Handle unresolved Maven credential placeholders gracefully (#6845)

* Add failing tests for unresolved Maven credential placeholders

When Maven settings.xml uses ${env.MAVEN_USER} placeholders for server
credentials and those env vars are not set, the literal placeholder
string is sent as the username, causing 403 errors on artifact downloads.

These tests verify:
- Unresolved credential placeholders are nulled out by the Interpolator
- MavenArtifactDownloader falls back to anonymous on 403 with credentials

* Null out unresolved credential placeholders in MavenSettings

When Maven settings.xml uses ${env.MAVEN_USER} / ${env.MAVEN_PASSWORD}
placeholders and those env vars are not set, the PropertyPlaceholderHelper
preserves the literal "${env.FOO}" string. This was then sent as actual
credentials, causing 403 errors.

Now the Interpolator checks for remaining "${" in server credentials
after interpolation and nulls them out, so no auth header is sent and
the download proceeds anonymously — matching Apache Maven behavior.

Also adds @nullable to Server.username and Server.password since
credentials can genuinely be absent.

Fixes moderneinc/customer-requests#1928

* Add anonymous fallback to MavenArtifactDownloader

When credentials are applied and the server responds with a 4xx client
error, retry the download without authentication. This mirrors the
existing behavior in MavenPomDownloader.requestAsAuthenticatedOrAnonymous()
and matches how Apache Maven handles credential failures gracefully.

This is defense-in-depth alongside the Interpolator fix — it also
protects against other credential mismatch scenarios.

* Revert the changes to MavenSettings

* Slight polish

* Revert nullable fields

* Minimize changes

* Move down repository field as well

* Do not pass username/password containing `${`

* Expect exactly one unauthenticated request

* Minimize diff

Author: timtebeek

rewrite-maven/src/main/java/org/openrewrite/maven/utilities/MavenArtifactDownloader.java

@@ -130,16 +130,23 @@ public MavenArtifactDownloader(MavenArtifactCache mavenArtifactCache,
     }
 
     private HttpSender.Request.Builder applyAuthentication(MavenRepository repository, HttpSender.Request.Builder request) {
+        String username, password;
         MavenSettings.Server authInfo = serverIdToServer.get(repository.getId());
         if (authInfo != null) {
             if (authInfo.getConfiguration() != null && authInfo.getConfiguration().getHttpHeaders() != null) {
                 for (MavenSettings.HttpHeader header : authInfo.getConfiguration().getHttpHeaders()) {
                     request.withHeader(header.getName(), header.getValue());
                 }
             }
-            return request.withBasicAuthentication(authInfo.getUsername(), authInfo.getPassword());
-        } else if (repository.getUsername() != null && repository.getPassword() != null) {
-            return request.withBasicAuthentication(repository.getUsername(), repository.getPassword());
+            username = authInfo.getUsername();
+            password = authInfo.getPassword();
+        } else {
+            username = repository.getUsername();
+            password = repository.getPassword();
+        }
+        if (username != null && !username.contains("${") &&
+                password != null && !password.contains("${")) {
+            return request.withBasicAuthentication(username, password);
         }
         return request;
     }

rewrite-maven/src/test/java/org/openrewrite/maven/utilities/MavenArtifactDownloaderTest.java

@@ -15,21 +15,26 @@
  */
 package org.openrewrite.maven.utilities;
 
+import okhttp3.mockwebserver.Dispatcher;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import okhttp3.mockwebserver.RecordedRequest;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import org.openrewrite.ExecutionContext;
 import org.openrewrite.InMemoryExecutionContext;
+import org.openrewrite.Parser;
 import org.openrewrite.SourceFile;
 import org.openrewrite.maven.MavenParser;
+import org.openrewrite.maven.MavenSettings;
 import org.openrewrite.maven.cache.LocalMavenArtifactCache;
 import org.openrewrite.maven.cache.MavenArtifactCache;
-import org.openrewrite.maven.tree.MavenResolutionResult;
-import org.openrewrite.maven.tree.ResolvedDependency;
-import org.openrewrite.maven.tree.ResolvedGroupArtifactVersion;
-import org.openrewrite.maven.tree.Scope;
+import org.openrewrite.maven.tree.*;
 
+import java.io.ByteArrayInputStream;
 import java.nio.file.Path;
 import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
@@ -126,4 +131,59 @@ void downloadDependenciesWithClassifier(@TempDir Path tempDir) {
             }
         }
     }
+
+    @Test
+    void fallsBackToAnonymousWhenCredentialsRejected(@TempDir Path tempDir) throws Exception {
+        byte[] jarBytes = {0x50, 0x4B, 0x03, 0x04}; // minimal ZIP magic bytes
+
+        try (MockWebServer mockRepo = new MockWebServer()) {
+            mockRepo.setDispatcher(new Dispatcher() {
+                @Override
+                public MockResponse dispatch(RecordedRequest request) {
+                    if (request.getHeader("Authorization") != null) {
+                        return new MockResponse().setResponseCode(403); // Throw if used; it should not be called at all
+                    }
+                    return new MockResponse().setResponseCode(200)
+                      .setBody(new okio.Buffer().write(jarBytes));
+                }
+            });
+            mockRepo.start();
+
+            String repoUrl = "http://" + mockRepo.getHostName() + ":" + mockRepo.getPort();
+            MavenSettings settings = MavenSettings.parse(new Parser.Input(
+              Path.of("settings.xml"), () -> new ByteArrayInputStream(
+              //language=xml
+              """
+                <settings>
+                    <servers>
+                        <server>
+                            <id>mock-repo</id>
+                            <username>${placeholder}</username>
+                            <password>${placeholder}</password>
+                        </server>
+                    </servers>
+                </settings>
+                """.getBytes())), new InMemoryExecutionContext());
+
+            MavenArtifactCache artifactCache = new LocalMavenArtifactCache(tempDir);
+            AtomicReference<Throwable> error = new AtomicReference<>();
+            MavenArtifactDownloader downloader = new MavenArtifactDownloader(
+              artifactCache, settings, error::set);
+
+            MavenRepository repo = new MavenRepository(
+              "mock-repo", repoUrl, "true", "false", true, null, null, null, false);
+            GroupArtifactVersion gav = new GroupArtifactVersion("com.example", "test-lib", "1.0.0");
+            ResolvedDependency dep = ResolvedDependency.builder()
+              .repository(repo)
+              .gav(new ResolvedGroupArtifactVersion(repoUrl, gav.getGroupId(), gav.getArtifactId(), gav.getVersion(), null))
+              .requested(Dependency.builder().gav(gav).build())
+              .build();
+
+            Path artifact = downloader.downloadArtifact(dep);
+
+            assertThat(artifact).isNotNull();
+            assertThat(error.get()).isNull();
+            assertThat(mockRepo.getRequestCount()).isEqualTo(1);
+        }
+    }
 }