pip install for an anonymous user asks for credentials when the artifact is blocked for download by Xray due to the option of Block unscanned artifact. The response should be that pip install should receive a 403 error. Steps to reproduce
1. Configure pip to resolve from Artifactory, added the following in pip.conf
[global]
index-url = http://RESTRICTED_IP:8081/artifactory/api/pypi/pypi/simple
2. Checked "Allow Anonymous Access" in Artifactory-> Security configuration
3. Configure a watch with the pypi-remote repository as a resource. Add a policy to it with the rule and enable "Block download" and "Block unscanned artifacts" in it.
4. Perform a pip install and it asks for the user details as shown below :
pip install r53 --trusted-host RESTRICTED_IP
Looking in indexes: http://RESTRICTED_IP:8081/artifactory/api/pypi/pypi/simple
Collecting r53
User for RESTRICTED_IP:8081:
5. On adding the credentials I get the 403 error as shown below :
ERROR: HTTP error 403 while getting http://RESTRICTED_IP:8081/artifactory/api/pypi/pypi/packages/packages/f9/6c/ef08eaff88d31aa47280032ace3932d1f99be980792afff34898c033eb91/r53-0.4.tar.gz#sha256=d3145407f03c4b9a6c5e7906765e94712325d37254453bb971985b41854a704a (from http://RESTRICTED_IP:8081/artifactory/api/pypi/pypi/simple/r53/)
The behavior should be that this 403 error should be shown on pip install and there should not be a prompt to add user credentials
This should give a 403 error.
- duplicates
-
RTFACT-17708 Artifactory returns 401 unauthorized message instead of 403 when artifact is being blocked by Xray
- Done