Skip to content

[6.0] Use bearer auth for binaryTarget or packages from a package registry #7670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[6.0] Use bearer auth for binaryTarget or packages from a package registry #7670

wants to merge 1 commit into from

Conversation

pwallrich
Copy link
Contributor

@pwallrich pwallrich commented Jun 16, 2024
edited by MaxDesiatov
Loading

Explanation: Use bearer auth when pulling binary targets or a package from a package registry and the user is token. The issue is that package-registry and binaryArtifact have an auth logic that behaves differently.
Scope: Authorization Header generation when pulling dependencies
Original PR: #7662
Risk: Users named token can't use basic auth anymore
Testing: Unit Test for testing correct Auth Header is generated
Reviewer: @MaxDesiatov

@pwallrich
Fix: use bearer auth when pulling binaryTarget or packages from a pac…
02a2896 
…kage registry (swiftlang#7662)

Use bearer auth when pulling binary targets or a package from a package
registry and the user is `token`.

### Motivation:

When logging in to a package registry bearer auth works. However when
fetching binaryTargets or pulling packages from a registry basic auth is
used always.

This either breaks services that don't use basic auth or leads to nasty
workarounds like first creating a netrc file with "token" as the user
and after login changing the user back to the actual user. Assuming that
basic auth is allowed with an identiy token.


### Modifications:

Check if the user is `token` when creating the authorization header and
use Bearer auth in these cases.

### Result:

When the user is `token` the `Authorization` header will be set to
`Bearer {{access_token}}` instead of `Basic token:{{access_token}}`.

Before:
<img width="698" alt="Screenshot 2024-06-13 at 22 49 08"
src="https://github.com/apple/swift-package-manager/assets/13999931/0f3eef32-55e3-417f-b129-c138ca452b08">

After:
<img width="699" alt="Screenshot 2024-06-13 at 22 48 38"
src="https://github.com/apple/swift-package-manager/assets/13999931/d98daaa7-1535-40d0-96ea-a6736f5d1e3e">
@pwallrich pwallrich requested a review from a team as a code owner June 16, 2024 11:37
@pwallrich pwallrich changed the title Fix: use bearer auth when pulling binaryTarget or packages from a pac… [6.0] Bearer auth cherry picked Jun 16, 2024
@MaxDesiatov
Copy link
Contributor

MaxDesiatov commented Jun 16, 2024
edited
Loading

@pwallrich On a second read, would you be able to point out a place in either the registry spec or any bearer auth specs that specify that token user should work this way? At a glance I'm unable to find supporting documentation for this.

@MaxDesiatov
Copy link
Contributor

I assume it's this registry auth SE subsection, but waiting for a review from the SE author on the original PR to confirm that the behavior is correct.

@MaxDesiatov MaxDesiatov requested a review from yim-lee June 16, 2024 22:07
@MaxDesiatov MaxDesiatov changed the title [6.0] Bearer auth cherry picked [6.0] Use bearer auth when pulling binaryTarget or packages from a package registry Jun 17, 2024
@MaxDesiatov MaxDesiatov changed the title [6.0] Use bearer auth when pulling binaryTarget or packages from a package registry [6.0] Use bearer auth for binaryTarget or packages from a package registry Jun 17, 2024
@pwallrich
Copy link
Contributor Author

So the token as a username comes from swift package-registry login {{url}} --token {{access-token}} which creates a keychain or netrc entry that uses token as the user.

i.E

machine {{url}} login token password {{access-token}}

Fetching packages from the package-registry works, since the package-registry uses the configuration to decide whether Bearer or Basic Auth should be used.

If you try to pull a binaryTarget from the same server that your package-registry is on it won't work since it uses basic auth with the username token and there's no way to specify that bearer auth should be used afaik.

So basically the issue is that package-registry and binaryArtifact have an auth logic that behaves differently.

Sidenote:
What makes it even harder to test is that xcodebuild -resolvePackageDependencies seems to have a bug and ignores the type of auth from the package-registry completely and just uses basic auth.

@MaxDesiatov
Copy link
Contributor

MaxDesiatov commented Jun 18, 2024
edited
Loading

I think I've merged the original PR on main too soon, I would like your input in comments of #7662. If we don't get a clarification, we might need to revert it on main to restore the status quo in an abundance of caution.

@MaxDesiatov
Copy link
Contributor

Closing, as this is reverted on main until a better solution is found: #7811

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yim-lee yim-lee Awaiting requested review from yim-lee

Assignees

@bnbarham bnbarham

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pwallrich @MaxDesiatov @bnbarham