Add support for repository authentication with bearer token (#4483)

Co-authored-by: nscuro <[email protected]>

Author: valentijnscholten

docs/_docs/datasources/repositories.md

@@ -61,8 +61,11 @@ for information on Package URL and the various ways it is used throughout Depend
 
 ### Authentication
 
+For each repository a Username and Password can be specified to perform Basic Authentication.
+To use Bearer Token authentication, leave the Username field empty and fill out the Token in the Password field.
+
 #### GitHub
 
 For GitHub repositories (`github.com` per default), the username should be the GitHub account's username,
 and the password should be a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
-(PAT) with public access (no additional scopes).
+(PAT) with public access (no additional scopes).

src/main/java/org/dependencytrack/persistence/RepositoryQueryManager.java

@@ -18,17 +18,6 @@
  */
 package org.dependencytrack.persistence;
 
-import alpine.common.logging.Logger;
-import alpine.persistence.PaginatedResult;
-import alpine.resources.AlpineRequest;
-import alpine.security.crypto.DataEncryption;
-import org.apache.commons.lang3.StringUtils;
-import org.dependencytrack.model.Repository;
-import org.dependencytrack.model.RepositoryMetaComponent;
-import org.dependencytrack.model.RepositoryType;
-
-import javax.jdo.PersistenceManager;
-import javax.jdo.Query;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -37,6 +26,19 @@
 import java.util.Map;
 import java.util.UUID;
 
+import javax.jdo.PersistenceManager;
+import javax.jdo.Query;
+
+import org.apache.commons.lang3.StringUtils;
+import org.dependencytrack.model.Repository;
+import org.dependencytrack.model.RepositoryMetaComponent;
+import org.dependencytrack.model.RepositoryType;
+
+import alpine.common.logging.Logger;
+import alpine.persistence.PaginatedResult;
+import alpine.resources.AlpineRequest;
+import alpine.security.crypto.DataEncryption;
+
 public class RepositoryQueryManager extends QueryManager implements IQueryManager {
     private static final Logger LOGGER = Logger.getLogger(RepositoryQueryManager.class);
 

src/main/java/org/dependencytrack/tasks/repositories/AbstractMetaAnalyzer.java

@@ -117,8 +117,10 @@ protected CloseableHttpResponse processHttpRequest(String url) throws IOExceptio
             URIBuilder uriBuilder = new URIBuilder(url);
             final HttpUriRequest request = new HttpGet(uriBuilder.build().toString());
             request.addHeader("accept", "application/json");
-            if (username != null || password != null) {
+            if (!StringUtils.isEmpty(username)) { // for some reason there is a testcase for password being null
                 request.addHeader("Authorization", HttpUtil.basicAuthHeaderValue(username, password));
+            } else if (!StringUtils.isEmpty(password)) {
+                request.addHeader("Authorization", "Bearer " + password);
             }
             return HttpClientPool.getClient().execute(request);
         } catch (URISyntaxException ex) {

src/main/java/org/dependencytrack/util/HttpUtil.java

@@ -18,11 +18,11 @@
  */
 package org.dependencytrack.util;
 
+import static org.apache.http.HttpHeaders.AUTHORIZATION;
+
 import java.util.Base64;
 import java.util.Objects;
 
-import static org.apache.http.HttpHeaders.AUTHORIZATION;
-
 public final class HttpUtil {
 
     /**

src/test/java/org/dependencytrack/resources/v1/RepositoryResourceTest.java

@@ -172,7 +172,7 @@ void getRepositoryMetaUntrackedComponentTest() {
 
 
     @Test
-    void createRepositoryTest() {
+    void createRepositoryTestWithBasicAuth() {
         Repository repository = new Repository();
         repository.setAuthenticationRequired(true);
         repository.setEnabled(true);
@@ -202,6 +202,40 @@ void createRepositoryTest() {
         Assertions.assertTrue(json.getJsonObject(13).getBoolean("enabled"));
     }
 
+    @Test
+    public void createRepositoryTestWithBearerAuth() {
+        //Password field gets ignored during json serialization, so create the json ourselves
+        String repo = """
+            {
+                "identifier":"test2",
+                "url":"https://www.foobar2.com",
+                "internal":true,
+                "authenticationRequired":true,
+                "password":"letoken",
+                "enabled":true,
+                "type":"MAVEN"
+            }
+        """;
+
+        Response response = jersey.target(V1_REPOSITORY).request().header(X_API_KEY, apiKey)
+                .put(Entity.entity(repo, MediaType.APPLICATION_JSON));
+        Assertions.assertEquals(201, response.getStatus());
+
+        response = jersey.target(V1_REPOSITORY).request().header(X_API_KEY, apiKey).get(Response.class);
+        Assertions.assertEquals(200, response.getStatus(), 0);
+        Assertions.assertEquals(String.valueOf(18), response.getHeaderString(TOTAL_COUNT_HEADER));
+        JsonArray json = parseJsonArray(response);
+        Assertions.assertNotNull(json);
+        Assertions.assertEquals(18, json.size());
+        Assertions.assertEquals("MAVEN", json.getJsonObject(13).getString("type"));
+        Assertions.assertEquals("test2", json.getJsonObject(13).getString("identifier"));
+        Assertions.assertEquals("https://www.foobar2.com", json.getJsonObject(13).getString("url"));
+        Assertions.assertTrue(json.getJsonObject(13).getInt("resolutionOrder") > 0);
+        Assertions.assertTrue(json.getJsonObject(13).getBoolean("authenticationRequired"));
+        Assertions.assertFalse(json.getJsonObject(13).containsKey("username"));
+        Assertions.assertTrue(json.getJsonObject(13).getBoolean("enabled"));
+    }
+
     @Test
     void createNonInternalRepositoryTest() {
         Repository repository = new Repository();
@@ -261,7 +295,6 @@ void createRepositoryAuthFalseTest() {
         Assertions.assertTrue(json.getJsonObject(13).getInt("resolutionOrder") > 0);
         Assertions.assertFalse(json.getJsonObject(13).getBoolean("authenticationRequired"));
         Assertions.assertTrue(json.getJsonObject(13).getBoolean("enabled"));
-
     }
 
     @Test
@@ -297,6 +330,5 @@ void updateRepositoryTest() throws Exception {
                 }
             }
         }
-
     }
 }

src/test/java/org/dependencytrack/tasks/RepoMetaAnalysisTaskTest.java

@@ -27,6 +27,7 @@
 
 @WireMockTest
 class RepoMetaAnalysisTaskTest extends PersistenceCapableTest {
+
     private WireMockRuntimeInfo wmRuntimeInfo;
 
     @BeforeEach
@@ -67,7 +68,7 @@ void informTestNullPassword() throws Exception {
                                                                </versions>
                                                                <lastUpdated>20210213164433</lastUpdated>
                                                                </versioning>
-                                                               </metadata>     
+                                                               </metadata>
                                 """.getBytes(), new ContentTypeHeader(MediaType.APPLICATION_JSON))
                         )
                         .withHeader("X-CheckSum-MD5", "md5hash")
@@ -91,7 +92,7 @@ void informTestNullPassword() throws Exception {
 
     @Test
     void informTestNullUserName() throws Exception {
-        WireMock.stubFor(WireMock.get(WireMock.anyUrl()).withHeader("Authorization", containing("Basic"))
+        WireMock.stubFor(WireMock.get(WireMock.anyUrl()).withHeader("Authorization", containing("Bearer"))
                 .willReturn(WireMock.aResponse()
                         .withStatus(200)
                         .withResponseBody(Body.ofBinaryOrText("""
@@ -113,7 +114,7 @@ void informTestNullUserName() throws Exception {
                                                                </versions>
                                                                <lastUpdated>20210213164433</lastUpdated>
                                                                </versioning>
-                                                               </metadata>     
+                                                               </metadata>
                                 """.getBytes(), new ContentTypeHeader(MediaType.APPLICATION_JSON))
                         )
                         .withHeader("X-CheckSum-MD5", "md5hash")
@@ -159,7 +160,7 @@ void informTestNullUserNameAndPassword() throws Exception {
                                                                </versions>
                                                                <lastUpdated>20210213164433</lastUpdated>
                                                                </versioning>
-                                                               </metadata>     
+                                                               </metadata>
                                 """.getBytes(), new ContentTypeHeader(MediaType.APPLICATION_JSON))
                         )
                         .withHeader("X-CheckSum-MD5", "md5hash")
@@ -183,7 +184,7 @@ void informTestNullUserNameAndPassword() throws Exception {
 
     @Test
     void informTestUserNameAndPassword() throws Exception {
-        WireMock.stubFor(WireMock.get(WireMock.anyUrl())
+        WireMock.stubFor(WireMock.get(WireMock.anyUrl()).withHeader("Authorization", containing("Basic"))
                 .willReturn(WireMock.aResponse()
                         .withStatus(200)
                         .withResponseBody(Body.ofBinaryOrText("""
@@ -205,7 +206,7 @@ void informTestUserNameAndPassword() throws Exception {
                                                                </versions>
                                                                <lastUpdated>20210213164433</lastUpdated>
                                                                </versioning>
-                                                               </metadata>     
+                                                               </metadata>
                                 """.getBytes(), new ContentTypeHeader(MediaType.APPLICATION_JSON))
                         )
                         .withHeader("X-CheckSum-MD5", "md5hash")
@@ -226,4 +227,51 @@ void informTestUserNameAndPassword() throws Exception {
         qm.getPersistenceManager().refresh(metaComponent);
         assertThat(metaComponent.getLatestVersion()).isEqualTo("4.13.2");
     }
+
+    @Test
+    public void informTestBearerToken() throws Exception {
+        WireMock.stubFor(WireMock.get(WireMock.anyUrl()).withHeader("Authorization", containing("Bearer"))
+                .willReturn(WireMock.aResponse()
+                        .withStatus(200)
+                        .withResponseBody(Body.ofBinaryOrText("""
+                                                               <metadata>
+                                                               <groupId>test4</groupId>
+                                                               <artifactId>test4</artifactId>
+                                                               <versioning>
+                                                               <latest>5.13.2</latest>
+                                                               <release>5.13.2</release>
+                                                               <versions>
+                                                               <version>5.13-beta-1</version>
+                                                               <version>5.13-beta-2</version>
+                                                               <version>5.13-beta-3</version>
+                                                               <version>5.13-rc-1</version>
+                                                               <version>5.13-rc-2</version>
+                                                               <version>5.13</version>
+                                                               <version>5.13.1</version>
+                                                               <version>5.13.2</version>
+                                                               </versions>
+                                                               <lastUpdated>20210213164433</lastUpdated>
+                                                               </versioning>
+                                                               </metadata>
+                                """.getBytes(), new ContentTypeHeader(MediaType.APPLICATION_JSON))
+                        )
+                        .withHeader("X-CheckSum-MD5", "md5hash")
+                        .withHeader("X-Checksum-SHA1", "sha1hash")
+                        .withHeader("X-Checksum-SHA512", "sha512hash")
+                        .withHeader("X-Checksum-SHA256", "sha256hash")
+                        .withHeader("Last-Modified", "Thu, 07 Jul 2022 14:00:00 GMT")));
+        EventService.getInstance().subscribe(RepositoryMetaEvent.class, RepositoryMetaAnalyzerTask.class);
+        Project project = qm.createProject("Acme Example", null, "1.0", null, null, null, true, false);
+        Component component = new Component();
+        component.setProject(project);
+        component.setName("test3");
+        component.setPurl(new PackageURL("pkg:maven/test4/[email protected]"));
+        qm.createComponent(component, false);
+        qm.createRepository(RepositoryType.MAVEN, "test", wmRuntimeInfo.getHttpBaseUrl(), true, false, true, null, "testPassword");
+        new RepositoryMetaAnalyzerTask().inform(new RepositoryMetaEvent(List.of(component)));
+        RepositoryMetaComponent metaComponent = qm.getRepositoryMetaComponent(RepositoryType.MAVEN, "test4", "test4");
+        qm.getPersistenceManager().refresh(metaComponent);
+        assertThat(metaComponent.getLatestVersion()).isEqualTo("5.13.2");
+    }
+
 }

src/test/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzerTest.java

@@ -57,22 +57,22 @@ static void beforeClass() throws Exception {
     private static void setupMockServerClient(
             String path,
             String responseFile,
-            String encodedBasicHeader
+            String authHeader
     ) throws Exception {
-        setupMockServerClient(path, responseFile, encodedBasicHeader, "application/json", 200);
+        setupMockServerClient(path, responseFile, authHeader, "application/json", 200);
     }
 
     private static void setupMockServerClient(
             String path,
             String responseFile,
-            String encodedBasicHeader,
+            String authHeader,
             String contentType,
             int statusCode
     ) throws Exception {
 
         List<Header> headers = new ArrayList<>();
-        if (encodedBasicHeader != null) {
-            headers.add(new Header("Authorization", encodedBasicHeader));
+        if (authHeader != null) {
+            headers.add(new Header("Authorization", authHeader));
         }
 
         new MockServerClient("localhost", 1080)