dependabot-cargo 0.363.0 → 0.364.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4503bf35b3f16b8ebb48564283460cfff9b114908045bf1b6a624173ae112c29
4
- data.tar.gz: 495a6f4235a61d2fb5e1f8935f146ede3d8e11bd1093fd7cff04fbaa2f479b69
3
+ metadata.gz: 35e95d570366ab801a6d567d4688200304ac1dce0047e8565f1e2146c40fa65a
4
+ data.tar.gz: aac79f42481c94ac999a5c7b913ad5f9f7caebbe1e5455261d4be33606048f10
5
5
  SHA512:
6
- metadata.gz: 645dbc0316c71a144916874d629bd75fc61120f96741de67186eb5ed83b213fcd35a9caaa8786d6bf77c8e08799f56bcba63a1c6148ec520be04aa7e4b583176
7
- data.tar.gz: 69382ae33532748f982575fc84daa287cbbe5f44e757332cba9bce5850441844c83c948b77528b7ed95eb4d60a5e85a8228c7090628a5c9878269554340d40d1
6
+ metadata.gz: a0f0eeb6e1bea7acc19ab4e905740a8a876306444ed18cca36d2132eb29365a7d1a322f040fcbd006352117aba986f37f1b95015d2f90f321524f8c24d934ddf
7
+ data.tar.gz: 8f9eb615de4723e4a15713ba7b5053ea104a07153ec87f6cff60360c32d8fde3884d73bfc58acf118679d309f33de7edff3b63c608bdaf014808ffd5527877de
@@ -217,8 +217,10 @@ module Dependabot
217
217
  def run_cargo_command(command, fingerprint:)
218
218
  start = Time.now
219
219
  command = SharedHelpers.escape_command(command)
220
- Helpers.setup_credentials_in_environment(credentials)
221
- env = ENV.select { |key, _value| key.match(/^CARGO_REGISTRIES_/) }
220
+ Helpers.bypass_cargo_credential_providers
221
+ # Pass through any cargo registry configuration via environment variables
222
+ # (e.g. CARGO_REGISTRIES_CRATES_IO_PROTOCOL, CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS).
223
+ env = ENV.select { |key, _value| key.match(/^CARGO_REGISTR(Y|IES)_/) }
222
224
  stdout, process = Open3.capture2e(env, command)
223
225
  time_taken = Time.now - start
224
226
 
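Review bot: The new comment above the `env` line describes the `select` as passing cargo registry configuration through to the child process, but `Open3.capture2e(env, command)` merges the given hash into the inherited environment rather than replacing it, so the child already sees every `CARGO_*` variable (and everything else in `ENV`) and the filter changes nothing. If an allow-list is the intent it would need `unsetenv_others: true` together with an explicit set of the base variables cargo requires, which is a larger change; otherwise the comment should say what the filter actually does, e.g. `# Note: capture2e merges env into the inherited environment; this select only documents the cargo variables we rely on.` `key.match?` would also avoid allocating a MatchData for every environment entry. The same change appears in the `@@ -186,10 +186,10 @@` hunk further down, and run_cargo_command continues past the end of this hunk.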
@@ -302,10 +304,11 @@ module Dependabot
302
304
 
303
305
  File.write(lockfile.name, lockfile.content)
304
306
  File.write(T.must(toolchain).name, T.must(toolchain).content) if toolchain
305
- return unless config
307
+ config_file = config
308
+ return unless config_file
306
309
 
307
- FileUtils.mkdir_p(File.dirname(T.must(config).name))
308
- File.write(T.must(config).name, T.must(config).content)
310
+ FileUtils.mkdir_p(File.dirname(config_file.name))
311
+ File.write(config_file.name, Helpers.sanitize_cargo_config(T.must(config_file.content)))
309
312
  end
310
313
 
311
314
  sig { void }
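Review bot: `T.must(config_file.content)` turns a nil config content into a bare `TypeError`, where the previous code wrote whatever `content` held; if a `DependencyFile` can carry nil content (its definition is not visible here) the `content` should be guarded before the `T.must` rather than letting Sorbet's runtime check fail. The write now re-serialises the user's config.toml through TomlRB before cargo reads it, so comments and formatting are dropped; acceptable for a temporary copy, but worth a comment such as `# config is round-tripped through TomlRB to strip per-registry credential-provider settings`. The identical change appears in the `@@ -215,10 +215,11 @@` hunk below, and the enclosing method starts before this hunk.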
@@ -1,28 +1,60 @@
1
- # typed: strong
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
- require "yaml"
4
+ require "toml-rb"
5
5
 
6
6
  module Dependabot
7
7
  module Cargo
8
8
  module Helpers
9
9
  extend T::Sig
10
10
 
11
- sig { params(credentials: T::Array[Dependabot::Credential]).void }
12
- def self.setup_credentials_in_environment(credentials)
13
- credentials.each do |cred|
14
- next if cred["type"] != "cargo_registry"
15
- next if cred["registry"].nil? # this will not be present for org-level registries
16
- next if cred["token"].nil?
11
+ # Disable Cargo's *global* credential providers so that Cargo does not attempt to look up registry tokens
12
+ # on its own. The dependabot proxy (https://github.com/dependabot/proxy/) handles all registry authentication
13
+ # transparently by intercepting HTTP requests and injecting the appropriate credentials.
14
+ #
15
+ # Note: this only affects the global/default credential provider. Per-registry `credential-provider` settings
16
+ # in .cargo/config.toml override this env var, so those are stripped separately by `sanitize_cargo_config`.
17
+ #
18
+ # Uses ||= so developers can override by setting CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=cargo:token in their
19
+ # shell (along with the appropriate CARGO_REGISTRIES_{NAME}_TOKEN vars) for local development without the proxy.
20
+ sig { void }
21
+ def self.bypass_cargo_credential_providers
22
+ ENV["CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS"] ||= ""
23
+ end
24
+
25
+ # Strip per-registry `credential-provider` settings from .cargo/config.toml.
26
+ #
27
+ # Users may have entries like:
28
+ # [registries.my-registry]
29
+ # credential-provider = "cargo:token"
30
+ #
31
+ # These per-registry settings override the global CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS env var,
32
+ # causing Cargo to look up tokens locally. Since the dependabot proxy handles all registry authentication
33
+ # transparently, we remove these so Cargo makes plain unauthenticated requests that the proxy can intercept.
34
+ sig { params(config_content: String).returns(String) }
35
+ def self.sanitize_cargo_config(config_content)
36
+ parsed = TomlRB.parse(config_content)
37
+ return config_content unless parsed.is_a?(Hash)
17
38
 
18
- # If there is a 'token' property, then apply it.
19
- # In production Dependabot-Action or Dependabot-CLI will inject the real token via the Proxy.
20
- token_env_var = "CARGO_REGISTRIES_#{T.must(cred['registry']).upcase.tr('-', '_')}_TOKEN"
21
- ENV[token_env_var] ||= cred["token"]
39
+ registries = parsed["registries"]
40
+ if registries.is_a?(Hash)
41
+ registries.each_value do |registry_config|
42
+ registry_config.delete("credential-provider") if registry_config.is_a?(Hash)
43
+ end
22
44
  end
23
45
 
24
- # And set CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS here as well, so Cargo will expect tokens
25
- ENV["CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS"] ||= "cargo:token"
46
+ # Also strip credential-provider from [registry] (crates.io default registry). Users who `cargo publish`
47
+ # from CI may have this set. It's a per-registry override that takes precedence over the global env var,
48
+ # so we need to remove it to prevent Cargo from trying to look up a token.
49
+ registry = parsed["registry"]
50
+ registry.delete("credential-provider") if registry.is_a?(Hash)
51
+
52
+ TomlRB.dump(parsed)
53
+ rescue TomlRB::Error => e
54
+ raise Dependabot::DependencyFileNotParseable.new(
55
+ ".cargo/config.toml",
56
+ "Failed to parse Cargo config file: #{e.message}"
57
+ )
26
58
  end
27
59
  end
28
60
  end
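Review bot: `sanitize_cargo_config` removes `credential-provider` from `[registry]` and `[registries.*]` but leaves `[registry] global-credential-providers` in place; the `CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS` env var set by `bypass_cargo_credential_providers` should take precedence over that config key, but stripping it here too, `registry.delete("global-credential-providers") if registry.is_a?(Hash)`, stops the bypass from depending on how Cargo interprets an empty env value. The raised `DependencyFileNotParseable` hard-codes `.cargo/config.toml` although both callers know the real file name; an optional `file_name: ".cargo/config.toml"` keyword passed through to the error would keep the message accurate without changing existing calls. When no key was removed the method still returns `TomlRB.dump(parsed)`, rewriting a config that needed no change; returning `config_content` unchanged in that case avoids dropping the user's comments and formatting for nothing. The doc comment should also state that the result is re-serialised, so callers know formatting is not preserved.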
@@ -137,10 +137,10 @@ module Dependabot
137
137
  .map(&:strip)
138
138
  .reject(&:empty?)
139
139
  .filter_map do |line|
140
- JSON.parse(line)
141
- rescue JSON::ParserError => e
142
- Dependabot.logger.warn("Failed to parse line in sparse index: #{e.message}")
143
- nil
140
+ JSON.parse(line)
141
+ rescue JSON::ParserError => e
142
+ Dependabot.logger.warn("Failed to parse line in sparse index: #{e.message}")
143
+ nil
144
144
  end
145
145
 
146
146
  { "versions" => parsed_response }
@@ -186,10 +186,10 @@ module Dependabot
186
186
  def run_cargo_command(command, fingerprint: nil)
187
187
  start = Time.now
188
188
  command = SharedHelpers.escape_command(command)
189
- Helpers.setup_credentials_in_environment(credentials)
190
- # Pass through any registry tokens supplied via CARGO_REGISTRIES_...
191
- # environment variables, and also any CARGO_REGISTRY_... configuration.
192
- env = ENV.select { |key, _value| key.match(/^(CARGO_REGISTRY|CARGO_REGISTRIES)_/) }
189
+ Helpers.bypass_cargo_credential_providers
190
+ # Pass through any cargo registry configuration via environment variables
191
+ # (e.g. CARGO_REGISTRIES_CRATES_IO_PROTOCOL, CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS).
192
+ env = ENV.select { |key, _value| key.match(/^CARGO_REGISTR(Y|IES)_/) }
193
193
 
194
194
  stdout, process = Open3.capture2e(env, command)
195
195
  time_taken = Time.now - start
@@ -215,10 +215,11 @@ module Dependabot
215
215
 
216
216
  File.write(T.must(lockfile).name, T.must(lockfile).content) if lockfile
217
217
  File.write(T.must(toolchain).name, T.must(toolchain).content) if toolchain
218
- return unless config
218
+ config_file = config
219
+ return unless config_file
219
220
 
220
- FileUtils.mkdir_p(File.dirname(T.must(config).name))
221
- File.write(T.must(config).name, T.must(config).content)
221
+ FileUtils.mkdir_p(File.dirname(config_file.name))
222
+ File.write(config_file.name, Helpers.sanitize_cargo_config(T.must(config_file.content)))
222
223
  end
223
224
 
224
225
  sig { void }
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-cargo
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.363.0
4
+ version: 0.364.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.363.0
18
+ version: 0.364.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.363.0
25
+ version: 0.364.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: debug
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ licenses:
266
266
  - MIT
267
267
  metadata:
268
268
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
269
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.363.0
269
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.364.0
270
270
  rdoc_options: []
271
271
  require_paths:
272
272
  - lib