Drop HTTP Basic auth from cassette-fetch path

jeandet · jeandet · commit ea15685a1dbb · 2026-05-11T20:39:44.000+02:00
The cassette hosting at sciqlop.lpp.polytechnique.fr/data/speasy_cassettes/
is now public-read. Cassettes are content-addressed by sha256 — URLs
are unguessable for outsiders and any tampering is caught on download
via the existing hash verification in _fetch_cassette.

Practical benefits:
- Fork PRs can run the cassette-replaying unit tier (previously
  blocked: GitHub Actions doesn't expose repo secrets to fork PRs).
- New contributors need no credential setup to run the tests.
- CI workflows lose the SPEASY_CASSETTE_FETCH_USER/PASSWORD env
  injection (no longer needed).

Cassettes are still scrubbed (Set-Cookie response headers and AMDA
auth.php hash response bodies) by the before_record_response callback
in vcr_config, so no session/credential material reaches the cassette
content itself.
diff --git a/.github/workflows/contract.yml b/.github/workflows/contract.yml
@@ -21,8 +21,6 @@ jobs:
       SPEASY_CORE_DISABLED_PROVIDERS: "cdpp3dview"
       SPEASY_CORE_HTTP_REWRITE_RULES: '{"https://thisserver_does_not_exists.lpp.polytechnique.fr/pub/":"http://sciqlop.lpp.polytechnique.fr/cdaweb-data/pub/"}'
       SPEASY_CORE_HTTP_USER_AGENT: "speasy-test-github-actions"
-      SPEASY_CASSETTE_FETCH_USER: ${{ secrets.SPEASY_CASSETTE_FETCH_USER }}
-      SPEASY_CASSETTE_FETCH_PASSWORD: ${{ secrets.SPEASY_CASSETTE_FETCH_PASSWORD }}
 
     steps:
     - uses: actions/checkout@v6
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -16,8 +16,6 @@ jobs:
       SPEASY_AMDA_USERNAME: ${{ secrets.SPEASY_AMDA_USERNAME }}
       SPEASY_AMDA_PASSWORD: ${{ secrets.SPEASY_AMDA_PASSWORD }}
       SPEASY_CORE_DISABLED_PROVIDERS: "cdpp3dview"
-      SPEASY_CASSETTE_FETCH_USER: ${{ secrets.SPEASY_CASSETTE_FETCH_USER }}
-      SPEASY_CASSETTE_FETCH_PASSWORD: ${{ secrets.SPEASY_CASSETTE_FETCH_PASSWORD }}
 
     runs-on: ${{ matrix.os }}
     strategy:
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -9,8 +9,6 @@ jobs:
   unit:
     env:
       SPEASY_CORE_DISABLED_PROVIDERS: "cdpp3dview"
-      SPEASY_CASSETTE_FETCH_USER: ${{ secrets.SPEASY_CASSETTE_FETCH_USER }}
-      SPEASY_CASSETTE_FETCH_PASSWORD: ${{ secrets.SPEASY_CASSETTE_FETCH_PASSWORD }}
 
     runs-on: ${{ matrix.os }}
     strategy:
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -110,13 +110,12 @@ Ready to contribute? Here's how to set up `Speasy` for local development.
    pytest's conftest reads ``tests/cassettes_manifest.json``, fetches
    any missing cassettes from
    ``https://sciqlop.lpp.polytechnique.fr/data/speasy_cassettes/``
-   (HTTP Basic auth, credentials in env vars
-   ``SPEASY_CASSETTE_FETCH_USER`` and ``SPEASY_CASSETTE_FETCH_PASSWORD``,
-   or ``~/.netrc``), and decompresses them to ``tests/cassettes/``.
+   (public read, no auth — files are content-addressed by sha256,
+   making the URLs unguessable for outsiders and tamper-evident on
+   download), and decompresses them to ``tests/cassettes/``.
 
-   To run the unit tier locally, set those env vars in your shell or
-   add a machine entry for ``sciqlop.lpp.polytechnique.fr`` to your
-   ``~/.netrc``. Ask a maintainer for read credentials.
+   To run the unit tier locally: no setup needed beyond a working
+   internet connection.
 
    To add or update a cassette (maintainer-only)::
 
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -31,7 +31,6 @@
 import numpy as np
 import pytest
 import requests
-from requests.auth import HTTPBasicAuth
 
 
 # ---------------------------------------------------------------------------
@@ -58,7 +57,12 @@
 
 
 def _fetch_cassette(sha: str) -> Path:
-    """Download a cassette by its content hash, cache locally, return path to .yaml.gz."""
+    """Download a cassette by its content hash, cache locally, return path to .yaml.gz.
+
+    Cassettes are served publicly (no auth) at CASSETTE_BASE_URL. Content
+    addressing (sha256) makes the file names unguessable for outsiders
+    and tamper-evident on download.
+    """
     cached = LOCAL_CACHE / f"{sha}.yaml.gz"
     if cached.exists():
         # Verify integrity (defensive — corrupted cache yields a clear error).
@@ -68,19 +72,9 @@ def _fetch_cassette(sha: str) -> Path:
             return cached
         cached.unlink()
 
-    user = os.environ.get("SPEASY_CASSETTE_FETCH_USER")
-    password = os.environ.get("SPEASY_CASSETTE_FETCH_PASSWORD")
-    if not user or not password:
-        raise RuntimeError(
-            f"Cannot fetch cassette {sha[:12]}...: "
-            "SPEASY_CASSETTE_FETCH_USER and SPEASY_CASSETTE_FETCH_PASSWORD env "
-            "vars must be set (or use ~/.netrc with a 'machine "
-            "sciqlop.lpp.polytechnique.fr' entry)."
-        )
-
     url = f"{CASSETTE_BASE_URL}/{sha}.yaml.gz"
     LOCAL_CACHE.mkdir(parents=True, exist_ok=True)
-    response = requests.get(url, auth=HTTPBasicAuth(user, password), timeout=60)
+    response = requests.get(url, timeout=60)
     response.raise_for_status()
 
     decompressed = gzip.decompress(response.content)
