From b8954030e36b69508f3aa6747b9af04f1efaad92 Mon Sep 17 00:00:00 2001 From: yahavi Date: Sun, 25 Jul 2021 08:41:30 +0300 Subject: [PATCH 1/4] Add support for private registry --- Library/Homebrew/download_strategy.rb | 7 +++++-- Library/Homebrew/env_config.rb | 4 ++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb index eb739212ab..911218353c 100644 --- a/Library/Homebrew/download_strategy.rb +++ b/Library/Homebrew/download_strategy.rb @@ -449,7 +449,7 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy return @resolved_info_cache[url] if @resolved_info_cache.include?(url) if (domain = Homebrew::EnvConfig.artifact_domain) - url = url.sub(%r{^((ht|f)tps?://)?}, "#{domain.chomp("/")}/") + url = url.sub(%r{^((ht|f)tps?://ghcr.io/)?}, "#{domain.chomp("/")}/") end out, _, status= curl_output("--location", "--silent", "--head", "--request", "GET", url.to_s, timeout: timeout) @@ -528,6 +528,8 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy def _curl_args args = [] + args += ["-L"] if Homebrew::EnvConfig.artifact_domain + args += ["-b", meta.fetch(:cookies).map { |k, v| "#{k}=#{v}" }.join(";")] if meta.key?(:cookies) args += ["-e", meta.fetch(:referer)] if meta.key?(:referer) @@ -564,7 +566,8 @@ class CurlGitHubPackagesDownloadStrategy < CurlDownloadStrategy def initialize(url, name, version, **meta) meta ||= {} meta[:headers] ||= [] - meta[:headers] << ["Authorization: Bearer QQ=="] + token = ENV.fetch("HOMEBREW_REGISTRY_ACCESS_TOKEN", "QQ==") + meta[:headers] << ["Authorization: Bearer #{token}"] super(url, name, version, meta) end diff --git a/Library/Homebrew/env_config.rb b/Library/Homebrew/env_config.rb index 1a0aae3a4d..a97a96b57d 100644 --- a/Library/Homebrew/env_config.rb +++ b/Library/Homebrew/env_config.rb @@ -170,6 +170,10 @@ module Homebrew description: "Use this GitHub personal access token when accessing the GitHub Packages Registry "\ "(where bottles may be stored).", }, + HOMEBREW_REGISTRY_ACCESS_TOKEN: { + description: "Use this bearer token for authenticating with a private registry proxying GitHub "\ + "Packages Registry.", + }, HOMEBREW_GITHUB_PACKAGES_USER: { description: "Use this username when accessing the GitHub Packages Registry (where bottles may be stored).", }, From cc12738f8e31b5a674057a2945fdbda7c2c12825 Mon Sep 17 00:00:00 2001 From: yahavi Date: Mon, 26 Jul 2021 09:58:34 +0300 Subject: [PATCH 2/4] Allow anonymous access in private registries --- Library/Homebrew/download_strategy.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb index 911218353c..203630da7e 100644 --- a/Library/Homebrew/download_strategy.rb +++ b/Library/Homebrew/download_strategy.rb @@ -566,8 +566,8 @@ class CurlGitHubPackagesDownloadStrategy < CurlDownloadStrategy def initialize(url, name, version, **meta) meta ||= {} meta[:headers] ||= [] - token = ENV.fetch("HOMEBREW_REGISTRY_ACCESS_TOKEN", "QQ==") - meta[:headers] << ["Authorization: Bearer #{token}"] + token = Homebrew::EnvConfig.artifact_domain ? ENV.fetch("HOMEBREW_REGISTRY_ACCESS_TOKEN", "") : "QQ==" + meta[:headers] << ["Authorization: Bearer #{token}"] unless token.empty? super(url, name, version, meta) end From 0335d8c0bc03a69fdbad26e9e2c14c433501eb79 Mon Sep 17 00:00:00 2001 From: yahavi Date: Mon, 26 Jul 2021 19:07:23 +0300 Subject: [PATCH 3/4] Fix code review comments + disable authorization on redirections --- Library/Homebrew/download_strategy.rb | 16 +++++++++------- Library/Homebrew/env_config.rb | 5 ++--- Library/Homebrew/github_packages.rb | 2 +- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb index 203630da7e..71db2744f9 100644 --- a/Library/Homebrew/download_strategy.rb +++ b/Library/Homebrew/download_strategy.rb @@ -388,7 +388,9 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy ohai "Downloading #{url}" - resolved_url, _, url_time, = resolve_url_basename_time_file_size(url, timeout: end_time&.remaining!) + resolved_url, _, url_time, _, is_redirection = + resolve_url_basename_time_file_size(url, timeout: end_time&.remaining!) + meta[:headers].delete_if { |header| header[0].start_with?("Authorization") } if is_redirection fresh = if cached_location.exist? && url_time url_time <= cached_location.mtime @@ -449,7 +451,7 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy return @resolved_info_cache[url] if @resolved_info_cache.include?(url) if (domain = Homebrew::EnvConfig.artifact_domain) - url = url.sub(%r{^((ht|f)tps?://ghcr.io/)?}, "#{domain.chomp("/")}/") + url = url.sub(%r{^(https?://#{GitHubPackages::URL_DOMAIN}/)?}o, "#{domain.chomp("/")}/") end out, _, status= curl_output("--location", "--silent", "--head", "--request", "GET", url.to_s, timeout: timeout) @@ -507,8 +509,9 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy .last basename = filenames.last || parse_basename(redirect_url) + is_redirection = url != redirect_url - @resolved_info_cache[url] = [redirect_url, basename, time, file_size] + @resolved_info_cache[url] = [redirect_url, basename, time, file_size, is_redirection] end def _fetch(url:, resolved_url:, timeout:) @@ -528,8 +531,6 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy def _curl_args args = [] - args += ["-L"] if Homebrew::EnvConfig.artifact_domain - args += ["-b", meta.fetch(:cookies).map { |k, v| "#{k}=#{v}" }.join(";")] if meta.key?(:cookies) args += ["-e", meta.fetch(:referer)] if meta.key?(:referer) @@ -566,8 +567,9 @@ class CurlGitHubPackagesDownloadStrategy < CurlDownloadStrategy def initialize(url, name, version, **meta) meta ||= {} meta[:headers] ||= [] - token = Homebrew::EnvConfig.artifact_domain ? ENV.fetch("HOMEBREW_REGISTRY_ACCESS_TOKEN", "") : "QQ==" - meta[:headers] << ["Authorization: Bearer #{token}"] unless token.empty? + token = Homebrew::EnvConfig.docker_registry_token + token ||= "QQ==" + meta[:headers] << ["Authorization: Bearer #{token}"] if token.present? super(url, name, version, meta) end diff --git a/Library/Homebrew/env_config.rb b/Library/Homebrew/env_config.rb index a97a96b57d..233decbdf9 100644 --- a/Library/Homebrew/env_config.rb +++ b/Library/Homebrew/env_config.rb @@ -170,9 +170,8 @@ module Homebrew description: "Use this GitHub personal access token when accessing the GitHub Packages Registry "\ "(where bottles may be stored).", }, - HOMEBREW_REGISTRY_ACCESS_TOKEN: { - description: "Use this bearer token for authenticating with a private registry proxying GitHub "\ - "Packages Registry.", + HOMEBREW_DOCKER_REGISTRY_TOKEN: { + description: "Use this bearer token for authenticating with a Docker registry proxying GitHub Packages.", }, HOMEBREW_GITHUB_PACKAGES_USER: { description: "Use this username when accessing the GitHub Packages Registry (where bottles may be stored).", diff --git a/Library/Homebrew/github_packages.rb b/Library/Homebrew/github_packages.rb index c85c73d3ba..cb9265ad14 100644 --- a/Library/Homebrew/github_packages.rb +++ b/Library/Homebrew/github_packages.rb @@ -15,7 +15,7 @@ class GitHubPackages URL_DOMAIN = "ghcr.io" URL_PREFIX = "https://#{URL_DOMAIN}/v2/" DOCKER_PREFIX = "docker://#{URL_DOMAIN}/" - private_constant :URL_DOMAIN + public_constant :URL_DOMAIN private_constant :URL_PREFIX private_constant :DOCKER_PREFIX From 11165805020a0245338a2cd7353ffb6ca5edf82f Mon Sep 17 00:00:00 2001 From: yahavi Date: Tue, 27 Jul 2021 09:55:22 +0300 Subject: [PATCH 4/4] Implement code review comment --- Library/Homebrew/download_strategy.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb index 71db2744f9..0ee946872b 100644 --- a/Library/Homebrew/download_strategy.rb +++ b/Library/Homebrew/download_strategy.rb @@ -390,7 +390,8 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy resolved_url, _, url_time, _, is_redirection = resolve_url_basename_time_file_size(url, timeout: end_time&.remaining!) - meta[:headers].delete_if { |header| header[0].start_with?("Authorization") } if is_redirection + # Authorization is no longer valid after redirects + meta[:headers].delete_if { |header| header.first&.start_with?("Authorization") } if is_redirection fresh = if cached_location.exist? && url_time url_time <= cached_location.mtime