internal/cueconfig: validate logins.json on load

This is a minor improvement to validate the access_token in logins.json, in order to avoid sending an invalid Authorization header to the registry and a cryptic error "oauth2: token expired and refresh token is not set". Fixes #3038 Change-Id: Ie5a239e8877e578cb78a033bb7b4b9b38c27f303 Signed-off-by: Rustam Abdullaev <rustamabd@gmail.com> Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1193244 TryBot-Result: CUEcueckoo <cueckoo@cuelang.org> Unity-Result: CUE porcuepine <cue.porcuepine@gmail.com> Reviewed-by: Roger Peppe <rogpeppe@gmail.com>
cue-lang · Apr 18, 2024 · aadc5ad · aadc5ad
1 parent f8d0998
commit aadc5ad
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/internal/cueconfig/config.go b/internal/cueconfig/config.go
@@ -85,6 +85,12 @@ func ReadLogins(path string) (*Logins, error) {
 	if err := json.Unmarshal(body, logins); err != nil {
 		return nil, err
 	}
+	// Sanity-check the read data.
+	for regName, regLogin := range logins.Registries {
+		if regLogin.AccessToken == "" {
+			return nil, fmt.Errorf("invalid %s: missing access_token for registry %s", path, regName)
+		}
+	}
 	return logins, nil
 }
 

diff --git a/mod/modconfig/modconfig_test.go b/mod/modconfig/modconfig_test.go
@@ -248,6 +248,14 @@ package bar
 	err := os.MkdirAll(configDir, 0o777)
 	qt.Assert(t, qt.IsNil(err))
 
+	// Check logins.json validation.
+	logins.Registries["blank"] = cueconfig.RegistryLogin{TokenType: "Bearer"}
+	err = cueconfig.WriteLogins(filepath.Join(configDir, "logins.json"), logins)
+	delete(logins.Registries, "blank")
+	qt.Assert(t, qt.IsNil(err))
+	_, err = cueconfig.ReadLogins(filepath.Join(configDir, "logins.json"))
+	qt.Assert(t, qt.ErrorMatches(err, "invalid .*logins.json: missing access_token for registry blank"))
+
 	// Check write-read round-trip.
 	err = cueconfig.WriteLogins(filepath.Join(configDir, "logins.json"), logins)
 	qt.Assert(t, qt.IsNil(err))