Fixing Auth With Redirects #25385
Open
Fixing Auth With Redirects #25385
+130
−7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This addresses an issue where HTTP redirects for `ctx.download()`/`ctx.download_and_extract()` do not properly forward auth headers after an HTTP redirect (3** status code). This was due to auth headers being tied to the exact URL given in the `urls` parameter. This PR addresses this by additionally tying auth data to the host name (matching what is given in `auth`). This is backwards compatible with existing "exact URL matching" functionality by having the host auth functionality largely function as a fallback. For more detail see: bazelbuild#25068 Changes: * Updating `use_netrc()` in `tools/build_defs/repo/utils.bzl`. * The resultant dict contains keys for both exact urls (just as it did before) and the protocol + hosts to match to `patterns` dict. * Must include protocol because Java-side converts these strings to `URL`s (requires protocol). * This does not include hosts from `patterns` which do not appear in the `urls` at all (so redirects would need to be still among the same set of hosts). * Updating `Returns` section of doc string to mention the pattern hosts. * This will affect/fix functionality for repo rules such as `http_archive()` and others which use `use_netrc()` (possibly through `get_auth()`) for generating auth data. * Updating `HttpConnectorMultiplexer.getHeaderFunction()` in `src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/HttpConnectorMultiplexer.java`. * Adding host-based fallback checks. * This will check the given `credentials` for both the exact URI and a URI of only the host, where the host is a fallback (overridden by the exact URI). * The host fallback URI must include protocol, due to elsewhere converting String->URL->URI (`URL` requires protocol). * This will pick up the auth data originating from `use_netrc()` (and passed through various functions/transformations). * If the host name is not given (for some other call to download functionality), then the exact URI will be used only (just like the existing flow). * Updating `download()` and `download_and_extract()` doc strings in `src/main/java/com/google/devtools/build/lib/bazel/repository/starlark/StarlarkBaseExternalContext.java`. * Updating tests. * Updating `test_use_netrc` test case in `src/test/shell/bazel/starlark_repository_test.sh`. * Adding hosts (with protocol) into `expected` dict auth data. * Adding test assertions for auth header logic for `testHeaderComputationFunction()` in `src/test/java/com/google/devtools/build/lib/bazel/repository/downloader/HttpConnectorMultiplexerTest.java`. Fixes bazelbuild#25068.
github-actions
bot
added
team-ExternalDeps
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This addresses an issue where HTTP redirects for
ctx.download()/ctx.download_and_extract()do not properly forward auth headers after an HTTP redirect (3** status code). This was due to auth headers being tied to the exact URL given in theurlsparameter.This PR addresses this by additionally tying auth data to the host name (matching what is given in
auth). This is backwards compatible with existing "exact URL matching" functionality by having the host auth functionality largely function as a fallback.For more detail see: #25068
Changes:
use_netrc()intools/build_defs/repo/utils.bzl.patternsdict.URLs (requires protocol).patternswhich do not appear in theurlsat all (so redirects would need to be still among the same set of hosts).Returnssection of doc string to mention the pattern hosts.http_archive()and others which useuse_netrc()(possibly throughget_auth()) for generating auth data.HttpConnectorMultiplexer.getHeaderFunction()insrc/main/java/com/google/devtools/build/lib/bazel/repository/downloader/HttpConnectorMultiplexer.java.credentialsfor both the exact URI and a URI of only the host, where the host is a fallback (overridden by the exact URI).URLrequires protocol).use_netrc()(and passed through various functions/transformations).download()anddownload_and_extract()doc strings insrc/main/java/com/google/devtools/build/lib/bazel/repository/starlark/StarlarkBaseExternalContext.java.test_use_netrctest case insrc/test/shell/bazel/starlark_repository_test.sh.expecteddict auth data.testHeaderComputationFunction()insrc/test/java/com/google/devtools/build/lib/bazel/repository/downloader/HttpConnectorMultiplexerTest.java.Fixes #25068.