| author | Eric Meadows-Jönsson <eric.meadows.jonsson@gmail.com> | 2018-12-29 15:57:19 +0100 | 
|---|---|---|
| committer | Eric Meadows-Jönsson <eric.meadows.jonsson@gmail.com> | 2018-12-30 16:06:58 +0100 | 
| commit | 6a5ad07bc49a366ecc81ea87feb2de77c825771a (patch) | |
| tree | 3b6ca817d2a97665314305f32b3682e7f881f664 /src | |
| parent | 968458b43592ee112ea85addc674af3beb476da6 (diff) | |
Update hex_core and add mirror_of repo config
Diffstat (limited to 'src')
| -rw-r--r-- | src/rebar_hex_repos.erl | 11 | ||||
| -rw-r--r-- | src/rebar_packages.erl | 38 | 
2 files changed, 36 insertions, 13 deletions
| diff --git a/src/rebar_hex_repos.erl b/src/rebar_hex_repos.erl
index ebee191..57b5bc8 100644
--- a/src/rebar_hex_repos.erl
+++ b/src/rebar_hex_repos.erl
@@ -21,7 +21,8 @@
                   api_key => binary(),
                   repo_url => binary(),
                   repo_public_key => binary(),
-                  repo_verify => binary()}.
+                  repo_verify => binary(),
+                  repo_verify_origin => binary()}.
 from_state(BaseConfig, State) ->
     HexConfig = rebar_state:get(State, hex, []),
@@ -104,7 +105,13 @@ update_repo_list(R, []) ->
 default_repo() ->
     HexDefaultConfig = hex_core:default_config(),
-    HexDefaultConfig#{name => ?PUBLIC_HEX_REPO}.
+    HexDefaultConfig#{name => ?PUBLIC_HEX_REPO, repo_verify_origin => repo_verify_origin()}.
+
+repo_verify_origin() ->
+    case os:getenv("REBAR_NO_VERIFY_REPO_ORIGIN") of
+        "1" -> false;
+        _ -> true
+    end.
 repo_list([]) ->
     [];
diff --git a/src/rebar_packages.erl b/src/rebar_packages.erl
index 757eb86..f1bb53d 100644
--- a/src/rebar_packages.erl
+++ b/src/rebar_packages.erl
@@ -49,10 +49,10 @@ get(Config, Name) ->
 -spec get_all_names(rebar_state:t()) -> [binary()].
-get_all_names(State) ->    
+get_all_names(State) ->
     verify_table(State),
     lists:usort(ets:select(?PACKAGE_TABLE, [{#package{key={'$1', '_', '_'},
-                                                      _='_'}, 
+                                                      _='_'},
                                              [], ['$1']}])).
 -spec get_package_versions(unicode:unicode_binary(), ec_semver:semver(),
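Review bot: `repo_verify_origin/0` in src/rebar_hex_repos.erl switches origin verification off from the environment without leaving any trace, so a build host that has `REBAR_NO_VERIFY_REPO_ORIGIN=1` exported fetches registry data unverified with nothing in the output to show it. A log line on the `"1"` branch, for example `"1" -> ?DEBUG("Repo origin verification disabled via REBAR_NO_VERIFY_REPO_ORIGIN", []), false;` (assuming the logging macros from rebar.hrl are in scope in this module), would make that state visible when a build is audited. The function returns a boolean while the first hunk declares `repo_verify_origin => binary()`; `boolean()` would match what is actually stored. The key is only set in `default_repo/0`, so whether repos configured elsewhere inherit it depends on merge code outside these hunks.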
@@ -101,14 +101,14 @@ load_and_verify_version(State) ->
                     ?DEBUG("Package index version mismatch. Current version ~p, this rebar3 expecting ~p",
                            [V, ?PACKAGE_INDEX_VERSION]),
                     (catch ets:delete(?PACKAGE_TABLE)),
-                    new_package_table()                    
+                    new_package_table()
             end;
-        _ ->            
+        _ ->
             new_package_table()
     end.
 handle_missing_package(PkgKey, Repo, State, Fun) ->
-    Name = 
+    Name =
         case PkgKey of
             {N, Vsn, _Repo} ->
                 ?DEBUG("Package ~ts-~ts not found. Fetching registry updates for "
@@ -121,8 +121,8 @@ handle_missing_package(PkgKey, Repo, State, Fun) ->
         end,
     update_package(Name, Repo, State),
-    try 
-        Fun(State) 
+    try
+        Fun(State)
     catch
         _:_ ->
             %% Even after an update the package is still missing, time to error out
@@ -220,7 +220,7 @@ verify_table(State) ->
     ets:info(?PACKAGE_TABLE, named_table) =:= true orelse load_and_verify_version(State).
 parse_deps(Deps) ->
-    [{maps:get(app, D, Name), {pkg, Name, Constraint, undefined}} 
+    [{maps:get(app, D, Name), {pkg, Name, Constraint, undefined}}
      || D=#{package := Name,
             requirement := Constraint} <- Deps].
@@ -233,16 +233,19 @@ parse_checksum(Checksum) ->
 update_package(Name, RepoConfig=#{name := Repo}, State) ->
     ?MODULE:verify_table(State),
-    try hex_repo:get_package(RepoConfig#{repo_key => maps:get(read_key, RepoConfig, <<>>)}, Name) of
-        {ok, {200, _Headers, #{releases := Releases}}} ->
+    try hex_repo:get_package(get_package_repo_config(RepoConfig), Name) of
+        {ok, {200, _Headers, Releases}} ->
             _ = insert_releases(Name, Releases, Repo, ?PACKAGE_TABLE),
             {ok, RegistryDir} = rebar_packages:registry_dir(State),
             PackageIndex = filename:join(RegistryDir, ?INDEX_FILE),
             ok = ets:tab2file(?PACKAGE_TABLE, PackageIndex);
-        {ok, {403, _Headers, <<>>}} ->
+        {ok, {403, _Headers, _}} ->
             not_found;
         {ok, {404, _Headers, _}} ->
             not_found;
+        {error, unverified} ->
+            ?WARN(unverified_repo_message(), [Repo]),
+            fail;
         Error ->
             ?DEBUG("Hex get_package request failed: ~p", [Error]),
             %% TODO: add better log message. hex_core should export a format_error
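Review bot: The 200 clause in `update_package/3` now binds the whole response body to `Releases` with no shape check, where the old pattern `#{releases := Releases}` sent anything unexpected to the `Error ->` clause and returned `fail`. The clause bodies sit in the `of` section of the `try`, which is not protected, so a body that is not the list `insert_releases/4` appears to iterate would crash the fetch rather than be logged. A guard keeps the previous fallback for data coming from a remote repository: `{ok, {200, _Headers, Releases}} when is_list(Releases) ->`. This assumes the updated hex_core returns the release list directly, which the hunk suggests but does not show. The function continues past the end of the hunk.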
@@ -254,6 +257,19 @@ update_package(Name, RepoConfig=#{name := Repo}, State) ->
             fail
     end.
+get_package_repo_config(RepoConfig=#{mirror_of := Repo}) ->
+    get_package_repo_config(maps:remove(mirror_of, RepoConfig#{name => Repo}));
+get_package_repo_config(RepoConfig=#{read_key := Key}) ->
+    get_package_repo_config(maps:remove(read_key, RepoConfig#{repo_key => Key}));
+get_package_repo_config(RepoConfig) ->
+    RepoConfig.
+
+unverified_repo_message() ->
+    "Fetched deprecatated registry record version from repo ~ts, for security " ++
+        "reasons this registry version is no longer supported. The repository " ++
+        "you are using should update to fix the security reason. Set " ++
+        "REBAR_NO_VERIFY_REPO_ORIGIN=1 to disable this check.".
+
 insert_releases(Name, Releases, Repo, Table) ->
     [true = ets:insert(Table,
                        #package{key={Name, ec_semver:parse(Version), Repo}, |
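Review bot: The warning built by `unverified_repo_message/0` offers `REBAR_NO_VERIFY_REPO_ORIGIN=1` as the remedy without saying that setting it makes rebar3 accept registry records whose origin was not checked. The text also has a typo (`deprecatated`) and the unclear phrase "should update to fix the security reason". I would correct it to `deprecated`, replace that phrase with "should be updated to serve the current registry format", and describe the variable as a temporary workaround that turns off origin verification. `get_package_repo_config/1` would benefit from a short comment such as `%% A mirror is queried under the name of the repo it mirrors; hex_core takes the key as repo_key, not read_key.`, since the reason `name` is overwritten is not evident from the code. That reason is presumably the origin check, which should be confirmed before the comment says so.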
