Create dedicated unstable flag for asymmetric-token #12551

Merged
merged 1 commit into from
Aug 24, 2023
4 changes: 3 additions & 1 deletion src/cargo/core/features.rs
Expand Up @@ -718,6 +718,7 @@ unstable_cli_options!(
// All other unstable features.
// Please keep this list lexicographically ordered.
advanced_env: bool = (HIDDEN),
asymmetric_token: bool = ("Allows authenticating with asymmetric tokens"),
avoid_dev_deps: bool = ("Avoid installing dev-dependencies if possible"),
binary_dep_depinfo: bool = ("Track changes to dependency artifacts"),
bindeps: bool = ("Allow Cargo packages to depend on bin, cdylib, and staticlib crates, and use the artifacts built by those crates"),
Expand All @@ -744,7 +745,7 @@ unstable_cli_options!(
panic_abort_tests: bool = ("Enable support to run tests with -Cpanic=abort"),
profile_rustflags: bool = ("Enable the `rustflags` option in profiles in .cargo/config.toml file"),
publish_timeout: bool = ("Enable the `publish.timeout` key in .cargo/config.toml file"),
registry_auth: bool = ("Authentication for alternative registries, and generate registry authentication tokens using asymmetric cryptography"),
registry_auth: bool = ("Authentication for alternative registries"),
rustdoc_map: bool = ("Allow passing external documentation mappings to rustdoc"),
rustdoc_scrape_examples: bool = ("Allows Rustdoc to scrape code examples from reverse-dependencies"),
script: bool = ("Enable support for single-file, `.rs` packages"),
Expand Down Expand Up @@ -1087,6 +1088,7 @@ impl CliUnstable {
// Unstable features
// Sorted alphabetically:
"advanced-env" => self.advanced_env = parse_empty(k, v)?,
"asymmetric-token" => self.asymmetric_token = parse_empty(k, v)?,
"avoid-dev-deps" => self.avoid_dev_deps = parse_empty(k, v)?,
"binary-dep-depinfo" => self.binary_dep_depinfo = parse_empty(k, v)?,
"bindeps" => self.bindeps = parse_empty(k, v)?,
16 changes: 9 additions & 7 deletions src/cargo/util/auth/mod.rs
Expand Up @@ -76,9 +76,8 @@ impl RegistryConfigExtended {
/// Get the list of credential providers for a registry source.
fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult<Vec<Vec<String>>> {
let cfg = registry_credential_config_raw(config, sid)?;
let allow_cred_proc = config.cli_unstable().credential_process;
let default_providers = || {
if allow_cred_proc {
if config.cli_unstable().asymmetric_token {
// Enable the PASETO provider
vec![
vec!["cargo:token".to_string()],
Expand All @@ -90,7 +89,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult<Vec<Vec<S
};
let global_providers = config
.get::<Option<Vec<Value<String>>>>("registry.global-credential-providers")?
.filter(|p| !p.is_empty() && allow_cred_proc)
.filter(|p| !p.is_empty() && config.cli_unstable().credential_process)
.map(|p| {
p.iter()
.rev()
Expand All @@ -108,7 +107,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult<Vec<Vec<S
token,
secret_key,
..
}) if allow_cred_proc => {
}) if config.cli_unstable().credential_process => {
if let Some(token) = token {
config.shell().warn(format!(
"{sid} has a token configured in {} that will be ignored \
Expand All @@ -131,7 +130,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult<Vec<Vec<S
token: Some(token),
secret_key: Some(secret_key),
..
}) if allow_cred_proc => {
}) if config.cli_unstable().asymmetric_token => {
let token_pos = global_providers
.iter()
.position(|p| p.first().map(String::as_str) == Some("cargo:token"));
Expand Down Expand Up @@ -182,7 +181,7 @@ fn credential_provider(config: &Config, sid: &SourceId) -> CargoResult<Vec<Vec<S
Some(RegistryConfig {
secret_key: Some(token),
..
}) if allow_cred_proc => {
}) if config.cli_unstable().asymmetric_token => {
if !global_providers
.iter()
.any(|p| p.first().map(String::as_str) == Some("cargo:paseto"))
Expand Down Expand Up @@ -454,7 +453,10 @@ fn credential_action(
tracing::debug!("attempting credential provider: {args:?}");
let provider: Box<dyn Credential> = match process {
"cargo:token" => Box::new(TokenCredential::new(config)),
"cargo:paseto" => Box::new(PasetoCredential::new(config)),
"cargo:paseto" if config.cli_unstable().asymmetric_token => {
Box::new(PasetoCredential::new(config))
}
"cargo:paseto" => bail!("cargo:paseto requires -Zasymmetric-token"),
Contributor Author


We could also decide to silently skip it rather than error here.

"cargo:token-from-stdout" => Box::new(BasicProcessCredential {}),
"cargo:wincred" => Box::new(cargo_credential_wincred::WindowsCredential {}),
"cargo:macos-keychain" => Box::new(cargo_credential_macos_keychain::MacKeychain {}),
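Review bot: A `secret_key` configured for a registry that is then used without `-Zasymmetric-token` appears to be dropped without any diagnostic in `credential_provider`. Both arms that bind it (`token: Some(token), secret_key: Some(secret_key)` and `secret_key: Some(token)`) are now guarded by `config.cli_unstable().asymmetric_token`, so such a configuration falls through to arms outside these hunks. If none of them reports it, authentication can quietly proceed with a different credential than the one the user configured, which mostly affects setups that relied on `-Zcredential-process` alone before this change. I would add a warning on that path in the style of the existing token warning, e.g. `config.shell().warn(format!("{sid} has a secret_key configured that will be ignored because -Zasymmetric-token is not enabled"))?;`. The function body continues beyond the hunks shown, so this needs confirming against the remaining arms.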
4 changes: 2 additions & 2 deletions src/doc/src/reference/unstable.md
Expand Up @@ -989,7 +989,7 @@ can go to get a token.
WWW-Authenticate: Cargo login_url="https://test-registry-login/me
```

This same flag is also used to enable asymmetric authentication tokens.
### asymmetric-token
* Tracking Issue: [10519](https://github.com/rust-lang/cargo/issues/10519)
* RFC: [#3231](https://github.com/rust-lang/rfcs/pull/3231)

Expand Down Expand Up @@ -1115,7 +1115,7 @@ executed within the Cargo process. They are identified with the `cargo:` prefix.
* `CARGO_REGISTRY_INDEX_URL` --- The URL of the registry index.
* `CARGO_REGISTRY_NAME_OPT` --- Optional name of the registry. Should not be used as a storage key. Not always available.

* `cargo:paseto` - implements asymmetric token support (RFC3231) as a credential provider.
* `cargo:paseto` - implements asymmetric token support (RFC3231) as a credential provider. Requires `-Zasymmetric-token`.


`cargo-credential-1password` uses the 1password `op` CLI to store the token. You must
4 changes: 2 additions & 2 deletions tests/testsuite/credential_process.rs
Expand Up @@ -492,8 +492,8 @@ fn both_asymmetric_and_token() {
)
.unwrap();

cargo_process("login -Z credential-process -v abcdefg")
.masquerade_as_nightly_cargo(&["credential-process"])
cargo_process("login -Zasymmetric-token -v abcdefg")
.masquerade_as_nightly_cargo(&["asymmetric-token"])
.replace_crates_io(server.index_url())
.with_stderr(
r#"[UPDATING] [..]
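Review bot: No test on this page exercises the new gate from the negative side. `both_asymmetric_and_token` now passes `-Zasymmetric-token`, and every other changed test in this pull request passes the new flag as well. A case that configures `cargo:paseto` as a provider, or only a `secret_key`, without `-Zasymmetric-token` and asserts on the `cargo:paseto requires -Zasymmetric-token` error would pin down that the experimental authentication path cannot be reached without opting in. The test body extends beyond the hunk, so existing coverage elsewhere in the file cannot be ruled out.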
14 changes: 7 additions & 7 deletions tests/testsuite/login.rs
Expand Up @@ -197,8 +197,8 @@ fn bad_asymmetric_token_args() {
.build();

// These cases are kept brief as the implementation is covered by clap, so this is only smoke testing that we have clap configured correctly.
cargo_process("login -Zcredential-process -- --key-subject")
.masquerade_as_nightly_cargo(&["credential-process"])
cargo_process("login -Zcredential-process -Zasymmetric-token -- --key-subject")
.masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"])
.replace_crates_io(registry.index_url())
.with_stderr_contains(
" error: a value is required for '--key-subject <SUBJECT>' but none was supplied",
Expand Down Expand Up @@ -228,7 +228,7 @@ fn login_with_asymmetric_token_and_subject_on_stdin() {
.no_configure_token()
.build();
let credentials = credentials_toml();
cargo_process("login -v -Z credential-process -- --key-subject=foo")
cargo_process("login -v -Z credential-process -Z asymmetric-token -- --key-subject=foo")
.masquerade_as_nightly_cargo(&["credential-process"])
.replace_crates_io(registry.index_url())
.with_stderr_contains(
Expand Down Expand Up @@ -286,8 +286,8 @@ fn login_with_asymmetric_token_on_stdin() {
.no_configure_token()
.build();
let credentials = credentials_toml();
cargo_process("login -vZ credential-process --registry alternative")
.masquerade_as_nightly_cargo(&["credential-process"])
cargo_process("login -vZ credential-process -Z asymmetric-token --registry alternative")
.masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"])
.with_stderr(
"\
[UPDATING] [..]
Expand All @@ -308,8 +308,8 @@ fn login_with_generate_asymmetric_token() {
.no_configure_token()
.build();
let credentials = credentials_toml();
cargo_process("login -Z credential-process --registry alternative")
.masquerade_as_nightly_cargo(&["credential-process"])
cargo_process("login -Z credential-process -Z asymmetric-token --registry alternative")
.masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"])
.with_stderr("[UPDATING] `alternative` index\nk3.public.[..]")
.run();
let credentials = fs::read_to_string(&credentials).unwrap();
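Review bot: `login_with_asymmetric_token_and_subject_on_stdin` (second hunk) adds `-Z asymmetric-token` to the command line but still calls `.masquerade_as_nightly_cargo(&["credential-process"])`, whereas the other three tests changed in this file list both features. Assuming the list exists to record which unstable features a test depends on, it should read `.masquerade_as_nightly_cargo(&["credential-process", "asymmetric-token"])` so the test is found when the flag is stabilised or removed. The test bodies start and end outside the hunks.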
8 changes: 4 additions & 4 deletions tests/testsuite/owner.rs
Expand Up @@ -117,8 +117,8 @@ fn simple_add_with_asymmetric() {
// The http_api server will check that the authorization is correct.
// If the authorization was not sent then we would get an unauthorized error.
p.cargo("owner -a username")
.arg("-Zcredential-process")
.masquerade_as_nightly_cargo(&["credential-process"])
.arg("-Zasymmetric-token")
.masquerade_as_nightly_cargo(&["asymmetric-token"])
.replace_crates_io(registry.index_url())
.with_status(0)
.run();
Expand Down Expand Up @@ -184,9 +184,9 @@ fn simple_remove_with_asymmetric() {
// The http_api server will check that the authorization is correct.
// If the authorization was not sent then we would get an unauthorized error.
p.cargo("owner -r username")
.arg("-Zcredential-process")
.arg("-Zasymmetric-token")
.replace_crates_io(registry.index_url())
.masquerade_as_nightly_cargo(&["credential-process"])
.masquerade_as_nightly_cargo(&["asymmetric-token"])
.with_status(0)
.run();
}
4 changes: 2 additions & 2 deletions tests/testsuite/publish.rs
Expand Up @@ -194,8 +194,8 @@ fn simple_publish_with_asymmetric() {
.file("src/main.rs", "fn main() {}")
.build();

p.cargo("publish --no-verify -Zcredential-process --registry dummy-registry")
.masquerade_as_nightly_cargo(&["credential-process"])
p.cargo("publish --no-verify -Zasymmetric-token --registry dummy-registry")
.masquerade_as_nightly_cargo(&["asymmetric-token"])
.with_stderr(
"\
[UPDATING] `dummy-registry` index
5 changes: 3 additions & 2 deletions tests/testsuite/registry_auth.rs
Expand Up @@ -6,9 +6,10 @@ use cargo_test_support::{project, Execs, Project};

fn cargo(p: &Project, s: &str) -> Execs {
let mut e = p.cargo(s);
e.masquerade_as_nightly_cargo(&["registry-auth", "credential-process"])
e.masquerade_as_nightly_cargo(&["registry-auth", "credential-process", "asymmetric-token"])
.arg("-Zregistry-auth")
.arg("-Zcredential-process");
.arg("-Zcredential-process")
.arg("-Zasymmetric-token");
e
}

8 changes: 4 additions & 4 deletions tests/testsuite/yank.rs
Expand Up @@ -76,14 +76,14 @@ fn explicit_version_with_asymmetric() {
// The http_api server will check that the authorization is correct.
// If the authorization was not sent then we would get an unauthorized error.
p.cargo("yank --version 0.0.1")
.arg("-Zcredential-process")
.masquerade_as_nightly_cargo(&["credential-process"])
.arg("-Zasymmetric-token")
.masquerade_as_nightly_cargo(&["asymmetric-token"])
.replace_crates_io(registry.index_url())
.run();

p.cargo("yank --undo --version 0.0.1")
.arg("-Zcredential-process")
.masquerade_as_nightly_cargo(&["credential-process"])
.arg("-Zasymmetric-token")
.masquerade_as_nightly_cargo(&["asymmetric-token"])
.replace_crates_io(registry.index_url())
.run();
}