(#3565 #2421) Avoid credential bleed from saved sources with the same hostname #3568
Conversation
gep13
changed the title
Previously we looked up any available sources in the config by the hostname, before falling back to trying an exact match if we had collisions. This still allowed credentials to be reused in situations where we don't actually know if they're applicable; many repository servers will support different credentials for individual repositories, so we cannot and should not assume that credentials for one repository will actually match another repository, nor that users want the credentials to be shared for both. It also led to the possibility of users storing one repository first, and then later specifying a different repository on the same server, and choco would try to use the stored credentials for the first repository for the explicitly-entered URL which is nowhere in config. Instead, we should only match the whole URL (which can be done with Uri. Equals to ensure that we match hostnames case-insensitively, but routes case-sensitively), and expect users to provide credentials if they provide a URL that is not explicitly in the sources. Additionally, we try to ensure that if a user has named a specific source, rather than themselves providing a URL at the command line, we prioritise finding that in the already-configured sources and use that source if the URL matches the current URL that NuGet requires a credential for.
These tests ensure that the use cases we expect to handle in the credential provider are appropriately handled according to our expectations, based on the user-provided input and the transformed input that is left in configuration.Sources once the credential provider typically gets queried.
|
Converting this PR to draft while I add and validate Pester tests. |
Add Pester tests to ensure we don't inadvertently bleed configured credentials into scenarios where they should not be used.
|
I've updated the Pester tests once I got them sorted in Test Kitchen. This is once again ready for review. |
| [OneTimeSetUp] | ||
| public async Task OneTimeSetup() | ||
| { | ||
| await With(); | ||
| } |
There was a problem hiding this comment.
This should be a Because clause, not a separate OneTimeSetup.
There are no guarantee in what order a OneTimeSetup will be ran when multiple ones are specified (both Context and Because is in a single OneTimeSetup).
| [OneTimeSetUp] | |
| public async Task OneTimeSetup() | |
| { | |
| await With(); | |
| } | |
| public override void Because() | |
| { | |
| With().Wait(); | |
| } | |
At some point, if we want to test async code more often, then we should think about introducing an async TinySpec instead of doing this (You can look at the AyncTinySpec class I created for Agent).
| public override void Because() | ||
| { | ||
| Configuration.Sources = Configuration.ExplicitSources = TargetSourceUrl; | ||
| Configuration.SourceCommand.Username = "user"; | ||
| Configuration.SourceCommand.Password = "totally_secure_password!!!"; | ||
| } |
There was a problem hiding this comment.
This is part of the setup, not the actual run of a code. As such this should be in a Context method.
| public override void Because() | |
| { | |
| Configuration.Sources = Configuration.ExplicitSources = TargetSourceUrl; | |
| Configuration.SourceCommand.Username = "user"; | |
| Configuration.SourceCommand.Password = "totally_secure_password!!!"; | |
| } | |
| public override void Context() | |
| { | |
| base.Context(); | |
| Configuration.Sources = Configuration.ExplicitSources = TargetSourceUrl; | |
| Configuration.SourceCommand.Username = "user"; | |
| Configuration.SourceCommand.Password = "totally_secure_password!!!"; | |
| } | |
| [Fact] | ||
| public void Creates_a_valid_credential() | ||
| { | ||
| Result.Should().NotBeNull(); | ||
| } |
There was a problem hiding this comment.
This does not test if the credentials are valid, just that they were created.
We also commonly have prefixed assertions with Should_ (this part is also true for all other methods created in this file, I am just not commenting on it right now). Additionally, each word should have the first letter in uppercase (it wasn't done when converting to FluentAssertion due to the amount of time it would take).
| [Fact] | |
| public void Creates_a_valid_credential() | |
| { | |
| Result.Should().NotBeNull(); | |
| } | |
| [Fact] | |
| public void Should_Create_Credentials() | |
| { | |
| Result.Should().NotBeNull(); | |
| } | |
| public override void Because() | ||
| { | ||
| Configuration.Sources = TargetSourceUrl; | ||
| Configuration.ExplicitSources = TargetSourceName; | ||
| } |
There was a problem hiding this comment.
This should be part of the context (ie the setup), not the because method.
| public override void Because() | |
| { | |
| Configuration.Sources = TargetSourceUrl; | |
| Configuration.ExplicitSources = TargetSourceName; | |
| } | |
| public override void Context() | |
| { | |
| base.Context(); | |
| Configuration.Sources = TargetSourceUrl; | |
| Configuration.ExplicitSources = TargetSourceName; | |
| } | |
| public override void Because() | ||
| { | ||
| Configuration.Sources = Configuration.ExplicitSources = TargetSourceUrl; | ||
| } |
There was a problem hiding this comment.
Again, should be Context.
| public override void Because() | |
| { | |
| Configuration.Sources = Configuration.ExplicitSources = TargetSourceUrl; | |
| } | |
| public override void Context() | |
| { | |
| base.Context(); | |
| Configuration.Sources = Configuration.ExplicitSources = TargetSourceUrl; | |
| } | |
| configuration.Sources = configuration.ExplicitSources = option.UnquoteSafe(); | ||
| configuration.ListCommand.ExplicitSource = true; |
There was a problem hiding this comment.
Why are we storing a Source and an ExplicitSource, at the same time that we are setting a boolean property called ExplicitSource?
Also, what happens if the source that is passed is the named source of a configuration? Or one of the alternative sources?
Should that also be considered an explicit source?
| .ToList(); | ||
| if (namedExplicitSources?.Count > 0) |
There was a problem hiding this comment.
Should be a newline here.
| .ToList(); | |
| if (namedExplicitSources?.Count > 0) | |
| .ToList(); | |
| if (namedExplicitSources?.Count > 0) | |
| source = _config.MachineSources | ||
| .Where(s => namedExplicitSources.Contains(s.Name) && new Uri(s.Key.TrimEnd('/')) == trimmedTargetUri) | ||
| .FirstOrDefault(); |
There was a problem hiding this comment.
Why are we doing case sensitive checking here?
The Contains method is case sensitive, and as the comment says it does a case sensitive match on the url (just not the hostname).
That do not make sense, and I would think it is a case insensitive match we would want.
| // Note: This behaviour remains as removing it would be a breaking change, but we may want | ||
| // to remove this in a future version, as specifying an explicit URL should potentially |
There was a problem hiding this comment.
If there has been a decision to remove this, or potentially removing it, we would need an issue to be created to keep track of this.
| .Where(s => !string.IsNullOrWhiteSpace(s.Username) | ||
| && !string.IsNullOrWhiteSpace(s.EncryptedPassword) | ||
| && Uri.TryCreate(s.Key.TrimEnd('/'), UriKind.Absolute, out var trimmedSourceUri) | ||
| && trimmedSourceUri == trimmedTargetUri) |
There was a problem hiding this comment.
Coming back to the comment further up, if this is doing a case-sensitive match on the URL (except the hostname), then this type of comparison is probably not what we would want.
Description Of Changes
--sourceon the command line are, and start making use of it here to aid with looking up source credentials.Motivation and Context
See #3565 - the credentials are being reused in places that they shouldn't.
Testing
Unit tests! :3 Including a regression test specifically for #3565
Open VS and run the tests in the
chocolatey.testsproject and make sure they pass.Cory added: Ran
CredentialProvidertag in Test Kitchen.Operating Systems Testing
Win10
Change Types Made
Change Checklist
Related Issue
Fixes #3565
Fixes #2421 (different symptom, same issue, likely somewhat duplicate issue)