sonatype-nexus-community / nexus-repository-cargo

Nexus Repository Cargo Format
Eclipse Public License 1.0

Missing `auth-required` for private registries #36

Open jocutajar opened 9 months ago

jocutajar commented 9 months ago

Publish a package to a private registry (requires auth to publish) that depends on another package in that private registry (requires auth to download).

Working with private registry

I think the registry needs to explicitly inform cargo that it requires auth (`auth-required`) in the `config.json` here: https://github.com/sonatype-nexus-community/nexus-repository-cargo/blob/57760b63228c1f821ec08320f3591c7f7bd1b1ef/src/main/java/org/sonatype/nexus/plugins/cargo/registry/CargoRegistryFacetImpl.java#L160

as per https://github.com/rust-lang/cargo/issues/10920 and https://doc.rust-lang.org/nightly/cargo/reference/registry-index.html#index-configuration

but only if it is a private registry. Public registries should have that set to false I guess.

I suppose we could make the registry accessible for read to anonymous users; that would work around the limitation.

Without the `auth-required: true` config value, `cargo publish` fails with:


```
Updating `my-registry` index
   Packaging my-crate v0.1.0 (/home/me/my-crate)
   Verifying my-crate v0.1.0 (/home/me/my-crate)
    Updating crates.io index
error: failed to verify package tarball

Caused by:
  failed to download from `https://nexus.example.com/repository/our-crates/api/v1/crates/my-dependency/0.1.0/download`

Caused by:
  failed to get successful HTTP response from `https://nexus.example.com/repository/our-crates/api/v1/crates/my-dependency/0.1.0/download` (1.2.3.4), got 401
  body:
```
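A way to check a registry for the mismatch reported above, as an added example that is not part of the issue or of the plugin's code: it expands the `dl` value from `config.json` into the download URL Cargo requests, following the registry index documentation linked in the issue, and compares the advertised `auth-required` with the status an anonymous download returned. The two `config.json` documents are constructed for the `nexus.example.com` registry in the log, and the function names are hypothetical.

```python
import json

MARKERS = ("{crate}", "{version}", "{prefix}", "{lowerprefix}", "{sha256-checksum}")

def crate_prefix(name):
    """Directory prefix Cargo derives from a crate name for {prefix}."""
    if len(name) <= 2:
        return str(len(name))
    if len(name) == 3:
        return "3/" + name[0]
    return name[:2] + "/" + name[2:4]

def download_url(dl, crate, version, checksum=""):
    """Expand the index's `dl` value as the Cargo registry index docs describe."""
    if not any(m in dl for m in MARKERS):
        # No markers present: Cargo appends the default path.
        return f"{dl}/{crate}/{version}/download"
    prefix = crate_prefix(crate)
    values = (crate, version, prefix, prefix.lower(), checksum)
    for marker, value in zip(MARKERS, values):
        dl = dl.replace(marker, value)
    return dl

def diagnose(config_text, anonymous_status):
    """Compare advertised `auth-required` with an anonymous download's HTTP status."""
    auth_required = json.loads(config_text).get("auth-required", False)
    if anonymous_status in (401, 403) and not auth_required:
        return "mismatch: downloads need auth but config.json does not set auth-required"
    if anonymous_status == 200 and auth_required:
        return "note: auth-required is set but anonymous download succeeded"
    return "consistent"

# Constructed config.json documents (assumed layout, not taken from a real server).
BASE = "https://nexus.example.com/repository/our-crates"
CONFIG_WITHOUT = json.dumps({"dl": BASE + "/api/v1/crates", "api": BASE})
CONFIG_WITH = json.dumps(
    {"dl": BASE + "/api/v1/crates", "api": BASE, "auth-required": True}
)

if __name__ == "__main__":
    dl = json.loads(CONFIG_WITHOUT)["dl"]
    print(download_url(dl, "my-dependency", "0.1.0"))
    print(diagnose(CONFIG_WITHOUT, 401))  # the situation reported in the issue
    print(diagnose(CONFIG_WITH, 401))
```
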