
cmd/go: Authenticating With GOPROXY #27132

Closed
marwan-at-work opened this issue Aug 21, 2018 · 6 comments

@marwan-at-work
Contributor

commented Aug 21, 2018

Summary

The Go command should be able to pass an Authorization Header to the GOPROXY URL. Either through Authorization: Bearer <token> or a custom header such as x-go-proxy-token.

Intro:

The current Go command has two ways to authenticate with a Proxy:

  1. Basic Authentication: by inlining the username/password in the URL i.e. GOPROXY=https://user:password@example.com go build

  2. Running the Proxy behind a VPN: blocking access to anyone outside of it.

The first one is not secure while the second one is complex.

We should have a more canonical way of providing user authorization where clients can acquire a token and pass it to the Go command whether through env vars such as GOPROXY_AUTH or through a file along the lines of ~/.netrc and the Go command can then pass it as an HTTP Header to the Download Protocol requests.

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go1.11-rc

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/208581/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/208581/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/n4/35bgdnkd6vlgqrdzbyl0x1ycmhcndx/T/go-build555238269=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Tried to install dependencies with a private proxy.

What did you expect to see?

I expect a token-based authentication mechanism.

What did you see instead?

Options are either insecure (inlining basic auth) or complex (setting up a vpn)
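An added example (not code from the issue or from the go command itself) of the token-in-header approach the request describes, with the inline-credential leak handled by redaction: it builds a download-protocol `.info` request for a module, refuses a GOPROXY value that embeds user:password, and carries the token in an `Authorization: Bearer` header. The proxy base URL, module path, version and token are assumed to be supplied by the caller; `GOPROXY_AUTH` from the issue is only a proposed name, so nothing here reads it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// escapeModulePath applies the proxy protocol's case encoding: each uppercase
// ASCII letter becomes "!" plus its lowercase form (Azure -> !azure).
func escapeModulePath(p string) string {
	var b strings.Builder
	for _, r := range p {
		if r >= 'A' && r <= 'Z' {
			b.WriteByte('!')
			r += 'a' - 'A'
		}
		b.WriteRune(r)
	}
	return b.String()
}

// redactProxy is what a `go env`-style dump should print: an inline
// password is replaced by "xxxxx" (url.URL.Redacted, Go 1.15+).
func redactProxy(proxy string) string {
	u, err := url.Parse(proxy)
	if err != nil {
		return "<invalid GOPROXY>"
	}
	return u.Redacted()
}

// newProxyRequest builds the download-protocol request
// <proxy>/<escaped module>/@v/<version>.info. A proxy URL carrying user:password
// is rejected; the token goes in an Authorization: Bearer header instead.
func newProxyRequest(proxy, modPath, version, token string) (*http.Request, error) {
	if u, err := url.Parse(proxy); err != nil || u.User != nil {
		return nil, fmt.Errorf("GOPROXY %q is invalid or embeds credentials", redactProxy(proxy))
	}
	target := strings.TrimSuffix(proxy, "/") + "/" + escapeModulePath(modPath) + "/@v/" + version + ".info"
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	return req, nil
}
```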

@thepudds


commented Aug 22, 2018

@gopherbot, please add label modules

@gopherbot gopherbot added the modules label Aug 22, 2018

@bcmills

Member

commented Sep 17, 2018

@bcmills bcmills added this to the Go1.12 milestone Sep 17, 2018

@FiloSottile

Member

commented Sep 17, 2018

Why is basic auth less secure than a bearer token? They both get transmitted unhashed within the secure TLS connection.

Anyway, I think adding client authentication mechanisms to GOPROXY without widespread server implementations is premature.

@marwan-at-work

Contributor Author

commented Sep 18, 2018

@FiloSottile do you have a suggestion other than a bearer token that is more secure? Thanks!

As for basic auth, embedding the user/password in the URL makes it more susceptible to human error exposing the credentials, since people can overlook that there are credentials in the URL itself.

@bcmills

Member

commented Sep 18, 2018

embedding the user/password in the URL makes it more susceptible for human error

In particular, consider that GOPROXY will generally appear in go env output attached to bug reports.

@bcmills

Member

commented Oct 24, 2018

Closing as duplicate of #26232.
