ffraenz / private-composer-installer

Composer install helper outsourcing sensitive keys from the package URL into environment variables
MIT License
227 stars 16 forks source link

Support EDD #45

Open drzraf opened 2 years ago

drzraf commented 2 years ago

Fix #22 by allowing a package URL indirection to take place.

PR supports:

May support out of the box (or with further tweaks):

Not supported (but could be implemented)

Not supported:

Configuration:

This is the extra property (at the package-level):

        "extra": {
            "private-composer-installer": {
            "indirection": {
                "http": { "method": "POST"},
                "parse": {"format": "json", "key": "download_link"}
            }
            }

For nested keys, it could be "key": {"foo": {"bar": "download_link"}}

A workflow is like:

(@junaidbhura? In case you think this PR, if generic enough, could make composer-wp-pro-plugins somehow redundant?)

szepeviktor commented 2 years ago

Hallo @drzraf! 👋🏻

The Gmail address you used in the commit is not registered here on GitHub.

drzraf commented 2 years ago

The Gmail address you used in the commit is not registered here on GitHub.

Sounds like GH decided to drop my +foobar delimiter from my email thus "breaking" the reference of all my commit. Does it cause any actual trouble?

szepeviktor commented 2 years ago

Does it cause any actual trouble?

No. Not at all. This is just one of my policies.

ffraenz commented 2 years ago

Hi @drzraf! Thank you for your pull request. I like the direction in which this is going. Here are some general considerations:

drzraf commented 2 years ago

People may use this Composer installer for multiple (unrelated) packages. So we need to find a way to target specific packages/dist URLs in extra.private-composer-in

But if is that already the case if the extra property lives at the package-level ?

* I don't like the way you provide the `key` location in the JSON payload using an object structure. I would go with a simple dot-notation string e.g. `foo.bar.0.download_url` to specify it.

Neither do I, but would you tolerate a dependency on https://symfony.com/doc/current/components/property_access.html ? Or prefer a custom accessor based on a dot notation ? Or something more powerful based on xpath or json-path?

Keep in mind that dist URLs without any placeholders should be ignored by this plugin to not alter unrelated packages. An indirection call must only be made if an indirection is actually configured (I think that's not the case right now in your code).

But an URL without placeholder may still legitimately make use of this feature, isn't?