Authorization plugins
Warning
This feature is experimental and subject to breaking changes. See the Conan stability section for more information.
Regarding authorization, we have two plugins: one focused on remote Conan servers authorization, auth_remote.py
, and another focused on authorization for source file servers, auth_source.py
.
The idea behind these plugins is to create custom integrations with each user’s secrets managers.
Auth remote plugin
This first plugin is a Python script that receives a remote
object and an optional parameter: user
. If the user is provided, the expected output is the credentials that use that username. The output should be a tuple of the username that we want to use for that remote, or None
if no credentials are specified for that remote and we want Conan to follow the normal login flow.
This plugin is located at the path <CONAN_HOME>/extensions/plugins/auth_remote.py
and must be manually created with the name auth_remote.py
, containing a function named auth_remote_plugin(remote, user=None, **kwargs)
.
The order for retrieving credentials is as follows:
First, an attempt is made to obtain the credentials from the
auth_remote_plugin
.If it doesn’t exist or returns
None
, the next step is to checkcredentials.json
.After that, the environment variables are searched.
Finally, the credentials are obtained through an interactive prompt.
Here we can see an example of a plugin implementation.
def auth_remote_plugin(remote, user=None, **kwargs):
if remote.url.startswith("https://artifactory.my-org/"):
return "admin", "password"
Auth source plugin
This one is a Python script that receives an url
as a parameter and outputs a dictionary with the credentials or access token. It can also return None
to indicate that Conan should proceed with its normal login flow.
This plugin is located at the path <CONAN_HOME>/extensions/plugins/auth_source.py
and must be manually created with the name auth_source.py
, containing a function named auth_source_plugin(url, **kwargs)
.
The order for retrieving the credentials is as follows:
First, an attempt is made to obtain the credentials from the
auth_source_plugin
.If it doesn’t exist or returns
None
, an attempt is made to retrieve them fromsource_credentials.json
.
Here we can see an example of a plugin implementation.
def auth_source_plugin(url, **kwargs):
if url.startswith("https://my-sources-user-password.my-org/"):
return {'user': 'my-user', 'password': 'my-password'}
elif url.startswith("https://my-private-token-sources.my-org/"):
return {'token': 'my-secure-token'}
Note
These plugins can be shared and installed using conan config install
or conan config install-pkg
Important: Ensure that your plugins and configurations do not contain hardcoded secrets or sensitive data. Instead, passwords should be retrieved using your implementation with a secret manager.