-
Notifications
You must be signed in to change notification settings - Fork 4.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Readd support for authentication and .netrc
Now that the root cause of #9327 is fixed in e38d838. This reverts commit a0e3bb2. Closes #9388. PiperOrigin-RevId: 270263985
- Loading branch information
1 parent
40fa815
commit c3d73f7
Showing
5 changed files
with
462 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1551,6 +1551,226 @@ EOF | |
expect_log "//:b.bzl" | ||
} | ||
|
||
function test_auth_provided() { | ||
mkdir x | ||
echo 'exports_files(["file.txt"])' > x/BUILD | ||
echo 'Hello World' > x/file.txt | ||
tar cvf x.tar x | ||
sha256="$(sha256sum x.tar | head -c 64)" | ||
serve_file_auth x.tar | ||
cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF | ||
load("//:auth.bzl", "with_auth") | ||
with_auth( | ||
name="ext", | ||
url = "http://127.0.0.1:$nc_port/x.tar", | ||
sha256 = "$sha256", | ||
) | ||
EOF | ||
cat > auth.bzl <<'EOF' | ||
def _impl(ctx): | ||
ctx.download_and_extract( | ||
url = ctx.attr.url, | ||
sha256 = ctx.attr.sha256, | ||
# Use the username/password pair hard-coded | ||
# in the testing server. | ||
auth = {ctx.attr.url : { "type": "basic", | ||
"login" : "foo", | ||
"password" : "bar"}} | ||
) | ||
with_auth = repository_rule( | ||
implementation = _impl, | ||
attrs = { "url" : attr.string(), "sha256" : attr.string() } | ||
) | ||
EOF | ||
cat > BUILD <<'EOF' | ||
genrule( | ||
name = "it", | ||
srcs = ["@ext//x:file.txt"], | ||
outs = ["it.txt"], | ||
cmd = "cp $< $@", | ||
) | ||
EOF | ||
bazel build //:it \ | ||
|| fail "Expected success despite needing a file behind basic auth" | ||
} | ||
|
||
function test_netrc_reading() { | ||
# Write a badly formated, but correct, .netrc file | ||
cat > .netrc <<'EOF' | ||
machine ftp.example.com | ||
macdef init | ||
cd pub | ||
mget * | ||
quit | ||
machine example.com login | ||
myusername password mysecret default | ||
login anonymous password [email protected] | ||
EOF | ||
# We expect that `read_netrc` can parse this file... | ||
cat > def.bzl <<'EOF' | ||
load("@bazel_tools//tools/build_defs/repo:utils.bzl", "read_netrc") | ||
def _impl(ctx): | ||
rc = read_netrc(ctx, ctx.attr.path) | ||
ctx.file("data.bzl", "netrc = %s" % (rc,)) | ||
ctx.file("BUILD", "") | ||
ctx.file("WORKSPACE", "") | ||
netrcrepo = repository_rule( | ||
implementation = _impl, | ||
attrs = {"path": attr.string()}, | ||
) | ||
EOF | ||
cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF | ||
load("//:def.bzl", "netrcrepo") | ||
netrcrepo(name = "netrc", path="$(pwd)/.netrc") | ||
EOF | ||
# ...and that from the parse result, we can read off the | ||
# credentials for example.com. | ||
cat > BUILD <<'EOF' | ||
load("@netrc//:data.bzl", "netrc") | ||
[genrule( | ||
name = name, | ||
outs = [ "%s.txt" % (name,)], | ||
cmd = "echo %s > $@" % (netrc["example.com"][name],), | ||
) for name in ["login", "password"]] | ||
EOF | ||
bazel build //:login //:password | ||
grep 'myusername' `bazel info bazel-genfiles`/login.txt \ | ||
|| fail "Username not parsed correctly" | ||
grep 'mysecret' `bazel info bazel-genfiles`/password.txt \ | ||
|| fail "Password not parsed correctly" | ||
|
||
# Also check the precise value of parsed file | ||
cat > expected.bzl <<'EOF' | ||
expected = { | ||
"ftp.example.com" : { "macdef init" : "cd pub\nmget *\nquit\n" }, | ||
"example.com" : { "login" : "myusername", | ||
"password" : "mysecret", | ||
}, | ||
"" : { "login": "anonymous", | ||
"password" : "[email protected]" }, | ||
} | ||
EOF | ||
cat > verify.bzl <<'EOF' | ||
load("@netrc//:data.bzl", "netrc") | ||
load("//:expected.bzl", "expected") | ||
def check_equal_expected(): | ||
print("Parsed value: %s" % (netrc,)) | ||
print("Expected value: %s" % (expected,)) | ||
if netrc == expected: | ||
return "OK" | ||
else: | ||
return "BAD" | ||
EOF | ||
cat > BUILD <<'EOF' | ||
load ("//:verify.bzl", "check_equal_expected") | ||
genrule( | ||
name = "check_expected", | ||
outs = ["check_expected.txt"], | ||
cmd = "echo %s > $@" % (check_equal_expected(),) | ||
) | ||
EOF | ||
bazel build //:check_expected | ||
grep 'OK' `bazel info bazel-genfiles`/check_expected.txt \ | ||
|| fail "Parsed dict not equal to expected value" | ||
} | ||
|
||
function test_use_netrc() { | ||
# Test the starlark utility function use_netrc. | ||
cat > .netrc <<'EOF' | ||
machine foo.example.org | ||
login foousername | ||
password foopass | ||
machine bar.example.org | ||
login barusername | ||
password passbar | ||
EOF | ||
# Read a given .netrc file and combine it with a list of URL, | ||
# and write the obtained authentication dicionary to disk; this | ||
# is not the intended way of using, but makes testing easy. | ||
cat > def.bzl <<'EOF' | ||
load("@bazel_tools//tools/build_defs/repo:utils.bzl", "read_netrc", "use_netrc") | ||
def _impl(ctx): | ||
rc = read_netrc(ctx, ctx.attr.path) | ||
auth = use_netrc(rc, ctx.attr.urls) | ||
ctx.file("data.bzl", "auth = %s" % (auth,)) | ||
ctx.file("BUILD", "") | ||
ctx.file("WORKSPACE", "") | ||
authrepo = repository_rule( | ||
implementation = _impl, | ||
attrs = {"path": attr.string(), | ||
"urls": attr.string_list() | ||
}, | ||
) | ||
EOF | ||
cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF | ||
load("//:def.bzl", "authrepo") | ||
authrepo( | ||
name = "auth", | ||
path="$(pwd)/.netrc", | ||
urls = [ | ||
"http://example.org/public/null.tar", | ||
"https://foo.example.org/file1.tar", | ||
"https://foo.example.org:8080/file2.tar", | ||
"https://bar.example.org/file3.tar", | ||
"https://evil.com/bar.example.org/file4.tar", | ||
], | ||
) | ||
EOF | ||
# Here dicts give us the correct notion of equality, so we can simply | ||
# compare against the expected value. | ||
cat > expected.bzl <<'EOF' | ||
expected = { | ||
"https://foo.example.org/file1.tar" : { | ||
"type" : "basic", | ||
"login": "foousername", | ||
"password" : "foopass", | ||
}, | ||
"https://foo.example.org:8080/file2.tar" : { | ||
"type" : "basic", | ||
"login": "foousername", | ||
"password" : "foopass", | ||
}, | ||
"https://bar.example.org/file3.tar" : { | ||
"type" : "basic", | ||
"login": "barusername", | ||
"password" : "passbar", | ||
}, | ||
} | ||
EOF | ||
cat > verify.bzl <<'EOF' | ||
load("@auth//:data.bzl", "auth") | ||
load("//:expected.bzl", "expected") | ||
def check_equal_expected(): | ||
print("Computed value: %s" % (auth,)) | ||
print("Expected value: %s" % (expected,)) | ||
if auth == expected: | ||
return "OK" | ||
else: | ||
return "BAD" | ||
EOF | ||
cat > BUILD <<'EOF' | ||
load ("//:verify.bzl", "check_equal_expected") | ||
genrule( | ||
name = "check_expected", | ||
outs = ["check_expected.txt"], | ||
cmd = "echo %s > $@" % (check_equal_expected(),) | ||
) | ||
EOF | ||
bazel build //:check_expected | ||
grep 'OK' `bazel info bazel-genfiles`/check_expected.txt \ | ||
|| fail "Authentication merged incorrectly" | ||
} | ||
|
||
function test_disallow_unverified_http() { | ||
mkdir x | ||
echo 'exports_files(["file.txt"])' > x/BUILD | ||
|
@@ -1599,4 +1819,74 @@ function tear_down() { | |
true | ||
} | ||
|
||
function test_http_archive_netrc() { | ||
mkdir x | ||
echo 'exports_files(["file.txt"])' > x/BUILD | ||
echo 'Hello World' > x/file.txt | ||
tar cvf x.tar x | ||
sha256=$(sha256sum x.tar | head -c 64) | ||
serve_file_auth x.tar | ||
cat > WORKSPACE <<EOF | ||
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") | ||
http_archive( | ||
name="ext", | ||
url = "http://127.0.0.1:$nc_port/x.tar", | ||
netrc = "$(pwd)/.netrc", | ||
sha256="$sha256", | ||
) | ||
EOF | ||
cat > .netrc <<'EOF' | ||
machine 127.0.0.1 | ||
login foo | ||
password bar | ||
EOF | ||
cat > BUILD <<'EOF' | ||
genrule( | ||
name = "it", | ||
srcs = ["@ext//x:file.txt"], | ||
outs = ["it.txt"], | ||
cmd = "cp $< $@", | ||
) | ||
EOF | ||
bazel build //:it \ | ||
|| fail "Expected success despite needing a file behind basic auth" | ||
} | ||
|
||
function test_implicit_netrc() { | ||
mkdir x | ||
echo 'exports_files(["file.txt"])' > x/BUILD | ||
echo 'Hello World' > x/file.txt | ||
tar cvf x.tar x | ||
sha256=$(sha256sum x.tar | head -c 64) | ||
serve_file_auth x.tar | ||
|
||
export HOME=`pwd` | ||
cat > .netrc <<'EOF' | ||
machine 127.0.0.1 | ||
login foo | ||
password bar | ||
EOF | ||
|
||
mkdir main | ||
cd main | ||
cat > WORKSPACE <<EOF | ||
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") | ||
http_archive( | ||
name="ext", | ||
url = "http://127.0.0.1:$nc_port/x.tar", | ||
sha256="$sha256", | ||
) | ||
EOF | ||
cat > BUILD <<'EOF' | ||
genrule( | ||
name = "it", | ||
srcs = ["@ext//x:file.txt"], | ||
outs = ["it.txt"], | ||
cmd = "cp $< $@", | ||
) | ||
EOF | ||
bazel build //:it \ | ||
|| fail "Expected success despite needing a file behind basic auth" | ||
} | ||
|
||
run_suite "local repository tests" |
Oops, something went wrong.