fix: Remove hard-code and implement real behavior

mattkram · mattkram · commit 3c1f39fad689 · 2025-12-10T22:54:57.000-06:00
diff --git a/src/anaconda_auth/_conda/auth_handler.py b/src/anaconda_auth/_conda/auth_handler.py
@@ -4,6 +4,7 @@
 
 """
 
+from fnmatch import fnmatch
 from functools import lru_cache
 from typing import Any
 from typing import NamedTuple
@@ -12,6 +13,7 @@
 from urllib.parse import urlparse
 
 from conda import CondaError
+from conda.base.context import context as conda_context
 from conda.plugins.types import ChannelAuthBase
 from requests import PreparedRequest
 from requests import Response
@@ -41,7 +43,47 @@ class AnacondaAuthError(CondaError):
 
 
 def _load_channel_settings(channel_name: str) -> dict[str, Any]:
-    return {"auth_domain": "auth.some-domain.com"}
+    """Find the correct channel settings from conda's configuration."""
+    # TODO(mattkram): Open conda issue to see if we can pass this into the AuthHandler
+    #                 as part of the plugin protocol.
+
+    # Since the conda logic uses a url, we derive a url from the channel name
+    # this will not work for multi_channels like "defaults", but we restrict the
+    # extra fields we need to URL-based channel_settings, which should be sufficient.
+    url = channel_name
+    if not url.endswith("/"):
+        url += "/"
+
+    parsed_url = urlparse(url)
+    if not parsed_url.scheme or not parsed_url.netloc:
+        return {}
+
+    # The following implementation has mostly been copied from conda, with one noted exception.
+    # Ideally, we can receive the settings in the plugin instantiation.
+    # See: https://github.com/conda/conda/blob/2af8e0f7255e1d06ea0bfcb6076c7427d101feee/conda/gateways/connection/session.py#L91-L112
+
+    # We ensure here if there are duplicates defined, we choose the last one
+    channel_settings = {}
+    for settings in conda_context.channel_settings:
+        channel = settings.get("channel", "")
+        if channel == channel_name:
+            # First we check for exact match
+            channel_settings = settings
+            continue
+
+        parsed_setting = urlparse(channel)
+
+        # We require that the schemes must be identical to prevent downgrade attacks.
+        # This includes the case of a scheme-less pattern like "*", which is not allowed.
+        if parsed_setting.scheme != parsed_url.scheme:
+            continue
+
+        url_without_schema = parsed_url.netloc + parsed_url.path
+        pattern = parsed_setting.netloc + parsed_setting.path
+        if fnmatch(url_without_schema, pattern):
+            channel_settings = settings
+
+    return channel_settings
 
 
 class AnacondaAuthHandler(ChannelAuthBase):
diff --git a/src/anaconda_auth/_conda/condarc.py b/src/anaconda_auth/_conda/condarc.py
@@ -56,14 +56,17 @@ def update_channel_settings(
         """
         Update the condarc file's "channel_settings" section
         """
-        if username is None:
-            updated_settings = {"channel": channel, "auth": auth_type}
-        else:
-            updated_settings = {
-                "channel": channel,
-                "auth": auth_type,
-                "username": username,
-            }
+        updated_settings = {
+            "channel": channel,
+            "auth": auth_type,
+            "username": username,
+            "auth_domain": auth_domain,
+        }
+
+        # Filter out any None values
+        updated_settings = {
+            key: value for key, value in updated_settings.items() if value is not None
+        }
 
         channel_settings = self._loaded_yaml.get("channel_settings", []) or []
 
