[1.3.0] Nexus repo credentials not used when downloading dependencies/custom plugin

[francisdb]

(issue exists since sbt 1.3.0-RC1)
switching from sbt 1.2.8 with sbt-coursier 1.0.2 to sbt 1.3.0 without sbt-coursier plugin

We have a custom sbt plugin that fails to download from nexus:

plugins.sbt

resolvers += "Company repository" at "https://nexus.company.com/repository/maven-releases"
credentials += Credentials("Sonatype Nexus Repository Manager", "nexus.company.com", "user", "pwd")

addSbtPlugin("com.company" % "our-sbt-plugin" % "1.2.0")

sbt.librarymanagement.ResolveException: Error downloading com.company:our-sbt-plugin;sbtVersion=1.0;scalaVersion=2.12:1.2.0
...
unauthorized: https://nexus.company.com/repository/maven-releases/com/company/our-sbt-plugin_2.12_1.0/1.2.0/our-sbt-plugin-1.2.0.pom

Same problem if credentials are added in ~/.sbt/1.0/global.sbt
Same problem happens with normal dependencies (not sbt plugins)
Same problem happens when using sbt 1.2.x with sbt-coursier 2.0.0-RC3-2

Is there a way to show what credentials sbt is using to go to that nexus?

workaround

Add this in plugins.sbt (meta buid) and build.sbt

ThisBuild / useCoursier := false

[eed3si9n]

@francisdb Thanks for the report. I think it's a duplicate of #4802

[francisdb]

@eed3si9n Since #4802 is closed but this issue is still there. I would like to see this re-opened.

Projects that work on 1.2.x (even without coursier 1.2.x) give unauthorized on 1.3.0-RC3 when downloading sbt plugin dependencies from nexus. Normal dependencies and plugin dependencies.

This could be related to #4932, however it's not very likely as I see sbt trying do download from our nexus, just not using the correct credentials

Could also be related to coursier/coursier#1319

[francisdb]

@sbrunk can you confirm this? Anything special about your setup?

[eed3si9n]

In #4855 I added a task called allCredentials. If you run show allCredentials, does your credentials show up?

[sbrunk]

@francisdb I can confirm that downloading of a custom sbt plugin fails in the same way you've described above.

When adding the plugin manually to the coursier cache, downloading normal dependencies in the main build works fine in my case though.

show allCredentials shows credentials for our Nexus in the main build as well as in the meta build (reload plugins).

[francisdb]

Looks like downloading normal dependencies works now after clearing the cache rm -rf /~/.coursier/cache/v1/https/myuser%40my.nexus.server

So that indeed only leaves the downloading of custom sbt plugins failing on sbt startup, are the credentials registered at a later time?

[pmpfr]

Another datapoint for this under sbt1.3.0-RC3, though I think it merely confirms what has already been said here.

I have an addSbtPlugin(...) line in project/plugins.sbt which needs an authenticated resolver. Using ThisBuild / useCoursier := true in project/plugins.sbt (or just letting it default) I get an authentication error. But setting ThisBuild / useCoursier := false (i.e. reverting to ivy) it works fine. I have valid credentials := Seq(Credentials(...)) in project/plugins.sbt. The error happens just invoking interactive sbt in bash (i.e. no compile).

Removing the plugin directive allows it to continue (under useCoursier := true). Doing that and running show allCredentials does list the valid credentials, but I think that is "too late" in the process, so that may be a red herring.

[SethTisue]

should this be on the 1.3 milestone?

[eed3si9n]

@SethTisue I don't think it's a blocker to ship next RC4.

[francisdb]

Just a small remark, I guess this can be used for testing these issues: https://github.com/features/package-registry (free for now)

Also confirming that this is still broken in 1.3.0-RC4

[eed3si9n]

It would be an awesome contribution if you or someone else could come up with a public repro :)

[francisdb]

I'll have a look if I can come up with something but looks like I will have to wait for access

You’ve been added to the waitlist for the beta and will be notified when you've gained access`

[eed3si9n]

I've been testing sbt 1.3.0-RCs with Bintray's private repo that requires authentication, and it works fine, so maybe we need actual Nexus for testing.

[eed3si9n]

Created https://issues.sonatype.org/browse/OSSRH-50975.

[francisdb]

Setting up a Nexus with docker is quite trivial, might have a go at that

[francisdb]

I set up a nexus and a test project, see the instructions there

https://github.com/francisdb/sbt-plugin-test

---

something is fishy though, 1.3.0-RC4 complains about deprecated http repo but then continues even if it could not find the plugin causing it to fail later on when referencing the plugin

[info] Loading settings for project testproject-build from plugins.sbt ...
[warn] insecure HTTP request is deprecated 'http://167.71.68.47:8081/repository/maven-snapshots'; switch to HTTPS
[info] Loading project definition from xxx/sbt-plugin-test/testproject/project
xxx/sbt-plugin-test/testproject/build.sbt:9: error: not found: value HelloPlugin
  .enablePlugins(HelloPlugin)

moved this issue to #4984, somehow that issue was fixed by removing the target folder, now I see the unauthorized resolution failure on 1.3.0-RC4 (works correctly on 1.2.8)

[error] (update) sbt.librarymanagement.ResolveException: Error downloading com.example:sbt-plugin-test;sbtVersion=1.0;scalaVersion=2.12:0.1.0-SNAPSHOT
[error]   Not found
[error]   not found: https://repo1.maven.org/maven2/com/example/sbt-plugin-test_2.12_1.0/0.1.0-SNAPSHOT/sbt-plugin-test-0.1.0-SNAPSHOT.pom
[error]   not found: ~/.ivy2/local/com.example/sbt-plugin-test/scala_2.12/sbt_1.0/0.1.0-SNAPSHOT/ivys/ivy.xml
[error]   unauthorized: http://167.71.68.47:8081/repository/maven-snapshots/com/example/sbt-plugin-test_2.12_1.0/0.1.0-SNAPSHOT/sbt-plugin-test-0.1.0-SNAPSHOT.pom
...

[francisdb]

@eed3si9n have you been able to reproduce the issue using my private nexus mentioned above?

[eed3si9n]

Yes, I get the unauthorized. I am guessing this is an upstream Coursier issue? coursier/coursier#1319

[error]   unauthorized: http://167.71.68.47:8081/repository/maven-snapshots/com/example/sbt-plugin-test_2.12_1.0/0.1.0-SNAPSHOT/sbt-plugin-test-0.1.0-SNAPSHOT.pom

$ sbt
[info] Loading settings for project global-plugins from idea.sbt,vimquit.sbt,plugins.sbt,metals.sbt,pgp.sbt ...
[info] Loading global plugins from /Users/eed3si9n/.sbt/1.0/plugins
[info] Loading settings for project testproject-build from plugins.sbt ...
[warn] insecure HTTP request is deprecated 'http://167.71.68.47:8081/repository/maven-snapshots'; switch to HTTPS
[info] Loading project definition from /private/tmp/sbt-plugin-test/testproject/project
[info] Updating
[info] Resolved  dependencies
[warn]
[warn] 	Note: Some unresolved dependencies have extra attributes.  Check that these dependencies exist with the requested attributes.
[warn] 		com.example:sbt-plugin-test:0.1.0-SNAPSHOT (sbtVersion=1.0, scalaVersion=2.12)
[warn]
[warn] 	Note: Unresolved dependencies path:
[error] sbt.librarymanagement.ResolveException: Error downloading com.example:sbt-plugin-test;sbtVersion=1.0;scalaVersion=2.12:0.1.0-SNAPSHOT
[error]   Not found
[error]   Not found
[error]   not found: https://repo1.maven.org/maven2/com/example/sbt-plugin-test_2.12_1.0/0.1.0-SNAPSHOT/sbt-plugin-test-0.1.0-SNAPSHOT.pom
[error]   not found: /Users/eed3si9n/.ivy2/local/com.example/sbt-plugin-test/scala_2.12/sbt_1.0/0.1.0-SNAPSHOT/ivys/ivy.xml
[error]   unauthorized: http://167.71.68.47:8081/repository/maven-snapshots/com/example/sbt-plugin-test_2.12_1.0/0.1.0-SNAPSHOT/sbt-plugin-test-0.1.0-SNAPSHOT.pom
[error]   not found: https://repo.scala-sbt.org/scalasbt/sbt-plugin-releases/com.example/sbt-plugin-test/scala_2.12/sbt_1.0/0.1.0-SNAPSHOT/ivys/ivy.xml
[error]   not found: https://repo.typesafe.com/typesafe/ivy-releases/com.example/sbt-plugin-test/scala_2.12/sbt_1.0/0.1.0-SNAPSHOT/ivys/ivy.xml
[error] 	at lmcoursier.CoursierDependencyResolution.unresolvedWarningOrThrow(CoursierDependencyResolution.scala:245)
[error] 	at lmcoursier.CoursierDependencyResolution.$anonfun$update$34(CoursierDependencyResolution.scala:214)
[error] 	at scala.util.Either$LeftProjection.map(Either.scala:573)
[error] 	at lmcoursier.CoursierDependencyResolution.update(CoursierDependencyResolution.scala:214)
[error] 	at sbt.librarymanagement.DependencyResolution.update(DependencyResolution.scala:60)
[error] 	at sbt.internal.LibraryManagement$.resolve$1(LibraryManagement.scala:52)
[error] 	at sbt.internal.LibraryManagement$.$anonfun$cachedUpdate$12(LibraryManagement.scala:102)
[error] 	at sbt.util.Tracked$.$anonfun$lastOutput$1(Tracked.scala:69)
[error] 	at sbt.internal.LibraryManagement$.$anonfun$cachedUpdate$20(LibraryManagement.scala:115)
[error] 	at scala.util.control.Exception$Catch.apply(Exception.scala:228)
[error] 	at sbt.internal.LibraryManagement$.$anonfun$cachedUpdate$11(LibraryManagement.scala:115)
[error] 	at sbt.internal.LibraryManagement$.$anonfun$cachedUpdate$11$adapted(LibraryManagement.scala:96)
[error] 	at sbt.util.Tracked$.$anonfun$inputChanged$1(Tracked.scala:150)
[error] 	at sbt.internal.LibraryManagement$.cachedUpdate(LibraryManagement.scala:129)
[error] 	at sbt.Classpaths$.$anonfun$updateTask0$5(Defaults.scala:2877)
[error] 	at scala.Function1.$anonfun$compose$1(Function1.scala:49)
[error] 	at sbt.internal.util.$tilde$greater.$anonfun$$u2219$1(TypeFunctions.scala:62)
[error] 	at sbt.std.Transform$$anon$4.work(Transform.scala:67)
[error] 	at sbt.Execute.$anonfun$submit$2(Execute.scala:280)
[error] 	at sbt.internal.util.ErrorHandling$.wideConvert(ErrorHandling.scala:19)
[error] 	at sbt.Execute.work(Execute.scala:289)
[error] 	at sbt.Execute.$anonfun$submit$1(Execute.scala:280)
[error] 	at sbt.ConcurrentRestrictions$$anon$4.$anonfun$submitValid$1(ConcurrentRestrictions.scala:178)
[error] 	at sbt.CompletionService$$anon$2.call(CompletionService.scala:37)
[error] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[error] 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[error] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[error] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[error] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[error] 	at java.lang.Thread.run(Thread.java:748)
[error] (update) sbt.librarymanagement.ResolveException: Error downloading com.example:sbt-plugin-test;sbtVersion=1.0;scalaVersion=2.12:0.1.0-SNAPSHOT
[error]   Not found
[error]   Not found
[error]   not found: https://repo1.maven.org/maven2/com/example/sbt-plugin-test_2.12_1.0/0.1.0-SNAPSHOT/sbt-plugin-test-0.1.0-SNAPSHOT.pom
[error]   not found: /Users/eed3si9n/.ivy2/local/com.example/sbt-plugin-test/scala_2.12/sbt_1.0/0.1.0-SNAPSHOT/ivys/ivy.xml
[error]   unauthorized: http://167.71.68.47:8081/repository/maven-snapshots/com/example/sbt-plugin-test_2.12_1.0/0.1.0-SNAPSHOT/sbt-plugin-test-0.1.0-SNAPSHOT.pom
[error]   not found: https://repo.scala-sbt.org/scalasbt/sbt-plugin-releases/com.example/sbt-plugin-test/scala_2.12/sbt_1.0/0.1.0-SNAPSHOT/ivys/ivy.xml
[error]   not found: https://repo.typesafe.com/typesafe/ivy-releases/com.example/sbt-plugin-test/scala_2.12/sbt_1.0/0.1.0-SNAPSHOT/ivys/ivy.xml
Project loading failed: (r)etry, (q)uit, (l)ast, or (i)gnore?

[francisdb]

With 1.3.0-RC4 I only have this issue for plugins, normal project dependencies seem to download correctly. Might also add a test case for that on that project.

Seems like the above is not correct, I thought having seen that in previous testing though 😕

[francisdb]

Workaround

Add this in plugins.sbt (meta buid) and build.sbt

ThisBuild / useCoursier := false

[Krever]

Do we have any workaround that allows to keep using coursier? Like specifying credentials in some specific way?

[francisdb]

@Krever a pull request that fixes this on the coursier side has been submitted at so might be fixed soon in 1.3.1

[jsoref]

@Krever: If you have a proxy that sits in front of nexus and can have it rewrite the www-authenticate: BASIC realm="..." header, that should work as a workaround.

I don't have the energy to do that today. We're using nginx, so I think we could simply (conditional on the presence of a first header) add a second www-authenticate: Basic realm="Sonatype Nexus Repository Manager" -- the www-authenticate header is special in that one is allowed to send multiple independent challenges and clients are welcome to pick one they can answer.

[TimPigden]

I have the same issue using 1.3.3. I've reverted to 1.2.8 and problem has gone. Was it actually fixed?

[francisdb]

what exact issue do you have, for us all issues have been fixed in 1.3.1

[TimPigden]

Hi, I opened a new bug report for it with full description in #5200

[bomgar]

This doesn't work for me.

Does the setup require more than this?

credentials += Credentials("nexus private", "repository.test.org", "21re-reader", "*****")
resolvers += "nexus private" at "https://repository.test.org/repository/private"

I still get unauthorized: https://...

[francisdb]

@bomgar The credentials need the correct realm: Sonatype Nexus Repository Manager instead of the name you gave the resolver. Matching is done by that and the domain.

If I remember correctly sbt 1.3.3 gives a warning about this during the build.

[bomgar]

Thanks that works. Is this documented anywhere?

[francisdb]

Looks like indeed the docs are a bit lacking here
https://www.scala-sbt.org/1.x/docs/Publishing.html#Credentials
(also does not mention the option to use ~/.sbt/1.0/global.sbt)

https://stackoverflow.com/a/4351222/42198

[chibby0ne]

To generalize on what @francisdb mentioned about the credentials' realm for any other repository:
The correct realm is the HTTP WWW-Authenticate header's realm directive, which is returned by servers for HTTP Basic Authentication
For a given repository, this can be found using by reading all the headers received:

curl -D - REPOSITORY_URL

I hope this is added to the documentation page so that people don't have to scour the web searching for this closed issue to find the answer to this rather common situation.

[fernanluyano]

I'm having this issue still. Has it been fixed (private Artifactory)?