fix: keep conan auth out of client and relax nuget idle timeout

Author: iseki0

module/conan/conan_cmd.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"github.com/murphysecurity/murphysec/errors"
 	"github.com/murphysecurity/murphysec/infra/logctx"
@@ -13,7 +12,6 @@ import (
 	"go.uber.org/zap"
 	"io"
 	"math/rand"
-	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -116,41 +114,30 @@ func ExecuteConanInfoCmd(ctx context.Context, cmdInfo *CmdInfo, dir string) (str
 	}
 	jsonP := getConanInfoJsonPath()
 	major := ConanMajorVersion(cmdInfo.Version)
-	remoteCreds, credErr := getConanRemoteCredentialsFromConfig(major)
-	if credErr != nil {
-		logger.Warn("Conan remote credential precheck failed when reading config", zap.Error(credErr))
-	}
 	logger.Sugar().Infof("Conan detected: path=%s version=%s major=%d", cmdInfo.Path, cmdInfo.Version, major)
 	logger.Sugar().Infof("Conan verbose mode: -v %s", conanVerboseArg)
 	logConanRemoteConfigPaths(logger, major)
-	loginWarnings := ensureConanRemoteLogin(ctx, cmdInfo.Path, major, remoteCreds)
 	logger.Sugar().Debugf("temp file: %s", jsonP)
 	if major >= 2 {
-		if e := ensureConan2DefaultProfile(ctx, cmdInfo.Path, major, remoteCreds); e != nil {
+		if e := ensureConan2DefaultProfile(ctx, cmdInfo.Path); e != nil {
 			return "", "", e
 		}
 		logger.Info("Conan mode selected: graph")
-		if e := executeConanGraphInfoCmd(ctx, cmdInfo.Path, dir, jsonP, major, remoteCreds); e != nil {
-			if len(loginWarnings) > 0 {
-				return "", "", fmt.Errorf("%w; login warnings: %s", e, strings.Join(loginWarnings, " | "))
-			}
+		if e := executeConanGraphInfoCmd(ctx, cmdInfo.Path, dir, jsonP); e != nil {
 			return "", "", e
 		}
 		logger.Info("Conan command completed with graph mode")
 		return jsonP, ConanJsonKindGraph, nil
 	}
 	logger.Info("Conan mode selected: info")
-	if e := executeConanInfoCmd(ctx, cmdInfo.Path, dir, jsonP, major, remoteCreds); e != nil {
-		if len(loginWarnings) > 0 {
-			return "", "", fmt.Errorf("%w; login warnings: %s", e, strings.Join(loginWarnings, " | "))
-		}
+	if e := executeConanInfoCmd(ctx, cmdInfo.Path, dir, jsonP); e != nil {
 		return "", "", e
 	}
 	logger.Info("Conan command completed with info mode")
 	return jsonP, ConanJsonKindInfo, nil
 }
 
-func ensureConan2DefaultProfile(ctx context.Context, conanPath string, major int, remoteCreds []conanRemoteCredential) error {
+func ensureConan2DefaultProfile(ctx context.Context, conanPath string) error {
 	logger := logctx.Use(ctx)
 	home, err := os.UserHomeDir()
 	if err != nil || home == "" {
@@ -166,10 +153,10 @@ func ensureConan2DefaultProfile(ctx context.Context, conanPath string, major int
 	}
 
 	logger.Sugar().Infof("Conan default profile missing: %s, running detect", profilePath)
-	args := conanArgs(major, "profile", "detect", "--force")
+	args := conanArgs("profile", "detect", "--force")
 	c := exec.CommandContext(ctx, conanPath, args...)
 	logger.Sugar().Infof("Command: %s", c.String())
-	c.Env = getEnvForConan(major, remoteCreds)
+	c.Env = getEnvForConan()
 	start := time.Now()
 	sb := suffixbuf.NewSize(1024)
 	logPipe := logpipe.New(logger, "conan")
@@ -189,12 +176,12 @@ func ensureConan2DefaultProfile(ctx context.Context, conanPath string, major int
 	return nil
 }
 
-func executeConanInfoCmd(ctx context.Context, conanPath string, dir string, jsonP string, major int, remoteCreds []conanRemoteCredential) error {
+func executeConanInfoCmd(ctx context.Context, conanPath string, dir string, jsonP string) error {
 	logger := logctx.Use(ctx)
-	args := conanArgs(major, "info", ".", "-j", jsonP)
+	args := conanArgs("info", ".", "-j", jsonP)
 	c := exec.Command(conanPath, args...)
 	logger.Sugar().Infof("Command: %s", c.String())
-	c.Env = getEnvForConan(major, remoteCreds)
+	c.Env = getEnvForConan()
 	c.Dir = dir
 	start := time.Now()
 	sb := suffixbuf.NewSize(1024)
@@ -210,12 +197,12 @@ func executeConanInfoCmd(ctx context.Context, conanPath string, dir string, json
 	return nil
 }
 
-func executeConanGraphInfoCmd(ctx context.Context, conanPath string, dir string, jsonP string, major int, remoteCreds []conanRemoteCredential) error {
+func executeConanGraphInfoCmd(ctx context.Context, conanPath string, dir string, jsonP string) error {
 	logger := logctx.Use(ctx)
-	args := conanArgs(major, "graph", "info", ".", "--format=json")
+	args := conanArgs("graph", "info", ".", "--format=json")
 	c := exec.Command(conanPath, args...)
 	logger.Sugar().Infof("Command: %s", c.String())
-	c.Env = getEnvForConan(major, remoteCreds)
+	c.Env = getEnvForConan()
 	c.Dir = dir
 	start := time.Now()
 	sb := suffixbuf.NewSize(1024)
@@ -235,105 +222,7 @@ func executeConanGraphInfoCmd(ctx context.Context, conanPath string, dir string,
 	return nil
 }
 
-type conanRemoteCredential struct {
-	Name     string
-	Username string
-	Password string
-}
-
-func ensureConanRemoteLogin(ctx context.Context, conanPath string, major int, creds []conanRemoteCredential) []string {
-	warnings := make([]string, 0)
-	if major < 2 {
-		return warnings
-	}
-	logger := logctx.Use(ctx)
-	if len(creds) == 0 {
-		logger.Info("Conan remote login skipped: no credentials found in remote URLs")
-		return warnings
-	}
-	for _, cred := range creds {
-		args := conanArgs(major, "remote", "auth", cred.Name, "--force")
-		c := exec.CommandContext(ctx, conanPath, args...)
-		c.Env = getEnvForConan(major, []conanRemoteCredential{cred})
-		sb := suffixbuf.NewSize(1024)
-		logPipe := logpipe.New(logger, "conan")
-		logger.Sugar().Infof("Command: %s remote auth %s --force (credentials from env)", conanPath, cred.Name)
-		c.Stdout = io.MultiWriter(sb, logPipe)
-		c.Stderr = io.MultiWriter(sb, logPipe)
-		if runErr := c.Run(); runErr != nil {
-			logPipe.Close()
-			msg := fmt.Sprintf("conan remote auth failed for %s(user=%s): %v, details: %s", cred.Name, cred.Username, runErr, strings.TrimSpace(string(sb.Bytes())))
-			logger.Warn(msg)
-			warnings = append(warnings, msg)
-			continue
-		}
-		logPipe.Close()
-		logger.Sugar().Infof("Conan remote auth completed: remote=%s user=%s", cred.Name, cred.Username)
-	}
-	return warnings
-}
-
-type conanRemotesFile struct {
-	Remotes []struct {
-		Name string `json:"name"`
-		URL  string `json:"url"`
-	} `json:"remotes"`
-}
-
-func getConanRemoteCredentialsFromConfig(major int) ([]conanRemoteCredential, error) {
-	path, err := conanRemotesConfigPath(major)
-	if err != nil {
-		return nil, err
-	}
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-	var cfg conanRemotesFile
-	if err = json.Unmarshal(data, &cfg); err != nil {
-		return nil, fmt.Errorf("parse remotes config failed: %w", err)
-	}
-	rs := make([]conanRemoteCredential, 0)
-	seen := make(map[string]struct{})
-	for _, remote := range cfg.Remotes {
-		u, parseErr := url.Parse(strings.TrimSpace(remote.URL))
-		if parseErr != nil || u.User == nil {
-			continue
-		}
-		username := u.User.Username()
-		password, ok := u.User.Password()
-		if username == "" || !ok || password == "" {
-			continue
-		}
-		key := remote.Name + "|" + username
-		if _, exists := seen[key]; exists {
-			continue
-		}
-		seen[key] = struct{}{}
-		rs = append(rs, conanRemoteCredential{
-			Name:     remote.Name,
-			Username: username,
-			Password: password,
-		})
-	}
-	return rs, nil
-}
-
-func conanRemotesConfigPath(major int) (string, error) {
-	home, err := os.UserHomeDir()
-	if err != nil || home == "" {
-		return "", fmt.Errorf("cannot determine user home: %w", err)
-	}
-	if major >= 2 {
-		return filepath.Join(home, ".conan2", "remotes.json"), nil
-	}
-	return filepath.Join(home, ".conan", "remotes.json"), nil
-}
-
-func conanArgs(major int, args ...string) []string {
-	if major >= 2 {
-		args = append(args, "-cc", "core:non_interactive=True")
-	}
+func conanArgs(args ...string) []string {
 	return append(args, "-v", conanVerboseArg)
 }
 
@@ -351,7 +240,7 @@ func LocateConan(ctx context.Context) (string, error) {
 
 func GetConanVersion(ctx context.Context, conanPath string) (string, error) {
 	c := exec.CommandContext(ctx, conanPath, "-v")
-	c.Env = getBaseEnvForConan()
+	c.Env = getEnvForConan()
 	if data, e := c.Output(); e != nil {
 		return "", errors.WithCause(ErrGetConanVersionFail, e)
 	} else {
@@ -369,46 +258,9 @@ func ConanMajorVersion(version string) int {
 	return v
 }
 
-func getBaseEnvForConan() []string {
+func getEnvForConan() []string {
 	osEnv := os.Environ()
 	var rs = make([]string, 0, len(osEnv)+3)
 	rs = append(rs, osEnv...)
 	return append(rs, "CONAN_NON_INTERACTIVE=1", "NO_COLOR=1", "CLICOLOR=0")
 }
-
-func getEnvForConan(major int, remoteCreds []conanRemoteCredential) []string {
-	rs := getBaseEnvForConan()
-	if major < 1 || len(remoteCreds) == 0 {
-		return rs
-	}
-	for _, cred := range remoteCreds {
-		suffix := conanRemoteEnvVarSuffix(cred.Name)
-		if suffix == "" || cred.Username == "" || cred.Password == "" {
-			continue
-		}
-		rs = append(rs,
-			fmt.Sprintf("CONAN_LOGIN_USERNAME_%s=%s", suffix, cred.Username),
-			fmt.Sprintf("CONAN_PASSWORD_%s=%s", suffix, cred.Password),
-		)
-	}
-	return rs
-}
-
-func conanRemoteEnvVarSuffix(remoteName string) string {
-	remoteName = strings.TrimSpace(remoteName)
-	if remoteName == "" {
-		return ""
-	}
-	var b strings.Builder
-	for _, r := range remoteName {
-		switch {
-		case r >= 'a' && r <= 'z':
-			b.WriteRune(r - ('a' - 'A'))
-		case (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9'):
-			b.WriteRune(r)
-		default:
-			b.WriteRune('_')
-		}
-	}
-	return b.String()
-}

module/conan/conan_cmd_test.go

@@ -5,7 +5,6 @@ import (
 	"github.com/murphysecurity/murphysec/utils/must"
 	"github.com/pkg/errors"
 	"os/exec"
-	"strings"
 	"testing"
 )
 
@@ -17,40 +16,3 @@ func TestGetConanVersion(t *testing.T) {
 	}
 	t.Log(GetConanVersion(context.TODO(), must.A(LocateConan(context.TODO()))))
 }
-
-func TestConanArgsV1DoesNotForceCoreNonInteractive(t *testing.T) {
-	args := conanArgs(1, "info", ".")
-	got := strings.Join(args, " ")
-	if strings.Contains(got, "core:non_interactive=True") {
-		t.Fatalf("unexpected v1 core:non_interactive flag in args: %v", args)
-	}
-}
-
-func TestConanArgsV2ForcesCoreNonInteractive(t *testing.T) {
-	args := conanArgs(2, "graph", "info", ".")
-	got := strings.Join(args, " ")
-	if !strings.Contains(got, "core:non_interactive=True") {
-		t.Fatalf("missing v2 core:non_interactive flag in args: %v", args)
-	}
-}
-
-func TestConanRemoteEnvVarSuffix(t *testing.T) {
-	if got := conanRemoteEnvVarSuffix("conan-center.prod"); got != "CONAN_CENTER_PROD" {
-		t.Fatalf("unexpected env suffix: %q", got)
-	}
-}
-
-func TestGetEnvForConanAddsRemoteCredentialEnv(t *testing.T) {
-	env := getEnvForConan(2, []conanRemoteCredential{{
-		Name:     "conan-center",
-		Username: "alice",
-		Password: "secret",
-	}})
-	joined := strings.Join(env, "\n")
-	if !strings.Contains(joined, "CONAN_LOGIN_USERNAME_CONAN_CENTER=alice") {
-		t.Fatalf("missing username env, env=%v", env)
-	}
-	if !strings.Contains(joined, "CONAN_PASSWORD_CONAN_CENTER=secret") {
-		t.Fatalf("missing password env, env=%v", env)
-	}
-}

module/nuget/nuget_cmd_build.go

@@ -37,7 +37,7 @@ var _ErrDotnetNotFound = errors.New("dotnet not found")
 
 const (
 	nugetBuildMaxTimeout    = 6 * time.Hour
-	nugetCommandIdleTimeout = 30 * time.Second
+	nugetCommandIdleTimeout = 60 * time.Second
 	nugetPreflightTimeout   = 8 * time.Second
 	nugetRestoreBinlogDir   = ".murphysec"
 	nugetTmpBinlogDir       = "murphysec-nuget-binlogs"