Add support for upstream auth with ENV variables #339

Merged
merged 1 commit into from Sep 28, 2023


CiTroNaK
Contributor

@CiTroNaK CiTroNaK commented Jul 24, 2023

Description:

Allows setting auth credentials for upstreams on the Gemstash instance with ENV variables (GEMSTASH_<HOST>), which can contain basic auth or an API key.

This is mainly a POC, and I will happily update the PR based on your feedback and add this to the docs.

Use case

The primary use case is to have only one place where the credentials for private/licensed sources are set without storing them inside the Gemfile or distributing them to all developers. That should significantly reduce the time needed to rotate or set (distribute) new credentials (for each developer in the team or CI and other services that need to access it). This also should help to prevent leaking the credentials.

Gemstash instance should be secured using (at least) basic authentication. With this setup, anyone could point their Gemfile to it and be able to fetch private/licensed gems. Developers would only set credentials to the Gemstash instance locally.

Example

Version 2.2.2 with this commit was used for testing.

Setup gemstash

GEMSTASH_GEMS__CONTRIBSYS__COM=user:pass gemstash start --no-daemonize --config-file config.yml.erb

Gemfile

With a gem under auth (Sidekiq Pro) without setting the credentials in the upstream.

source "http://localhost:9292/"

ruby "3.2.2"

source "http://localhost:9292/upstream/gems.contribsys.com" do
  gem "sidekiq-pro", "~> 5.5.7"
end

Bundle

➜ bundle install           
Fetching gem metadata from http://localhost:9292/upstream/gems.contribsys.com..
Fetching gem metadata from http://localhost:9292/............
Using bundler 2.4.10
Using connection_pool 2.4.1
Using rack 2.2.7
Using redis 4.8.1
Using sidekiq 6.5.9
Fetching sidekiq-pro 5.5.8
Installing sidekiq-pro 5.5.8
Bundle complete! 1 Gemfile dependency, 6 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

Next steps (if this PR will be accepted)

  • Update changelog
  • Update docs

@indirect
Member

I really like this approach to solve the gem licensing problem! Something like Tailscale could also offer an alternative to basic auth or other Gemstash credentials. I wonder if there's a way for us to make this less painful for RubyGems users generally... thanks for the inspiration, and I'll keep thinking about this general issue even after we finish and merge this change.

Would you feel ok about defaulting to https for upstream sources? So the URL could then be http://localhost:9292/upstream/gems.contribsys.com. Overall, I am happy with this and would be glad to merge it.

@CiTroNaK
Contributor Author

CiTroNaK commented Jul 24, 2023

Hi @indirect, I am glad to read it 🙂 I've updated the PR with the default scheme, the changelog and docs, and squashed the commits.

Please, let me know if you find something that should be updated.

Thank you!

@hersha

hersha commented Aug 4, 2023

Just my 2 cents but why not just use the bundler envvar naming convention? Then I can just copy things wholesale from my local env and not have to worry about remembering to prefix it with gemstash.

@CiTroNaK
Contributor Author

CiTroNaK commented Aug 7, 2023

@hersha Hi, it uses the same ENV naming conventions as Bundler, so you only need to replace the BUNDLE_ prefix with a GEMSTASH_.

We could add support for both, but it wouldn't be beneficial. Having correctly named ENV variables helps with their management. And who knows, maybe there is a case where having them set for Bundler on the same machine would not be desirable.
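
Added example, not part of the PR or Gemstash's code: a pre-start audit of the GEMSTASH_<HOST> variables from the PR description, using the Bundler-style naming described in the reply above. The "-" to "___" rule is Bundler's documented convention and is assumed to carry over; treating a value without ":" as an API key, the https default for scheme-less upstreams, and the sample hosts other than gems.contribsys.com are assumptions of this example.

```ruby
require "uri"

# Added example, not Gemstash's code. Assumes Bundler's documented key
# mangling: "." becomes "__", "-" becomes "___", and the result is upcased.
def upstream_env_key(host, prefix: "GEMSTASH_")
  prefix + host.gsub(".", "__").gsub("-", "___").upcase
end

# Classify a value without echoing it. Assumption of this example:
# "user:pass" is basic auth, any other non-empty value is an API key.
def credential_kind(value)
  return :none if value.nil? || value.empty?
  value.include?(":") ? :basic : :api_key
end

# One row per upstream: which variable is expected, what kind of credential
# it holds, and two conditions worth flagging before starting the server.
def audit_upstreams(upstreams, env)
  upstreams.map do |upstream|
    # Assumed default: scheme-less upstreams are treated as https.
    uri = URI.parse(upstream.include?("://") ? upstream : "https://#{upstream}")
    key = upstream_env_key(uri.host)
    kind = credential_kind(env[key])
    {
      host: uri.host,
      env_key: key,
      kind: kind,
      # Credential would be sent to the upstream over plain HTTP.
      cleartext: kind != :none && uri.scheme == "http",
      # Only the Bundler-prefixed variable is set, so nothing is found
      # under the GEMSTASH_ name.
      bundle_prefix_only: kind == :none &&
        credential_kind(env[upstream_env_key(uri.host, prefix: "BUNDLE_")]) != :none
    }
  end
end

# Constructed sample environment; the values are placeholders, not real secrets.
SAMPLE_ENV = {
  "GEMSTASH_GEMS__CONTRIBSYS__COM" => "user:pass",
  "GEMSTASH_LEGACY__EXAMPLE__TEST" => "constructed-api-key",
  "BUNDLE_PRIVATE___GEMS__EXAMPLE__TEST" => "user:pass"
}.freeze

SAMPLE_UPSTREAMS = %w[gems.contribsys.com http://legacy.example.test private-gems.example.test].freeze

audit_upstreams(SAMPLE_UPSTREAMS, SAMPLE_ENV).each { |row| puts row.inspect }
```

Passing `ENV.to_h` instead of the sample hash audits the real environment; the rows never contain the credential values themselves.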

Member

@olleolleolle olleolleolle left a comment


Thanks for supporting Gemstash with this quality of life improver.

docs/gemstash-multiple-sources.7.md (outdated, resolved)
lib/gemstash/upstream.rb (outdated, resolved)
lib/gemstash/upstream.rb (outdated, resolved)
@CiTroNaK force-pushed the feat/upstream-auth-env branch 3 times, most recently from 989b7c0 to 62e63a8, September 28, 2023 09:33
@CiTroNaK
Contributor Author

Hi @olleolleolle, thank you for the review. I rebased and updated the PR.

CHANGELOG.md (outdated, resolved)
Member

@olleolleolle olleolleolle left a comment


Let's get this merged!

Thank you for being so patient and generous with your time, @CiTroNaK!

♥️ 💛 💚 💙 💜

@olleolleolle olleolleolle merged commit ffabb70 into rubygems:main Sep 28, 2023
6 checks passed
@CiTroNaK CiTroNaK deleted the feat/upstream-auth-env branch September 28, 2023 10:31
@olleolleolle
Member

@CiTroNaK Now released as v2.5.0. Cheers!
