UpdateMavenWrapper does not work when the distributionUrl requires credentials #5046

Open
tylervangorder-8451 opened this issue Feb 15, 2025 · 3 comments
Labels
bug Something isn't working

tylervangorder-8451 commented Feb 15, 2025

What version of OpenRewrite are you using?

I am using

  • OpenRewrite v8.44.1
  • Maven Plugin 6.0.5

How are you running OpenRewrite?

Running maven plugin on a single pom.xml project.

The issue

We are attempting to use the UpdateMavenWrapper recipe to add/update the maven wrapper and specifying the following:

```yaml
type: specs.openrewrite.org/v1beta/recipe
name: com.recipe.name.Here
displayName: Add or Update Maven Wrapper
description: Add or update the Maven Wrapper for a project.
recipeList:
  - org.openrewrite.maven.UpdateMavenWrapper:
      wrapperDistribution: only-script
      wrapperVersion: 3.3.1
      addIfMissing: true
      distributionVersion: 3.9.x
      repositoryUrl: "https://company-hosted-artifactory-url"
```

We do not allow any downloads from Maven central and use an Artifactory mirror.

The problem with this recipe is that it is creating a Remote source file using repositoryUrl but has no knowledge of the credentials and fails here:

https://github.com/openrewrite/rewrite/blob/main/rewrite-maven/src/main/java/org/openrewrite/maven/utilities/MavenWrapper.java#L134-L135

This recipe really needs to be Maven Settings-aware (and probably should be using the MavenArtifactDownloader to download the distribution)

tylervangorder-8451 added the bug label Feb 15, 2025

shanman190 (Contributor) commented
Welcome back @tylervangorder-8451! 👋

Just to note, the download itself happens later when the org.openrewrite.remote.Remote#getInputStream is called (https://github.com/openrewrite/rewrite/blob/main/rewrite-core%2Fsrc%2Fmain%2Fjava%2Forg%2Fopenrewrite%2Fremote%2FRemote.java#L65-L70). Within those implemented methods, it's using an HttpSender to perform the presently unauthenticated request.

It seems like the Maven wrapper itself only supports basic authentication for pulling a distribution, so I'm assuming that if a wrapper were to have been installed into a repository, then you're configuring basic authentication to then pull the distribution as described here?

The UpdateMavenWrapper could definitely do with being updated to handle an authenticated source for the wrapper itself, but that does still leave you as a user needing to configure authentication for the distribution download. Just trying to think about how best to provide the initial authentication credentials. As you mentioned, one possible option would be to grab the Maven settings and then pull the credentials from those, assuming that they were present. This could be a little more complicated to achieve in some execution scenarios though.

NOTE: the same issue is present for the UpdateGradleWrapper.

timtebeek moved this to Backlog in OpenRewrite Feb 15, 2025

tylervangorder-8451 (Author) commented Feb 17, 2025

Hi @shanman190,

Sorry, I forgot to add context:

The stacktrace:

```
Caused by: java.lang.IllegalStateException: Failed to download https://redacted/org/apache/maven/wrapper/maven-wrapper/3.3.1/maven-wrapper-3.3.1.jar to artifact cache
    at org.openrewrite.remote.RemoteFile.getInputStream (RemoteFile.java:80)
    at org.openrewrite.Checksum.checksum (Checksum.java:105)
    at org.openrewrite.Checksum.sha256 (Checksum.java:93)
    at org.openrewrite.maven.utilities.MavenWrapper.create (MavenWrapper.java:134)
    at org.openrewrite.maven.UpdateMavenWrapper.getMavenWrapper (UpdateMavenWrapper.java:146)
    at org.openrewrite.maven.UpdateMavenWrapper.generate (UpdateMavenWrapper.java:283)
    at org.openrewrite.maven.UpdateMavenWrapper.generate (UpdateMavenWrapper.java:56)
    at org.openrewrite.ScanningRecipe.generate (ScanningRecipe.java:72)
    at org.openrewrite.scheduling.RecipeRunCycle.lambda$generateSources$5 (RecipeRunCycle.java:134)
    at org.openrewrite.scheduling.RecipeStack.reduce (RecipeStack.java:57)
```

  • The checksum method is calling the getInputStream
  • Yes, authentication is using basic auth. Downloading the wrapper via mvn wrapper:wrapper does work if we set the credentials via the two environment variables MVNW_USERNAME and MVNW_PASSWORD.

These are the same credentials we use in our ~/.m2/settings.xml file:

```xml
<settings>
  <mirrors>
    <mirror>
      <mirrorOf>*</mirrorOf>
      <url>https://some.repo.url.here</url>
      <id>mirror</id>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <username>${env.MVNW_USERNAME}</username>
      <password>${env.MVNW_PASSWORD}</password>
      <id>mirror</id>
    </server>
  </servers>
</settings>
```

And, in fact, the Maven pom downloader is working when using version selectors to download the pom.xml files for the wrapper to pick up the correct, latest version.

As a user, it is a reasonable expectation for this to also work when downloading the actual wrapper when the repositoryUrl is specified and requires authentication.

That is why I was suggesting that the MavenArtifactDownloader could be used because it is settings.xml aware.

shanman190 (Contributor) commented Feb 19, 2025

So I've been thinking about this a little bit. I think unfortunately that utilizing MavenArtifactDownloader directly would essentially require recreating the Remote LST elements in rewrite-maven, so I think we're going to need to make Remote credential-aware, then update the UpdateMavenWrapper recipe to pass the credentials down to the generated Remote instance. This way the HttpSender can send the necessary Authorization header to make the authenticated request.
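
The credential lookup discussed in this thread (a mirror id matched to a server id in settings.xml, `${env.…}` placeholders resolved, the result sent as a Basic Authorization header), shown as an added example that is not OpenRewrite code and not written by either commenter. It uses only JDK classes; the class and method names, host names and credentials are hypothetical or constructed, and the HTTPS-only and same-host checks are assumptions added here (mirrorOf patterns and ports are ignored).

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SettingsBasicAuth { // hypothetical name, not an OpenRewrite class
    // Resolve ${env.NAME} placeholders; quoteReplacement keeps '$' and '\' in secrets literal.
    static String interpolate(String value, Map<String, String> env) {
        Matcher m = Pattern.compile("\\$\\{env\\.(\\w+)\\}").matcher(value);
        return m.replaceAll(r -> Matcher.quoteReplacement(env.getOrDefault(r.group(1), "")));
    }
    static String child(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }
    // Authorization header value for repositoryUrl, or empty when nothing should be sent.
    static Optional<String> basicAuthFor(String settingsXml, String repositoryUrl, Map<String, String> env) throws Exception {
        URI repo = URI.create(repositoryUrl);
        if (!"https".equalsIgnoreCase(repo.getScheme()) || repo.getHost() == null) return Optional.empty(); // assumed safeguard: no Basic auth over plain HTTP
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs (XXE)
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(settingsXml.getBytes(StandardCharsets.UTF_8)));
        NodeList mirrors = doc.getElementsByTagName("mirror"), servers = doc.getElementsByTagName("server");
        for (int i = 0; i < mirrors.getLength(); i++) {
            Element mirror = (Element) mirrors.item(i);
            if (!repo.getHost().equalsIgnoreCase(URI.create(child(mirror, "url")).getHost())) continue; // assumed safeguard: credentials only go to the mirror's own host
            for (int j = 0; j < servers.getLength(); j++) {
                Element server = (Element) servers.item(j);
                if (!child(server, "id").equals(child(mirror, "id"))) continue;
                String user = interpolate(child(server, "username"), env);
                String pass = interpolate(child(server, "password"), env);
                if (user.isEmpty() || pass.isEmpty()) return Optional.empty(); // unset variable: send nothing
                byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
                return Optional.of("Basic " + Base64.getEncoder().encodeToString(raw));
            }
        }
        return Optional.empty();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample with the shape of the settings.xml quoted in the thread.
        String xml = "<settings><mirrors><mirror><url>https://repo.example.test/m2</url><id>mirror</id></mirror></mirrors>"
                + "<servers><server><username>${env.MVNW_USERNAME}</username><password>${env.MVNW_PASSWORD}</password><id>mirror</id></server></servers></settings>";
        Map<String, String> env = Map.of("MVNW_USERNAME", "ci-user", "MVNW_PASSWORD", "constructed$ecret");
        for (String url : List.of("https://repo.example.test/m2", "http://repo.example.test/m2", "https://other.example.test/m2"))
            System.out.println(url + " -> header sent: " + basicAuthFor(xml, url, env).isPresent());
    }
}
```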
