From 8c13e9ae3fc758f5298d9e150ed404d7808a7f6e Mon Sep 17 00:00:00 2001 From: Arlo Siemsen Date: Thu, 24 Aug 2023 00:12:50 -0500 Subject: [PATCH] Create dedicated unstable flag for asymmetric-token --- src/cargo/core/features.rs | 4 +++- src/cargo/util/auth/mod.rs | 16 +++++++++------- src/doc/src/reference/unstable.md | 4 ++-- tests/testsuite/credential_process.rs | 4 ++-- tests/testsuite/login.rs | 14 +++++++------- tests/testsuite/owner.rs | 8 ++++---- tests/testsuite/publish.rs | 4 ++-- tests/testsuite/registry_auth.rs | 5 +++-- tests/testsuite/yank.rs | 8 ++++---- 9 files changed, 36 insertions(+), 31 deletions(-) diff --git a/src/cargo/core/features.rs b/src/cargo/core/features.rs index 9b99d5a1573..ea6560edea7 100644 --- a/src/cargo/core/features.rs +++ b/src/cargo/core/features.rs @@ -718,6 +718,7 @@ unstable_cli_options!( // All other unstable features. // Please keep this list lexicographically ordered. advanced_env: bool = (HIDDEN), + asymmetric_token: bool = ("Allows authenticating with asymmetric tokens"), avoid_dev_deps: bool = ("Avoid installing dev-dependencies if possible"), binary_dep_depinfo: bool = ("Track changes to dependency artifacts"), bindeps: bool = ("Allow Cargo packages to depend on bin, cdylib, and staticlib crates, and use the artifacts built by those crates"), 
@@ -744,7 +745,7 @@ unstable_cli_options!( panic_abort_tests: bool = ("Enable support to run tests with -Cpanic=abort"), profile_rustflags: bool = ("Enable the `rustflags` option in profiles in .cargo/config.toml file"), publish_timeout: bool = ("Enable the `publish.timeout` key in .cargo/config.toml file"), - registry_auth: bool = ("Authentication for alternative registries, and generate registry authentication tokens using asymmetric cryptography"), + registry_auth: bool = ("Authentication for alternative registries"), rustdoc_map: bool = ("Allow passing external documentation mappings to rustdoc"), rustdoc_scrape_examples: bool = ("Allows Rustdoc to scrape code examples from reverse-dependencies"), script: bool = ("Enable support for single-file, `.rs` packages"), @@ -1087,6 +1088,7 @@ impl CliUnstable { // Unstable features // Sorted alphabetically: "advanced-env" => self.advanced_env = parse_empty(k, v)?, + "asymmetric-token" => self.asymmetric_token = parse_empty(k, v)?, "avoid-dev-deps" => self.avoid_dev_deps = parse_empty(k, v)?, "binary-dep-depinfo" => self.binary_dep_depinfo = parse_empty(k, v)?, "bindeps" => self.bindeps = parse_empty(k, v)?, diff --git a/src/cargo/util/auth/mod.rs b/src/cargo/util/auth/mod.rs index 60a356fa093..91f55b7f9c0 100644 --- a/src/cargo/util/auth/mod.rs +++ b/src/cargo/util/auth/mod.rs @@ -76,9 +76,8 @@ impl RegistryConfigExtended { /// Get the list of credential providers for a registry source. fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult>> { let cfg = registry_credential_config_raw(config, sid)?; - let allow_cred_proc = config.cli_unstable().credential_process; let default_providers = || { - if allow_cred_proc { + if config.cli_unstable().asymmetric_token { // Enable the PASETO provider vec![ vec!["cargo:token".to_string()], 
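Review bot: In the `@@ -76,9 +76,8` hunk of src/cargo/util/auth/mod.rs, dropping the `allow_cred_proc` binding means each gate in `credential_provider` is now spelled out as `config.cli_unstable().…` at its point of use, and the later hunks mix two different flags that way. Binding the flag set once, e.g. `let unstable = config.cli_unstable();`, and reading `unstable.asymmetric_token` / `unstable.credential_process` would make a missed or swapped guard easier to spot in review. The function's doc comment could also state the split that the hunks show: `/// The built-in defaults include cargo:paseto only under -Zasymmetric-token; providers taken from configuration require -Zcredential-process.` The function body continues outside this hunk.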
@@ -90,7 +89,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult>>>("registry.global-credential-providers")? - .filter(|p| !p.is_empty() && allow_cred_proc) + .filter(|p| !p.is_empty() && config.cli_unstable().credential_process) .map(|p| { p.iter() .rev() @@ -108,7 +107,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult { + }) if config.cli_unstable().credential_process => { if let Some(token) = token { config.shell().warn(format!( "{sid} has a token configured in {} that will be ignored \ @@ -131,7 +130,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult { + }) if config.cli_unstable().asymmetric_token => { let token_pos = global_providers .iter() .position(|p| p.first().map(String::as_str) == Some("cargo:token")); @@ -182,7 +181,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult { + }) if config.cli_unstable().asymmetric_token => { if !global_providers .iter() .any(|p| p.first().map(String::as_str) == Some("cargo:paseto")) @@ -454,7 +453,10 @@ fn credential_action( tracing::debug!("attempting credential provider: {args:?}"); let provider: Box = match process { "cargo:token" => Box::new(TokenCredential::new(config)), - "cargo:paseto" => Box::new(PasetoCredential::new(config)), + "cargo:paseto" if config.cli_unstable().asymmetric_token => { + Box::new(PasetoCredential::new(config)) + } + "cargo:paseto" => bail!("cargo:paseto requires -Zasymmetric-token"), "cargo:token-from-stdout" => Box::new(BasicProcessCredential {}), "cargo:wincred" => Box::new(cargo_credential_wincred::WindowsCredential {}), "cargo:macos-keychain" => Box::new(cargo_credential_macos_keychain::MacKeychain {}), diff --git a/src/doc/src/reference/unstable.md b/src/doc/src/reference/unstable.md index 55084f88e64..f3a8f162974 100644 --- a/src/doc/src/reference/unstable.md +++ b/src/doc/src/reference/unstable.md 
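Review bot: In the `@@ -131,7 +130,7` and `@@ -182,7 +181,7` hunks the arms are now guarded by `asymmetric_token`, so a registry whose configuration matches them but is used without `-Zasymmetric-token` skips both arms and falls through to code outside these hunks. The patterns themselves are not visible here; judging by the `cargo:token` / `cargo:paseto` lookups in the arm bodies, these look like the arms that handle a configured asymmetric key. If so, it is worth confirming that the fall-through path tells the user the key is being ignored rather than quietly authenticating with a different credential. If that is intended, a comment above the arms would record it, e.g. `// Only considered under -Zasymmetric-token; without the flag this arm is skipped.`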
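Review bot: Nothing in this patch exercises the new `"cargo:paseto" => bail!("cargo:paseto requires -Zasymmetric-token")` arm in `credential_action` (`@@ -454,7 +453,10`); every touched test adds the flag rather than omitting it. This arm is what keeps the unstable provider behind its gate when the name comes from configuration: the `@@ -90,7 +89,7` hunk admits `registry.global-credential-providers` entries under `-Zcredential-process` alone, so a `cargo:paseto` entry appears able to reach this match without the new flag. A negative test that configures `cargo:paseto`, passes only `-Zcredential-process`, and asserts the `cargo:paseto requires -Zasymmetric-token` message would pin the gate against later refactors. The match continues outside the hunk.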
@@ -989,7 +989,7 @@ can go to get a token. WWW-Authenticate: Cargo login_url="https://test-registry-login/me ``` -This same flag is also used to enable asymmetric authentication tokens. +### asymmetric-token * Tracking Issue: [10519](https://github.com/rust-lang/cargo/issues/10519) * RFC: [#3231](https://github.com/rust-lang/rfcs/pull/3231) @@ -1115,7 +1115,7 @@ executed within the Cargo process. They are identified with the `cargo:` prefix. * `CARGO_REGISTRY_INDEX_URL` --- The URL of the registry index. * `CARGO_REGISTRY_NAME_OPT` --- Optional name of the registry. Should not be used as a storage key. Not always available. -* `cargo:paseto` - implements asymmetric token support (RFC3231) as a credential provider. +* `cargo:paseto` - implements asymmetric token support (RFC3231) as a credential provider. Requires `-Zasymmetric-token`. `cargo-credential-1password` uses the 1password `op` CLI to store the token. You must diff --git a/tests/testsuite/credential_process.rs b/tests/testsuite/credential_process.rs index c010c01cd66..a5439039600 100644 --- a/tests/testsuite/credential_process.rs +++ b/tests/testsuite/credential_process.rs @@ -492,8 +492,8 @@ fn both_asymmetric_and_token() { ) .unwrap(); - cargo_process("login -Z credential-process -v abcdefg") - .masquerade_as_nightly_cargo(&["credential-process"]) + cargo_process("login -Zasymmetric-token -v abcdefg") + .masquerade_as_nightly_cargo(&["asymmetric-token"]) .replace_crates_io(server.index_url()) .with_stderr( r#"[UPDATING] [..] diff --git a/tests/testsuite/login.rs b/tests/testsuite/login.rs index 16bd29dce12..9b84c541e47 100644 --- a/tests/testsuite/login.rs +++ b/tests/testsuite/login.rs 
@@ -197,8 +197,8 @@ fn bad_asymmetric_token_args() { .build(); // These cases are kept brief as the implementation is covered by clap, so this is only smoke testing that we have clap configured correctly. - cargo_process("login -Zcredential-process -- --key-subject") - .masquerade_as_nightly_cargo(&["credential-process"]) + cargo_process("login -Zcredential-process -Zasymmetric-token -- --key-subject") + .masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"]) .replace_crates_io(registry.index_url()) .with_stderr_contains( " error: a value is required for '--key-subject ' but none was supplied", @@ -228,7 +228,7 @@ fn login_with_asymmetric_token_and_subject_on_stdin() { .no_configure_token() .build(); let credentials = credentials_toml(); - cargo_process("login -v -Z credential-process -- --key-subject=foo") + cargo_process("login -v -Z credential-process -Z asymmetric-token -- --key-subject=foo") .masquerade_as_nightly_cargo(&["credential-process"]) .replace_crates_io(registry.index_url()) .with_stderr_contains( @@ -286,8 +286,8 @@ fn login_with_asymmetric_token_on_stdin() { .no_configure_token() .build(); let credentials = credentials_toml(); - cargo_process("login -vZ credential-process --registry alternative") - .masquerade_as_nightly_cargo(&["credential-process"]) + cargo_process("login -vZ credential-process -Z asymmetric-token --registry alternative") + .masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"]) .with_stderr( "\ [UPDATING] [..] 
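Review bot: In `login_with_asymmetric_token_and_subject_on_stdin` (`@@ -228,7 +228,7`) the command line gains `-Z asymmetric-token`, but the unchanged `.masquerade_as_nightly_cargo(&["credential-process"])` line below it still lists only one feature. The other login.rs hunks in this patch update both lines together. For consistency, and so a search for tests that depend on the flag finds this one, the context line should become `.masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"])`.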
@@ -308,8 +308,8 @@ fn login_with_generate_asymmetric_token() { .no_configure_token() .build(); let credentials = credentials_toml(); - cargo_process("login -Z credential-process --registry alternative") - .masquerade_as_nightly_cargo(&["credential-process"]) + cargo_process("login -Z credential-process -Z asymmetric-token --registry alternative") + .masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"]) .with_stderr("[UPDATING] `alternative` index\nk3.public.[..]") .run(); let credentials = fs::read_to_string(&credentials).unwrap(); diff --git a/tests/testsuite/owner.rs b/tests/testsuite/owner.rs index 7b38bcc5ebb..fc0e0b5c4e2 100644 --- a/tests/testsuite/owner.rs +++ b/tests/testsuite/owner.rs @@ -117,8 +117,8 @@ fn simple_add_with_asymmetric() { // The http_api server will check that the authorization is correct. // If the authorization was not sent then we would get an unauthorized error. p.cargo("owner -a username") - .arg("-Zcredential-process") - .masquerade_as_nightly_cargo(&["credential-process"]) + .arg("-Zasymmetric-token") + .masquerade_as_nightly_cargo(&["asymmetric-token"]) .replace_crates_io(registry.index_url()) .with_status(0) .run(); @@ -184,9 +184,9 @@ fn simple_remove_with_asymmetric() { // The http_api server will check that the authorization is correct. // If the authorization was not sent then we would get an unauthorized error. p.cargo("owner -r username") - .arg("-Zcredential-process") + .arg("-Zasymmetric-token") .replace_crates_io(registry.index_url()) - .masquerade_as_nightly_cargo(&["credential-process"]) + .masquerade_as_nightly_cargo(&["asymmetric-token"]) .with_status(0) .run(); } diff --git a/tests/testsuite/publish.rs b/tests/testsuite/publish.rs index 50ad697d59f..91e212fe259 100644 --- a/tests/testsuite/publish.rs +++ b/tests/testsuite/publish.rs 
@@ -194,8 +194,8 @@ fn simple_publish_with_asymmetric() { .file("src/main.rs", "fn main() {}") .build(); - p.cargo("publish --no-verify -Zcredential-process --registry dummy-registry") - .masquerade_as_nightly_cargo(&["credential-process"]) + p.cargo("publish --no-verify -Zasymmetric-token --registry dummy-registry") + .masquerade_as_nightly_cargo(&["asymmetric-token"]) .with_stderr( "\ [UPDATING] `dummy-registry` index diff --git a/tests/testsuite/registry_auth.rs b/tests/testsuite/registry_auth.rs index 4422c638a16..9f127669df3 100644 --- a/tests/testsuite/registry_auth.rs +++ b/tests/testsuite/registry_auth.rs @@ -6,9 +6,10 @@ use cargo_test_support::{project, Execs, Project}; fn cargo(p: &Project, s: &str) -> Execs { let mut e = p.cargo(s); - e.masquerade_as_nightly_cargo(&["registry-auth", "credential-process"]) + e.masquerade_as_nightly_cargo(&["registry-auth", "credential-process", "asymmetric-token"]) .arg("-Zregistry-auth") - .arg("-Zcredential-process"); + .arg("-Zcredential-process") + .arg("-Zasymmetric-token"); e } diff --git a/tests/testsuite/yank.rs b/tests/testsuite/yank.rs index c0bd2477600..9aff2fc8421 100644 --- a/tests/testsuite/yank.rs +++ b/tests/testsuite/yank.rs @@ -76,14 +76,14 @@ fn explicit_version_with_asymmetric() { // The http_api server will check that the authorization is correct. // If the authorization was not sent then we would get an unauthorized error. p.cargo("yank --version 0.0.1") - .arg("-Zcredential-process") - .masquerade_as_nightly_cargo(&["credential-process"]) + .arg("-Zasymmetric-token") + .masquerade_as_nightly_cargo(&["asymmetric-token"]) .replace_crates_io(registry.index_url()) .run(); p.cargo("yank --undo --version 0.0.1") - .arg("-Zcredential-process") - .masquerade_as_nightly_cargo(&["credential-process"]) + .arg("-Zasymmetric-token") + .masquerade_as_nightly_cargo(&["asymmetric-token"]) .replace_crates_io(registry.index_url()) .run(); }
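Review bot: In tests/testsuite/registry_auth.rs the shared `cargo()` helper now passes `-Zasymmetric-token` to every test in the file, alongside the two flags it already set. Tests that never use an asymmetric token therefore no longer show that `-Zregistry-auth` works without it, which is the separation this patch introduces. Consider keeping the helper at its previous two flags and adding `.arg("-Zasymmetric-token")` only in the tests that need it, or adding a second helper for those. If the blanket flag is intentional, a comment on the helper would say so, e.g. `// All three flags are enabled here; gating of each flag is tested elsewhere.`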