feat(crates-io): expose HTTP headers and Error type #12310
Conversation
|
r? @ehuss (rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
A-interacts-with-crates.io
|
cc @Eh2406 |
weihanglo
changed the title
www-authenticate challenge www-authenticate header
| "percent-encoding", | ||
| "serde", | ||
| "serde_json", | ||
| "thiserror", |
There was a problem hiding this comment.
thiserror is already in the dependency graph. Just do we want it to appear as a direct dependency or not.
crates/crates-io/Cargo.toml
Outdated
| @@ -1,6 +1,6 @@ | |||
| [package] | |||
| name = "crates-io" | |||
| version = "0.36.1" | |||
| version = "0.37.0" | |||
There was a problem hiding this comment.
Side note: the version bump check in CI didn't work, since the new version in beta hasn't yet published. But in reality, the script should treat any version in beta as “published”.
weihanglo
force-pushed
the
asymmetric-challenge
branch
from
397b41d
to
53521cd
Compare
|
This looks good to me. @arlosi, what are your thoughts? |
|
I don't think so. At least not at this moment? This PR doesn't implement the flow mentioned above. It just pokes the return type of BTW, in this PR
Sorry I am forgetting the details of the fantastic overhaul of credential providers, could you share the doc or the working branch again? BTW if cargo unifies the interface by providing the |
According to the asymmetric tokens RFC as written, yes. (Which is not to say that it will happen in this PR.) Of course, if we discover during implementation that this is a bad idea... Implementation and RFC do not have to match. I would expect that only the most paranoid registries will intentionally use a challenge for read/index endpoints. On the other hand, implementing auth would only be made more complicated by requiring registries to have a different scheme for GET vs PUSH.
Passing along the entire header allows registries to use standards cargo doesn't know about, or invent their own. It seems like the most flexible way to provide the data. It is entirely compatible with cargo passing the data it parsed in separate fields for credential providers that are using asymmetric tokens and do not want to do their own parsing. |
Does this imply that we should just add a new field |
|
That seams reasonable. |
weihanglo
force-pushed
the
asymmetric-challenge
branch
from
53521cd
to
966a89b
Compare
weihanglo
changed the title
www-authenticate header
|
@Eh2406 thanks for the reply. This is now ready for another review! |
|
@Eh2406 Do you want to take assignment for this review? I'm happy to do a final review if you want. |
|
Sorry for the delay. This looks good. Happy to have Eric do the honours. (We need to keep the API brake in mind.) |
In response to RFC 3231 [^1], our registry client need to return headers to caller, so that the caller (cargo binary) can continue parsing challenge headers. [^1]: https://rust-lang.github.io/rfcs/3231-cargo-asymmetric-tokens.html#the-authentication-process
This removes the dependency `anyhow` and uses our own custom Error enum, so that crates-io consumer can access `Error::API::challenge` field.
Optionally use `thiserror` to reduce boilerplates but this part can be dropped if we don't want.
weihanglo
force-pushed
the
asymmetric-challenge
branch
from
966a89b
to
31b500c
Compare
|
Thanks for the reminder! Bumped to 0.38.0. |
|
@bors r=Eh2406 |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
Update cargo 8 commits in 1b15556767f4b78a64e868eedf4073c423f02b93..7ac9416d82cd4fc5e707c9ec3574d22dff6466e5 2023-07-18 14:44:47 +0000 to 2023-07-24 14:29:38 +0000 - fix(cargo-credential): should enable feature `serde/derive` (rust-lang/cargo#12396) - fix: encode URL params correctly for SourceId in Cargo.lock (rust-lang/cargo#12280) - docs: format config override caveat as a note (rust-lang/cargo#12392) - credential provider implementation (rust-lang/cargo#12334) - feat(crates-io): expose HTTP headers and Error type (rust-lang/cargo#12310) - chore: Don't update test data (rust-lang/cargo#12380) - fix: only skip mtime check on `~/.cargo/{git,registry}` (rust-lang/cargo#12369) - Update docs for artifact JSON debuginfo levels. (rust-lang/cargo#12376) Since rust-lang/cargo#12334 makes built-in credential providers part of the cargo binary, it's no longer needed to build them in bootstrap.
Update cargo 8 commits in 1b15556767f4b78a64e868eedf4073c423f02b93..7ac9416d82cd4fc5e707c9ec3574d22dff6466e5 2023-07-18 14:44:47 +0000 to 2023-07-24 14:29:38 +0000 - fix(cargo-credential): should enable feature `serde/derive` (rust-lang/cargo#12396) - fix: encode URL params correctly for SourceId in Cargo.lock (rust-lang/cargo#12280) - docs: format config override caveat as a note (rust-lang/cargo#12392) - credential provider implementation (rust-lang/cargo#12334) - feat(crates-io): expose HTTP headers and Error type (rust-lang/cargo#12310) - chore: Don't update test data (rust-lang/cargo#12380) - fix: only skip mtime check on `~/.cargo/{git,registry}` (rust-lang/cargo#12369) - Update docs for artifact JSON debuginfo levels. (rust-lang/cargo#12376) Since rust-lang/cargo#12334 makes built-in credential providers part of the cargo binary, it's no longer needed to build them in bootstrap.
What does this PR try to resolve?
This is part of #11521.
RFC 3231 mentions the authentication process could have an additional challenge-response mechanism to prevent potential replay attacks. The challenge usually comes from HTTP
www-authenticateheader as a opaque string. When a client gets a 401/403 response with such a challenge, it may attach thechallengeto the payload and request again to anwser the challenge.However,
crates-iocrate doesn't expose HTTP headers. There is no access towww-authenticateheader.This PR make it expose HTTP headers and the custom
Errortype, socargocan access and do further on the authentication process.How should we test and review this PR?
By commit.
This removes the dependency
anyhowand uses our own customErrorenum, so thatcrates-ioconsumer can accessError::API::challengefield. It optionally usesthiserrorto reduce boilerplates but this part can be dropped if we don't want.