Using Tidelift with JFrog Artifactory

Tidelift integrates with JFrog Artifactory to help your development teams stay safe and only use approved open source releases. The integration syncs the list of approved and denied releases in one of your Tidelift catalogs to an Artifactory repository. With this integration in place, developers will be unable to download denied releases from Artifactory.

Secondarily, this integration provides an alternate or additional way to enforce adherence to the catalog if CI/CD is not available. However, this method isn't the primary usage of this integration and we recommend CI as the best means to track your software bill of materials and measure project health. If you have questions about using this integration to block package access, please contact Support to learn more.

Technical requirements

The following are requirements to be able to successfully use this integration

Artifactory product and version Self-hosted 6.x or higher (7.x or higher preferred) with the ability to install Artifactory plugins
Artifactory repository types remote and local (virtual repositories are not supported)
Package ecosystems Javascript (npm), Java (maven, gradle), and Ruby (rubygems)  


If you are using an older version of Artifactory self-hosted, Artifactory Cloud, or require support for different ecosystems, please contact support@tidelift.com.



How the integration works

The Artifactory integration requires setting up webhooks and installing a plugin in Artifactory. Within Tidelift, you will associate Tidelift catalogs with one or more Artifactory repositories. An Artifactory repository can be synced with no more than one Tidelift catalog at a time.
 

The Tidelift plugin triggers based on two primary events within Artifactory:

afterCreate and download

When a new package is created within Artifactory ( afterCreate), the Artifactory webhook will make an asynchronous call to tidelift.com to request the package. The tidelift.status artifact property to pending (unless otherwise specified in a tidelift.config.json file). Similarly, when a developer requests a package through Tidelift, the artifact will be created in Artifactory with a tidelift.status property.
 

When a package release is approved or denied within the Tidelift catalog, then Tidelift will update the tidelift.status on that artifact in Artifactory to approved or denied, respectively, using a POST HTTP method.

The Tidelift plugin will then monitor all download events within Artifactory to block any artifacts with a tidelift.status of denied from being downloaded. The download hook fires on every download request regardless of whether or not the package is in Artifactory already.


Set-up instructions 

  1. Get the appropriate API key from Tidelift
    Request an Artifactory key by contacting support. We will respond via email with the appropriate key for Artifactory. This API Key is used in Step 4 below.

  2. Install Tidelift plugin in Artifactory
    Copy tidelift.groovy — the Tidelift Artifactory plugin — into  '$ARTIFACTORY_HOME/var/etc/plugins'

    Download Tidelift's Artifactory plugin.

  3. Add the tidelift.config.json file in Artifactory
    The 'tidelift.config.json' file should be placed in the /plugins folder of Artifactory. An example config file with default values set is below. Documentation for config values is below.
    { "statusOnCreate": "pending", "pluginUsers": ["tidelift", "admin"] }
  4. Setup webhooks in Artifactory

    For Artifactory 7.6+
    Set up a webhook in Artifactory for Tidelift in  'Administration > General > Webhooks' , with the following values:

    'Name: Tidelift URL: https://api.tidelift.com/external-api/artifactory/webhook Event: "Artifact was deployed" (and pick the Artifactory repositories you'll use for your Tidelift Catalog) Secret Token: <Tidelift API key from the first step>'

    For Artifactory <7.6
    Older versions of Artifactory don't support webhooks natively, so you'll need to install the Artifactory webhook plugin.

    Once you've installed the webhook plugin, enter your Tidelift API key from above into the included "webhook.config.json" file, and copy that config file into the same folder ( '$ARTIFACTORY_HOME/var/etc/plugins').

  5. Refresh the plugins
    Once the plugin is set up, Artifactory needs to refresh the install plugins to enable the integration.

    This can be accomplished by sending a web request to the Artifactory server as detailed on this JFrog webpage. Reload the webhook plugin 'curl -s -u admin:<admin password> -d "" $ARTIFACTORY_HOST/artifactory/api/plugins/reload'.

    In order to update the properties of each artifact in Artifactory, Tidelift needs to be able to make web requests to the on-premise Artifactory. Your network should be configured to expose a port externally for Artifactory so that the web requests can be made to update the Tidelift status of artifacts via the plugin.

    Once the network is configured for external access, the configuration within Tidelift should be updated to the correct URL and port on the Artifactory integration settings page. This step may require working with an Artifactory or network administrator.

  6. Set up the integration in Tidelift
    In the Tidelift dashboard, go to Settings > Integrations > Artifactory. Enter the Artifactory URL and API Key Once a connection has been established, you can link Artifactory repositories with Tidelift catalogs

  7. Testing the integration
    To make sure everything is working properly, you can run the following tests:
  • Request a package release in Tidelift, you should see this release show up as an artifact in Artifactory with the default 'tidelift.status'
  • Approve the request, you should see the artifact's 'tidelift.status' property update to approve.
  • Request another release and deny the request, you should see the artifact's 'tidelift.status' property update to deny.
  • Try to download this denied release from the Artifactory repository as a developer, you should receive a Forbidden 403 error message.


Tidelift configuration file documentation

A configuration file called tidelift.config.json should be stored in the /plugins folder of Artifactory (see Step 3 in Install Instructions). The following options can be configured.

statusOnCreate (default: pending)

The config file can be used to set the tidelift.status for newly created artifacts. Since artifacts are created in Artifactory as soon as a release is requested in Tidelift, this property is useful for changing whether or not developers can download the package while their request is pending. When "statusonCreate is set to pending or approved, new releases/artifacts will be available for download when requested. By setting statusOnCreate to denied, the releases/artifacts will not be available for download when requested. Users will not be able to download the releases until the releases are approved in Tidelift.

pluginUsers (default: ["tidelift", "admin"])

The config setting pluginUsers allows users to customize the Artifactory users that are allowed to hit the plugin endpoints.



In the Artifactory app

To get started, you'll need to create a user for Tidelift to use:

Next, you'll create a local repository:

Then, you'll give user permission to deploy/manage repository:

Finally, you'll logout of Artifactory, and log back in as the new user to grab the api key:

From here, copy the API key into the Artifactory integration settings page within your Tidelift account. Then test!

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.

Articles in this section