Using Tidelift with JFrog Artifactory self-hosted

This article references our self-hosted Artifactory integration. Cloud documentation is available here.

Our self-hosted integration currently works with JFrog Artifactory versions 7 (preferred) and 6.x. If you are using an older version of JFrog Artifactory, please contact support@tidelift.com.

Download Tidelift's Artifactory plugin.

Overview

Tidelift integrates with JFrog Artifactory to help you keep only known-good open source approved in your Artifactory repositories.

The purpose of the Artifactory integration is to sync the list of approved releases in one of your Tidelift catalogs to an Artifactory repository. When using Artifactory self-hosted, approving a release in the catalog will set the tidelift.status property to approved, while denying a release will set the property to denied. An Artifactory plugin will block the download of denied artifacts.

The Artifactory repository you choose to sync must be a remote or local repository, not a virtual repository.

You can connect a catalog to multiple repositories (for example, one for each package manager covered by the catalog), but connecting multiple catalogs to one repository will not work (since the catalogs might disagree on what's approved).

It's also possible to import the contents of an Artifactory repository to initially populate a catalog.

How the Tidelift + Artifactory integration works

Tidelift's Artifactory plugin has two components: Artifactory webhooks, and Tidelift's plugin.

Artifactory webhooks

Users can enable webhooks within their Artifactory instance to trigger automatically based on pre-defined events in Artifactory. 

Tidelift plugin

The Tidelift plugin triggers based on two primary events within Artifactory: afterCreate and download. 
When a new package is created within Artifactory (afterCreate), the Artifactory webhook will make an asynchronous call to tidelift.com and set the tidelift.status artifact property to pending.
If a user decides that a package release is approved or denied within their Tidelift catalog, then Tidelift will update the tidelift.status on that artifact in Artifactory to Approved or Denied, respectively, using a POST HTTP method.

The Tidelift plugin will monitor all download events within Artifactory to block any artifacts with a tidelift.status of Denied from being downloaded. The download hook fires on every download request regardless of whether or not the package is in Artifactory already.

Download Tidelift's Artifactory plugin.

Tidelift configuration file

A tidelift configuration file called tidelift.config.json can be stored in the /plugins folder of Artifactory.

The config file can be used to set the tidelift.status for newly created artifacts. Since artifacts are created in Artifactory as soon as a release is requested in Tidelift, this property is useful for changing whether or not developers can download the package while their request is pending. 

{
    "statusOnCreate": "pending"
}

When "statusonCreate" is set to "pending" or "approved", new releases/artifacts will be available for download when requested. Users will be able to download the artifacts until the releases are denied in Tidelift.

By setting "statusOnCreate" is set to "denied", the releases/artifacts will not be available for download when requested. Users will not be able to download the releases until the releases are approved in Tidelift.

Setting up the Tidelift + Artifactory integration

Installation

You'll need to setup an Artifactory webhook and point it to Tidelift:
tidelift.groovy

First, request a Tidelift API key for Artifactory by emailing support@tidelift.com. We will respond via email with your Tidelift API key.

Copy tidelift.groovy—the Tidelift Artifactory plugin—into  $ARTIFACTORY_HOME/var/etc/plugins

Webhook Setup

For Artifactory 7.6+
Set up a webhook in Artifactory for Tidelift in   Administration > General > Webhooks , with the following values: 
Name: Tidelift
URL: https://api.tidelift.com/external-api/artifactory/webhook
Event: "Artifact was deployed" (and pick the Artifactory repositories you'll use for your Tidelift Catalog)
Secret Token: <Tidelift API key from the first step><br>
For Artifactory <7.6
Older versions of Artifactory don't support webhooks natively, so you'll need to install the Artifactory webhook plugin.
Once you've installed the webhook plugin, enter your Tidelift API key from above into the included "webhook.config.json" file, and copy that config file into the same folder ( $ARTIFACTORY_HOME/var/etc/plugins).

Once the plugin is set up, Artifactory needs to refresh the install plugins to enable the integration. This accomplished by sending a web request to the Artifactory server as detailed here https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API#ArtifactoryRESTAPI-ReloadPlugins

Reload the webhook plugin curl -s -u admin:<admin password> -d "" $ARTIFACTORY_HOST/artifactory/api/plugins/reload

Webhook Setup

In order to update the properties of each artifact in Artifactory, Tidelift needs to be able to make web requests to the on-premise Artifactory. Your network should be configured to expose a port externally for Artifactory so that the web requests can be made to update the Tidelift status of artifacts via the plugin. Once the network is configured for external access, the configuration within Tidelift should be updated to the correct URL and port on the Artifactory integration settings page.

Getting start with the Tidelift + Artifactory integration 

Setting up your catalog with JFrog Artifactory
Updating your Artifactory instance from Tidelift catalogs