Private registry authorization stops working when Cargo's HTTP settings are changed #12524

Open
@babinskiy

Description

Problem

In our current setup, we have a private registry hosted on cloudsmith.io, and we utilize git-credentials authorization to access the repository successfully. However, we have encountered a couple of issues that we need to address.

When we attempt to modify some Cargo parameters, the authorization process stops working.

user@ubuntu2204-amd64-build:~/repo$ cargo fetch
    Updating crates.io index
    Updating `private` index
warning: spurious network error (50 tries remaining): failed to receive HTTP 200 response: got 401; class=Net (12)
warning: spurious network error (49 tries remaining): failed to receive HTTP 200 response: got 401; class=Net (12)

Steps

  1. Add a private registry that requires authentication:
...
[registries.private]
index = "https://dl.cloudsmith.io/basic/myacc/private/cargo/index.git"
...
  2. Configure cloudsmith.io authentication as described here: https://help.cloudsmith.io/docs/cargo-registry#registry-setup
git config --global credential.helper store
echo "https://USERNAME:API-KEY@dl.cloudsmith.io" > ~/.git-credentials
  3. Change some default parameters. I have only tried a few, and I'm not sure if any of these parameters will break the authentication. Parameters can be added in different ways, either in config.toml or as an environment variable:
[http]
timeout = 10

or

export CARGO_HTTP_TIMEOUT=10
  4. Run cargo fetch:
ubuntu@ubuntu2204-amd64-build:~/repo$ cargo fetch
    Updating crates.io index
    Updating `private` index
warning: spurious network error (50 tries remaining): failed to receive HTTP 200 response: got 401; class=Net (12)
warning: spurious network error (49 tries remaining): failed to receive HTTP 200 response: got 401; class=Net (12)
^C

Possible Solution(s)

There is a workaround - putting the authentication token in the repo's URL, as described here: https://help.cloudsmith.io/docs/cargo-registry#registry-setup

[registries.OWNER-REPOSITORY]
index = "https://dl.cloudsmith.io/TOKEN/OWNER/REPOSITORY/cargo/"

However, it is important to note that this approach is insecure and may result in token leakage.

Notes

I played with different parameters:

  • http.timeout
  • http.multiplexing
  • http.debug

It always breaks authentication.

Version

cargo 1.71.0 (cfd3bbd8f 2023-06-08)
release: 1.71.0
commit-hash: cfd3bbd8fe4fd92074dfad04b7eb9a923646839f
commit-date: 2023-06-08
host: x86_64-unknown-linux-gnu
libgit2: 1.6.4 (sys:0.17.1 vendored)
libcurl: 8.0.1-DEV (sys:0.4.61+curl-8.0.1 vendored ssl:OpenSSL/1.1.1t)
ssl: OpenSSL 1.1.1t  7 Feb 2023
os: Ubuntu 22.04 (jammy) [64-bit]
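
The workaround above moves the secret into the registry index URL, which is what makes it leak-prone. The following is an added example, not part of the original issue or of Cargo: a check that flags `[registries.NAME]` index URLs in a Cargo config that embed a secret and reports them redacted. It assumes, from the two URL forms in the issue, that on `dl.cloudsmith.io` the first path segment is either a fixed word or a token; the function names and sample values are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: first path segments that mean "no token in this URL". "basic" is
# the form shown in the issue; "public" is assumed for open repositories.
NON_SECRET_PREFIXES = {"basic", "public"}
SECTION = re.compile(r'^\s*\[(.+?)\]\s*$')
INDEX = re.compile(r'^\s*index\s*=\s*"([^"]*)"')
# Constructed sample config; the token and key values are made up.
SAMPLE = '''
[registries.private]
index = "https://dl.cloudsmith.io/basic/myacc/private/cargo/index.git"
[registries.leaky]
index = "https://dl.cloudsmith.io/EXAMPLE-TOKEN/myacc/private/cargo/"
[registries.userinfo]
index = "https://user:EXAMPLE-KEY@dl.cloudsmith.io/basic/myacc/private/cargo/index.git"
[http]
timeout = 10
'''

def check_index_url(url):
    """Return (reason, redacted_url) if the URL embeds a secret, else None."""
    p = urlsplit(url)
    if p.username or p.password:
        host = p.hostname + (f":{p.port}" if p.port else "")
        return "userinfo in URL", urlunsplit(p._replace(netloc="***@" + host))
    segs = p.path.split("/")  # the leading "/" makes segs[0] == ""
    if p.hostname == "dl.cloudsmith.io" and len(segs) > 1 and segs[1] \
            and segs[1] not in NON_SECRET_PREFIXES:
        segs[1] = "***"
        return "token in URL path", urlunsplit(p._replace(path="/".join(segs)))
    return None

def scan_cargo_config(text):
    """List (registry, reason, redacted_url); parses table headers, not inline tables."""
    findings, registry = [], None
    for line in text.splitlines():
        if (m := SECTION.match(line)):
            name = m.group(1)
            registry = name[len("registries."):] if name.startswith("registries.") else None
        elif registry and (m := INDEX.match(line)):
            hit = check_index_url(m.group(1))
            if hit:
                findings.append((registry, *hit))
    return findings

if __name__ == "__main__":
    for registry, reason, url in scan_cargo_config(SAMPLE):
        print(f"{registry}: {reason}: {url}")
```

The same `check_index_url` function can be applied to values of `CARGO_REGISTRIES_<NAME>_INDEX` environment variables in CI job definitions.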

Labels

  • A-git (Area: anything dealing with git)
  • A-registry-authentication (Area: registry authentication and authorization (authn authz))
  • C-bug (Category: bug)
  • S-blocked-external (Status: ❌ blocked on something out of the direct control of the Cargo project, e.g., upstream fix)