feat: Copy in lookup logic from conda (temporarily)

mattkram · mattkram · commit 15bdaa9d65f0 · 2025-12-10T10:32:29.000-06:00
diff --git a/src/anaconda_auth/_conda/auth_handler.py b/src/anaconda_auth/_conda/auth_handler.py
@@ -4,6 +4,7 @@
 
 """
 
+from fnmatch import fnmatch
 from functools import lru_cache
 from typing import Any
 from typing import Optional
@@ -39,18 +40,38 @@ def _load_settings_for_channel(channel_name: str) -> dict[str, Any]:
     """Find the correct channel settings from conda's configuration."""
     # TODO(mattkram): Open conda issue to see if we can pass this into the AuthHandler
     #                 as part of the plugin protocol.
-    for settings in global_context.channel_settings:
-        settings_channel = settings.get("channel")
 
-        # TODO(mattkram): This is not robust as it assumes the glob pattern
-        if settings_channel.endswith("/*"):
-            prefix = settings_channel[:-2]
-            if channel_name.startswith(prefix):
-                return settings
+    # The following implementation has been copied from conda. Ideally, we can receive
+    # the settings in the plugin instantiation.
 
-    # TODO(mattkram): How should we handle this?
-    return {}
-    raise ValueError(f"Couldn't find the settings for channel {channel_name}")
+    # We ensure here if there are duplicates defined, we choose the last one
+    channel_settings = {}
+    for settings in global_context.channel_settings:
+        channel = settings.get("channel", "")
+        if channel == channel_name:
+            # First we check for exact match
+            channel_settings = settings
+            continue
+
+        # If we don't have an exact match, we attempt to match a URL pattern
+        # The following was adjusted since we have channel name and not a URL
+        parsed_url = urlparse(channel_name)
+        if not parsed_url.scheme or not parsed_url.netloc:
+            continue
+
+        parsed_setting = urlparse(channel)
+
+        # We require that the schemes must be identical to prevent downgrade attacks.
+        # This includes the case of a scheme-less pattern like "*", which is not allowed.
+        if parsed_setting.scheme != parsed_url.scheme:
+            continue
+
+        url_without_schema = parsed_url.netloc + parsed_url.path
+        pattern = parsed_setting.netloc + parsed_setting.path
+        if fnmatch(url_without_schema, pattern):
+            channel_settings = settings
+
+    return channel_settings
 
 
 class AnacondaAuthHandlerOverrides(BaseModel):
