Add option to allow HTTP (not HTTPS) registries (#7204)

Footpad · web-flow · commit a1b4ad7cbc81 · 2024-02-15T11:39:24.000-08:00
Addresses #7170: this adds an option to the `package-registry` `set` and `publish` commands to allow using an HTTP registry endpoint, bypassing the existing requirement that package registries use HTTPS. ### Motivation: In short, the motivation is to allow publishing to a registry that is hosted on a local machine. It is difficult to host a fully TLS-compliant HTTPS endpoint on developer machines at scale. See more detail in #7170 ### Modifications: * Adds a new `allowInsecureHTTP` flag to the Registry model. * Adds a new `--allow-insecure-http` flag to the `package-registry` `set` and `publish` commands. * Adds tests that validate the behavior of the model and command additions. * Adds tests that validate the requested constraints in #7170 regarding HTTP endpoints, such as not being able to publish to an HTTP endpoint if there is authentication configured for it, and `login` command requiring HTTPS. ### Result: We will be able to use the `swift` CLI to publish to our HTTP registries locally hosted on our development machines. As a result, we will be able to migrate to the official tooling instead of needing to continue using home-rolled publish tooling.
diff --git a/Sources/PackageRegistry/RegistryConfiguration.swift b/Sources/PackageRegistry/RegistryConfiguration.swift
@@ -405,9 +405,9 @@ extension PackageModel.Registry: Codable {
 
     public init(from decoder: Decoder) throws {
         let container = try decoder.container(keyedBy: CodingKeys.self)
-        self.init(
-            url: try container.decode(URL.self, forKey: .url),
-            supportsAvailability: try container.decodeIfPresent(Bool.self, forKey: .supportsAvailability) ?? false
+        try self.init(
+            url: container.decode(URL.self, forKey: .url),
+            supportsAvailability: container.decodeIfPresent(Bool.self, forKey: .supportsAvailability) ?? false
         )
     }
 
diff --git a/Sources/PackageRegistryTool/PackageRegistryTool+Publish.swift b/Sources/PackageRegistryTool/PackageRegistryTool+Publish.swift
@@ -82,6 +82,9 @@ extension SwiftPackageRegistryTool {
         )
         var certificateChainPaths: [AbsolutePath] = []
 
+        @Flag(name: .customLong("allow-insecure-http"), help: "Allow using a non-HTTPS registry URL")
+        var allowInsecureHTTP: Bool = false
+
         @Flag(help: "Dry run only; prepare the archive and sign it but do not publish to the registry.")
         var dryRun: Bool = false
 
@@ -106,7 +109,8 @@ extension SwiftPackageRegistryTool {
                 throw ValidationError.unknownRegistry
             }
 
-            try registryURL.validateRegistryURL()
+            let allowHTTP = try self.allowInsecureHTTP && (configuration.authentication(for: registryURL) == nil)
+            try registryURL.validateRegistryURL(allowHTTP: allowHTTP)
 
             // validate working directory path
             if let customWorkingDirectory {
diff --git a/Sources/PackageRegistryTool/PackageRegistryTool.swift b/Sources/PackageRegistryTool/PackageRegistryTool.swift
@@ -54,6 +54,9 @@ public struct SwiftPackageRegistryTool: AsyncParsableCommand {
         @Option(help: "Associate the registry with a given scope")
         var scope: String?
 
+        @Flag(name: .customLong("allow-insecure-http"), help: "Allow using a non-HTTPS registry URL")
+        var allowInsecureHTTP: Bool = false
+
         @Argument(help: "The registry URL")
         var url: URL
 
@@ -62,15 +65,16 @@ public struct SwiftPackageRegistryTool: AsyncParsableCommand {
         }
 
         func run(_ swiftTool: SwiftTool) async throws {
-            try self.registryURL.validateRegistryURL()
+            try self.registryURL.validateRegistryURL(allowHTTP: self.allowInsecureHTTP)
 
             let scope = try scope.map(PackageIdentity.Scope.init(validating:))
 
             let set: (inout RegistryConfiguration) throws -> Void = { configuration in
+                let registry = Registry(url: self.registryURL, supportsAvailability: false)
                 if let scope {
-                    configuration.scopedRegistries[scope] = .init(url: self.registryURL, supportsAvailability: false)
+                    configuration.scopedRegistries[scope] = registry
                 } else {
-                    configuration.defaultRegistry = .init(url: self.registryURL, supportsAvailability: false)
+                    configuration.defaultRegistry = registry
                 }
             }
 
@@ -161,8 +165,8 @@ public struct SwiftPackageRegistryTool: AsyncParsableCommand {
 }
 
 extension URL {
-    func validateRegistryURL() throws {
-        guard self.scheme == "https" else {
+    func validateRegistryURL(allowHTTP: Bool = false) throws {
+        guard self.scheme == "https" || (self.scheme == "http" && allowHTTP) else {
             throw SwiftPackageRegistryTool.ValidationError.invalidURL(self)
         }
     }
diff --git a/Tests/CommandsTests/PackageRegistryToolTests.swift b/Tests/CommandsTests/PackageRegistryToolTests.swift
@@ -15,6 +15,7 @@ import Commands
 import Foundation
 import PackageLoading
 import PackageModel
+import PackageRegistry
 @testable import PackageRegistryTool
 import PackageSigning
 import SPMTestSupport
@@ -117,6 +118,19 @@ final class PackageRegistryToolTests: CommandsTestCase {
                 XCTAssertEqual(json["version"], .int(1))
             }
 
+            // Set default registry with allow-insecure-http option
+            do {
+                try execute(["set", "\(customRegistryBaseURL)", "--allow-insecure-http"], packagePath: packageRoot)
+
+                let json = try JSON(data: localFileSystem.readFileContents(configurationFilePath))
+                XCTAssertEqual(json["registries"]?.dictionary?.count, 1)
+                XCTAssertEqual(
+                    json["registries"]?.dictionary?["[default]"]?.dictionary?["url"]?.string,
+                    "\(customRegistryBaseURL)"
+                )
+                XCTAssertEqual(json["version"], .int(1))
+            }
+
             // Unset default registry
             do {
                 try execute(["unset"], packagePath: packageRoot)
@@ -215,6 +229,40 @@ final class PackageRegistryToolTests: CommandsTestCase {
         }
     }
 
+    func testSetInsecureURL() throws {
+        try fixture(name: "DependencyResolution/External/Simple") { fixturePath in
+            let packageRoot = fixturePath.appending("Bar")
+            let configurationFilePath = AbsolutePath(
+                ".swiftpm/configuration/registries.json",
+                relativeTo: packageRoot
+            )
+
+            XCTAssertFalse(localFileSystem.exists(configurationFilePath))
+
+            // Set default registry
+            XCTAssertThrowsError(try execute(["set", "http://package.example.com"], packagePath: packageRoot))
+
+            XCTAssertFalse(localFileSystem.exists(configurationFilePath))
+        }
+    }
+
+    func testSetAllowedInsecureURL() throws {
+        try fixture(name: "DependencyResolution/External/Simple") { fixturePath in
+            let packageRoot = fixturePath.appending("Bar")
+            let configurationFilePath = AbsolutePath(
+                ".swiftpm/configuration/registries.json",
+                relativeTo: packageRoot
+            )
+
+            XCTAssertFalse(localFileSystem.exists(configurationFilePath))
+
+            // Set default registry
+            try execute(["set", "http://package.example.com", "--allow-insecure-http"], packagePath: packageRoot)
+
+            XCTAssertTrue(localFileSystem.exists(configurationFilePath))
+        }
+    }
+
     func testSetInvalidScope() throws {
         try fixture(name: "DependencyResolution/External/Simple") { fixturePath in
             let packageRoot = fixturePath.appending("Bar")
@@ -402,6 +450,133 @@ final class PackageRegistryToolTests: CommandsTestCase {
         }
     }
 
+    func testPublishingToHTTPRegistry() throws {
+        #if os(Linux)
+        // needed for archiving
+        guard SPM_posix_spawn_file_actions_addchdir_np_supported() else {
+            throw XCTSkip("working directory not supported on this platform")
+        }
+        #endif
+
+        let packageIdentity = "test.my-package"
+        let version = "0.1.0"
+        let registryURL = "http://packages.example.com"
+
+        _ = try withTemporaryDirectory { temporaryDirectory in
+            let packageDirectory = temporaryDirectory.appending("MyPackage")
+            try localFileSystem.createDirectory(packageDirectory)
+
+            let initPackage = try InitPackage(
+                name: "MyPackage",
+                packageType: .executable,
+                destinationPath: packageDirectory,
+                fileSystem: localFileSystem
+            )
+            try initPackage.writePackageStructure()
+            XCTAssertFileExists(packageDirectory.appending("Package.swift"))
+
+            let workingDirectory = temporaryDirectory.appending(component: UUID().uuidString)
+            try localFileSystem.createDirectory(workingDirectory)
+
+            XCTAssertThrowsError(try SwiftPM.Registry.execute(
+                [
+                    "publish",
+                    packageIdentity,
+                    version,
+                    "--url=\(registryURL)",
+                    "--scratch-directory=\(workingDirectory.pathString)",
+                    "--package-path=\(packageDirectory.pathString)",
+                    "--dry-run",
+                ]
+            ))
+        }
+    }
+
+    func testPublishingToAllowedHTTPRegistry() throws {
+        #if os(Linux)
+        // needed for archiving
+        guard SPM_posix_spawn_file_actions_addchdir_np_supported() else {
+            throw XCTSkip("working directory not supported on this platform")
+        }
+        #endif
+
+        let packageIdentity = "test.my-package"
+        let version = "0.1.0"
+        let registryURL = "http://packages.example.com"
+
+        // with no authentication configured for registry
+        _ = try withTemporaryDirectory { temporaryDirectory in
+            let packageDirectory = temporaryDirectory.appending("MyPackage")
+            try localFileSystem.createDirectory(packageDirectory)
+
+            let initPackage = try InitPackage(
+                name: "MyPackage",
+                packageType: .executable,
+                destinationPath: packageDirectory,
+                fileSystem: localFileSystem
+            )
+            try initPackage.writePackageStructure()
+            XCTAssertFileExists(packageDirectory.appending("Package.swift"))
+
+            let workingDirectory = temporaryDirectory.appending(component: UUID().uuidString)
+            try localFileSystem.createDirectory(workingDirectory)
+
+            try SwiftPM.Registry.execute(
+                [
+                    "publish",
+                    packageIdentity,
+                    version,
+                    "--url=\(registryURL)",
+                    "--scratch-directory=\(workingDirectory.pathString)",
+                    "--package-path=\(packageDirectory.pathString)",
+                    "--allow-insecure-http",
+                    "--dry-run",
+                ]
+            )
+        }
+
+        // with authentication configured for registry
+        _ = try withTemporaryDirectory { temporaryDirectory in
+            let packageDirectory = temporaryDirectory.appending("MyPackage")
+            try localFileSystem.createDirectory(packageDirectory)
+
+            let initPackage = try InitPackage(
+                name: "MyPackage",
+                packageType: .executable,
+                destinationPath: packageDirectory,
+                fileSystem: localFileSystem
+            )
+            try initPackage.writePackageStructure()
+            XCTAssertFileExists(packageDirectory.appending("Package.swift"))
+
+            let workingDirectory = temporaryDirectory.appending(component: UUID().uuidString)
+            try localFileSystem.createDirectory(workingDirectory)
+
+            let configurationFilePath = AbsolutePath(
+                ".swiftpm/configuration/registries.json",
+                relativeTo: packageDirectory
+            )
+
+            try localFileSystem.createDirectory(configurationFilePath.parentDirectory, recursive: true)
+            var configuration = RegistryConfiguration()
+            try configuration.add(authentication: .init(type: .basic), for: URL(registryURL))
+            try localFileSystem.writeFileContents(configurationFilePath, data: JSONEncoder().encode(configuration))
+
+            XCTAssertThrowsError(try SwiftPM.Registry.execute(
+                [
+                    "publish",
+                    packageIdentity,
+                    version,
+                    "--url=\(registryURL)",
+                    "--scratch-directory=\(workingDirectory.pathString)",
+                    "--package-path=\(packageDirectory.pathString)",
+                    "--allow-insecure-http",
+                    "--dry-run",
+                ]
+            ))
+        }
+    }
+
     func testPublishingUnsignedPackage() throws {
         #if os(Linux)
         // needed for archiving
@@ -903,13 +1078,18 @@ final class PackageRegistryToolTests: CommandsTestCase {
         }
     }
 
+    func testLoginRequiresHTTPS() {
+        let registryURL = URL(string: "http://packages.example.com")!
+
+        XCTAssertThrowsError(try SwiftPM.Registry.execute(["login", "--url", registryURL.absoluteString]))
+    }
+
     func testCreateLoginURL() {
         let registryURL = URL(string: "https://packages.example.com")!
 
         XCTAssertEqual(try SwiftPackageRegistryTool.Login.loginURL(from: registryURL, loginAPIPath: nil).absoluteString, "https://packages.example.com/login")
 
         XCTAssertEqual(try SwiftPackageRegistryTool.Login.loginURL(from: registryURL, loginAPIPath: "/secret-sign-in").absoluteString, "https://packages.example.com/secret-sign-in")
-
     }
 
     func testCreateLoginURLMaintainsPort() {
@@ -920,6 +1100,18 @@ final class PackageRegistryToolTests: CommandsTestCase {
         XCTAssertEqual(try SwiftPackageRegistryTool.Login.loginURL(from: registryURL, loginAPIPath: "/secret-sign-in").absoluteString, "https://packages.example.com:8081/secret-sign-in")
     }
 
+    func testValidateRegistryURL() throws {
+        // Valid
+        try URL(string: "https://packages.example.com")!.validateRegistryURL()
+        try URL(string: "http://packages.example.com")!.validateRegistryURL(allowHTTP: true)
+
+        // Invalid
+        XCTAssertThrowsError(try URL(string: "http://packages.example.com")!.validateRegistryURL())
+        XCTAssertThrowsError(try URL(string: "http://packages.example.com")!.validateRegistryURL(allowHTTP: false))
+        XCTAssertThrowsError(try URL(string: "ssh://packages.example.com")!.validateRegistryURL())
+        XCTAssertThrowsError(try URL(string: "ftp://packages.example.com")!.validateRegistryURL(allowHTTP: true))
+    }
+
     private func testRoots() throws -> [[UInt8]] {
         try fixture(name: "Signing", createGitRepo: false) { fixturePath in
             let rootCA = try localFileSystem
diff --git a/Tests/PackageRegistryTests/RegistryConfigurationTests.swift b/Tests/PackageRegistryTests/RegistryConfigurationTests.swift
@@ -138,7 +138,7 @@ final class RegistryConfigurationTests: XCTestCase {
                 },
                 "bar": {
                     "url": "\#(customRegistryBaseURL)"
-                },
+                }
             },
             "authentication": {
                 "packages.example.com": {

Original file line number	Diff line number	Diff line change
`@@ -405,9 +405,9 @@ extension PackageModel.Registry: Codable {`
`405`	`405`
`406`	`406`	`public init(from decoder: Decoder) throws {`
`407`	`407`	`let container = try decoder.container(keyedBy: CodingKeys.self)`
`408`		`- self.init(`
`409`		`- url: try container.decode(URL.self, forKey: .url),`
`410`		`- supportsAvailability: try container.decodeIfPresent(Bool.self, forKey: .supportsAvailability) ?? false`
	`408`	`+ try self.init(`
	`409`	`+ url: container.decode(URL.self, forKey: .url),`
	`410`	`+ supportsAvailability: container.decodeIfPresent(Bool.self, forKey: .supportsAvailability) ?? false`
`411`	`411`	`)`
`412`	`412`	`}`
`413`	`413`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ public struct SwiftPackageRegistryTool: AsyncParsableCommand {`
`54`	`54`	`@Option(help: "Associate the registry with a given scope")`
`55`	`55`	`var scope: String?`
`56`	`56`
	`57`	`+ @Flag(name: .customLong("allow-insecure-http"), help: "Allow using a non-HTTPS registry URL")`
	`58`	`+ var allowInsecureHTTP: Bool = false`
	`59`	`+`
`57`	`60`	`@Argument(help: "The registry URL")`
`58`	`61`	`var url: URL`
`59`	`62`
`@@ -62,15 +65,16 @@ public struct SwiftPackageRegistryTool: AsyncParsableCommand {`
`62`	`65`	`}`
`63`	`66`
`64`	`67`	`func run(_ swiftTool: SwiftTool) async throws {`
`65`		`- try self.registryURL.validateRegistryURL()`
	`68`	`+ try self.registryURL.validateRegistryURL(allowHTTP: self.allowInsecureHTTP)`
`66`	`69`
`67`	`70`	`let scope = try scope.map(PackageIdentity.Scope.init(validating:))`
`68`	`71`
`69`	`72`	`let set: (inout RegistryConfiguration) throws -> Void = { configuration in`
	`73`	`+ let registry = Registry(url: self.registryURL, supportsAvailability: false)`
`70`	`74`	`if let scope {`
`71`		`- configuration.scopedRegistries[scope] = .init(url: self.registryURL, supportsAvailability: false)`
	`75`	`+ configuration.scopedRegistries[scope] = registry`
`72`	`76`	`} else {`
`73`		`- configuration.defaultRegistry = .init(url: self.registryURL, supportsAvailability: false)`
	`77`	`+ configuration.defaultRegistry = registry`
`74`	`78`	`}`
`75`	`79`	`}`
`76`	`80`
`@@ -161,8 +165,8 @@ public struct SwiftPackageRegistryTool: AsyncParsableCommand {`
`161`	`165`	`}`
`162`	`166`
`163`	`167`	`extension URL {`
`164`		`- func validateRegistryURL() throws {`
`165`		`- guard self.scheme == "https" else {`
	`168`	`+ func validateRegistryURL(allowHTTP: Bool = false) throws {`
	`169`	`+ guard self.scheme == "https" \|\| (self.scheme == "http" && allowHTTP) else {`
`166`	`170`	`throw SwiftPackageRegistryTool.ValidationError.invalidURL(self)`
`167`	`171`	`}`
`168`	`172`	`}`