Invalid GitHub token in `.netrc` not reported properly with http_repository

guw commented 1 year ago

Description of the bug:

Prerequisites:

workspace using http_repository to fetch from authentication protected https source (eg. GitHub Enterprise)
.netrc set up and used by Bazel to authenticate with protected source
empty repository cache
invalid token for authentication source in .netrc file

The Bazel output is:

INFO: Repository foo instantiated at:
 /home/me/git/bar/WORKSPACE:199:13: in <toplevel>
Repository rule http_archive defined at:
 /home/me/.cache/bazel/sha/external/bazel_tools/tools/build_defs/repo/http.bzl:372:31: in <toplevel>
WARNING: Download from https://github.enterprise/bazel/foo-repo/archive/sha.zip failed: class com.google.devtools.build.lib.bazel.repository.downloader.UnrecoverableHttpException Checksum was 1234567890 but wanted 0987654321
ERROR: An error occurred during the fetch of repository ‘foo’:
  Traceback (most recent call last):
    File “/home/me/.cache/bazel/sha/external/bazel_tools/tools/build_defs/repo/http.bzl”, line 132, column 45, in _http_archive_impl
        download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.enterprise/bazel/foo-repo/archive/sha.zip] to ... Checksum was 1234567890 but wanted 0987654321

What happens is that when you hit the protected source it redirect to a login page.

> curl -L -H "Authorization: token badtoken" -I https://github.enterprise/bazel/foo-repo/archive/sha.zip
HTTP/2 302 
server: GitHub.com
content-type: text/html; charset=utf-8
location: https://github.enterprise/login?return...
...

HTTP/2 200 
server: GitHub.com
content-type: text/html; charset=utf-8
...

I think this is where Bazel forgets to check the content-type. If http_repository is configured to a .zip file text/html is wrong.

Two things come to my mind:

Bazel could check for proper content-type header. If this is a miss then the download should be aborted.
Bazel could inspect the redirect location url for keywords such as login.

The SHA mismatch error is leading to a lot confused Bazel users and increasing support load.

Expected Behavior:

Bazel should report an error that gives better hint that:

the server response is unexpected and
the user should check the authentication credential

Which operating system are you running Bazel on?

Linux

What is the output of `bazel info release`?

6.1.1

ShreeM01 commented 1 year ago

Hi @guw! It would be really helpful if you can provide a minimal reproduce case with sample code, thank you!

guw commented 1 year ago

@kshyanashree This requires setting up a GitHub Enterprise instance with SAML redirect to reproduce. It's not trivial and cannot be shared "in code". We are interested in contributing a fix. We are awaiting guidance from Bazel team how a fix should look like.

bazelbuild / bazel