Deploy mojo should use maven's encrypted password functionality

[paulprogrammer]

The maven's configuration allows for servers to include encrypted passwords as part of the config.

http://maven.apache.org/settings.html#Servers

We should update the plugin to read the encrypted profile data, to adhere to PCI and HIPAA rules, as well as just good operational practice.

[paulprogrammer]

See the following snippets of a deployer mojo that uses this functionality:

https://github.com/mojohaus/sql-maven-plugin/blob/447cacdcedfb8334f5ed287cba8b9ecd8f22872b/src/main/java/org/codehaus/mojo/sql/SqlExecMojo.java#L119

https://github.com/mojohaus/sql-maven-plugin/blob/447cacdcedfb8334f5ed287cba8b9ecd8f22872b/src/main/java/org/codehaus/mojo/sql/SqlExecMojo.java#L878

[ssvaidyanathan]

Hi @paulprogrammer
You can still do it using profiles within your settings.xml. Thats how I have been using.

In your project's pom.xml, say you have the following profile:

<profile>
    <id>test</id>
    <properties>
    <apigee.profile>test</apigee.profile>
    <apigee.env>test</apigee.env>
    <apigee.hosturl>https://api.enterprise.apigee.com</apigee.hosturl>
    <apigee.apiversion>v1</apigee.apiversion>
    <apigee.org>${org}</apigee.org>
    <apigee.username>${username}</apigee.username>
    <apigee.password>${password}</apigee.password>
    <apigee.options>update</apigee.options>
    <api.northbound.domain>${org}-test.apigee.net</api.northbound.domain>
    <api.testtag>~@wip</api.testtag>
   </properties>
 </profile>

You can include a settings.xml in your ~/.m2 directory and externalize all of these params so that you dont have to pass them

For example:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                      https://maven.apache.org/xsd/settings-1.0.0.xsd">
 
    <profiles>
       <profile>
            <id>test</id>
            <properties>
                <org>apigeeOrg</org>
                <username>test@test.com</username>
                <password>secret</password>
                <env>test</env>
            </properties>
        </profile> 
    </profiles>
    <activeProfiles>
        <activeProfile>test</activeProfile>
    </activeProfiles>

</settings>

Once you have this, you can just execute mvn clean install -Ptest . The properties are automatically picked from settings.xml and applied

Or else you can use OAuth tokens where these passwords are not needed to be passed

[ssvaidyanathan]

@paulprogrammer - will the above comment help or are you looking for anything in particular ? IF not, please close this issue

[paulprogrammer]

Sai, This helps, but it still requires the usernames and secrets are kept in cleartext on the developer's machine. Maven has a feature for encrypted passwords <https://maven.apache.org/guides/mini/guide-encryption.html> that would be a more complete solution to the problem. Paul Williams williamspaul@google.com Partner Certification and Enablement Google Cloud API Platform (Apigee) +1 408 805-9008 Learn why Telenor chose Apigee <https://www.youtube.com/watch?v=dcf_L1sEBAg&list=PLIXjuPlujxxyP30KyULXqEDutUCEaxLli&index=14> Check out how West Corp. views APIs as SKUs <https://www.youtube.com/watch?v=edf0y-a4FOo&index=8&list=PLIXjuPlujxxyP30KyULXqEDutUCEaxLli>

…

On Mon, Oct 8, 2018 at 7:53 PM Sai Saran Vaidyanathan < ***@***.***> wrote: @paulprogrammer <https://github.com/paulprogrammer> - will the above comment help or are you looking for anything in particular ? IF not, please close this issue — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#77 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD2uITDwnZLPMHTOA0oWoWSFFKXOpSeCks5ujAGUgaJpZM4PDNX0> .