dependabot-cargo 0.382.0 → 0.383.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 51d4f61feae4b16e9007ba3a114ca34893d7232eb3786c88b9333917f064db35
-  data.tar.gz: 3ce4da7afe9eb34a9adf4db1a1a6e4f8d9cfe7f77e2ea116eae2c05aedca4341
+  metadata.gz: 831d75a3d5aca6586046341e260170112f8a7fed6251ac1ce576aecef8fad47e
+  data.tar.gz: 7c8249256489d87075843aac3019f7087212e6d85c0e61fe4427ba0770c1e344
 SHA512:
-  metadata.gz: 9c2eec9ce3b6ccea662a43c7576ba823ebde9156e36bcb0a5dc36e06b3da125e2caa7961b329e6bed364675249f8b084127c4b1c53b2a1e00a1b6a163cb9c604
-  data.tar.gz: 642f355d2a781ef02157dc33fabde13f5fbedca6ff7ec198a6d7b7575d320796b41c837b245f1d448bc0ea9117b1088fb5a4a38f1b7bde42e31d08e3f25da2f1
+  metadata.gz: 79460ed1999684cebd656f087c5108a5df3babf70ee7b1a2b69b0fb9b95d599195a4fac2a1c5e61be58c1502573f98e56298fec1dbb4dbd7c4393774c11633c6
+  data.tar.gz: aa3392bcabac9f0ff8771a4cf24021165b5234e08654b4929c6afe303363e4a7cdf9f4a393722b7ed4d13d2bd3e69643b623741ade2a7eebd8f46801b22b99c0

data/lib/dependabot/cargo/file_updater/lockfile_updater.rb

@@ -88,7 +88,7 @@ module Dependabot
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
 
-        sig { returns(T::Array[T.untyped]) }
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
 
         # Currently, there will only be a single updated dependency
@@ -217,10 +217,7 @@ module Dependabot
         def run_cargo_command(command, fingerprint:)
           start = Time.now
           command = SharedHelpers.escape_command(command)
-          Helpers.bypass_cargo_credential_providers
-          # Pass through any cargo registry configuration via environment variables
-          # (e.g. CARGO_REGISTRIES_CRATES_IO_PROTOCOL, CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS).
-          env = ENV.select { |key, _value| key.match(/^CARGO_REGISTR(Y|IES)_/) }
+          env = Helpers.cargo_command_env(dependency_files, credentials)
           stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 

data/lib/dependabot/cargo/helpers.rb

@@ -1,27 +1,15 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "uri"
 require "toml-rb"
+require "dependabot/experiments"
 
 module Dependabot
   module Cargo
     module Helpers
       extend T::Sig
 
-      # Disable Cargo's *global* credential providers so that Cargo does not attempt to look up registry tokens
-      # on its own. The dependabot proxy (https://github.com/dependabot/proxy/) handles all registry authentication
-      # transparently by intercepting HTTP requests and injecting the appropriate credentials.
-      #
-      # Note: this only affects the global/default credential provider. Per-registry `credential-provider` settings
-      # in .cargo/config.toml override this env var, so those are stripped separately by `sanitize_cargo_config`.
-      #
-      # Uses ||= so developers can override by setting CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=cargo:token in their
-      # shell (along with the appropriate CARGO_REGISTRIES_{NAME}_TOKEN vars) for local development without the proxy.
-      sig { void }
-      def self.bypass_cargo_credential_providers
-        ENV["CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS"] ||= ""
-      end
-
       # Strip per-registry `credential-provider` settings from .cargo/config.toml.
       #
       # Users may have entries like:
@@ -56,6 +44,98 @@ module Dependabot
           "Failed to parse Cargo config file: #{e.message}"
         )
       end
+
+      # Parses cargo config content and returns the names of custom registries
+      # whose index URL matches a credential host or url.
+      sig { params(config_content: String, credentials: T::Array[Dependabot::Credential]).returns(T::Array[String]) }
+      def self.custom_registry_names(config_content, credentials)
+        parsed = TomlRB.parse(config_content)
+        registries = parsed["registries"]
+        return [] unless registries.is_a?(Hash)
+
+        credential_hosts = credentials.filter_map { |cred| cred["host"] }.to_set
+        credential_urls = credentials.filter_map { |cred| cred["url"]&.delete_suffix("/") }.to_set
+
+        registries.select do |_name, config|
+          config.is_a?(Hash) && registry_index_matches?(config, credential_hosts, credential_urls)
+        end.keys
+      rescue TomlRB::Error, URI::InvalidURIError => e
+        Dependabot.logger.warn("Failed to parse cargo config for registry names: #{e.message}")
+        []
+      end
+
+      sig do
+        params(
+          config: T::Hash[String, String],
+          credential_hosts: T::Set[String],
+          credential_urls: T::Set[String]
+        ).returns(T::Boolean)
+      end
+      def self.registry_index_matches?(config, credential_hosts, credential_urls)
+        index = config["index"]
+        return false unless index.is_a?(String)
+
+        # Index URLs may have a scheme prefix like "sparse+" before the actual URL
+        url = index.sub(/^[a-z]+\+/, "")
+        host = URI.parse(url).host
+
+        (host && credential_hosts.include?(host)) ||
+          credential_urls.include?(url.delete_suffix("/"))
+      end
+
+      # Builds a hash of environment variables for Cargo registry token auth.
+      # Returns env vars like CARGO_REGISTRIES_<NAME>_TOKEN=garbage_token for each
+      # matched registry, plus CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=cargo:token.
+      sig do
+        params(config_content: String, credentials: T::Array[Dependabot::Credential])
+          .returns(T::Hash[String, String])
+      end
+      def self.registry_token_env(config_content, credentials)
+        registry_names = custom_registry_names(config_content, credentials)
+        return {} if registry_names.empty?
+
+        registry_names.each_with_object({}) do |name, hash|
+          key = "CARGO_REGISTRIES_#{name.upcase.tr('-', '_')}_TOKEN"
+          hash[key] = "garbage_token"
+        end
+      end
+
+      # Convenience method: extracts .cargo/config.toml from dependency files and
+      # builds registry token env vars. Returns an empty hash if no config file exists.
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential]
+        ).returns(T::Hash[String, String])
+      end
+      def self.registry_token_env_from_files(dependency_files, credentials)
+        config_file = dependency_files.find { |f| f.name == ".cargo/config.toml" }
+        return {} unless config_file
+
+        registry_token_env(T.must(config_file.content), credentials)
+      end
+
+      # Builds the complete environment variable hash for running cargo commands:
+      # 1. Sets CARGO_REGISTRIES_<NAME>_TOKEN for each matched custom registry
+      # 2. Merges real CARGO_REGISTR(Y|IES)_* vars from the process environment
+      # 3. Sets CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS=cargo:token
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential]
+        ).returns(T::Hash[String, String])
+      end
+      def self.cargo_command_env(dependency_files, credentials)
+        ENV["CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS"] ||= ""
+        return {} unless ENV.fetch("DEPENDABOT", nil) == "true"
+        return {} unless Dependabot::Experiments.enabled?(:cargo_set_registry_token_auth)
+
+        env = registry_token_env_from_files(dependency_files, credentials)
+        Dependabot.logger.info("Setting registry token env vars: #{env.keys.join(', ')}") unless env.empty?
+        env.merge!(ENV.select { |key, _value| key.match(/^CARGO_REGISTR(Y|IES)_/) })
+        env["CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS"] = "cargo:token"
+        env
+      end
     end
   end
 end

data/lib/dependabot/cargo/update_checker/requirements_updater.rb

@@ -12,6 +12,7 @@ require "sorbet-runtime"
 require "dependabot/cargo/update_checker"
 require "dependabot/cargo/requirement"
 require "dependabot/cargo/version"
+require "dependabot/dependency_requirement"
 require "dependabot/requirements_update_strategy"
 
 module Dependabot
@@ -34,7 +35,7 @@ module Dependabot
 
         sig do
           params(
-            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            requirements: T::Array[Dependabot::DependencyRequirement],
             updated_source: T.nilable(T::Hash[T.any(String, Symbol), T.untyped]),
             update_strategy: Dependabot::RequirementsUpdateStrategy,
             target_version: T.nilable(T.any(String, Gem::Version))
@@ -46,7 +47,10 @@ module Dependabot
           update_strategy:,
           target_version:
         )
-          @requirements = T.let(requirements, T::Array[T::Hash[Symbol, T.untyped]])
+          @requirements = T.let(
+            requirements.map { |req| Dependabot::DependencyRequirement.create(req) },
+            T::Array[Dependabot::DependencyRequirement]
+          )
           @updated_source = T.let(updated_source, T.nilable(T::Hash[T.any(String, Symbol), T.untyped]))
           @update_strategy = T.let(update_strategy, Dependabot::RequirementsUpdateStrategy)
 
@@ -57,7 +61,7 @@ module Dependabot
           @target_version = T.let(version_class.new(target_version), Gem::Version)
         end
 
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        sig { returns(T::Array[Dependabot::DependencyRequirement]) }
         def updated_requirements
           return requirements if update_strategy.lockfile_only?
 
@@ -65,7 +69,7 @@ module Dependabot
           # requirement at index `i` to correspond to the previous requirement
           # at the same index.
           requirements.map do |req|
-            req = req.merge(source: updated_source)
+            req = Dependabot::DependencyRequirement.create(req.merge(source: updated_source))
             next req unless target_version
             next req if req[:requirement].nil?
 
@@ -80,7 +84,7 @@ module Dependabot
 
         private
 
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        sig { returns(T::Array[Dependabot::DependencyRequirement]) }
         attr_reader :requirements
 
         sig { returns(T.nilable(T::Hash[T.any(String, Symbol), T.untyped])) }
@@ -99,7 +103,7 @@ module Dependabot
           raise "Unknown update strategy: #{update_strategy}"
         end
 
-        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
         def update_version_requirement(req)
           string_reqs = req[:requirement].split(",").map(&:strip)
 
@@ -119,10 +123,10 @@ module Dependabot
               update_range_requirements(string_reqs)
             end
 
-          req.merge(requirement: new_requirement)
+          Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
         end
 
-        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
         def update_version_requirement_if_needed(req)
           string_reqs = req[:requirement].split(",").map(&:strip)
           ruby_reqs = string_reqs.map { |r| Dependabot::Cargo::Requirement.new(r) }

data/lib/dependabot/cargo/update_checker/version_resolver.rb

@@ -187,10 +187,7 @@ module Dependabot
         def run_cargo_command(command, fingerprint: nil)
           start = Time.now
           command = SharedHelpers.escape_command(command)
-          Helpers.bypass_cargo_credential_providers
-          # Pass through any cargo registry configuration via environment variables
-          # (e.g. CARGO_REGISTRIES_CRATES_IO_PROTOCOL, CARGO_REGISTRY_GLOBAL_CREDENTIAL_PROVIDERS).
-          env = ENV.select { |key, _value| key.match(/^CARGO_REGISTR(Y|IES)_/) }
+          env = Helpers.cargo_command_env(original_dependency_files, credentials)
 
           stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start

data/lib/dependabot/cargo/update_checker.rb

@@ -90,14 +90,12 @@ module Dependabot
 
       sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
       def updated_requirements
-        wrap_requirements(
-          RequirementsUpdater.new(
-            requirements: dependency.requirements,
-            updated_source: updated_source,
-            target_version: target_version,
-            update_strategy: requirements_update_strategy
-          ).updated_requirements
-        )
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          updated_source: updated_source,
+          target_version: target_version,
+          update_strategy: requirements_update_strategy
+        ).updated_requirements
       end
 
       sig { override.returns(T::Boolean) }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.382.0
+  version: 0.383.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
 rdoc_options: []
 require_paths:
 - lib