Remove support for authentication and .netrc

Fixes #9327 Closes #9343. PiperOrigin-RevId: 267568221
bazelbuild · Sep 6, 2019 · a0e3bb2 · a0e3bb2
1 parent 255650c
commit a0e3bb2
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 462 deletions.
diff --git a/...java/com/google/devtools/build/lib/bazel/repository/skylark/SkylarkRepositoryContext.java b/...java/com/google/devtools/build/lib/bazel/repository/skylark/SkylarkRepositoryContext.java
@@ -80,7 +80,6 @@
 import java.nio.charset.StandardCharsets;
 import java.time.Duration;
 import java.util.ArrayList;
-import java.util.Base64;
 import java.util.List;
 import java.util.Map;
 
@@ -965,7 +964,9 @@ public void enforceLabelAttributes() throws EvalException, InterruptedException
   }
 
   /**
-   * From an authentication dict extract a map of headers.
+   * From an authentication dict extract a map of headers. Due to
+   * https://github.com/bazelbuild/bazel/issues/9327, this fucntion does the validation of the
+   * <code>auth</code> map, but always returns an empty set of headers.
    *
    * <p>Given a dict as provided as "auth" argument, compute a map specifying for each URI provided
    * which additional headers (as usual, represented as a map from Strings to Strings) should
@@ -976,7 +977,6 @@ public void enforceLabelAttributes() throws EvalException, InterruptedException
   private static Map<URI, Map<String, String>> getAuthHeaders(
       SkylarkDict<String, SkylarkDict<Object, Object>> auth)
       throws RepositoryFunctionException, EvalException {
-    ImmutableMap.Builder<URI, Map<String, String>> headers = new ImmutableMap.Builder<>();
     for (Map.Entry<String, SkylarkDict<Object, Object>> entry : auth.entrySet()) {
       try {
         URL url = new URL(entry.getKey());
@@ -990,14 +990,7 @@ private static Map<URI, Map<String, String>> getAuthHeaders(
                       + entry.getKey()
                       + " without 'login' and 'password' being provided.");
             }
-            String credentials = authMap.get("login") + ":" + authMap.get("password");
-            headers.put(
-                url.toURI(),
-                ImmutableMap.<String, String>of(
-                    "Authorization",
-                    "Basic "
-                        + Base64.getEncoder()
-                            .encodeToString(credentials.getBytes(StandardCharsets.UTF_8))));
+            url.toURI(); // for URL validation.
           }
         }
       } catch (MalformedURLException e) {
@@ -1006,6 +999,7 @@ private static Map<URI, Map<String, String>> getAuthHeaders(
         throw new EvalException(null, e.getMessage());
       }
     }
-    return headers.build();
+    // TODO(https://github.com/bazelbuild/bazel/issues/9327)
+    return ImmutableMap.of();
   }
 }
diff --git a/...com/google/devtools/build/lib/skylarkbuildapi/repository/SkylarkRepositoryContextApi.java b/...com/google/devtools/build/lib/skylarkbuildapi/repository/SkylarkRepositoryContextApi.java
@@ -405,7 +405,7 @@ public void patch(Object patchFile, Integer strip, Location location)
             type = SkylarkDict.class,
             defaultValue = "{}",
             named = true,
-            doc = "An optional dict specifying authentication information for some of the URLs."),
+            doc = "Has no effect; do not use."),
         @Param(
             name = "integrity",
             type = String.class,
@@ -560,7 +560,7 @@ public void extract(Object archive, Object output, String stripPrefix, Location
             type = SkylarkDict.class,
             defaultValue = "{}",
             named = true,
-            doc = "An optional dict specifying authentication information for some of the URLs."),
+            doc = "Has no effect; do not use."),
         @Param(
             name = "integrity",
             type = String.class,

diff --git a/src/test/shell/bazel/skylark_repository_test.sh b/src/test/shell/bazel/skylark_repository_test.sh
@@ -1551,226 +1551,6 @@ EOF
   expect_log "//:b.bzl"
 }
 
-function test_auth_provided() {
-  mkdir x
-  echo 'exports_files(["file.txt"])' > x/BUILD
-  echo 'Hello World' > x/file.txt
-  tar cvf x.tar x
-  sha256="$(sha256sum x.tar | head -c 64)"
-  serve_file_auth x.tar
-  cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF
-load("//:auth.bzl", "with_auth")
-with_auth(
-  name="ext",
-  url = "http://127.0.0.1:$nc_port/x.tar",
-  sha256 = "$sha256",
-)
-EOF
-  cat > auth.bzl <<'EOF'
-def _impl(ctx):
-  ctx.download_and_extract(
-    url = ctx.attr.url,
-    sha256 = ctx.attr.sha256,
-    # Use the username/password pair hard-coded
-    # in the testing server.
-    auth = {ctx.attr.url : { "type": "basic",
-                            "login" : "foo",
-                            "password" : "bar"}}
-  )
-
-with_auth = repository_rule(
-  implementation = _impl,
-  attrs = { "url" : attr.string(), "sha256" : attr.string() }
-)
-EOF
-  cat > BUILD <<'EOF'
-genrule(
-  name = "it",
-  srcs = ["@ext//x:file.txt"],
-  outs = ["it.txt"],
-  cmd = "cp $< $@",
-)
-EOF
-  bazel build //:it \
-      || fail "Expected success despite needing a file behind basic auth"
-}
-
-function test_netrc_reading() {
-  # Write a badly formated, but correct, .netrc file
-  cat > .netrc <<'EOF'
-machine ftp.example.com
-macdef init
-cd pub
-mget *
-quit
-
-machine example.com login
-myusername password mysecret default
-login anonymous password myusername@example.com
-EOF
-  # We expect that `read_netrc` can parse this file...
-  cat > def.bzl <<'EOF'
-load("@bazel_tools//tools/build_defs/repo:utils.bzl", "read_netrc")
-def _impl(ctx):
-  rc = read_netrc(ctx, ctx.attr.path)
-  ctx.file("data.bzl", "netrc = %s" % (rc,))
-  ctx.file("BUILD", "")
-  ctx.file("WORKSPACE", "")
-
-netrcrepo = repository_rule(
-  implementation = _impl,
-  attrs = {"path": attr.string()},
-)
-EOF
-  cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF
-load("//:def.bzl", "netrcrepo")
-
-netrcrepo(name = "netrc", path="$(pwd)/.netrc")
-EOF
-  # ...and that from the parse result, we can read off the
-  # credentials for example.com.
-  cat > BUILD <<'EOF'
-load("@netrc//:data.bzl", "netrc")
-
-[genrule(
-  name = name,
-  outs = [ "%s.txt" % (name,)],
-  cmd = "echo %s > $@" % (netrc["example.com"][name],),
-) for name in ["login", "password"]]
-EOF
-  bazel build //:login //:password
-  grep 'myusername' `bazel info bazel-genfiles`/login.txt \
-       || fail "Username not parsed correctly"
-  grep 'mysecret' `bazel info bazel-genfiles`/password.txt \
-       || fail "Password not parsed correctly"
-
-  # Also check the precise value of parsed file
-  cat > expected.bzl <<'EOF'
-expected = {
-  "ftp.example.com" : { "macdef init" : "cd pub\nmget *\nquit\n" },
-  "example.com" : { "login" : "myusername",
-                    "password" : "mysecret",
-                  },
-  "" : { "login": "anonymous",
-          "password" : "myusername@example.com" },
-}
-EOF
-  cat > verify.bzl <<'EOF'
-load("@netrc//:data.bzl", "netrc")
-load("//:expected.bzl", "expected")
-
-def check_equal_expected():
-  print("Parsed value:   %s" % (netrc,))
-  print("Expected value: %s" % (expected,))
-  if netrc == expected:
-    return "OK"
-  else:
-    return "BAD"
-EOF
-  cat > BUILD <<'EOF'
-load ("//:verify.bzl", "check_equal_expected")
-genrule(
-  name = "check_expected",
-  outs = ["check_expected.txt"],
-  cmd = "echo %s > $@" % (check_equal_expected(),)
-)
-EOF
-  bazel build //:check_expected
-  grep 'OK' `bazel info bazel-genfiles`/check_expected.txt \
-       || fail "Parsed dict not equal to expected value"
-}
-
-function test_use_netrc() {
-    # Test the starlark utility function use_netrc.
-  cat > .netrc <<'EOF'
-machine foo.example.org
-login foousername
-password foopass
-
-machine bar.example.org
-login barusername
-password passbar
-EOF
-  # Read a given .netrc file and combine it with a list of URL,
-  # and write the obtained authentication dicionary to disk; this
-  # is not the intended way of using, but makes testing easy.
-  cat > def.bzl <<'EOF'
-load("@bazel_tools//tools/build_defs/repo:utils.bzl", "read_netrc", "use_netrc")
-def _impl(ctx):
-  rc = read_netrc(ctx, ctx.attr.path)
-  auth = use_netrc(rc, ctx.attr.urls)
-  ctx.file("data.bzl", "auth = %s" % (auth,))
-  ctx.file("BUILD", "")
-  ctx.file("WORKSPACE", "")
-
-authrepo = repository_rule(
-  implementation = _impl,
-  attrs = {"path": attr.string(),
-           "urls": attr.string_list()
-  },
-)
-EOF
-  cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF
-load("//:def.bzl", "authrepo")
-
-authrepo(
-  name = "auth",
-  path="$(pwd)/.netrc",
-  urls = [
-    "http://example.org/public/null.tar",
-    "https://foo.example.org/file1.tar",
-    "https://foo.example.org:8080/file2.tar",
-    "https://bar.example.org/file3.tar",
-    "https://evil.com/bar.example.org/file4.tar",
-  ],
-)
-EOF
-  # Here dicts give us the correct notion of equality, so we can simply
-  # compare against the expected value.
-  cat > expected.bzl <<'EOF'
-expected = {
-    "https://foo.example.org/file1.tar" : {
-      "type" : "basic",
-      "login": "foousername",
-      "password" : "foopass",
-    },
-    "https://foo.example.org:8080/file2.tar" : {
-      "type" : "basic",
-      "login": "foousername",
-      "password" : "foopass",
-    },
-    "https://bar.example.org/file3.tar" : {
-      "type" : "basic",
-      "login": "barusername",
-      "password" : "passbar",
-    },
-}
-EOF
-  cat > verify.bzl <<'EOF'
-load("@auth//:data.bzl", "auth")
-load("//:expected.bzl", "expected")
-
-def check_equal_expected():
-  print("Computed value: %s" % (auth,))
-  print("Expected value: %s" % (expected,))
-  if auth == expected:
-    return "OK"
-  else:
-    return "BAD"
-EOF
-  cat > BUILD <<'EOF'
-load ("//:verify.bzl", "check_equal_expected")
-genrule(
-  name = "check_expected",
-  outs = ["check_expected.txt"],
-  cmd = "echo %s > $@" % (check_equal_expected(),)
-)
-EOF
-  bazel build //:check_expected
-  grep 'OK' `bazel info bazel-genfiles`/check_expected.txt \
-       || fail "Authentication merged incorrectly"
-}
-
 function test_disallow_unverified_http() {
   mkdir x
   echo 'exports_files(["file.txt"])' > x/BUILD
@@ -1819,74 +1599,4 @@ function tear_down() {
   true
 }
 
-function test_http_archive_netrc() {
-  mkdir x
-  echo 'exports_files(["file.txt"])' > x/BUILD
-  echo 'Hello World' > x/file.txt
-  tar cvf x.tar x
-  sha256=$(sha256sum x.tar | head -c 64)
-  serve_file_auth x.tar
-  cat > WORKSPACE <<EOF
-load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-http_archive(
-  name="ext",
-  url = "http://127.0.0.1:$nc_port/x.tar",
-  netrc = "$(pwd)/.netrc",
-  sha256="$sha256",
-)
-EOF
-  cat > .netrc <<'EOF'
-machine 127.0.0.1
-login foo
-password bar
-EOF
-  cat > BUILD <<'EOF'
-genrule(
-  name = "it",
-  srcs = ["@ext//x:file.txt"],
-  outs = ["it.txt"],
-  cmd = "cp $< $@",
-)
-EOF
-  bazel build //:it \
-      || fail "Expected success despite needing a file behind basic auth"
-}
-
-function test_implicit_netrc() {
-  mkdir x
-  echo 'exports_files(["file.txt"])' > x/BUILD
-  echo 'Hello World' > x/file.txt
-  tar cvf x.tar x
-  sha256=$(sha256sum x.tar | head -c 64)
-  serve_file_auth x.tar
-
-  export HOME=`pwd`
-  cat > .netrc <<'EOF'
-machine 127.0.0.1
-login foo
-password bar
-EOF
-
-  mkdir main
-  cd main
-  cat > WORKSPACE <<EOF
-load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-http_archive(
-  name="ext",
-  url = "http://127.0.0.1:$nc_port/x.tar",
-  sha256="$sha256",
-)
-EOF
-  cat > BUILD <<'EOF'
-genrule(
-  name = "it",
-  srcs = ["@ext//x:file.txt"],
-  outs = ["it.txt"],
-  cmd = "cp $< $@",
-)
-EOF
-  bazel build //:it \
-      || fail "Expected success despite needing a file behind basic auth"
-}
-
 run_suite "local repository tests"