Diffstat (limited to 'src')
-rw-r--r--src/rebar_hex_repos.erl11
-rw-r--r--src/rebar_packages.erl38
2 files changed, 36 insertions, 13 deletions
diff --git a/src/rebar_hex_repos.erl b/src/rebar_hex_repos.erl
index ebee191..57b5bc8 100644
--- a/src/rebar_hex_repos.erl
+++ b/src/rebar_hex_repos.erl
@@ -21,7 +21,8 @@
api_key => binary(),
repo_url => binary(),
repo_public_key => binary(),
- repo_verify => binary()}.
+ repo_verify => binary(),
+ repo_verify_origin => binary()}.
from_state(BaseConfig, State) ->
HexConfig = rebar_state:get(State, hex, []),
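Review bot: The new `repo_verify_origin` field is typed as `binary()`, but the only value written to it in this commit is the `true`/`false` returned by `repo_verify_origin/0` in the next hunk, so the type spec is wrong and Dialyzer will not catch a caller that stores the wrong kind of value. Change the added line to `repo_verify_origin => boolean()}.` (the pre-existing `repo_verify => binary()` looks like it has the same problem, but that is outside this change). The type definition starts before this hunk, so the enclosing `-type` name is not visible here.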
@@ -104,7 +105,13 @@ update_repo_list(R, []) ->
default_repo() ->
HexDefaultConfig = hex_core:default_config(),
- HexDefaultConfig#{name => ?PUBLIC_HEX_REPO}.
+ HexDefaultConfig#{name => ?PUBLIC_HEX_REPO, repo_verify_origin => repo_verify_origin()}.
+
+repo_verify_origin() ->
+ case os:getenv("REBAR_NO_VERIFY_REPO_ORIGIN") of
+ "1" -> false;
+ _ -> true
+ end.
repo_list([]) ->
[];
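Review bot: `repo_verify_origin/0` silently turns off the origin check when `REBAR_NO_VERIFY_REPO_ORIGIN=1` is set, so a CI image or shell profile that exports it disables a security control with no trace in the build output; I would log once when the bypass is active, e.g. `"1" -> ?WARN("REBAR_NO_VERIFY_REPO_ORIGIN=1 set, repository origin verification is disabled", []), false;` (assuming `?WARN` from rebar.hrl is included in this module as it is in rebar_packages.erl). Note also that only the literal string `"1"` disables the check, so `true`/`yes` are silently ignored; a comment stating that is deliberate would help. The field is only added to `default_repo/0` here, so whether user-configured repos from the `hex` config also get `repo_verify_origin` depends on `update_repo_list/2`, which is not in this hunk — worth confirming they are not left unverified by omission. A short doc comment on `repo_verify_origin/0` describing the env var and its security effect would also be welcome.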
diff --git a/src/rebar_packages.erl b/src/rebar_packages.erl
index 757eb86..f1bb53d 100644
--- a/src/rebar_packages.erl
+++ b/src/rebar_packages.erl
@@ -49,10 +49,10 @@ get(Config, Name) ->
-spec get_all_names(rebar_state:t()) -> [binary()].
-get_all_names(State) ->
+get_all_names(State) ->
verify_table(State),
lists:usort(ets:select(?PACKAGE_TABLE, [{#package{key={'$1', '_', '_'},
- _='_'},
+ _='_'},
[], ['$1']}])).
-spec get_package_versions(unicode:unicode_binary(), ec_semver:semver(),
@@ -101,14 +101,14 @@ load_and_verify_version(State) ->
?DEBUG("Package index version mismatch. Current version ~p, this rebar3 expecting ~p",
[V, ?PACKAGE_INDEX_VERSION]),
(catch ets:delete(?PACKAGE_TABLE)),
- new_package_table()
+ new_package_table()
end;
- _ ->
+ _ ->
new_package_table()
end.
handle_missing_package(PkgKey, Repo, State, Fun) ->
- Name =
+ Name =
case PkgKey of
{N, Vsn, _Repo} ->
?DEBUG("Package ~ts-~ts not found. Fetching registry updates for "
@@ -121,8 +121,8 @@ handle_missing_package(PkgKey, Repo, State, Fun) ->
end,
update_package(Name, Repo, State),
- try
- Fun(State)
+ try
+ Fun(State)
catch
_:_ ->
%% Even after an update the package is still missing, time to error out
@@ -220,7 +220,7 @@ verify_table(State) ->
ets:info(?PACKAGE_TABLE, named_table) =:= true orelse load_and_verify_version(State).
parse_deps(Deps) ->
- [{maps:get(app, D, Name), {pkg, Name, Constraint, undefined}}
+ [{maps:get(app, D, Name), {pkg, Name, Constraint, undefined}}
|| D=#{package := Name,
requirement := Constraint} <- Deps].
@@ -233,16 +233,19 @@ parse_checksum(Checksum) ->
update_package(Name, RepoConfig=#{name := Repo}, State) ->
?MODULE:verify_table(State),
- try hex_repo:get_package(RepoConfig#{repo_key => maps:get(read_key, RepoConfig, <<>>)}, Name) of
- {ok, {200, _Headers, #{releases := Releases}}} ->
+ try hex_repo:get_package(get_package_repo_config(RepoConfig), Name) of
+ {ok, {200, _Headers, Releases}} ->
_ = insert_releases(Name, Releases, Repo, ?PACKAGE_TABLE),
{ok, RegistryDir} = rebar_packages:registry_dir(State),
PackageIndex = filename:join(RegistryDir, ?INDEX_FILE),
ok = ets:tab2file(?PACKAGE_TABLE, PackageIndex);
- {ok, {403, _Headers, <<>>}} ->
+ {ok, {403, _Headers, _}} ->
not_found;
{ok, {404, _Headers, _}} ->
not_found;
+ {error, unverified} ->
+ ?WARN(unverified_repo_message(), [Repo]),
+ fail;
Error ->
?DEBUG("Hex get_package request failed: ~p", [Error]),
%% TODO: add better log message. hex_core should export a format_error
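Review bot: Broadening the 403 clause from `<<>>` to `_` changes what callers see: a 403 with a non-empty body previously fell through to the `Error ->` branch (DEBUG log of the response, then `fail`), and now it is reported as `not_found` with the body discarded, so a bad or missing `read_key` on a private repo will surface to the user as "package does not exist" rather than an access problem. If that is intended, at least keep the diagnostic: `{ok, {403, _Headers, Body}} -> ?DEBUG("Hex get_package forbidden for ~ts: ~p", [Name, Body]), not_found;`. The `{ok, {200, _Headers, Releases}}` pattern also drops the `#{releases := ...}` destructuring, which presumably tracks a hex_core API change; the dependency version pin that makes the old shape impossible is not visible in this diff, so check it is bumped in the same change. `update_package/3` continues past this hunk.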
@@ -254,6 +257,19 @@ update_package(Name, RepoConfig=#{name := Repo}, State) ->
fail
end.
+get_package_repo_config(RepoConfig=#{mirror_of := Repo}) ->
+ get_package_repo_config(maps:remove(mirror_of, RepoConfig#{name => Repo}));
+get_package_repo_config(RepoConfig=#{read_key := Key}) ->
+ get_package_repo_config(maps:remove(read_key, RepoConfig#{repo_key => Key}));
+get_package_repo_config(RepoConfig) ->
+ RepoConfig.
+
+unverified_repo_message() ->
+ "Fetched deprecatated registry record version from repo ~ts, for security " ++
+ "reasons this registry version is no longer supported. The repository " ++
+ "you are using should update to fix the security reason. Set " ++
+ "REBAR_NO_VERIFY_REPO_ORIGIN=1 to disable this check.".
+
insert_releases(Name, Releases, Repo, Table) ->
[true = ets:insert(Table,
#package{key={Name, ec_semver:parse(Version), Repo},
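Review bot: The warning text in `unverified_repo_message/0` has a typo ("deprecatated") and the phrase "fix the security reason" does not say what the repository operator should do; suggest `"Fetched deprecated registry record version from repo ~ts; for security reasons this registry version is no longer supported. The repository operator should upgrade to a signed registry format."`. From a security standpoint the message also advertises the bypass as the second sentence, which nudges users to export `REBAR_NO_VERIFY_REPO_ORIGIN=1` rather than contact the repository; if the hint stays, word it as a last resort and state that it disables origin verification for the package fetched. Stylistically the `++` chain of literals can be a single implicitly-concatenated literal (`"..." "..."`), which the compiler folds either way. In `get_package_repo_config/1` the `mirror_of` clause rewrites `name` to the mirrored repo and then strips the key, so a doc comment stating that the request goes out under the upstream repo's name (and that `read_key` is renamed to `repo_key` for hex_core) would make the intent clear; `insert_releases/4` continues past the end of this hunk.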