add CredentialCacheValue

src/cargo/util/auth.rs

@@ -19,6 +19,8 @@ use url::Url;
 use crate::core::SourceId;
 use crate::ops::RegistryCredentialConfig;
 
+use super::config::CredentialCacheValue;
+
 /// Get the credential configuration for a `SourceId`.
 pub fn registry_credential_config(
     config: &Config,
@@ -298,9 +300,13 @@ my-registry = {{ index = "{}" }}
 // Store a token in the cache for future calls.
 pub fn cache_token(config: &Config, sid: &SourceId, token: &str) {
     let url = sid.canonical_url();
-    config
-        .credential_cache()
-        .insert(url.clone(), (true, token.to_string()));
+    config.credential_cache().insert(
+        url.clone(),
+        CredentialCacheValue {
+            from_commandline: true,
+            token_value: token.to_string(),
+        },
+    );
 }
 
 /// Returns the token to use for the given registry.
@@ -332,11 +338,11 @@ fn auth_token_optional(
     let mut cache = config.credential_cache();
     let url = sid.canonical_url();
 
-    if let Some((overridden_on_commandline, token)) = cache.get(url) {
+    if let Some(cache_token_value) = cache.get(url) {
         // Tokens for endpoints that do not involve a mutation can always be reused.
         // If the value is put in the cach by the command line, then we reuse it without looking at the configuration.
-        if *overridden_on_commandline || mutation.is_none() {
-            return Ok(Some(token.clone()));
+        if cache_token_value.from_commandline || mutation.is_none() {
+            return Ok(Some(cache_token_value.token_value.clone()));
         }
     }
 
@@ -417,7 +423,13 @@ fn auth_token_optional(
     };
 
     if mutation.is_none() {
-        cache.insert(url.clone(), (false, token.clone()));
+        cache.insert(
+            url.clone(),
+            CredentialCacheValue {
+                from_commandline: false,
+                token_value: token.to_string(),
+            },
+        );
     }
     Ok(Some(token))
 }

src/cargo/util/config/mod.rs

@@ -136,6 +136,24 @@ enum WhyLoad {
     FileDiscovery,
 }
 
+/// A previously generated authentication token and the data needed to determine if it can be reused.
+pub struct CredentialCacheValue {
+    /// If the command line was used to override the token then it must always be reused,
+    /// even if reading the configuration files would lead to a different value.
+    pub from_commandline: bool,
+    pub token_value: String,
+}
+
+impl fmt::Debug for CredentialCacheValue {
+    /// This manual implementation helps ensure that the token value is redacted from all logs.
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("CredentialCacheValue")
+            .field("from_commandline", &self.from_commandline)
+            .field("token_value", &"REDACTED")
+            .finish()
+    }
+}
+
 /// Configuration information for cargo. This is not specific to a build, it is information
 /// relating to cargo itself.
 #[derive(Debug)]
@@ -193,7 +211,7 @@ pub struct Config {
     updated_sources: LazyCell<RefCell<HashSet<SourceId>>>,
     /// Cache of credentials from configuration or credential providers.
     /// Maps from url to credential value.
-    credential_cache: LazyCell<RefCell<HashMap<CanonicalUrl, (bool, String)>>>,
+    credential_cache: LazyCell<RefCell<HashMap<CanonicalUrl, CredentialCacheValue>>>,
     /// Lock, if held, of the global package cache along with the number of
     /// acquisitions so far.
     package_cache_lock: RefCell<Option<(Option<FileLock>, usize)>>,
@@ -468,7 +486,7 @@ impl Config {
     }
 
     /// Cached credentials from credential providers or configuration.
-    pub fn credential_cache(&self) -> RefMut<'_, HashMap<CanonicalUrl, (bool, String)>> {
+    pub fn credential_cache(&self) -> RefMut<'_, HashMap<CanonicalUrl, CredentialCacheValue>> {
         self.credential_cache
             .borrow_with(|| RefCell::new(HashMap::new()))
             .borrow_mut()