-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(crates-io): expose HTTP headers and Error type #12310
Conversation
r? @ehuss (rustbot has picked a reviewer for you, use r? to override) |
cc @Eh2406 |
www-authenticate
challenge www-authenticate
header
"percent-encoding", | ||
"serde", | ||
"serde_json", | ||
"thiserror", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thiserror
is already in the dependency graph. Just do we want it to appear as a direct dependency or not.
crates/crates-io/Cargo.toml
Outdated
@@ -1,6 +1,6 @@ | |||
[package] | |||
name = "crates-io" | |||
version = "0.36.1" | |||
version = "0.37.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Side note: the version bump check in CI didn't work, since the new version in beta hasn't yet published. But in reality, the script should treat any version in beta as “published”.
397b41d
to
53521cd
Compare
This looks good to me. @arlosi, what are your thoughts? |
|
I don't think so. At least not at this moment? This PR doesn't implement the flow mentioned above. It just pokes the return type of BTW, in this PR
Sorry I am forgetting the details of the fantastic overhaul of credential providers, could you share the doc or the working branch again? BTW if cargo unifies the interface by providing the |
According to the asymmetric tokens RFC as written, yes. (Which is not to say that it will happen in this PR.) Of course, if we discover during implementation that this is a bad idea... Implementation and RFC do not have to match. I would expect that only the most paranoid registries will intentionally use a challenge for read/index endpoints. On the other hand, implementing auth would only be made more complicated by requiring registries to have a different scheme for GET vs PUSH.
Passing along the entire header allows registries to use standards cargo doesn't know about, or invent their own. It seems like the most flexible way to provide the data. It is entirely compatible with cargo passing the data it parsed in separate fields for credential providers that are using asymmetric tokens and do not want to do their own parsing. |
Does this imply that we should just add a new field |
That seams reasonable. |
53521cd
to
966a89b
Compare
www-authenticate
header
@Eh2406 thanks for the reply. This is now ready for another review! |
@Eh2406 Do you want to take assignment for this review? I'm happy to do a final review if you want. |
Sorry for the delay. This looks good. Happy to have Eric do the honours. (We need to keep the API brake in mind.) |
In response to RFC 3231 [^1], our registry client need to return headers to caller, so that the caller (cargo binary) can continue parsing challenge headers. [^1]: https://rust-lang.github.io/rfcs/3231-cargo-asymmetric-tokens.html#the-authentication-process
This removes the dependency `anyhow` and uses our own custom Error enum, so that crates-io consumer can access `Error::API::challenge` field.
Optionally use `thiserror` to reduce boilerplates but this part can be dropped if we don't want.
966a89b
to
31b500c
Compare
Thanks for the reminder! Bumped to 0.38.0. |
@bors r=Eh2406 |
☀️ Test successful - checks-actions |
Update cargo 8 commits in 1b15556767f4b78a64e868eedf4073c423f02b93..7ac9416d82cd4fc5e707c9ec3574d22dff6466e5 2023-07-18 14:44:47 +0000 to 2023-07-24 14:29:38 +0000 - fix(cargo-credential): should enable feature `serde/derive` (rust-lang/cargo#12396) - fix: encode URL params correctly for SourceId in Cargo.lock (rust-lang/cargo#12280) - docs: format config override caveat as a note (rust-lang/cargo#12392) - credential provider implementation (rust-lang/cargo#12334) - feat(crates-io): expose HTTP headers and Error type (rust-lang/cargo#12310) - chore: Don't update test data (rust-lang/cargo#12380) - fix: only skip mtime check on `~/.cargo/{git,registry}` (rust-lang/cargo#12369) - Update docs for artifact JSON debuginfo levels. (rust-lang/cargo#12376) Since rust-lang/cargo#12334 makes built-in credential providers part of the cargo binary, it's no longer needed to build them in bootstrap.
Update cargo 8 commits in 1b15556767f4b78a64e868eedf4073c423f02b93..7ac9416d82cd4fc5e707c9ec3574d22dff6466e5 2023-07-18 14:44:47 +0000 to 2023-07-24 14:29:38 +0000 - fix(cargo-credential): should enable feature `serde/derive` (rust-lang/cargo#12396) - fix: encode URL params correctly for SourceId in Cargo.lock (rust-lang/cargo#12280) - docs: format config override caveat as a note (rust-lang/cargo#12392) - credential provider implementation (rust-lang/cargo#12334) - feat(crates-io): expose HTTP headers and Error type (rust-lang/cargo#12310) - chore: Don't update test data (rust-lang/cargo#12380) - fix: only skip mtime check on `~/.cargo/{git,registry}` (rust-lang/cargo#12369) - Update docs for artifact JSON debuginfo levels. (rust-lang/cargo#12376) Since rust-lang/cargo#12334 makes built-in credential providers part of the cargo binary, it's no longer needed to build them in bootstrap.
What does this PR try to resolve?
This is part of #11521.
RFC 3231 mentions the authentication process could have an additional challenge-response mechanism to prevent potential replay attacks. The challenge usually comes from HTTP
www-authenticate
header as a opaque string. When a client gets a 401/403 response with such a challenge, it may attach thechallenge
to the payload and request again to anwser the challenge.However,
crates-io
crate doesn't expose HTTP headers. There is no access towww-authenticate
header.This PR make it expose HTTP headers and the custom
Error
type, socargo
can access and do further on the authentication process.How should we test and review this PR?
By commit.
This removes the dependency
anyhow
and uses our own customError
enum, so thatcrates-io
consumer can accessError::API::challenge
field. It optionally usesthiserror
to reduce boilerplates but this part can be dropped if we don't want.