ТЕМА: West Jordan : azure devops visual studio - Eduard Kabrinskiy

West Jordan : azure devops visual studio - Eduard Kabrinskiy 2 років 10 місяців тому #30262

Кабринский Эдуард - Teamcity azure devops - Kabrinskiy Eduard


<h1>Teamcity azure devops</h1>
<p>[youtube]</p>
Teamcity azure devops <a href="remmont.com">Current news update</a> Teamcity azure devops
<h1>Consume Azure DevOps feed in TeamCity</h1>
<p><strong>Azure DevOps has an integrated feed management you can use for nuget, npm, etc; the feed is private and only authorized users can download / upload packages.</strong> Today I had a little problem setting up a build in Team City that uses a feed in Azure Devops, because it failed with 201 (unauthorized)</p>
<blockquote><p>The problem with Azure DevOps NuGet feeds, is how to authenticate other toolchain or build server.</p></blockquote>
<p>This project still have some old build in TeamCity, but when it starts consuming packages published in Azure Devops, TeamCity builds start failing due 401 (unauthorized) error. The question is: How can I consume an Azure DevOps nuget feed from agent or tools that are not related to Azure Devops site itself?</p>
<p>I must admit that this information is scattered in various resources and Azure DevOps, simply tells you to add a nuget.config in your project and you are ready to go, but this is true only if we are using Visual Studio connected to the account.</p>
<p style="clear: both"><img src="www.codewrecks.com/blog/wp-content/uploa...12/image_thumb-1.png" /></p>
<p><strong>Figure 1:</strong> <em>Standard configuration for nuget config to point to the new feed</em></p>
<p><strong>Basic documentation forget to mention authentication, except from Get The Tool instruction, where you are suggested to download the Credential Provider if you do not have Visual Studio</strong>.</p>
<p style="clear: both"><img src="www.codewrecks.com/blog/wp-content/uploa...12/image_thumb-2.png" /></p>
<p><strong>Figure 2:</strong> <em>Instruction to get NuGet and Credential Provider</em></p>
<p>Credential provider is useful, but is really not the solution, because I want a more Nuget Friendly solution, the goal is: when the agent in TeamCity is issuing a Nuget restore, it should just work.</p>
<p><strong>A better alternative is to use standard NuGet authentication mechanism, where you simply add a source with both user and password.</strong> Lets start from the basic, if I use NuGet command line to list packages for my private source I got prompted for a user.</p>
<p style="clear: both"><img src="www.codewrecks.com/blog/wp-content/uploa...12/image_thumb-3.png" /></p>
<p><strong>Figure 3:</strong> <em>NuGet asking for credential to access a feed</em></p>
<p>Now, as for everything that involves Azure DevOps, when you are asked for credential, <strong>you can use anything for the username and provide an Access Token as a password.</strong></p>
<p style="clear: both"><img src="www.codewrecks.com/blog/wp-content/uploa...12/image_thumb-4.png" /></p>
<p><strong>Figure 4:</strong> <em>Specifying anything for user and my accesstoken I can read the feed.</em></p>
<p>This the easiest and more secure way to login in Azure DevOps with command line tools, especially because to access the feed I’ve generated a token that have a really reduced permission.</p>
<p style="clear: both"><img src="www.codewrecks.com/blog/wp-content/uploa...TML2160fc9_thumb.png" /></p>
<p><strong>Figure 5:</strong> <em>Access token with only packaging read permission</em></p>
<p><strong>As you can see in Figure 5, I created a token that has only read access to packaging, if someone stoles it, he/she can only access packages and nothing more.</strong></p>
<p>Now the question is: how can I made TeamCity agent to use that token? Actually TeamCity has some special section where you can specify username and password, or where you can add external feed, but I want a general way to solve for every external tool, not only for Team City. It is time to understand how nuget configuration is done.</p>
<blockquote><p>Nuget can be configured with nuget.config files placed in some special directories, to specify configuration for current user or for the entire computer</p></blockquote>
<p>Standard Microsoft documentation states we <strong>can have three levels of nuget.config for a solution</strong>, one file located in the same directory as solution file, then another one with user scope and is located at %appdata%/Nuget/nuget.config, finally we can have settings for all operation for entire computer in %programfiles(x86)%/nuget/config/nuget.config.</p>
<p><strong>You need to know also,</strong> <strong>from the standard nuget.config reference documentation</strong><strong>, that you can add credentials directly into nuget.config file</strong>, because you can specify username and password for each package source. Now I can place, for each computer with an active TeamCity agent, a nuget.config at computer level to specify credential for my private package and the game is done. I created just a file and uploaded in all Team City computers with agents.</p>
<p><strong>The real problem with this approach is that the token is included in clear form in config.file located in c:\program files (x86)/nuget/config.</strong></p>
<p>At this point you can hit this issue github.com/NuGet/Home/issues/3245 if you include clear text password in nuget.config password field, you will get a strange “The parameter is incorrect” error, because clear text password should be specified in ClearTextPassword parameter. After all, who write a clear text password in an file?</p>
<p>This leads to the final and most secure solution, in your computer, download latest nuget version in a folder, then issue this command</p>
<p>This command will add, for current user, a feed named proximo, that points to the correct source with username and password. After you added the source, you can simply go to %appdata%/nuget/ folder and open the nuget.config file.</p>
<p style="clear: both"><img src="www.codewrecks.com/blog/wp-content/uploa...12/image_thumb-6.png" /></p>
<p><strong>Figure 6:</strong> <em>Encrypted credentials stored inside nuget.config file.</em></p>
<p>As you can see, in your user configuration nuget.exe stored an encrypted version of your token, <strong>if you issue again a nuget list –source xxxxx you can verify that nuget is able to automatically log without any problem because it is using credentials in config file.</strong></p>
<p>The real problem of this approach is that <strong>credentials are encrypted only for the machine and the user that issued the command, you cannot reuse in different machine or in the same machine with a different user.</strong></p>
<blockquote><p><strong>Nuget password encryption cannot be shared between different users or different computers, making it works only for current user in current computer.</strong></p></blockquote>
<p style="clear: both"><img src="www.codewrecks.com/blog/wp-content/uploa...12/image_thumb-7.png" /></p>
<p><strong>Figure 7:</strong> <em>Include clear text password in machine nuget.config to made every user being able to access that specific feed</em></p>
<p>To conclude you have two options: you can generate a token and include in clear text in nuget.config and copy it to all of your TeamCity build servers. If you do not like clear text tokens <strong>in files, have the agent runs under a specific build user , login in agent machine with that specific build user and issue nuged add to have token being encrypted for that user.</strong></p>
<p>In both cases you need to renew the configuration each year (token last for at maximum one year). (You can automate this process with a special build that calls nuget sources add).</p>
<h2>Published by</h2>
<h3>Ricci Gian Maria</h3>
<p>.Net programmer, User group and community enthusiast, programmer - aspiring architect - and guitar player :). Visual Studio ALM MVP View all posts by Ricci Gian Maria </p>
<h2>Teamcity azure devops</h2>

<h3>Teamcity azure devops</h3>
<p>[youtube]</p>
Teamcity azure devops <a href="remmont.com">Latest news</a> Teamcity azure devops
<h4>Teamcity azure devops</h4>
Consume Azure DevOps feed in TeamCity Azure DevOps has an integrated feed management you can use for nuget, npm, etc; the feed is private and only authorized users can download / upload
<h5>Teamcity azure devops</h5>
Teamcity azure devops <a href="remmont.com">Teamcity azure devops</a> Teamcity azure devops
SOURCE: <h6>Teamcity azure devops</h6> <a href="dev-ops.engineer/">Teamcity azure devops</a> Teamcity azure devops
#tags#[replace: -,-Teamcity azure devops] Teamcity azure devops#tags#

Эдуард Кабринский
breaking news today
  • GEORGIADal
  • GEORGIADal аватар
  • Немає на сайті
  • Платиновий учасник
  • Дописи: 1059
  • Репутація: -1
Адміністратор заборонив доступ на запис.
Час відкриття сторінки: 0.046 секунд