http_archive rule now has an ability to authenticate to github using .netrc file as storage for credentials #7978
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here (e.g. What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
.netrc file as storage for credentials
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
| private static final Map<String, AuthorizationProtocol> TYPE_TO_PROTOCOL = new HashMap<>(); | ||
|
|
||
| public AuthorizationHeaderProvider() { | ||
| TYPE_TO_PROTOCOL.put("github", new GithubAuthorizationProtocol()); |
There was a problem hiding this comment.
So the "github" authentication protocol is just sticking "token " in front of the password? And that is only necessary because the .netrc format does not allow to quote spaces?
Is that something generic (so that changing the name would be appropriate) or something really used by github only? What I'm worried about is that, over time, we might accumulate special casing for each and every hosting site.
There was a problem hiding this comment.
So the "github" authentication protocol is just sticking "token " in front of the password? And that is only necessary because the
.netrcformat does not allow to quote spaces?
That is right
There was a problem hiding this comment.
Is that something generic (so that changing the name would be appropriate) or something really used by github only? What I'm worried about is that, over time, we might accumulate special casing for each and every hosting site.
Unfortunately, github uses a non-standard Authorization protocol, so this is specific for github.
OAuth2 states:
Authorization: Bearer <token>
Github states:
Authorization: token <token>
It is possible in future to add generic protocols, such as OAuth2, Basic authentication, etc.
There was a problem hiding this comment.
So the "github" authentication protocol is just sticking "token " in front of the password? And that is only necessary because the
.netrcformat does not allow to quote spaces?That is right
Thanks for clarifying. That does not improve my opinion on the .netrc format, but if it is popular, we'll have to support it.
There was a problem hiding this comment.
Unfortunately, github uses a non-standard Authorization protocol, so this is specific for github.
OAuth2 states:
Authorization: Bearer <token>Github states:
Authorization: token <token>
OK, so we have to special case it, unless we define a parametric WithPrefixAuthenticationProtocol.
It is possible in future to add generic protocols, such as OAuth2, Basic authentication, etc.
I would appreciate if bazel wouldn't add authentication for GitHub only.
|
|
||
| Optional<Credentials> getCredentials(String host); | ||
|
|
||
| class Credentials { |
There was a problem hiding this comment.
Are Credentials always user name and pasword? I.e., will a credential provide always be limited to essentially basic auth?
There was a problem hiding this comment.
At the moment I am not aware of more information needed for authentication and authorization either than user/pass or api key (token - which we use password to state in netrc file).
However, if would be required, the interface can be evolved using default methods
| @@ -27,6 +25,9 @@ | |||
| import com.google.devtools.build.lib.events.Event; | |||
| import com.google.devtools.build.lib.events.EventHandler; | |||
| import com.google.devtools.build.lib.util.Sleeper; | |||
|
|
|||
| import javax.annotation.Nullable; | |||
| import javax.annotation.concurrent.GuardedBy; | |||
| import java.io.IOException; | |||
There was a problem hiding this comment.
This rearrangement of imports seems unrelated (and will be changed back anyway upon import into the authoritative repository).
That's just FYI, there is nothing to do on your side.
| @@ -459,6 +461,24 @@ public void extract(Object archive, Object output, String stripPrefix, Location | |||
| + " <code>build_file</code>, this field can be used to strip it from extracted" | |||
| + " files."), | |||
| @Param( | |||
There was a problem hiding this comment.
This is a change of a public Starlark build API interface, for which the bazel policy requires a design discussion; see https://github.com/bazelbuild/proposals/
There was a problem hiding this comment.
Will post one, thanks :)
Thanks. So I'll wait for that design document being written and discussed before processing with this pull request.
There was a problem hiding this comment.
@aehlig added the proposal: bazelbuild/proposals#115
Should I assign you as a reviewer?
| @@ -459,6 +461,24 @@ public void extract(Object archive, Object output, String stripPrefix, Location | |||
| + " <code>build_file</code>, this field can be used to strip it from extracted" | |||
| + " files."), | |||
| @Param( | |||
| name = "is_netrc_auth_enabled", | |||
There was a problem hiding this comment.
Isn't that flag implicit by whether or not the appropriate key is found in netrc_domain_auth_types?
| type = SkylarkDict.class, | ||
| defaultValue = "{}", | ||
| named = true, | ||
| doc = "the authorization type which is the host in netrc file for now support \"github\""), |
There was a problem hiding this comment.
What about true basic auth? Isn't that provided by the default authorization protocol anyway?
There was a problem hiding this comment.
We can add a BasicAuthenticationProtocol implementation by type basic if needed. I might be missing, is there another implementation for basic authentication already?
| private static final Map<String, AuthorizationProtocol> TYPE_TO_PROTOCOL = new HashMap<>(); | ||
|
|
||
| public AuthorizationHeaderProvider() { | ||
| TYPE_TO_PROTOCOL.put("github", new GithubAuthorizationProtocol()); |
There was a problem hiding this comment.
So the "github" authentication protocol is just sticking "token " in front of the password? And that is only necessary because the
.netrcformat does not allow to quote spaces?
That is right
| private static final Map<String, AuthorizationProtocol> TYPE_TO_PROTOCOL = new HashMap<>(); | ||
|
|
||
| public AuthorizationHeaderProvider() { | ||
| TYPE_TO_PROTOCOL.put("github", new GithubAuthorizationProtocol()); |
There was a problem hiding this comment.
Is that something generic (so that changing the name would be appropriate) or something really used by github only? What I'm worried about is that, over time, we might accumulate special casing for each and every hosting site.
Unfortunately, github uses a non-standard Authorization protocol, so this is specific for github.
OAuth2 states:
Authorization: Bearer <token>
Github states:
Authorization: token <token>
It is possible in future to add generic protocols, such as OAuth2, Basic authentication, etc.
|
|
||
| Optional<Credentials> getCredentials(String host); | ||
|
|
||
| class Credentials { |
There was a problem hiding this comment.
At the moment I am not aware of more information needed for authentication and authorization either than user/pass or api key (token - which we use password to state in netrc file).
However, if would be required, the interface can be evolved using default methods
| @@ -459,6 +461,24 @@ public void extract(Object archive, Object output, String stripPrefix, Location | |||
| + " <code>build_file</code>, this field can be used to strip it from extracted" | |||
| + " files."), | |||
| @Param( | |||
| @@ -459,6 +461,24 @@ public void extract(Object archive, Object output, String stripPrefix, Location | |||
| + " <code>build_file</code>, this field can be used to strip it from extracted" | |||
| + " files."), | |||
| @Param( | |||
| name = "is_netrc_auth_enabled", | |||
| type = SkylarkDict.class, | ||
| defaultValue = "{}", | ||
| named = true, | ||
| doc = "the authorization type which is the host in netrc file for now support \"github\""), |
There was a problem hiding this comment.
We can add a BasicAuthenticationProtocol implementation by type basic if needed. I might be missing, is there another implementation for basic authentication already?
| @@ -78,6 +90,7 @@ public void setDistdir(List<Path> distdir) { | |||
| * @param clientEnv environment variables in shell issuing this command | |||
| * @param repo the name of the external repository for which the file was fetched; used only for | |||
| * reporting | |||
| * @param authorization TBD | |||
|
Is this blocked on a proposal? |
|
I am changing the implementation according to comments, which seems like also changing the api a bit, then will send a proposal for api |
|
proposal submitted: bazelbuild/proposals#115 |
|
only now saw that there is an issue for that already, which this PR tries to solve: #7770 |
|
@aehlig (thanks to you :) ) we have already a solution for http_archive rule will respect by default .netrc stored credentials and use HTTP basic authentication for the related domain/host which will be available at version 0.29. |
Hi.
Need an opinion for the general direction.
It is still missing the default path for .netrc file to be set to home directory, which is now set as root directory