script. Which can be possible security risk. For that reason we want have only one location for setting apikeys.

@pauby
Copy link
Member

pauby commented Apr 5, 2023
edited
Loading

If I understand correctly, binary stores need to be password protected (or other authentication required) due to organizational requirements. So @romandolinsky is using headers to add support for authentication to Get-ChocolateyWebFile, which is why a better way to get credentials into an install script is being requested.

I understand the use case. I was pointing to the docs to confirm Chocolatey CLI doesn't support binary stores with authentication.

@romandolinsky
Copy link
Author

romandolinsky commented Apr 5, 2023
edited
Loading

Yes I understand. Main goal for me is get credentials from stored apikeys. Is function possible ? Or how may I decode stored credentials/apikeys in config file?

@pauby
Copy link
Member

pauby commented Apr 5, 2023
edited
Loading

It's not possible to get credentials from stored API keys. Stored API keys are used by Chocolatey CLI and not for external use.

@pauby pauby mentioned this issue May 11, 2023
Open
2 tasks
@pauby
Copy link
Member

pauby commented May 11, 2023

If we were to add a feature for accessing the API keys, then its use case would be for organizations, and therefore it would be a Licensed feature.

I've opened chocolatey/chocolatey-licensed-issues#346 for this and will close this issue just now. We can always re-open it later.

@pauby pauby closed this as not planned Won't fix, can't repro, duplicate, stale May 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Invalid / Not Issue / No repro / Not Implementing
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pauby @TheCakeIsNaOH @romandolinsky