Add Repository Bearer Authentication

[valentijnscholten]

Description

Add Bearer authentication support for repositories.

Addressed Issue

Some repositories require authentication with a Bearer token, for example https://packages.shopware.com and other (private) packagist.com repositories.

Additional Details

FrontEnd PR will be done as soon as API PR is agreed.

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have added corresponding update logic
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

[valentijnscholten]

@nscure I didn't go the full monty to add another Enum to configure authentication type, but just implemented an if statement where a Bearer token gets priority over Basic auth. I could go even simpler and just instruct users to use the Password field for the bearer token and avoid having to add an extra column and remove the bearerToken field from the PR. Let me know what you think.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
Report missing for 19ca5541	✅ 100.00% (target: 70.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (19ca554)	Report Missing	Report Missing	Report Missing
Head commit (aa77e20)	24511	19939	81.35%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#4483)	3	3	100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

Footnotes

1. Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct. ↩

[nscuro]

I could go even simpler and just instruct users to use the Password field for the bearer token and avoid having to add an extra column and remove the bearerToken field from the PR.

That would be best for now IMO. I don't think having a column for each credential type makes a lot of sense. If we get more variety of credentials (e.g. API keys, certificates, OIDC) we'll need to re-think this anyway.

[valentijnscholten]

@nscuro changed the PR to do just that: send a Bearer token if username is null but password is populated.
There was test case for that scenario that expected a Basic Auth style header, but I don't think that's a valid scenario, basic auth with null username?

[valentijnscholten]

@AbdelHajou I can see a NuGetMetaAnalyzerTest that is asserting that a Basic Auth header is sent when the username is null but the password is present. Is this a valid use case for NuGet repositories?

https://github.com/DependencyTrack/dependency-track/blob/master/src/test/java/org/dependencytrack/tasks/repositories/NugetMetaAnalyzerTest.java#L164

Could only find documentation on how to authenticate but not what types/styles of authentication are supported: https://learn.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds

I don't think it is valid: https://stackoverflow.com/questions/49580896/http-authentication-without-username

EDIT: I have updated the test case to test for Bearer token instead of Basic Auth when username is null.

[valentijnscholten]

@nscuro What's the plan for this? I'm happy to resolve the conflicts, but would like to do it only once when a review/merge is near.

[nscuro]

Sorry this sat so long @valentijnscholten. Looks good to me, I'll resolve the conflicts and raise a cleaned up PR likely tomorrow.

[owasp-dt-bot]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[valentijnscholten]

Thanks @nscuro . I think you also need to merge DependencyTrack/frontend#1128 to make it usable from the frontend.

[valentijnscholten]

Thanks @nscuro . I think you also need to merge DependencyTrack/frontend#1128 to make it usable from the frontend.