Do not implicitly load registry.token with --index.

The intent is to avoid leaking the crates.io token to other servers.

Author: ehuss

src/cargo/ops/registry.rs

@@ -378,7 +378,26 @@ fn registry(
         token: token_config,
         index: index_config,
     } = registry_configuration(config, registry.clone())?;
-    let token = token.or(token_config);
+    let token = match (&index, &token, &token_config) {
+        // No token.
+        (None, None, None) => {
+            if validate_token {
+                bail!("no upload token found, please run `cargo login` or pass `--token`");
+            }
+            None
+        }
+        // Token on command-line.
+        (_, Some(_), _) => token,
+        // Token in config, no --index, loading from config is OK for crates.io.
+        (None, None, Some(_)) => token_config,
+        // --index, no --token
+        (Some(_), None, _) => {
+            if validate_token {
+                bail!("command-line argument --index requires --token to be specified")
+            }
+            None
+        }
+    };
     let sid = get_source_id(config, index_config.or(index), registry)?;
     if !sid.is_remote_registry() {
         bail!(
@@ -408,9 +427,6 @@ fn registry(
             .ok_or_else(|| format_err!("{} does not support API commands", sid))?
     };
     let handle = http_handle(config)?;
-    if validate_token && token.is_none() {
-        bail!("no upload token found, please run `cargo login`");
-    };
     Ok((Registry::new_handle(api_host, token, handle), sid))
 }
 

tests/testsuite/alt_registry.rs

@@ -298,7 +298,7 @@ fn cannot_publish_to_crates_io_with_registry_dependency() {
         .with_stderr_contains("[ERROR] crates cannot be published to crates.io[..]")
         .run();
 
-    p.cargo("publish --index")
+    p.cargo("publish --token sekrit --index")
         .arg(fakeio_url.to_string())
         .with_status(101)
         .with_stderr_contains("[ERROR] crates cannot be published to crates.io[..]")
@@ -413,17 +413,18 @@ fn alt_registry_and_crates_io_deps() {
 
 #[cargo_test]
 fn block_publish_due_to_no_token() {
-    let p = project().file("src/main.rs", "fn main() {}").build();
-
-    // Setup the registry by publishing a package
-    Package::new("bar", "0.0.1").alternative(true).publish();
+    registry::init();
+    let p = project().file("src/lib.rs", "").build();
 
     fs::remove_file(paths::home().join(".cargo/credentials")).unwrap();
 
     // Now perform the actual publish
     p.cargo("publish --registry alternative")
         .with_status(101)
-        .with_stderr_contains("error: no upload token found, please run `cargo login`")
+        .with_stderr_contains(
+            "error: no upload token found, \
+            please run `cargo login` or pass `--token`",
+        )
         .run();
 }
 

tests/testsuite/cargo_features.rs

@@ -323,8 +323,7 @@ fn publish_allowed() {
         )
         .file("src/lib.rs", "")
         .build();
-    p.cargo("publish --index")
-        .arg(registry::registry_url().to_string())
+    p.cargo("publish --token sekrit")
         .masquerade_as_nightly_cargo()
         .run();
 }

tests/testsuite/cross_publish.rs

@@ -97,8 +97,7 @@ fn publish_with_target() {
 
     let target = cross_compile::alternate();
 
-    p.cargo("publish --index")
-        .arg(registry::registry_url().to_string())
+    p.cargo("publish --token sekrit")
         .arg("--target")
         .arg(&target)
         .with_stderr(&format!(

tests/testsuite/owner.rs

@@ -4,7 +4,7 @@ use std::fs;
 
 use cargo_test_support::paths::CargoPathExt;
 use cargo_test_support::project;
-use cargo_test_support::registry::{self, api_path, registry_url};
+use cargo_test_support::registry::{self, api_path};
 
 fn setup(name: &str, content: Option<&str>) {
     let dir = api_path().join(format!("api/v1/crates/{}", name));
@@ -43,9 +43,7 @@ fn simple_list() {
         .file("src/main.rs", "fn main() {}")
         .build();
 
-    p.cargo("owner -l --index")
-        .arg(registry_url().to_string())
-        .run();
+    p.cargo("owner -l --token sekrit").run();
 }
 
 #[cargo_test]
@@ -68,8 +66,7 @@ fn simple_add() {
         .file("src/main.rs", "fn main() {}")
         .build();
 
-    p.cargo("owner -a username --index")
-        .arg(registry_url().to_string())
+    p.cargo("owner -a username --token sekrit")
         .with_status(101)
         .with_stderr(
             "    Updating `[..]` index
@@ -98,8 +95,7 @@ fn simple_remove() {
         .file("src/main.rs", "fn main() {}")
         .build();
 
-    p.cargo("owner -r username --index")
-        .arg(registry_url().to_string())
+    p.cargo("owner -r username --token sekrit")
         .with_status(101)
         .with_stderr(
             "    Updating `[..]` index