config.json access on sites that require auth but return 400 without auth #11460
Comments
Eh2406
added
C-feature-request
|
I am reluctant to add this, as it provides an easy way for a user to accidentally send tokens to a url/registry that knows nothing about this RFC. That being said, if this over time turns out to be a real user need we can design and add it. |
|
Fair enough. I am a bit confused about that easy way thing - I mean, any HTTP server that provides an auth challenge can harvest the token IF our configuration language permits tokens to be send to their URL, so I'm not sure how prior knowledge permission adds to that risk. |
|
I think a website has to be actively malicious to return 401 while keeping track of Auth headers. Whereas someone only needs to be careless to throw together a read-only registry (or for that matter any other website someone accidentally puts in their config.toml) that logs all inputs. |
ehuss
added
the
A-registry-authentication
|
I know the RFC 3139 does not really specify what I'm asking now for, but IMO it is very important to have. As a user I would like to control the behavior of cargo, so that I can force-overwrite the flag The background for this is, that some of the commercial vendors, like JFrog / Artifactory support registries that are protected by an Auth-token, but they lack the flexibility to change the Additionally as a user I might want to be in control of wether my Auth-token is not send over to a specific registry or not. In order to empower the user to force overwrite the very flag that is dictated by the registry it would require a to extend the config file ( It was already mentioned that other package managers in other languages offer such control to users by changing local configuration. |
|
@Eh2406 I would even contribute if that is going to be accepted, just let me know. |
|
So if I'm reading the discussion correctly there are two arguments for a As to 1. I don't yet feel justified in adding functionality to cargo to work around bugs in registries. I might be talked into a separate permanently unstable flag, if it really is the only way to get testing on the feature. It certainly true that if we require asymmetric tokens we cannot accommodate all the ways servers could implement it wrong. As to 2. I don't fully understand the design you have intended. Can you specify the full 3x3 matrix of configurations and what should happen in each one?
Also can you give some information on what use cases the user gets to opt into by having this new flag? What practical "more control" does this provide? |
The suggestion with the separate unstable flag, to send an auth header always sounds fair enough to me.
What I had in mind was like this:
But to be honest, the more I'm thinking about it I see the potential confusion that it could cause. So maybe your suggestion with a separate unstable flag would be a less confusing thing then. |
|
FWIW I've worked around this by implementing a small HTTPS proxy to transform the Jfrog responses while JFrog work on the bug. I note that https://orth.uk/cargo-registry-authentication/ is another way to workaround this, just using different tooling. Also going to ping @AsafZalcman-jfrog for visibility. |
Which endpoint returns 400? (Nadav from JFrog) |
|
@nadav-yo Interestingly, X-JFrog-Version: Artifactory/7.47.12 74712900 |
|
@ykitamura-mdsol Artifactory have a special handling of cargo endpoints, to allow anonymous requests to bypass the filter on very specific endpoints, as the client did not send credentials. so you get a semi-elevated permissions, only for that endpoint. We've made a change on Artifactory 7.50 to NOT mask Cargo anonymous response statuses. You actually got 403 on the backend, but it was masked as 400. Anyway, I've adjusted Artifactory code and it will now return 401 as intended (removed this special handling all in all if the anoymous flag is turned off) . doing my best to make it to the next minor version. |
|
Hi @nadav-yo currently we get 403 (not 401) on first request to This is a new local registry, auth required, sparse enabled, fully indexed. So yes, I think that your latest change will fix it. |
|
@rbtcollins makes sense, that's the behavior after the first fix I've mentioned. (not masking the responses) Anyway, my fix has been merged, So I think starting from next minor we will be fully compatible with this nightly auth feature. |
|
It seems to me that artifactory with sparse registry returns Edit: this might be due to our internal setup... |
|
@Fishrock123 That looks like either the Artifactory Cargo repo anonymous download/search is turned off, or you didn't configured the client to authenticate with the registry-auth nightly flag (whichever apply) |
This is a misconception, the cargo nightly flag for registry-auth, does not turn the authentication on. All it does is it would accept if the server has turned authentication on like this: # config.json
{
"dl": "https://artifactory.x.x/artifactory/api/cargo/x/v1/crates",
"api": "https://artifactory.x.x/artifactory/api/cargo/x",
"auth-required": true
}But if this |
|
@sassman Artifactory does send "auth-required": true if it set up correctly. So, that looks like either the Artifactory Cargo repo anonymous download/search is enabled (which will make artifactory not send the |
|
@qartik Did you add |
|
Interesting, I was certainly curious why that was mentioned in the docs. But indeed adding that helped. |
|
@qartik it's not artifactory, that's the exact authorization header cargo client will send artifactory. From https://rust-lang.github.io/rfcs/3139-cargo-alternative-registry-auth.html - Authorization: token As the authorization header always requires to send the authorization schema, Bearer need to be added |
|
@nadav-yo thanks! Another issue I am facing is that our cloud-hosted Artifactory doesn't have Cargo among the types for a virtual repo. Hence, there doesn't seem to be any way to use Artifactory for both local uploads and external (crates.io) downloads. Is that something you are aware of as an existing issue? |
|
@qartik yeah, there is currently no virtual cargo repo support, basically because of some limitation on cargo side, as we see it. |
|
Yeah, even though most of the development is done on our side, there is no virtual repository support for cargo, because of limitation on cargo client as we see it. See https://rust-lang.github.io/rfcs/3139-cargo-alternative-registry-auth.html However, if you'll read our documentation see that this could mostly be achieved with the replace-with. |
|
Thanks! I wish the documentation was clearer and updated. For example, I don't see the requirement to use nightly features such as Further the marketing page does say "aggregate local and remote resources under a single virtual Cargo repository to access all your Rust crates from a single URL" (emphasis mine). Coming back to the issue of using local and remote together. I don't see a clear way just yet. I know Are you just suggesting developers pass the name of the repo in all their |
|
You are correct, I don't know who wrote that, probably they copy pasted by mistake from other repository but I'll tell the team to fix that next week. Regarding your question, the way I use it is - while the config.toml has |
I believe I have the same setup. But, what happens when you issue let's say In my case, I get: |
|
By client limitations, you will have to specify the registry unfortunately |
|
Got it, that much seemed clear enough. I was curious to see that in your example:
you have and hence the following with an unnecessary registry annotation (being a mirror of crates.io) in Cargo.toml:
Perhaps cargo just needs to add an option to choose whether a user wants that name recorded. |
|
Yeah, I honestly don't use cargo add myself, and prefer to edit the toml myself. In this example both of the dependencies were added manually |
@nadav-y could you please elaborate on the Artifactory options you have set or unset? |
|
@Fishrock123 Then, in my cargo remote and local repositories I have If anything changed, or the base URL has changed, a reindex is required |
weihanglo
removed
the
Z-asymmetric-token
|
Seeing a similar but different issue where Artifactory is sending a 401 to the cargo CLI on the initial request, if multiple cargo requests happen at the same time with the same credentials they can rate limit themselves: #13574 |
|
If I understand the discussion here, the implemented behaviour is:
This assumes that If so, I can think of three ways to fix this:
|
|
That's actually incorrect - Artifactory can get *some* endpoints without
authentication, like terraform discovery API, npm login (start of the npm
auth flow), or this config.json.
…On Fri, Jun 7, 2024, 17:09 Wichert Akkerman ***@***.***> wrote:
If I understand the discussion here, the implemented behaviour is:
1. fetch config.json
2. if config.json contains "auth-required": true, allow other requests
will use authentication
This assumes that config.json can always be retrieved without
authentication. This is not true for Artifactory: that requires
authentication for *all* requests (unless the repository is public). Is
that a correct summary?
If so, I can think of three ways to fix this:
1. require a registry to serve config.json without authentication.
That would mean an update in section 3.13.2.1 of the cargo book
<https://doc.rust-lang.org/nightly/cargo/reference/registry-index.html#index-configuration>,
and convincing jFrog to update Artifactory.
2. support a registries.<name>.auth-required config option, which if
set to true makes cargo include auth headers for all requests, including
fetching config.json
3. modify cargo to always send credentials if they are configured for
the registry.
—
Reply to this email directly, view it on GitHub
<#11460 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACO4J6OJIUPCX7CL6ZT4MZDZGG5LJAVCNFSM6AAAAAASVXHJR2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNJUHEZDONZQGI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
@nadav-yo Perhaps it can, but the artifactory I am dealing with does not it seems. Ignoring artifactory, is my understanding of cargo behavior correct? |
|
@wichert No, your understanding of cargo behavior is not correct. The implemented behaviour is:
The problem reported in this issue is that the registry responds with |
|
@Eh2406 In my case the registry returns a |
|
@wichert the current behavior, as planned in the RFC and as spelled out in our documentation and as implemented in codechecks explicitly for We have needed to loosen similar checks in the past, when experts in the HTTP specification point out we are being overly strict. But the documentation I'm seeing is pretty specific that https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
|
Problem
This is a usability papercut on the new registry authentication feature in nightly.
The merged code depends on a GET -> 401 -> GET-with-auth -> 200 sequence for config.json.
That doesn't work (today) for JFrog Artifactory cargo registries: they return 400 for the first request.
Obviously this is a thing that they'll fix eventually, but perhaps an option to allow prior-knowledge of auth tokens being required would be helpful, since I doubt they'll be the only site to do this weirdly.
Steps
No response
Possible Solution(s)
No response
Notes
No response
Version
No response
The text was updated successfully, but these errors were encountered: