Add publish.credentials config key, use it to publish

Author: alexarchambault

modules/cli/src/main/scala/scala/cli/commands/config/Config.scala

@@ -12,7 +12,14 @@ import scala.cli.commands.ScalaCommand
 import scala.cli.commands.publish.ConfigUtil.*
 import scala.cli.commands.util.CommonOps.*
 import scala.cli.commands.util.JvmUtils
-import scala.cli.config.{ConfigDb, Keys, PasswordOption, RepositoryCredentials, Secret}
+import scala.cli.config.{
+  ConfigDb,
+  Keys,
+  PasswordOption,
+  PublishCredentials,
+  RepositoryCredentials,
+  Secret
+}
 
 object Config extends ScalaCommand[ConfigOptions] {
   override def hidden       = true
@@ -188,6 +195,32 @@ object Config extends ScalaCommand[ConfigOptions] {
                       val newValue = credentials :: previousValueOpt.getOrElse(Nil)
                       db.set(Keys.repositoryCredentials, newValue)
                     }
+
+                  case Keys.publishCredentials =>
+                    val (host, rawUser, rawPassword, realmOpt) = values match {
+                      case Seq(host, rawUser, rawPassword) => (host, rawUser, rawPassword, None)
+                      case Seq(host, rawUser, rawPassword, realm) =>
+                        (host, rawUser, rawPassword, Some(realm))
+                      case _ =>
+                        System.err.println(
+                          s"Usage: $progName config ${Keys.publishCredentials.fullName} host user password [realm]"
+                        )
+                        System.err.println(
+                          "Note that user and password are assumed to be secrets, specified like value:... or env:ENV_VAR_NAME, see https://scala-cli.virtuslab.org/docs/reference/password-options for more details"
+                        )
+                        sys.exit(1)
+                    }
+                    val (userOpt, passwordOpt) = (parseSecret(rawUser), parseSecret(rawPassword))
+                      .traverseN
+                      .left.map(CompositeBuildException(_))
+                      .orExit(logger)
+                    val credentials =
+                      PublishCredentials(host, userOpt, passwordOpt, realm = realmOpt)
+                    val previousValueOpt =
+                      db.get(Keys.publishCredentials).wrapConfigException.orExit(logger)
+                    val newValue = credentials :: previousValueOpt.getOrElse(Nil)
+                    db.set(Keys.publishCredentials, newValue)
+
                   case _ =>
                     val finalValues =
                       if (options.passwordValue && entry.isPasswordOption)

modules/cli/src/main/scala/scala/cli/commands/publish/OptionChecks.scala

@@ -23,8 +23,8 @@ object OptionChecks {
       NameCheck(options, workspace, logger),
       ComputeVersionCheck(options, workspace, logger),
       RepositoryCheck(options, logger),
-      UserCheck(options, () => configDb, logger),
-      PasswordCheck(options, () => configDb, logger),
+      UserCheck(options, () => configDb, workspace, logger),
+      PasswordCheck(options, () => configDb, workspace, logger),
       PgpSecretKeyCheck(options, coursierCache, () => configDb, logger, backend),
       LicenseCheck(options, logger),
       UrlCheck(options, workspace, logger),

modules/cli/src/main/scala/scala/cli/commands/publish/Publish.scala

@@ -48,7 +48,7 @@ import scala.cli.commands.{
   SharedPythonOptions,
   WatchUtil
 }
-import scala.cli.config.{ConfigDb, Keys}
+import scala.cli.config.{ConfigDb, Keys, PublishCredentials}
 import scala.cli.errors.{
   FailedToSignFileError,
   MalformedChecksumsError,
@@ -688,29 +688,44 @@ object Publish extends ScalaCommand[PublishOptions] with BuildCommandHelpers {
     val ec = builds.head.options.finalCache.ec
 
     def authOpt(repo: String): Either[BuildException, Option[Authentication]] = either {
-      val hostOpt = {
+      val isHttps = {
         val uri = new URI(repo)
-        if (uri.getScheme == "https") Some(uri.getHost)
-        else None
+        uri.getScheme == "https"
+      }
+      val hostOpt = Option.when(isHttps)(new URI(repo).getHost)
+      val maybeCredentials: Either[BuildException, Option[PublishCredentials]] = hostOpt match {
+        case None => Right(None)
+        case Some(host) =>
+          configDb().get(Keys.publishCredentials).wrapConfigException.map { credListOpt =>
+            credListOpt.flatMap { credList =>
+              credList.find { cred =>
+                cred.host == host &&
+                (isHttps || cred.httpsOnly.contains(false))
+              }
+            }
+          }
       }
       val isSonatype =
         hostOpt.exists(host => host == "oss.sonatype.org" || host.endsWith(".oss.sonatype.org"))
       val passwordOpt = publishOptions.contextual(isCi).repoPassword match {
-        case None if isSonatype =>
-          value(configDb().get(Keys.sonatypePassword).wrapConfigException)
+        case None  => value(maybeCredentials).flatMap(_.password)
         case other => other.map(_.toConfig)
       }
       passwordOpt.map(_.get()) match {
         case None => None
         case Some(password) =>
           val userOpt = publishOptions.contextual(isCi).repoUser match {
-            case None if isSonatype =>
-              value(configDb().get(Keys.sonatypeUser).wrapConfigException)
+            case None  => value(maybeCredentials).flatMap(_.user)
             case other => other.map(_.toConfig)
           }
           val realmOpt = publishOptions.contextual(isCi).repoRealm match {
-            case None if isSonatype =>
-              Some("Sonatype Nexus Repository Manager")
+            case None =>
+              value(maybeCredentials)
+                .flatMap(_.realm)
+                .orElse {
+                  if (isSonatype) Some("Sonatype Nexus Repository Manager")
+                  else None
+                }
             case other => other
           }
           val auth = Authentication(userOpt.fold("")(_.get().value), password.value)

modules/cli/src/main/scala/scala/cli/commands/publish/checks/PasswordCheck.scala

@@ -1,39 +1,88 @@
 package scala.cli.commands.publish.checks
 
+import java.net.URI
+
 import scala.build.EitherCps.{either, value}
 import scala.build.Logger
 import scala.build.errors.BuildException
 import scala.build.options.{PublishOptions => BPublishOptions}
 import scala.cli.commands.publish.ConfigUtil._
-import scala.cli.commands.publish.{OptionCheck, PublishSetupOptions, SetSecret}
+import scala.cli.commands.publish.{OptionCheck, PublishSetupOptions, RepoParams, SetSecret}
 import scala.cli.config.{ConfigDb, Keys}
 import scala.cli.errors.MissingPublishOptionError
 
 final case class PasswordCheck(
   options: PublishSetupOptions,
   configDb: () => ConfigDb,
+  workspace: os.Path,
   logger: Logger
 ) extends OptionCheck {
   def kind          = OptionCheck.Kind.Repository
   def fieldName     = "password"
   def directivePath = "publish" + (if (options.publishParams.setupCi) ".ci" else "") + ".password"
 
+  private def hostOpt(pubOpt: BPublishOptions): Option[String] = {
+    val repo = pubOpt.contextual(options.publishParams.setupCi).repository.getOrElse(
+      RepositoryCheck.defaultRepository
+    )
+    RepoParams(
+      repo,
+      pubOpt.versionControl.map(_.url),
+      workspace,
+      None,
+      false,
+      null,
+      logger
+    ) match {
+      case Left(ex) =>
+        logger.debug("Caught exception when trying to compute host to check user credentials")
+        logger.debug(ex)
+        None
+      case Right(params) =>
+        Some(new URI(params.repo.snapshotRepo.root).getHost)
+    }
+  }
+
+  private def passwordOpt(pubOpt: BPublishOptions) = hostOpt(pubOpt) match {
+    case None => Right(None)
+    case Some(host) =>
+      configDb().get(Keys.publishCredentials).wrapConfigException.map { credListOpt =>
+        credListOpt.flatMap { credList =>
+          credList
+            .iterator
+            .filter(_.host == host)
+            .map(_.password)
+            .collectFirst {
+              case Some(p) => p
+            }
+        }
+      }
+  }
+
   def check(pubOpt: BPublishOptions): Boolean =
-    !options.publishParams.setupCi ||
-    pubOpt.retained(options.publishParams.setupCi).repoPassword.nonEmpty
+    pubOpt.retained(options.publishParams.setupCi).repoPassword.nonEmpty || {
+      !options.publishParams.setupCi && (passwordOpt(pubOpt) match {
+        case Left(ex) =>
+          logger.debug("Ignoring error while trying to get password from config")
+          logger.debug(ex)
+          true
+        case Right(valueOpt) =>
+          valueOpt.isDefined
+      })
+    }
 
   def defaultValue(pubOpt: BPublishOptions): Either[BuildException, OptionCheck.DefaultValue] =
     either {
+
       if (options.publishParams.setupCi) {
         val password = options.publishRepo.password match {
           case Some(password0) => password0.toConfig
           case None =>
-            val passwordOpt = value(configDb().get(Keys.sonatypePassword).wrapConfigException)
-            passwordOpt match {
+            value(passwordOpt(pubOpt)) match {
               case Some(password0) =>
-                logger.message("publish.password:")
+                logger.message("publish.credentials:")
                 logger.message(
-                  s"  using ${Keys.sonatypePassword.fullName} from Scala CLI configuration"
+                  s"  using ${Keys.publishCredentials.fullName} from Scala CLI configuration"
                 )
                 password0
               case None =>
@@ -42,8 +91,8 @@ final case class PasswordCheck(
                     new MissingPublishOptionError(
                       "publish password",
                       "--password",
-                      "publish.password",
-                      configKeys = Seq(Keys.sonatypePassword.fullName)
+                      "publish.credentials",
+                      configKeys = Seq(Keys.publishCredentials.fullName)
                     )
                   }
                 }
@@ -56,21 +105,30 @@ final case class PasswordCheck(
           Seq(SetSecret("PUBLISH_PASSWORD", password.get(), force = true))
         )
       }
-      else if (value(configDb().get(Keys.sonatypePassword).wrapConfigException).isDefined) {
-        logger.message("publish.password:")
-        logger.message(s"  found ${Keys.sonatypePassword.fullName} in Scala CLI configuration")
-        OptionCheck.DefaultValue.empty
-      }
       else
-        value {
-          Left {
-            new MissingPublishOptionError(
-              "publish password",
-              "",
-              "publish.password",
-              configKeys = Seq(Keys.sonatypePassword.fullName)
-            )
-          }
+        hostOpt(pubOpt) match {
+          case None =>
+            logger.debug("No host, not checking for publish repository password")
+            OptionCheck.DefaultValue.empty
+          case Some(host) =>
+            if (value(passwordOpt(pubOpt)).isDefined) {
+              logger.message("publish.password:")
+              logger.message(
+                s"  found password for $host in ${Keys.publishCredentials.fullName} in Scala CLI configuration"
+              )
+              OptionCheck.DefaultValue.empty
+            }
+            else
+              value {
+                Left {
+                  new MissingPublishOptionError(
+                    "publish password",
+                    "",
+                    "publish.credentials",
+                    configKeys = Seq(Keys.publishCredentials.fullName)
+                  )
+                }
+              }
         }
     }
 }