Skip to content

Commit

Permalink
Readd support for authentication and .netrc
Browse files Browse the repository at this point in the history
Now that the root cause of #9327 is fixed in e38d838.

This reverts commit a0e3bb2.

Closes #9388.

PiperOrigin-RevId: 270263985
  • Loading branch information
aehlig authored and copybara-github committed Sep 20, 2019
1 parent 40fa815 commit c3d73f7
Show file tree
Hide file tree
Showing 5 changed files with 462 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;

Expand Down Expand Up @@ -964,9 +965,7 @@ public void enforceLabelAttributes() throws EvalException, InterruptedException
}

/**
* From an authentication dict extract a map of headers. Due to
* https://github.com/bazelbuild/bazel/issues/9327, this fucntion does the validation of the
* <code>auth</code> map, but always returns an empty set of headers.
* From an authentication dict extract a map of headers.
*
* <p>Given a dict as provided as "auth" argument, compute a map specifying for each URI provided
* which additional headers (as usual, represented as a map from Strings to Strings) should
Expand All @@ -977,6 +976,7 @@ public void enforceLabelAttributes() throws EvalException, InterruptedException
private static Map<URI, Map<String, String>> getAuthHeaders(
SkylarkDict<String, SkylarkDict<Object, Object>> auth)
throws RepositoryFunctionException, EvalException {
ImmutableMap.Builder<URI, Map<String, String>> headers = new ImmutableMap.Builder<>();
for (Map.Entry<String, SkylarkDict<Object, Object>> entry : auth.entrySet()) {
try {
URL url = new URL(entry.getKey());
Expand All @@ -990,7 +990,14 @@ private static Map<URI, Map<String, String>> getAuthHeaders(
+ entry.getKey()
+ " without 'login' and 'password' being provided.");
}
url.toURI(); // for URL validation.
String credentials = authMap.get("login") + ":" + authMap.get("password");
headers.put(
url.toURI(),
ImmutableMap.<String, String>of(
"Authorization",
"Basic "
+ Base64.getEncoder()
.encodeToString(credentials.getBytes(StandardCharsets.UTF_8))));
}
}
} catch (MalformedURLException e) {
Expand All @@ -999,7 +1006,6 @@ private static Map<URI, Map<String, String>> getAuthHeaders(
throw new EvalException(null, e.getMessage());
}
}
// TODO(https://github.com/bazelbuild/bazel/issues/9327)
return ImmutableMap.of();
return headers.build();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -405,7 +405,7 @@ public void patch(Object patchFile, Integer strip, Location location)
type = SkylarkDict.class,
defaultValue = "{}",
named = true,
doc = "Has no effect; do not use."),
doc = "An optional dict specifying authentication information for some of the URLs."),
@Param(
name = "integrity",
type = String.class,
Expand Down Expand Up @@ -560,7 +560,7 @@ public void extract(Object archive, Object output, String stripPrefix, Location
type = SkylarkDict.class,
defaultValue = "{}",
named = true,
doc = "Has no effect; do not use."),
doc = "An optional dict specifying authentication information for some of the URLs."),
@Param(
name = "integrity",
type = String.class,
Expand Down
290 changes: 290 additions & 0 deletions src/test/shell/bazel/skylark_repository_test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -1551,6 +1551,226 @@ EOF
expect_log "//:b.bzl"
}

function test_auth_provided() {
mkdir x
echo 'exports_files(["file.txt"])' > x/BUILD
echo 'Hello World' > x/file.txt
tar cvf x.tar x
sha256="$(sha256sum x.tar | head -c 64)"
serve_file_auth x.tar
cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF
load("//:auth.bzl", "with_auth")
with_auth(
name="ext",
url = "http://127.0.0.1:$nc_port/x.tar",
sha256 = "$sha256",
)
EOF
cat > auth.bzl <<'EOF'
def _impl(ctx):
ctx.download_and_extract(
url = ctx.attr.url,
sha256 = ctx.attr.sha256,
# Use the username/password pair hard-coded
# in the testing server.
auth = {ctx.attr.url : { "type": "basic",
"login" : "foo",
"password" : "bar"}}
)
with_auth = repository_rule(
implementation = _impl,
attrs = { "url" : attr.string(), "sha256" : attr.string() }
)
EOF
cat > BUILD <<'EOF'
genrule(
name = "it",
srcs = ["@ext//x:file.txt"],
outs = ["it.txt"],
cmd = "cp $< $@",
)
EOF
bazel build //:it \
|| fail "Expected success despite needing a file behind basic auth"
}

function test_netrc_reading() {
# Write a badly formated, but correct, .netrc file
cat > .netrc <<'EOF'
machine ftp.example.com
macdef init
cd pub
mget *
quit
machine example.com login
myusername password mysecret default
login anonymous password [email protected]
EOF
# We expect that `read_netrc` can parse this file...
cat > def.bzl <<'EOF'
load("@bazel_tools//tools/build_defs/repo:utils.bzl", "read_netrc")
def _impl(ctx):
rc = read_netrc(ctx, ctx.attr.path)
ctx.file("data.bzl", "netrc = %s" % (rc,))
ctx.file("BUILD", "")
ctx.file("WORKSPACE", "")
netrcrepo = repository_rule(
implementation = _impl,
attrs = {"path": attr.string()},
)
EOF
cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF
load("//:def.bzl", "netrcrepo")
netrcrepo(name = "netrc", path="$(pwd)/.netrc")
EOF
# ...and that from the parse result, we can read off the
# credentials for example.com.
cat > BUILD <<'EOF'
load("@netrc//:data.bzl", "netrc")
[genrule(
name = name,
outs = [ "%s.txt" % (name,)],
cmd = "echo %s > $@" % (netrc["example.com"][name],),
) for name in ["login", "password"]]
EOF
bazel build //:login //:password
grep 'myusername' `bazel info bazel-genfiles`/login.txt \
|| fail "Username not parsed correctly"
grep 'mysecret' `bazel info bazel-genfiles`/password.txt \
|| fail "Password not parsed correctly"

# Also check the precise value of parsed file
cat > expected.bzl <<'EOF'
expected = {
"ftp.example.com" : { "macdef init" : "cd pub\nmget *\nquit\n" },
"example.com" : { "login" : "myusername",
"password" : "mysecret",
},
"" : { "login": "anonymous",
"password" : "[email protected]" },
}
EOF
cat > verify.bzl <<'EOF'
load("@netrc//:data.bzl", "netrc")
load("//:expected.bzl", "expected")
def check_equal_expected():
print("Parsed value: %s" % (netrc,))
print("Expected value: %s" % (expected,))
if netrc == expected:
return "OK"
else:
return "BAD"
EOF
cat > BUILD <<'EOF'
load ("//:verify.bzl", "check_equal_expected")
genrule(
name = "check_expected",
outs = ["check_expected.txt"],
cmd = "echo %s > $@" % (check_equal_expected(),)
)
EOF
bazel build //:check_expected
grep 'OK' `bazel info bazel-genfiles`/check_expected.txt \
|| fail "Parsed dict not equal to expected value"
}

function test_use_netrc() {
# Test the starlark utility function use_netrc.
cat > .netrc <<'EOF'
machine foo.example.org
login foousername
password foopass
machine bar.example.org
login barusername
password passbar
EOF
# Read a given .netrc file and combine it with a list of URL,
# and write the obtained authentication dicionary to disk; this
# is not the intended way of using, but makes testing easy.
cat > def.bzl <<'EOF'
load("@bazel_tools//tools/build_defs/repo:utils.bzl", "read_netrc", "use_netrc")
def _impl(ctx):
rc = read_netrc(ctx, ctx.attr.path)
auth = use_netrc(rc, ctx.attr.urls)
ctx.file("data.bzl", "auth = %s" % (auth,))
ctx.file("BUILD", "")
ctx.file("WORKSPACE", "")
authrepo = repository_rule(
implementation = _impl,
attrs = {"path": attr.string(),
"urls": attr.string_list()
},
)
EOF
cat >> $(create_workspace_with_default_repos WORKSPACE) <<EOF
load("//:def.bzl", "authrepo")
authrepo(
name = "auth",
path="$(pwd)/.netrc",
urls = [
"http://example.org/public/null.tar",
"https://foo.example.org/file1.tar",
"https://foo.example.org:8080/file2.tar",
"https://bar.example.org/file3.tar",
"https://evil.com/bar.example.org/file4.tar",
],
)
EOF
# Here dicts give us the correct notion of equality, so we can simply
# compare against the expected value.
cat > expected.bzl <<'EOF'
expected = {
"https://foo.example.org/file1.tar" : {
"type" : "basic",
"login": "foousername",
"password" : "foopass",
},
"https://foo.example.org:8080/file2.tar" : {
"type" : "basic",
"login": "foousername",
"password" : "foopass",
},
"https://bar.example.org/file3.tar" : {
"type" : "basic",
"login": "barusername",
"password" : "passbar",
},
}
EOF
cat > verify.bzl <<'EOF'
load("@auth//:data.bzl", "auth")
load("//:expected.bzl", "expected")
def check_equal_expected():
print("Computed value: %s" % (auth,))
print("Expected value: %s" % (expected,))
if auth == expected:
return "OK"
else:
return "BAD"
EOF
cat > BUILD <<'EOF'
load ("//:verify.bzl", "check_equal_expected")
genrule(
name = "check_expected",
outs = ["check_expected.txt"],
cmd = "echo %s > $@" % (check_equal_expected(),)
)
EOF
bazel build //:check_expected
grep 'OK' `bazel info bazel-genfiles`/check_expected.txt \
|| fail "Authentication merged incorrectly"
}

function test_disallow_unverified_http() {
mkdir x
echo 'exports_files(["file.txt"])' > x/BUILD
Expand Down Expand Up @@ -1599,4 +1819,74 @@ function tear_down() {
true
}

function test_http_archive_netrc() {
mkdir x
echo 'exports_files(["file.txt"])' > x/BUILD
echo 'Hello World' > x/file.txt
tar cvf x.tar x
sha256=$(sha256sum x.tar | head -c 64)
serve_file_auth x.tar
cat > WORKSPACE <<EOF
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
name="ext",
url = "http://127.0.0.1:$nc_port/x.tar",
netrc = "$(pwd)/.netrc",
sha256="$sha256",
)
EOF
cat > .netrc <<'EOF'
machine 127.0.0.1
login foo
password bar
EOF
cat > BUILD <<'EOF'
genrule(
name = "it",
srcs = ["@ext//x:file.txt"],
outs = ["it.txt"],
cmd = "cp $< $@",
)
EOF
bazel build //:it \
|| fail "Expected success despite needing a file behind basic auth"
}

function test_implicit_netrc() {
mkdir x
echo 'exports_files(["file.txt"])' > x/BUILD
echo 'Hello World' > x/file.txt
tar cvf x.tar x
sha256=$(sha256sum x.tar | head -c 64)
serve_file_auth x.tar

export HOME=`pwd`
cat > .netrc <<'EOF'
machine 127.0.0.1
login foo
password bar
EOF

mkdir main
cd main
cat > WORKSPACE <<EOF
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
name="ext",
url = "http://127.0.0.1:$nc_port/x.tar",
sha256="$sha256",
)
EOF
cat > BUILD <<'EOF'
genrule(
name = "it",
srcs = ["@ext//x:file.txt"],
outs = ["it.txt"],
cmd = "cp $< $@",
)
EOF
bazel build //:it \
|| fail "Expected success despite needing a file behind basic auth"
}

run_suite "local repository tests"
Loading

0 comments on commit c3d73f7

Please sign in to comment.