Artifactory

Banno hosts a JFrog Artifactory instance at Banno Artifactory.

Artifactory is used for all types of artifact storage: Java JARs used by Scala and Android builds, Docker images, NPM JS modules, Android APKs, iOS Bundles, and any sort of generic artifact that needs to be released and distributed. We also use Artifactory for proxying external dependencies, e.g. Maven Central and Docker Hub. Proxying external repositories allows for reproducibility and inventory tracking.

We also integrate Banno Artifactory with Xray, which can scan artifacts as they are published and proxied. This Xray instance is accessible at Banno Xray. The scan looks for vulnerable versions of libraries and dependencies that have published CVEs or security advisories. After the initial scan, Xray continually receives updated security advisories and alerts on affected artifacts it already knows about.

Setup

First Time Logging In

Visitors to https://artifactory.banno-tools.com will be automatically redirected to Google authentication. This authentication only supports banno.com and jackhenry.com accounts. Visitors can also authenticate with jhacorp accounts by visiting https://artifactory.banno-tools.com/artifactory/webapp/#/login and choosing the Azure AD option.

Upon first-time login, users will not see any packages. After logging in, make a ticket via the #org-apollo team channel; details are in the canvas in the channel header.

Identity Token

Setting Artifactory up locally depends on the build tool that you want to use. For all of them, however, you will need your Artifactory Identity Token. To get this token, log into Banno Artifactory. After logging in, click on the User menu in the upper right-hand portion of the page, which shows an icon of your first initial. Select “Edit Profile” and you’ll be taken to your User Profile. On this page you can click Generate an Identity Token to create a new one.

Banno Certificate Authority

You will also need to configure your terminal to accept the Banno certificate authority. Fortunately, we already have a tool that will do this for you at https://github.com/Banno/homebrew-tap. Simply run:

brew tap Banno/tap git@github.com:Banno/homebrew-tap.git
brew install banno-ca
banno-ca-add

to install it. If you use SDKMAN, the following script will update your SDKMAN JVMs:

#!/bin/bash

# "changeit" is the default password of the JDK cacerts trust store.
KEYTOOL=(keytool -keypass changeit -storepass changeit -noprompt)

# Remove an alias from a keystore, but only if it is present.
function delete-cert-if-exists () {
    local keystore="$1" cert="$2"
    if "${KEYTOOL[@]}" -list -alias "$cert" -keystore "$keystore" &>/dev/null; then
        "${KEYTOOL[@]}" -delete -alias "$cert" -keystore "$keystore"
    fi
}

# Walk every SDKMAN-managed JDK trust store.
find ~/.sdkman/candidates/java -name cacerts -print0 |
    while IFS= read -rd '' keystore
    do
        # Cleanup the old alias (need a more flexible one now that there's more than one cert in the tap)
        delete-cert-if-exists "$keystore" bannoCA

        find "$(brew --prefix)/share/banno-ca-certs/" -iname '*.pem' -print0 |
            while IFS= read -rd '' cert
            do
                # Alias is the file name minus its last extension, with dots turned into colons
                cert_alias=$(basename "$cert" | perl -nle '@f=split(/\./); pop @f; print(join(":", @f))')
                # Adding certs isn't idempotent, so we have to do some cleanup first
                delete-cert-if-exists "$keystore" "$cert_alias"
                "${KEYTOOL[@]}" -import -alias "$cert_alias" -keystore "$keystore" -file "$cert" &&
                    printf >&2 '  :: Stored %s in %s\n' "$cert_alias" "$keystore"
            done
    done

cargo setup

Add the following to your ~/.cargo/credentials.toml file:

[registries.artifactory]
token = "Bearer ARTIFACTORY_IDENTITY_TOKEN_HERE"

[registries.artifactory-remote]
token = "Bearer ARTIFACTORY_IDENTITY_TOKEN_HERE"

sbt setup

For sbt, there are a few files you need to set up locally to be able to authenticate to Artifactory. For all of them, ~ refers to your home directory on your laptop. For more information on sbt and dependency proxying, see https://www.scala-sbt.org/1.x/docs/Proxy-Repositories.html

  1. create or append the following to: ~/.sbt/repositories:
    [repositories]
        local
        ivy-releases: https://artifactory.banno-tools.com/artifactory/ivy-releases/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
        libs-release: https://artifactory.banno-tools.com/artifactory/libs-release/
    
  2. create or append the following to: ~/.ivy2/.credentials. Replace BANNO_EMAIL_HERE with your Banno email address, and ARTIFACTORY_IDENTITY_TOKEN_HERE with your Identity Token mentioned above. Environment variables will not work in this instance; these must be the literal strings of your email/key AS THEY APPEAR in your Artifactory profile.
    realm=Artifactory Realm
    host=artifactory.banno-tools.com
    user=BANNO_EMAIL_HERE
    password=ARTIFACTORY_IDENTITY_TOKEN_HERE
    
  3. create or append to the following 4 files: ~/.sbt/0.13/global.sbt, ~/.sbt/1.0/global.sbt, ~/.sbt/0.13/plugins/build.sbt, and ~/.sbt/1.0/plugins/build.sbt. This line adds the Artifactory credentials to all builds. The location of this is dependent on where you put the credentials file in the previous step.
    ThisBuild / credentials += Credentials(Path.userHome / ".ivy2" / ".credentials")
    
  4. Set an environment variable SBT_CREDENTIALS (typically in ~/.zshrc or ~/.bash_profile) to point to the $HOME/.ivy2/.credentials file. This is necessary for the SBT launcher to bootstrap itself.
    export SBT_CREDENTIALS="$HOME/.ivy2/.credentials"
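
Both ~/.ivy2/.credentials and ~/.cargo/credentials.toml hold the Identity Token in plaintext, and a file created by hand inherits the umask default, commonly 0644. The following is an added example, not part of the original page: a shell check that flags either file when group or other has any access and optionally tightens it to 0600. The function names are illustrative.

```bash
#!/bin/bash
# Added example: audit the plaintext credential files this page creates.

# Print "ok", "missing" or "exposed" for one file. "exposed" means group or
# other has any permission bit set, so another local account can reach the token.
cred_file_status () {
    [ -e "$1" ] || { echo missing; return 0; }
    # ls -ldL prints e.g. "-rw-r--r--"; characters 5-10 are the group/other bits.
    if [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]; then
        echo ok
    else
        echo exposed
    fi
}

# Usage: audit_cred_files [--fix] [file ...]
# With no files given, checks the two paths named on this page.
# --fix tightens exposed files to 0600. Returns 1 if any file stays exposed.
audit_cred_files () {
    local fix=no rc=0 file state
    if [ "${1:-}" = "--fix" ]; then fix=yes; shift; fi
    [ "$#" -gt 0 ] || set -- "$HOME/.ivy2/.credentials" "$HOME/.cargo/credentials.toml"
    for file in "$@"; do
        state=$(cred_file_status "$file")
        if [ "$state" = exposed ] && [ "$fix" = yes ]; then
            chmod 600 "$file"
            state=$(cred_file_status "$file")
        fi
        printf '%-8s %s\n' "$state" "$file"
        if [ "$state" = exposed ]; then rc=1; fi
    done
    return "$rc"
}
```

Run audit_cred_files --fix after creating or editing either file.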
    

sbt troubleshooting

  1. PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    1. Follow the steps here to install the Banno Root CA to your Java Keystore and Mac Keychain.
      • Note: if you use jenv (have multiple Java versions installed) you need to run this for each version. These steps must be repeated if you install a new JDK version in the future.
        jenv global 1.8
        banno-ca-add
        
        # repeat the process for other JDK versions, if present...
        
        jenv global 17
        banno-ca-add
        
        # newer JDK versions here
        
    2. Make sure you’re connected to the dca.jhavpn.com VPN. The corp.jhavpn.com connection does web filtering (MITM’ing network traffic) that will cause certificate validation to fail.

sbt project setup

  • update banno-sbt-plugin to latest version (11.X adds artifactory support) in plugins.sbt
addSbtPlugin("com.banno" % "banno-sbt-plugin" % "11.0.1")
  • add the Artifactory lib releases to plugins.sbt in order to be able to resolve banno-sbt-plugin itself
resolvers += "Banno Artifactory Lib Releases" at "https://artifactory.banno-tools.com/artifactory/libs-release"
  • update sbt version to 1.X in build.properties
sbt.version=1.3.8
  • update the version of scala you are using to the latest patch version:
scalaVersion in ThisBuild := "2.12.11"
  • if running integration tests during post deployment phase then update the Jenkinsfile to add writeSbtLocalConfigForProxyingAndAuth and withEnv as shown below (note: the function input changed from env to envName to not shadow the global env and the if statement uses envName now instead of env)
postDeploymentCheck: { envName ->
             if (envName == "staging-2") {
                node("agent") {
                   checkout scm
                   def sbtHome = tool("sbt")
                   writeSbtLocalConfigForProxyingAndAuth()
                   withEnv(["SBT_CREDENTIALS=${env.HOME}/.ivy2/.credentials"]) {
                       sh "${sbtHome}/bin/sbt \"; project core; it:test\""
                   }
                   // In the event that the above integration tests fail, then it will throw and fail the staging build.
                   return true
                }
             } else {
                return true
             }
       }

docker setup

All Docker images that use our Artifactory will have docker.artifactory.banno-tools.com as the base URL, e.g. docker.artifactory.banno-tools.com/java:11

To pull and push images from Artifactory:

Get your Identity Token from https://jackhenry.jfrog.io/ui/user_profile

Run docker login docker.artifactory.banno-tools.com and log in using your email and the Identity Token from your Artifactory profile:

docker login -u <ARTIFACTORY_EMAIL_ADDRESS> -p <IDENTITY_TOKEN> docker.artifactory.banno-tools.com
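
Passing the token with -p leaves it in shell history and in the process list while the command runs. The following is an added example, not part of the original page: it reads the user and token from the ~/.ivy2/.credentials file created in the sbt setup and hands the token to docker login over stdin with --password-stdin. The function names are illustrative, and it assumes the sbt credentials file already exists.

```bash
#!/bin/bash
# Added example: log in to the Docker registry without putting the token in argv.

# Print the value of one key (realm, host, user, password) from a credentials
# file in the key=value format shown in the sbt setup section.
ivy_cred_field () {
    local key="$1" file="${2:-$HOME/.ivy2/.credentials}"
    # Strip "key=" up to the first "=" only, so a value containing "=" survives;
    # drop CRs and trailing blanks left by editors, and keep the first match.
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" |
        tr -d '\r' | sed 's/[[:space:]]*$//' | head -n 1
}

# Feed the token to docker over stdin so it never appears in shell history
# or in the process list, which is where -p <IDENTITY_TOKEN> would put it.
artifactory_docker_login () {
    local file="${1:-$HOME/.ivy2/.credentials}" login_user
    login_user=$(ivy_cred_field user "$file")
    if [ -z "$login_user" ]; then
        echo "no user= entry in $file" >&2
        return 1
    fi
    ivy_cred_field password "$file" |
        docker login -u "$login_user" --password-stdin docker.artifactory.banno-tools.com
}
```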

NPM Setup

If you use NPM locally you’ll need to follow the NPM Artifactory Setup Steps.