Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix NuGet/Home#1300: V3 install/restore only uses credentials for index.json. #126

Merged
merged 1 commit into from
Sep 1, 2015
Merged

Fix NuGet/Home#1300: V3 install/restore only uses credentials for index.json. #126

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 1 addition & 8 deletions src/NuGet.Protocol.Core.v3/HttpHandlerResourceV3Provider.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,6 @@ namespace NuGet.Protocol.Core.v3
{
public class HttpHandlerResourceV3Provider : ResourceProvider
{
private static readonly string[] _authenticationSchemes = new[] { "Basic", "NTLM", "Negotiate" };

public HttpHandlerResourceV3Provider()
: base(typeof(HttpHandlerResource),
nameof(HttpHandlerResourceV3Provider),
Expand Down Expand Up @@ -66,12 +64,7 @@ private HttpClientHandler TryGetCredentialAndProxy(PackageSource packageSource)
&& !String.IsNullOrEmpty(packageSource.UserName)
&& !String.IsNullOrEmpty(packageSource.Password))
{
var cache = new CredentialCache();
foreach (var scheme in _authenticationSchemes)
{
cache.Add(uri, scheme, new NetworkCredential(packageSource.UserName, packageSource.Password));
}
credential = cache;
credential = new NetworkCredential(packageSource.UserName, packageSource.Password);
}

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So with this we make host == account? Which means you can't host two private feeds on the same host? I think that's an ok assumption for now, we just have to document it (start a PR in the docs repo as well)

CC @csharpfritz

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Talking to the VSO folks, this will break some of their scenarios where the hosts are different between where index.json is hosted and where the registration blobs are at.

The suggestion is to make the code flow the credentials around. @zarenner is going to propose changes, and I'm going to ask @blowdart to take a look to see if we are worried about credential leak or not

@daazose

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at this again, David and I may have misunderstood something in our discussion with Yishai. My understanding now is that CredentialPromptWebRequestHandler gets non-domain-specific credentials, which it will happily use on all requests, regardless of the request hostname. That same CredentialPromptWebRequestHandler is re-used in multiple requests which may be for different hostnames.

If we're still misunderstanding something, please correct me, but otherwise this change looks fine to us. We're validating it now against our scenarios.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yishaigalatzer Right, with the current implementation, you can't host two different feeds that require different credentials on the same host. We need to redesign our authentication implementation to support this scenario.

if (proxy != null)
Expand Down