diff --git a/apps/rebar/src/rebar.app.src.script b/apps/rebar/src/rebar.app.src.script
index 36ae2dd45..afae095c1 100644
--- a/apps/rebar/src/rebar.app.src.script
+++ b/apps/rebar/src/rebar.app.src.script
@@ -17,6 +17,7 @@
common_test,
dialyzer,
public_key,
+ ssh,
edoc,
snmp,
getopt,
diff --git a/apps/rebar/src/rebar_hex_auth.erl b/apps/rebar/src/rebar_hex_auth.erl
new file mode 100644
index 000000000..0a166e037
--- /dev/null
+++ b/apps/rebar/src/rebar_hex_auth.erl
@@ -0,0 +1,211 @@
+%% -*- erlang-indent-level: 4;indent-tabs-mode: nil -*-
+%% ex: ts=4 sw=4 et
+%% @doc
+%% Authentication wrapper for Hex package manager.
+%%
+%% This module provides rebar3-specific callbacks for r3_hex_cli_auth.
+%% See r3_hex_cli_auth for auth resolution order and details.
+%% @end
+-module(rebar_hex_auth).
+
+-export([with_api/5, with_repo/4]).
+
+%% OAuth utilities
+-export([client_id/0, global_oauth_key/0, persist_tokens/4]).
+
+
+-include("rebar.hrl").
+-include_lib("providers/include/providers.hrl").
+
+-define(GLOBAL_OAUTH_KEY, <<"$oauth">>).
+-define(OAUTH_CLIENT_ID, <<"b9721cf5-be2f-4a65-bfa5-141698b4b9cf">>).
+
+%% @doc Execute an API call with authentication handling.
+%% @see r3_hex_cli_auth:with_api/5
+-spec with_api(Permission, Config, State, Opts, Callback) -> Result when
+ Permission :: r3_hex_cli_auth:permission(),
+ Config :: rebar_hex_repos:repo(),
+ State :: rebar_state:t(),
+ Opts :: r3_hex_cli_auth:opts(),
+ Callback :: fun((rebar_hex_repos:repo()) -> Result),
+ Result :: term().
+with_api(Permission, Config, State, Opts, Callback) when Permission =:= read; Permission =:= write ->
+ Callbacks = make_callbacks(State),
+ HexConfig = to_hex_config(Config),
+ r3_hex_cli_auth:with_api(Callbacks, Permission, HexConfig, Callback, Opts).
+
+%% @doc Execute a repository call with authentication handling.
+%% @see r3_hex_cli_auth:with_repo/4
+-spec with_repo(Config, State, Opts, Callback) -> Result when
+ Config :: rebar_hex_repos:repo(),
+ State :: rebar_state:t(),
+ Opts :: r3_hex_cli_auth:opts(),
+ Callback :: fun((rebar_hex_repos:repo()) -> Result),
+ Result :: term().
+with_repo(Config, State, Opts, Callback) ->
+ Callbacks = make_callbacks(State),
+ HexConfig = to_hex_config(Config),
+ r3_hex_cli_auth:with_repo(Callbacks, HexConfig, Callback, Opts).
+
+%% @private
+%% Strip rebar3-specific fields from repo config before passing to hex_core.
+-spec to_hex_config(rebar_hex_repos:repo()) -> r3_hex_core:config().
+to_hex_config(Config) ->
+ maps:without([name, parent, mirror_of], Config).
+
+%%====================================================================
+%% OAuth utilities
+%%====================================================================
+
+%% @doc Returns the OAuth client ID for Hex.
+-spec client_id() -> binary().
+client_id() -> ?OAUTH_CLIENT_ID.
+
+%% @doc Returns the key used for global OAuth storage in hex.config.
+-spec global_oauth_key() -> binary().
+global_oauth_key() -> ?GLOBAL_OAUTH_KEY.
+
+%% @doc Persist the global OAuth tokens to hex.config.
+-spec persist_tokens(AccessToken, RefreshToken, ExpiresAt, State) -> ok when
+ AccessToken :: binary(),
+ RefreshToken :: binary() | undefined,
+ ExpiresAt :: integer(),
+ State :: rebar_state:t().
+persist_tokens(AccessToken, RefreshToken, ExpiresAt, State) ->
+ Updates = #{
+ ?GLOBAL_OAUTH_KEY => #{
+ access_token => AccessToken,
+ refresh_token => RefreshToken,
+ expires_at => ExpiresAt
+ }
+ },
+ rebar_hex_repos:update_auth_config(Updates, State),
+ ?DEBUG("Updated global OAuth tokens", []),
+ ok.
+
+%%====================================================================
+%% Callbacks builder
+%%====================================================================
+
+%% @private
+%% Build the callbacks map required by r3_hex_cli_auth.
+-spec make_callbacks(rebar_state:t()) -> r3_hex_cli_auth:callbacks().
+make_callbacks(State) ->
+ #{
+ get_auth_config => fun(RepoName) ->
+ get_repo_auth_config(RepoName, State)
+ end,
+
+ get_oauth_tokens => fun() ->
+ get_global_oauth_tokens(State)
+ end,
+
+ persist_oauth_tokens => fun(Scope, AccessToken, RefreshToken, ExpiresAt) ->
+ persist_oauth_tokens(Scope, AccessToken, RefreshToken, ExpiresAt, State)
+ end,
+
+ prompt_otp => fun(Message) ->
+ prompt_otp(Message)
+ end,
+
+ should_authenticate => fun(Reason) ->
+ should_authenticate(Reason)
+ end,
+
+ get_client_id => fun() ->
+ client_id()
+ end
+ }.
+
+%%====================================================================
+%% Helper functions for callbacks
+%%====================================================================
+
+%% @private
+%% Get auth config for a specific repo from hex.config.
+-spec get_repo_auth_config(RepoName, State) -> r3_hex_cli_auth:repo_auth_config() | undefined when
+ RepoName :: unicode:unicode_binary(),
+ State :: rebar_state:t().
+get_repo_auth_config(RepoName, State) ->
+ rebar_hex_repos:get_repo_auth_config(RepoName, State).
+
+%% @private
+%% Get global OAuth tokens from auth config.
+-spec get_global_oauth_tokens(rebar_state:t()) -> {ok, map()} | error.
+get_global_oauth_tokens(State) ->
+ case rebar_hex_repos:get_repo_auth_config(?GLOBAL_OAUTH_KEY, State) of
+ #{access_token := _, expires_at := _} = Tokens ->
+ {ok, Tokens};
+ _ ->
+ error
+ end.
+
+%% @private
+%% Persist OAuth tokens. Scope can be 'global' or a repo name binary.
+-spec persist_oauth_tokens(Scope, AccessToken, RefreshToken, ExpiresAt, State) -> ok when
+ Scope :: global | unicode:unicode_binary(),
+ AccessToken :: binary(),
+ RefreshToken :: binary() | undefined,
+ ExpiresAt :: integer(),
+ State :: rebar_state:t().
+persist_oauth_tokens(global, AccessToken, RefreshToken, ExpiresAt, State) ->
+ OAuthTokens = #{
+ access_token => AccessToken,
+ refresh_token => RefreshToken,
+ expires_at => ExpiresAt
+ },
+ rebar_hex_repos:update_repo_auth_config(OAuthTokens, ?GLOBAL_OAUTH_KEY, State),
+ ?DEBUG("Updated global OAuth tokens", []),
+ ok;
+persist_oauth_tokens(RepoName, AccessToken, RefreshToken, ExpiresAt, State) ->
+ OAuthTokens = #{
+ oauth_token => #{
+ access_token => AccessToken,
+ refresh_token => RefreshToken,
+ expires_at => ExpiresAt
+ }
+ },
+ rebar_hex_repos:update_repo_auth_config(OAuthTokens, RepoName, State),
+ ?DEBUG("Updated OAuth tokens for ~ts", [RepoName]),
+ ok.
+
+%% @private
+%% Prompt user for OTP code.
+-spec prompt_otp(binary()) -> {ok, binary()} | cancelled.
+prompt_otp(Message) ->
+ ?CONSOLE("~ts", [Message]),
+ case io:get_line("OTP code: ") of
+ eof -> cancelled;
+ {error, _} -> cancelled;
+ Line ->
+ case string:trim(Line) of
+ "" -> cancelled;
+ Code -> {ok, list_to_binary(Code)}
+ end
+ end.
+
+%% @private
+%% Ask user if they want to authenticate.
+-spec should_authenticate(r3_hex_cli_auth:auth_prompt_reason()) -> boolean().
+should_authenticate(no_credentials) ->
+ ?CONSOLE("No Hex credentials found. Would you like to authenticate?", []),
+ prompt_yes_no();
+should_authenticate(token_refresh_failed) ->
+ ?CONSOLE("Hex token refresh failed. Would you like to re-authenticate?", []),
+ prompt_yes_no().
+
+%% @private
+-spec prompt_yes_no() -> boolean().
+prompt_yes_no() ->
+ case io:get_line("[Y/n]: ") of
+ eof -> false;
+ {error, _} -> false;
+ Line ->
+ case string:lowercase(string:trim(Line)) of
+ "" -> true; % Default to yes
+ "y" -> true;
+ "yes" -> true;
+ _ -> false
+ end
+ end.
+
diff --git a/apps/rebar/src/rebar_hex_repos.erl b/apps/rebar/src/rebar_hex_repos.erl
index 04cdf6870..35886cf71 100644
--- a/apps/rebar/src/rebar_hex_repos.erl
+++ b/apps/rebar/src/rebar_hex_repos.erl
@@ -3,11 +3,14 @@
-export([from_state/2,
get_repo_config/2,
auth_config/1,
+ get_repo_auth_config/2,
+ update_repo_auth_config/3,
remove_from_auth_config/2,
update_auth_config/2,
format_error/1,
anon_repo_config/1,
- format_repo/1
+ format_repo/1,
+ apply_env_overrides/1
]).
-ifdef(TEST).
@@ -20,16 +23,38 @@
-export_type([repo/0]).
--type repo() :: #{name => unicode:unicode_binary(),
- api_url => binary(),
- api_key => binary(),
- repo_url => binary(),
- repo_key => binary(),
- repo_public_key => binary(),
- repo_verify => binary(),
- repo_verify_origin => binary(),
- mirror_of => _ % legacy field getting stripped
- }.
+%% repo() extends r3_hex_core:config() with rebar3-specific fields
+-type repo() :: #{
+ %% rebar3-specific fields
+ name => unicode:unicode_binary(),
+ repo_name => unicode:unicode_binary(),
+ parent => unicode:unicode_binary(),
+ mirror_of => term(),
+ %% r3_hex_core:config() fields
+ api_key => binary() | undefined,
+ api_otp => binary() | undefined,
+ api_organization => binary() | undefined,
+ api_repository => binary() | undefined,
+ api_url => binary(),
+ http_adapter => {module(), map()},
+ http_etag => binary() | undefined,
+ http_headers => map(),
+ http_user_agent_fragment => binary(),
+ repo_key => binary() | undefined,
+ repo_public_key => binary(),
+ repo_url => binary(),
+ repo_organization => binary() | undefined,
+ repo_verify => boolean(),
+ repo_verify_origin => boolean(),
+ send_100_continue => boolean(),
+ tarball_max_size => pos_integer() | infinity,
+ tarball_max_uncompressed_size => pos_integer() | infinity,
+ docs_tarball_max_size => pos_integer() | infinity,
+ docs_tarball_max_uncompressed_size => pos_integer() | infinity,
+ trusted => boolean(),
+ oauth_exchange => boolean(),
+ oauth_exchange_url => binary() | undefined
+}.
from_state(BaseConfig, State) ->
HexConfig = rebar_state:get(State, hex, []),
@@ -39,22 +64,49 @@ from_state(BaseConfig, State) ->
%% add base config entries that are specific to use by rebar3 and not overridable
Repos1 = merge_with_base_and_auth(Repos, BaseConfig, Auth),
%% merge organizations parent repo options into each oraganization repo
- update_organizations(maybe_override_default_repo_url(Repos1, State)).
+ Repos2 = update_organizations(maybe_override_default_repo_url(Repos1, State)),
+ %% apply environment variable overrides to all repos
+ [apply_env_overrides(Repo) || Repo <- Repos2].
-spec get_repo_config(unicode:unicode_binary(), rebar_state:t() | [repo()])
- -> {ok, repo()} | error.
+ -> {ok, repo()}.
get_repo_config(RepoName, Repos) when is_list(Repos) ->
case ec_lists:find(fun(#{name := N}) -> N =:= RepoName end, Repos) of
- error ->
- throw(?PRV_ERROR({repo_not_found, RepoName}));
{ok, RepoConfig} ->
- {ok, RepoConfig}
+ {ok, RepoConfig};
+ error ->
+ maybe_create_org_config(RepoName, Repos)
end;
get_repo_config(RepoName, State) ->
Resources = rebar_state:resources(State),
#{repos := Repos} = rebar_resource_v2:find_resource_state(pkg, Resources),
get_repo_config(RepoName, Repos).
+%% @private
+%% Create a repo config for "parent:org" format repos.
+%% Only succeeds if parent repo exists, otherwise throws repo_not_found.
+-spec maybe_create_org_config(unicode:unicode_binary(), [repo()]) -> {ok, repo()}.
+maybe_create_org_config(RepoName, Repos) ->
+ case rebar_string:split(RepoName, <<":">>) of
+ [ParentName, Org] ->
+ case ec_lists:find(fun(#{name := N}) -> N =:= ParentName end, Repos) of
+ {ok, ParentConfig} ->
+ OrgConfig = ParentConfig#{
+ name => RepoName,
+ repo_name => ParentName,
+ repo_organization => Org,
+ api_organization => Org,
+ api_repository => Org,
+ parent => ParentName
+ },
+ {ok, apply_env_overrides(OrgConfig)};
+ error ->
+ throw(?PRV_ERROR({repo_not_found, RepoName}))
+ end;
+ _ ->
+ throw(?PRV_ERROR({repo_not_found, RepoName}))
+ end.
+
-spec anon_repo_config(repo()) ->
#{api_url := _, name := _, repo_name => _, repo_organization => _,
repo_url := _, repo_verify => _, repo_verify_origin => _,
@@ -106,7 +158,7 @@ merge_repos(Repos) ->
%% We set the repo_organization and api_organization to org
%% for fetching and publishing private packages.
update_repo_list(R#{name => Name,
- repo_name => Org,
+ repo_name => Repo,
repo_organization => Org,
api_organization => Org,
api_repository => Org,
@@ -193,6 +245,25 @@ auth_config(State) ->
?ABORT("Error found in repos auth config (~ts) at line ~ts", [AuthFile, Reason])
end.
+-spec get_repo_auth_config(unicode:unicode_binary(), rebar_state:t()) -> map() | undefined.
+get_repo_auth_config(RepoName, State) ->
+ AuthConfig = auth_config(State),
+ case maps:find(RepoName, AuthConfig) of
+ {ok, RepoAuth} when is_map(RepoAuth) ->
+ RepoAuth;
+ _ ->
+ undefined
+ end.
+
+-spec update_repo_auth_config(map(), unicode:unicode_binary(), rebar_state:t()) -> ok.
+update_repo_auth_config(Updates, RepoName, State) ->
+ ExistingRepoAuth = case get_repo_auth_config(RepoName, State) of
+ undefined -> #{};
+ Auth -> Auth
+ end,
+ UpdatedRepoAuth = maps:merge(ExistingRepoAuth, Updates),
+ update_auth_config(#{RepoName => UpdatedRepoAuth}, State).
+
-spec remove_from_auth_config(term(), rebar_state:t()) -> ok.
remove_from_auth_config(Key, State) ->
Updated = maps:remove(Key, auth_config(State)),
@@ -209,3 +280,103 @@ write_auth_config(Config, State) ->
NewConfig = iolist_to_binary(["%% coding: utf-8", io_lib:nl(),
io_lib:print(Config), ".", io_lib:nl()]),
ok = file:write_file(AuthConfigFile, NewConfig, [{encoding, utf8}]).
+
+%% Environment variable overrides
+%% These follow the same pattern as the Elixir hex package
+
+-spec apply_env_overrides(repo()) -> repo().
+apply_env_overrides(Config) ->
+ lists:foldl(fun(F, C) -> F(C) end, Config, [
+ fun apply_api_key_override/1,
+ fun apply_api_url_override/1,
+ fun apply_otp_override/1,
+ fun apply_repos_key_override/1,
+ fun apply_unsafe_registry_override/1,
+ fun apply_no_verify_repo_origin_override/1,
+ fun apply_mirror_override/1
+ ]).
+
+apply_api_key_override(Config) ->
+ case os:getenv("HEX_API_KEY") of
+ false -> Config;
+ "" -> Config;
+ ApiKey -> Config#{api_key => list_to_binary(ApiKey)}
+ end.
+
+apply_api_url_override(Config) ->
+ case os:getenv("HEX_API_URL") of
+ false ->
+ case os:getenv("HEX_API") of
+ false -> Config;
+ "" -> Config;
+ ApiUrl -> Config#{api_url => list_to_binary(ApiUrl)}
+ end;
+ "" -> Config;
+ ApiUrl -> Config#{api_url => list_to_binary(ApiUrl)}
+ end.
+
+apply_otp_override(Config) ->
+ case os:getenv("HEX_OTP") of
+ false -> Config;
+ "" -> Config;
+ Otp -> Config#{api_otp => list_to_binary(Otp)}
+ end.
+
+apply_repos_key_override(Config) ->
+ case os:getenv("HEX_REPOS_KEY") of
+ false -> Config;
+ "" -> Config;
+ Key -> Config#{repo_key => list_to_binary(Key)}
+ end.
+
+apply_unsafe_registry_override(Config) ->
+ case os:getenv("HEX_UNSAFE_REGISTRY") of
+ "1" -> Config#{repo_verify => false};
+ "true" -> Config#{repo_verify => false};
+ _ -> Config
+ end.
+
+apply_no_verify_repo_origin_override(Config) ->
+ case os:getenv("HEX_NO_VERIFY_REPO_ORIGIN") of
+ "1" -> Config#{repo_verify_origin => false};
+ "true" -> Config#{repo_verify_origin => false};
+ _ -> Config
+ end.
+
+apply_mirror_override(Config) ->
+ %% HEX_TRUSTED_MIRROR_URL takes precedence (trusted = auth credentials sent)
+ %% HEX_MIRROR_URL is untrusted (no auth credentials sent, no signature verification)
+ case os:getenv("HEX_TRUSTED_MIRROR_URL") of
+ false ->
+ case os:getenv("HEX_TRUSTED_MIRROR") of
+ false -> apply_untrusted_mirror_override(Config);
+ "" -> apply_untrusted_mirror_override(Config);
+ TrustedMirrorUrl ->
+ Config#{repo_url => list_to_binary(TrustedMirrorUrl),
+ trusted => true}
+ end;
+ "" -> apply_untrusted_mirror_override(Config);
+ TrustedMirrorUrl ->
+ Config#{repo_url => list_to_binary(TrustedMirrorUrl),
+ trusted => true}
+ end.
+
+apply_untrusted_mirror_override(Config) ->
+ case os:getenv("HEX_MIRROR_URL") of
+ false ->
+ case os:getenv("HEX_MIRROR") of
+ false -> Config;
+ "" -> Config;
+ MirrorUrl ->
+ Config#{repo_url => list_to_binary(MirrorUrl),
+ trusted => false,
+ repo_verify => false,
+ repo_verify_origin => false}
+ end;
+ "" -> Config;
+ MirrorUrl ->
+ Config#{repo_url => list_to_binary(MirrorUrl),
+ trusted => false,
+ repo_verify => false,
+ repo_verify_origin => false}
+ end.
diff --git a/apps/rebar/src/rebar_packages.erl b/apps/rebar/src/rebar_packages.erl
index 9f47911f6..dc4e9f990 100644
--- a/apps/rebar/src/rebar_packages.erl
+++ b/apps/rebar/src/rebar_packages.erl
@@ -1,6 +1,6 @@
-module(rebar_packages).
--export([get/2
+-export([get/3
,get_all_names/1
,registry_dir/1
,package_dir/2
@@ -29,9 +29,14 @@ format_error({missing_package, Name, Vsn}) ->
format_error({missing_package, Pkg}) ->
io_lib:format("Package not found in any repo: ~p", [Pkg]).
--spec get(rebar_hex_repos:repo(), binary()) -> {ok, map()} | {error, term()}.
-get(Config, Name) ->
- try r3_hex_api_package:get(Config, Name) of
+-spec get(rebar_hex_repos:repo(), binary(), rebar_state:t()) -> {ok, map()} | {error, term()}.
+get(Config, Name, State) ->
+ handle_get_result(rebar_hex_auth:with_api(read, Config, State, [{optional, true}], fun(AuthConfig) ->
+ r3_hex_api_package:get(AuthConfig, Name)
+ end)).
+
+handle_get_result(Result) ->
+ try Result of
{ok, {200, _Headers, PkgInfo}} ->
{ok, PkgInfo};
{ok, {404, _, _}} ->
@@ -227,7 +232,9 @@ update_package(Name, RepoConfig=#{name := Repo}, State) ->
?MODULE:verify_table(State),
?DEBUG("Getting definition for package ~ts from repo ~ts",
[Name, rebar_hex_repos:format_repo(RepoConfig)]),
- try r3_hex_repo:get_package(get_package_repo_config(RepoConfig), Name) of
+ try rebar_hex_auth:with_repo(RepoConfig, State, [], fun(AuthConfig) ->
+ r3_hex_repo:get_package(get_package_repo_config(AuthConfig), Name)
+ end) of
{ok, {200, _Headers, Package}} ->
#{releases := Releases} = Package,
_ = insert_releases(Name, Releases, Repo, ?PACKAGE_TABLE),
diff --git a/apps/rebar/src/rebar_pkg_resource.erl b/apps/rebar/src/rebar_pkg_resource.erl
index d7d4f25a1..594debca7 100644
--- a/apps/rebar/src/rebar_pkg_resource.erl
+++ b/apps/rebar/src/rebar_pkg_resource.erl
@@ -138,11 +138,13 @@ format_error({bad_registry_checksum, Name, Vsn, Expected, Found}) ->
%% {ok, Contents, NewEtag}, otherwise if some error occurred return error.
%% @end
%%------------------------------------------------------------------------------
--spec request(rebar_hex_repos:repo(), binary(), binary(), binary() | undefined)
+-spec request(rebar_hex_repos:repo(), binary(), binary(), binary() | undefined, rebar_state:t())
-> {ok, cached} | {ok, binary(), binary()} | error.
-request(Config, Name, Version, ETag) ->
- Config1 = Config#{http_etag => ETag},
- try r3_hex_repo:get_tarball(Config1, Name, Version) of
+request(Config, Name, Version, ETag, State) ->
+ try rebar_hex_auth:with_repo(Config, State, [], fun(AuthConfig) ->
+ Config1 = AuthConfig#{http_etag => ETag},
+ r3_hex_repo:get_tarball(Config1, Name, Version)
+ end) of
{ok, {200, #{<<"etag">> := ETag1}, Tarball}} ->
{ok, Tarball, ETag1};
{ok, {304, _Headers, _}} ->
@@ -210,11 +212,11 @@ store_etag_in_cache(Path, ETag) ->
UpdateETag :: boolean(),
Res :: ok | {unexpected_hash, integer(), integer()} | {fetch_fail, binary(), binary()}
| {bad_registry_checksum, integer(), integer()} | {error, _}.
-cached_download(TmpDir, CachePath, Pkg={pkg, Name, Vsn, _OldHash, _Hash, RepoConfig}, _State, ETag,
+cached_download(TmpDir, CachePath, Pkg={pkg, Name, Vsn, _OldHash, _Hash, RepoConfig}, State, ETag,
ETagPath, UpdateETag) ->
?DEBUG("Making request to get package ~ts from repo ~ts",
[Name, rebar_hex_repos:format_repo(RepoConfig)]),
- case request(RepoConfig, Name, Vsn, ETag) of
+ case request(RepoConfig, Name, Vsn, ETag, State) of
{ok, cached} ->
?DEBUG("Version cached at ~ts is up to date, reusing it", [CachePath]),
serve_from_cache(TmpDir, CachePath, Pkg);
diff --git a/apps/rebar/src/rebar_prv_packages.erl b/apps/rebar/src/rebar_prv_packages.erl
index a6a2c81b0..4456b48fb 100644
--- a/apps/rebar/src/rebar_prv_packages.erl
+++ b/apps/rebar/src/rebar_prv_packages.erl
@@ -36,7 +36,7 @@ do(State) ->
Name ->
Resources = rebar_state:resources(State),
#{repos := Repos} = rebar_resource_v2:find_resource_state(pkg, Resources),
- Results = get_package(rebar_utils:to_binary(Name), Repos),
+ Results = get_package(rebar_utils:to_binary(Name), Repos, State),
case lists:all(fun({_, {error, not_found}}) -> true; (_) -> false end, Results) of
true ->
?PRV_ERROR({not_found, Name});
@@ -46,10 +46,10 @@ do(State) ->
end
end.
--spec get_package(binary(), [map()]) -> [{binary(), {ok, map()} | {error, term()}}].
-get_package(Name, Repos) ->
+-spec get_package(binary(), [map()], rebar_state:t()) -> [{binary(), {ok, map()} | {error, term()}}].
+get_package(Name, Repos, State) ->
lists:foldl(fun(RepoConfig, Acc) ->
- [{maps:get(name, RepoConfig), rebar_packages:get(RepoConfig, Name)} | Acc]
+ [{maps:get(name, RepoConfig), rebar_packages:get(RepoConfig, Name, State)} | Acc]
end, [], Repos).
diff --git a/apps/rebar/src/vendored/r3_hex_api.erl b/apps/rebar/src/vendored/r3_hex_api.erl
index e99cfb868..126d45ccc 100644
--- a/apps/rebar/src/vendored/r3_hex_api.erl
+++ b/apps/rebar/src/vendored/r3_hex_api.erl
@@ -19,7 +19,8 @@
-export_type([response/0]).
-type response() :: {ok, {r3_hex_http:status(), r3_hex_http:headers(), body() | nil}} | {error, term()}.
--type body() :: [body()] | #{binary() => body() | binary()}.
+-type body() :: #{binary() => value()} | [#{binary() => value()}].
+-type value() :: binary() | boolean() | nil | number() | [value()] | #{binary() => value()}.
%% @private
get(Config, Path) ->
diff --git a/apps/rebar/src/vendored/r3_hex_api_oauth.erl b/apps/rebar/src/vendored/r3_hex_api_oauth.erl
index 9b7dba5e4..9035592cf 100644
--- a/apps/rebar/src/vendored/r3_hex_api_oauth.erl
+++ b/apps/rebar/src/vendored/r3_hex_api_oauth.erl
@@ -6,6 +6,8 @@
-export([
device_authorization/3,
device_authorization/4,
+ device_auth_flow/4,
+ device_auth_flow/5,
poll_device_token/3,
refresh_token/3,
revoke_token/3,
@@ -13,6 +15,21 @@
client_credentials_token/5
]).
+-export_type([oauth_tokens/0, device_auth_error/0]).
+
+-type oauth_tokens() :: #{
+ access_token := binary(),
+ refresh_token => binary() | undefined,
+ expires_at := integer()
+}.
+
+-type device_auth_error() ::
+ timeout
+ | {access_denied, Status :: non_neg_integer(), Body :: term()}
+ | {device_auth_failed, Status :: non_neg_integer(), Body :: term()}
+ | {poll_failed, Status :: non_neg_integer(), Body :: term()}
+ | term().
+
%% @doc
%% Initiates the OAuth device authorization flow.
%%
@@ -28,7 +45,7 @@ device_authorization(Config, ClientId, Scope) ->
%% Returns device code, user code, and verification URIs for user authentication.
%%
%% Options:
-%% * `name' - A name to identify the token (e.g., hostname of the device)
+%% * `name' - A name to identify the token (defaults to the machine's hostname)
%%
%% Examples:
%%
@@ -51,17 +68,141 @@ device_authorization(Config, ClientId, Scope) ->
r3_hex_api:response().
device_authorization(Config, ClientId, Scope, Opts) ->
Path = <<"oauth/device_authorization">>,
- Params0 = #{
- <<"client_id">> => ClientId,
- <<"scope">> => Scope
- },
- Params =
+ Name =
case proplists:get_value(name, Opts) of
- undefined -> Params0;
- Name -> Params0#{<<"name">> => Name}
+ undefined -> get_hostname();
+ N -> N
end,
+ Params = #{
+ <<"client_id">> => ClientId,
+ <<"scope">> => Scope,
+ <<"name">> => Name
+ },
r3_hex_api:post(Config, Path, Params).
+%% @doc
+%% Runs the complete OAuth device authorization flow.
+%%
+%% @see device_auth_flow/5
+%% @end
+-spec device_auth_flow(
+ r3_hex_core:config(),
+ ClientId :: binary(),
+ Scope :: binary(),
+ PromptUser :: fun((VerificationUri :: binary(), UserCode :: binary()) -> ok)
+) -> {ok, oauth_tokens()} | {error, device_auth_error()}.
+device_auth_flow(Config, ClientId, Scope, PromptUser) ->
+ device_auth_flow(Config, ClientId, Scope, PromptUser, []).
+
+%% @doc
+%% Runs the complete OAuth device authorization flow with options.
+%%
+%% This function handles the entire device authorization flow:
+%% 1. Requests a device code from the server
+%% 2. Calls `PromptUser' callback with the verification URI and user code
+%% 3. Optionally opens the browser for the user (when `open_browser' is true)
+%% 4. Polls the token endpoint until authorization completes or times out
+%%
+%% The `PromptUser' callback is responsible for displaying the verification URI
+%% and user code to the user (e.g., printing to console).
+%%
+%% Options:
+%% * `name' - A name to identify the token (defaults to the machine's hostname)
+%% * `open_browser' - When `true', automatically opens the browser
+%% to the verification URI. When `false' (default), only the callback is invoked.
+%%
+%% Returns:
+%% - `{ok, Tokens}' - Authorization successful, returns access token and optional refresh token
+%% - `{error, timeout}' - Device code expired before user completed authorization
+%% - `{error, {access_denied, Status, Body}}' - User denied the authorization request
+%% - `{error, {device_auth_failed, Status, Body}}' - Initial device authorization request failed
+%% - `{error, {poll_failed, Status, Body}}' - Unexpected error during polling
+%%
+%% Examples:
+%%
+%% ```
+%% 1> Config = r3_hex_core:default_config().
+%% 2> PromptUser = fun(Uri, Code) ->
+%% io:format("Visit ~s and enter code: ~s~n", [Uri, Code])
+%% end.
+%% 3> r3_hex_api_oauth:device_auth_flow(Config, <<"cli">>, <<"api:write">>, PromptUser).
+%% {ok, #{
+%% access_token => <<"...">>,
+%% refresh_token => <<"...">>,
+%% expires_at => 1234567890
+%% }}
+%% '''
+%% @end
+-spec device_auth_flow(
+ r3_hex_core:config(),
+ ClientId :: binary(),
+ Scope :: binary(),
+ PromptUser :: fun((VerificationUri :: binary(), UserCode :: binary()) -> ok),
+ proplists:proplist()
+) -> {ok, oauth_tokens()} | {error, device_auth_error()}.
+device_auth_flow(Config, ClientId, Scope, PromptUser, Opts) ->
+ case device_authorization(Config, ClientId, Scope, Opts) of
+ {ok, {200, _, DeviceResponse}} when is_map(DeviceResponse) ->
+ #{
+ <<"device_code">> := DeviceCode,
+ <<"user_code">> := UserCode,
+ <<"verification_uri_complete">> := VerificationUri,
+ <<"expires_in">> := ExpiresIn,
+ <<"interval">> := IntervalSeconds
+ } = DeviceResponse,
+ ok = PromptUser(VerificationUri, UserCode),
+ OpenBrowser = proplists:get_value(open_browser, Opts, false),
+ case OpenBrowser of
+ true -> open_browser(VerificationUri);
+ false -> ok
+ end,
+ ExpiresAt = erlang:system_time(second) + ExpiresIn,
+ poll_for_token_loop(Config, ClientId, DeviceCode, IntervalSeconds, ExpiresAt);
+ {ok, {Status, _, Body}} ->
+ {error, {device_auth_failed, Status, Body}};
+ {error, Reason} ->
+ {error, Reason}
+ end.
+
+%% @private
+poll_for_token_loop(Config, ClientId, DeviceCode, IntervalSeconds, ExpiresAt) ->
+ Now = erlang:system_time(second),
+ case Now >= ExpiresAt of
+ true ->
+ {error, timeout};
+ false ->
+ timer:sleep(IntervalSeconds * 1000),
+ case poll_device_token(Config, ClientId, DeviceCode) of
+ {ok, {200, _, TokenResponse}} when is_map(TokenResponse) ->
+ #{
+ <<"access_token">> := AccessToken,
+ <<"expires_in">> := ExpiresIn
+ } = TokenResponse,
+ RefreshToken = maps:get(<<"refresh_token">>, TokenResponse, undefined),
+ TokenExpiresAt = erlang:system_time(second) + ExpiresIn,
+ {ok, #{
+ access_token => AccessToken,
+ refresh_token => RefreshToken,
+ expires_at => TokenExpiresAt
+ }};
+ {ok, {400, _, #{<<"error">> := <<"authorization_pending">>}}} ->
+ poll_for_token_loop(Config, ClientId, DeviceCode, IntervalSeconds, ExpiresAt);
+ {ok, {400, _, #{<<"error">> := <<"slow_down">>}}} ->
+ %% Increase polling interval as requested by server
+ poll_for_token_loop(
+ Config, ClientId, DeviceCode, IntervalSeconds + 5, ExpiresAt
+ );
+ {ok, {400, _, #{<<"error">> := <<"expired_token">>}}} ->
+ {error, timeout};
+ {ok, {Status, _, #{<<"error">> := <<"access_denied">>} = Body}} ->
+ {error, {access_denied, Status, Body}};
+ {ok, {Status, _, Body}} ->
+ {error, {poll_failed, Status, Body}};
+ {error, Reason} ->
+ {error, Reason}
+ end
+ end.
+
%% @doc
%% Polls the OAuth token endpoint for device authorization completion.
%%
@@ -201,3 +342,44 @@ revoke_token(Config, ClientId, Token) ->
<<"client_id">> => ClientId
},
r3_hex_api:post(Config, Path, Params).
+
+%%====================================================================
+%% Internal functions
+%%====================================================================
+
+%% @private
+%% Open a URL in the default browser.
+%% Uses platform-specific commands: open (macOS), xdg-open (Linux), start (Windows).
+-spec open_browser(binary()) -> ok.
+open_browser(Url) when is_binary(Url) ->
+ ok = ensure_valid_http_url(Url),
+ UrlStr = binary_to_list(Url),
+ {Cmd, Args} =
+ case os:type() of
+ {unix, darwin} ->
+ {"open", [UrlStr]};
+ {unix, _} ->
+ {"xdg-open", [UrlStr]};
+ {win32, _} ->
+ {"cmd", ["/c", "start", "", UrlStr]}
+ end,
+ Port = open_port({spawn_executable, os:find_executable(Cmd)}, [{args, Args}]),
+ port_close(Port),
+ ok.
+
+%% @private
+%% Validates that a URL uses http:// or https:// scheme.
+-spec ensure_valid_http_url(binary()) -> ok.
+ensure_valid_http_url(Url) when is_binary(Url) ->
+ case uri_string:parse(Url) of
+ #{scheme := <<"https">>} -> ok;
+ #{scheme := <<"http">>} -> ok;
+ _ -> throw({invalid_url, Url})
+ end.
+
+%% @private
+%% Get the hostname of the current machine.
+-spec get_hostname() -> binary().
+get_hostname() ->
+ {ok, Hostname} = inet:gethostname(),
+ list_to_binary(Hostname).
diff --git a/apps/rebar/src/vendored/r3_hex_cli_auth.erl b/apps/rebar/src/vendored/r3_hex_cli_auth.erl
new file mode 100644
index 000000000..ce32be601
--- /dev/null
+++ b/apps/rebar/src/vendored/r3_hex_cli_auth.erl
@@ -0,0 +1,705 @@
+%% Vendored from hex_core v0.15.0, do not edit manually
+
+%% @doc
+%% Authentication handling with callback functions for build-tool-specific operations.
+%%
+%% This module provides generic authentication handling that allows both rebar3
+%% and Elixir Hex (and future build tools) to share the common auth logic while
+%% customizing prompting, persistence, and configuration retrieval.
+%%
+%% == Callbacks ==
+%%
+%% The caller provides a callbacks map with these functions (all required):
+%%
+%% ```
+%% #{
+%% %% Auth configuration for a specific repo
+%% get_auth_config => fun((RepoName :: binary()) ->
+%% #{api_key => binary(),
+%% auth_key => binary(),
+%% oauth_exchange => boolean(),
+%% oauth_exchange_url => binary()} | undefined),
+%%
+%% %% Global OAuth tokens - storage and retrieval
+%% get_oauth_tokens => fun(() -> {ok, #{access_token := binary(),
+%% refresh_token => binary(),
+%% expires_at := integer()}} | error),
+%% persist_oauth_tokens => fun((Scope :: global | binary(),
+%% AccessToken :: binary(),
+%% RefreshToken :: binary() | undefined,
+%% ExpiresAt :: integer()) -> ok),
+%%
+%% %% User interaction
+%% prompt_otp => fun((Message :: binary()) -> {ok, OtpCode :: binary()} | cancelled),
+%% should_authenticate => fun((Reason :: no_credentials | token_refresh_failed) -> boolean()),
+%%
+%% %% OAuth client configuration
+%% get_client_id => fun(() -> binary())
+%% }
+%% '''
+%%
+%% == Auth Resolution Order ==
+%%
+%% For API calls:
+%%
+%% - Per-repo `api_key' from config (with optional OAuth exchange for hex.pm)
+%% - Parent repo `api_key' (for "hexpm:org" organizations)
+%% - Global OAuth token (refreshed if expired)
+%% - Device auth flow (for write operations only)
+%%
+%%
+%% For repo calls:
+%%
+%% - Per-repo `auth_key' with optional OAuth exchange (default true for hex.pm)
+%% - Parent repo `auth_key'
+%% - Global OAuth token
+%%
+%%
+%% == OAuth Exchange ==
+%%
+%% For hex.pm URLs, `api_key' and `auth_key' are exchanged for short-lived OAuth
+%% tokens via the client credentials grant. This behavior can be controlled per-repo
+%% via the `oauth_exchange' option in the repo config (defaults to `true' for hex.pm).
+%%
+%% == Auth Context ==
+%%
+%% Internally, authentication resolution tracks context via `auth_context()':
+%%
+%% - `source' - Where the credentials came from (`env', `config', or `oauth')
+%% - `has_refresh_token' - Whether token refresh is possible on 401
+%%
+%%
+%% == Token Format ==
+%%
+%% OAuth access tokens are automatically prefixed with `<<"Bearer ">>' when used
+%% as `api_key' or `repo_key' in the config.
+-module(r3_hex_cli_auth).
+
+-export([
+ with_api/4,
+ with_api/5,
+ with_repo/3,
+ with_repo/4,
+ resolve_api_auth/3,
+ resolve_repo_auth/2
+]).
+
+-export_type([
+ callbacks/0,
+ permission/0,
+ auth_error/0,
+ auth_context/0,
+ repo_auth_config/0,
+ auth_prompt_reason/0,
+ opts/0
+]).
+
+%% 5 minute buffer before expiry
+-define(EXPIRY_BUFFER_SECONDS, 300).
+
+%% Maximum OTP retry attempts
+-define(MAX_OTP_RETRIES, 3).
+
+-type permission() :: read | write.
+
+-type callbacks() :: #{
+ get_auth_config := fun((RepoName :: binary()) -> repo_auth_config() | undefined),
+ get_oauth_tokens := fun(() -> {ok, oauth_tokens()} | error),
+ persist_oauth_tokens := fun(
+ (
+ Scope :: global | binary(),
+ AccessToken :: binary(),
+ RefreshToken :: binary() | undefined,
+ ExpiresAt :: integer()
+ ) -> ok
+ ),
+ prompt_otp := fun((Message :: binary()) -> {ok, OtpCode :: binary()} | cancelled),
+ should_authenticate := fun((Reason :: auth_prompt_reason()) -> boolean()),
+ get_client_id := fun(() -> binary())
+}.
+
+-type auth_prompt_reason() ::
+ no_credentials
+ | token_refresh_failed.
+
+-type repo_auth_config() :: #{
+ api_key => binary(),
+ repo_key => binary(),
+ auth_key => binary(),
+ oauth_token => oauth_tokens()
+}.
+
+-type oauth_tokens() :: #{
+ access_token := binary(),
+ refresh_token => binary(),
+ expires_at := integer()
+}.
+
+-type auth_error() ::
+ {auth_error, no_credentials}
+ | {auth_error, otp_cancelled}
+ | {auth_error, otp_max_retries}
+ | {auth_error, token_refresh_failed}
+ | {auth_error, device_auth_timeout}
+ | {auth_error, device_auth_denied}
+ | {auth_error, oauth_exchange_failed}
+ | {auth_error, term()}.
+
+-type auth_context() :: #{
+ source => env | config | oauth,
+ has_refresh_token => boolean()
+}.
+
+-type opts() :: [
+ {optional, boolean()}
+ | {auth_inline, boolean()}
+ | {oauth_open_browser, boolean()}
+].
+
+%%====================================================================
+%% API functions
+%%====================================================================
+
+%% @doc
+%% Execute a function with API authentication.
+%%
+%% Equivalent to `with_api(Callbacks, Permission, Config, Fun, [])'.
+%%
+%% @see with_api/5
+-spec with_api(callbacks(), permission(), r3_hex_core:config(), fun((r3_hex_core:config()) -> Result)) ->
+ Result | {error, auth_error()}
+when
+ Result :: term().
+with_api(Callbacks, Permission, BaseConfig, Fun) ->
+ with_api(Callbacks, Permission, BaseConfig, Fun, []).
+
+%% @doc
+%% Execute a function with API authentication.
+%%
+%% Resolves credentials in this order:
+%%
+%% - Per-repo `api_key' from config (with optional OAuth exchange for hex.pm)
+%% - Parent repo `api_key' (for "hexpm:org" organizations)
+%% - Global OAuth token (refreshed if expired)
+%% - Device auth flow (when `should_authenticate' callback returns true)
+%%
+%%
+%% On 401 responses, handles OTP prompts and token refresh automatically.
+%%
+%% The repository name is taken from the config (`repo_name' or `repo_organization').
+%%
+%% Options:
+%%
+%% - `optional' - When `true', if no credentials are found, executes the function
+%% without authentication first. If the server returns 401, triggers auth
+%% (respecting `auth_inline'). When `false' (default), missing credentials
+%% immediately triggers the `should_authenticate' callback.
+%% - `auth_inline' - When `true' (default), prompts the user via `should_authenticate'
+%% callback when authentication is needed. When `false', returns
+%% `{error, {auth_error, no_credentials}}' instead of prompting.
+%% - `oauth_open_browser' - When `true' (default), automatically opens the browser
+%% during device auth flow. When `false', only prints the URL for the user.
+%%
+%%
+%% Example:
+%% ```
+%% r3_hex_cli_auth:with_api(Callbacks, write, Config, fun(C) ->
+%% r3_hex_api_release:publish(C, Tarball)
+%% end, [{optional, false}, {auth_inline, true}]).
+%% '''
+-spec with_api(
+ callbacks(),
+ permission(),
+ r3_hex_core:config(),
+ fun((r3_hex_core:config()) -> Result),
+ opts()
+) ->
+ Result | {error, auth_error()}
+when
+ Result :: term().
+with_api(Callbacks, Permission, BaseConfig, Fun, Opts) ->
+ Optional = proplists:get_value(optional, Opts, false),
+ AuthInline = proplists:get_value(auth_inline, Opts, true),
+ case resolve_api_auth(Callbacks, Permission, BaseConfig) of
+ {ok, ApiKey, AuthContext} ->
+ Config = BaseConfig#{api_key => ApiKey},
+ execute_with_retry(Callbacks, Config, Fun, AuthContext, 0, undefined);
+ {error, no_auth} when Optional =:= true ->
+ %% Auth is optional, try without credentials first
+ execute_optional_with_retry(Callbacks, BaseConfig, Fun, Opts);
+ {error, no_auth} when AuthInline =:= true ->
+ %% No auth found, ask user if they want to authenticate
+ maybe_authenticate_and_retry(Callbacks, BaseConfig, Fun, no_credentials, Opts);
+ {error, no_auth} ->
+ %% auth_inline is false, just return error
+ {error, {auth_error, no_credentials}};
+ {error, _} = Error ->
+ Error
+ end.
+
+%% @doc
+%% Execute a function with repository authentication.
+%%
+%% Equivalent to `with_repo(Callbacks, Config, Fun, [])'.
+%%
+%% @see with_repo/4
+-spec with_repo(callbacks(), r3_hex_core:config(), fun((r3_hex_core:config()) -> Result)) ->
+ Result | {error, auth_error()}
+when
+ Result :: term().
+with_repo(Callbacks, BaseConfig, Fun) ->
+ with_repo(Callbacks, BaseConfig, Fun, []).
+
+%% @doc
+%% Execute a function with repository authentication.
+%%
+%% Resolves credentials in this order:
+%%
+%% - `repo_key' in config - passthrough
+%% - `repo_key' from `get_auth_config' callback - passthrough
+%% - `auth_key' from `get_auth_config' when `trusted' is true and `oauth_exchange' is true - exchange for OAuth token
+%% - `auth_key' from `get_auth_config' when `trusted' is true - use directly
+%% - Global OAuth token from `get_oauth_tokens' callback
+%% - No auth when `optional' is true (with retry on 401)
+%% - Prompt via `should_authenticate' when `auth_inline' is true
+%%
+%%
+%% The repository name is taken from the config (`repo_name' or `repo_organization').
+%%
+%% Options:
+%%
+%% - `optional' - When `true' (default), proceeds without auth if none found; retries with auth on 401.
+%% - `auth_inline' - When `true', prompts user via `should_authenticate' callback. Default is `false'.
+%% - `oauth_open_browser' - When `true' (default), automatically opens the browser
+%% during device auth flow. When `false', only prints the URL for the user.
+%%
+%%
+%% Example:
+%% ```
+%% r3_hex_cli_auth:with_repo(Callbacks, Config, fun(C) ->
+%% r3_hex_repo:get_tarball(C, <<"ecto">>, <<"3.0.0">>)
+%% end).
+%% '''
+-spec with_repo(
+ callbacks(), r3_hex_core:config(), fun((r3_hex_core:config()) -> Result), opts()
+) ->
+ Result | {error, auth_error()}
+when
+ Result :: term().
+with_repo(Callbacks, BaseConfig, Fun, Opts) ->
+ Optional = proplists:get_value(optional, Opts, true),
+ AuthInline = proplists:get_value(auth_inline, Opts, false),
+ case resolve_repo_auth(Callbacks, BaseConfig) of
+ {ok, RepoKey, _AuthContext} when is_binary(RepoKey) ->
+ Config = BaseConfig#{repo_key => RepoKey},
+ Fun(Config);
+ no_auth when Optional =:= true ->
+ %% Auth is optional, try without credentials first
+ execute_optional_with_retry(Callbacks, BaseConfig, Fun, Opts);
+ no_auth when AuthInline =:= true ->
+ %% No auth found, ask user if they want to authenticate
+ maybe_authenticate_and_retry(Callbacks, BaseConfig, Fun, no_credentials, Opts);
+ no_auth ->
+ %% auth_inline is false, return error
+ {error, {auth_error, no_credentials}};
+ {error, _} = Error ->
+ Error
+ end.
+
+%% @private
+%% Extract repository name from config.
+-spec repo_name(r3_hex_core:config()) -> binary().
+repo_name(#{repo_name := Name, repo_organization := Org}) when is_binary(Name) and is_binary(Org) ->
+ <>;
+repo_name(#{repo_name := Name}) when is_binary(Name) -> Name;
+repo_name(_) ->
+ <<"hexpm">>.
+
+%% @private
+%% Ask user if they want to authenticate, and if yes, initiate device auth.
+maybe_authenticate_and_retry(Callbacks, BaseConfig, Fun, Reason, Opts) ->
+ case call_callback(Callbacks, should_authenticate, [Reason]) of
+ true ->
+ case device_auth(Callbacks, BaseConfig, <<"api repositories">>, Opts) of
+ {ok, #{access_token := Token}} ->
+ BearerToken = <<"Bearer ", Token/binary>>,
+ Config = BaseConfig#{api_key => BearerToken},
+ AuthContext = #{source => oauth, has_refresh_token => true},
+ execute_with_retry(Callbacks, Config, Fun, AuthContext, 0, undefined);
+ {error, _} = Error ->
+ Error
+ end;
+ false ->
+ {error, {auth_error, no_credentials}}
+ end.
+
+%% @private
+%% Execute function without auth, but retry with auth if we get a 401.
+execute_optional_with_retry(Callbacks, BaseConfig, Fun, Opts) ->
+ AuthInline = proplists:get_value(auth_inline, Opts, true),
+ case Fun(BaseConfig) of
+ {ok, {401, _Headers, _Body}} when AuthInline =:= true ->
+ %% Got 401, need auth - ask user if they want to authenticate
+ maybe_authenticate_and_retry(Callbacks, BaseConfig, Fun, no_credentials, Opts);
+ {ok, {401, _Headers, _Body}} ->
+ %% Got 401 but auth_inline is false, return error
+ {error, {auth_error, no_credentials}};
+ Other ->
+ Other
+ end.
+
+%%====================================================================
+%% Internal functions - Device Auth
+%%====================================================================
+
+%% @private
+%% Initiate OAuth device authorization flow.
+%% Prompts user, optionally opens the browser for user authentication,
+%% polls for token completion, and persists tokens via callback on success.
+-spec device_auth(callbacks(), r3_hex_core:config(), binary(), opts()) ->
+ {ok, oauth_tokens()} | {error, auth_error()}.
+device_auth(Callbacks, Config, Scope, Opts) ->
+ ClientId = call_callback(Callbacks, get_client_id, []),
+ OpenBrowser = proplists:get_value(oauth_open_browser, Opts, true),
+ PromptUser = fun(VerificationUri, UserCode) ->
+ io:format("Open ~ts in your browser and enter code: ~ts~n", [VerificationUri, UserCode])
+ end,
+ FlowOpts = [{open_browser, OpenBrowser}],
+ case r3_hex_api_oauth:device_auth_flow(Config, ClientId, Scope, PromptUser, FlowOpts) of
+ {ok, #{access_token := AccessToken, refresh_token := RefreshToken, expires_at := ExpiresAt}} ->
+ ok = call_callback(Callbacks, persist_oauth_tokens, [
+ global, AccessToken, RefreshToken, ExpiresAt
+ ]),
+ {ok, #{
+ access_token => AccessToken,
+ refresh_token => RefreshToken,
+ expires_at => ExpiresAt
+ }};
+ {error, timeout} ->
+ {error, {auth_error, device_auth_timeout}};
+ {error, {access_denied, _Status, _Body}} ->
+ {error, {auth_error, device_auth_denied}};
+ {error, {device_auth_failed, _Status, _Body} = Reason} ->
+ {error, {auth_error, Reason}};
+ {error, {poll_failed, _Status, _Body} = Reason} ->
+ {error, {auth_error, Reason}};
+ {error, Reason} ->
+ {error, {auth_error, Reason}}
+ end.
+
+%% @private
+%% Check if a token is expired (within 5 minute buffer).
+-spec is_token_expired(integer()) -> boolean().
+is_token_expired(ExpiresAt) ->
+ Now = erlang:system_time(second),
+ ExpiresAt - Now < ?EXPIRY_BUFFER_SECONDS.
+
+%%====================================================================
+%% Internal functions - Auth Resolution
+%%====================================================================
+
+%% @private
+-spec resolve_api_auth(callbacks(), permission(), r3_hex_core:config()) ->
+ {ok, binary(), auth_context()} | {error, no_auth} | {error, auth_error()}.
+resolve_api_auth(_Callbacks, _Permission, #{api_key := ApiKey}) when is_binary(ApiKey) ->
+ %% api_key already in config, pass through directly
+ {ok, ApiKey, #{source => config, has_refresh_token => false}};
+resolve_api_auth(Callbacks, _Permission, Config) ->
+ RepoName = repo_name(Config),
+ %% 1. Check per-repo api_key
+ case call_callback(Callbacks, get_auth_config, [RepoName]) of
+ #{api_key := ApiKey} when is_binary(ApiKey) ->
+ {ok, ApiKey, #{source => config, has_refresh_token => false}};
+ _ ->
+ %% 2. Check parent repo (for "hexpm:org" organizations)
+ case get_parent_repo_key(Callbacks, RepoName, api_key) of
+ {ok, ApiKey} ->
+ {ok, ApiKey, #{source => config, has_refresh_token => false}};
+ error ->
+ %% 3. Try global OAuth token
+ resolve_oauth_token_with_context(Callbacks, Config)
+ end
+ end.
+
+%% @private
+%% Resolve repo auth credentials in this order:
+%% 0. repo_key in config => passthrough
+%% 1. repo_key from get_auth_config => passthrough
+%% 2. trusted + auth_key + oauth_exchange => exchange for OAuth token
+%% 3. trusted + auth_key => use directly
+%% 4. trusted + global OAuth tokens => use those
+%% 5. Fallthrough to no_auth (handled by with_repo/4 for optional/auth_inline)
+-spec resolve_repo_auth(callbacks(), r3_hex_core:config()) ->
+ {ok, binary(), auth_context()} | no_auth | {error, auth_error()}.
+resolve_repo_auth(_Callbacks, #{repo_key := RepoKey}) when is_binary(RepoKey) ->
+ %% repo_key already in config, pass through directly
+ {ok, RepoKey, #{source => config, has_refresh_token => false}};
+resolve_repo_auth(Callbacks, Config) ->
+ RepoName = repo_name(Config),
+ global:trans(
+ {{?MODULE, repo}, RepoName},
+ fun() ->
+ do_resolve_repo_auth(Callbacks, RepoName, RepoName, Config)
+ end,
+ [],
+ infinity
+ ).
+
+do_resolve_repo_auth(Callbacks, RepoName, LookupRepo, Config) ->
+ Trusted = maps:get(trusted, Config, false),
+ OAuthExchange = maps:get(oauth_exchange, Config, false),
+ case call_callback(Callbacks, get_auth_config, [LookupRepo]) of
+ #{repo_key := RepoKey} when is_binary(RepoKey) ->
+ %% 1. repo_key from get_auth_config => passthrough
+ {ok, RepoKey, #{source => config, has_refresh_token => false}};
+ #{oauth_token := OAuthToken, auth_key := AuthKey} when
+ is_binary(AuthKey) and OAuthExchange, Trusted
+ ->
+ %% 2. trusted + oauth_token + auth_key + oauth_exchange => use/refresh existing token
+ resolve_repo_oauth_token(Callbacks, RepoName, Config, AuthKey, OAuthToken);
+ #{auth_key := AuthKey} when is_binary(AuthKey) and OAuthExchange, Trusted ->
+ %% 3. trusted + auth_key + oauth_exchange => exchange for new OAuth token
+ exchange_for_oauth_token(Callbacks, RepoName, Config, AuthKey, <<"repositories">>);
+ #{auth_key := AuthKey} when is_binary(AuthKey), Trusted ->
+ %% 4. trusted + auth_key => use directly
+ {ok, AuthKey, #{source => config, has_refresh_token => false}};
+ _ when Trusted ->
+ %% 5. Check parent repo (for "hexpm:org" organizations)
+ case binary:split(LookupRepo, <<":">>) of
+ [ParentName, _OrgName] ->
+ do_resolve_repo_auth(Callbacks, RepoName, ParentName, Config);
+ _ ->
+ %% 6. trusted + global OAuth tokens => use those
+ resolve_global_oauth_for_repo(Callbacks, Config)
+ end;
+ _ ->
+ %% 7. Not trusted, no auth
+ no_auth
+ end.
+
+%% @private
+resolve_global_oauth_for_repo(Callbacks, Config) ->
+ case resolve_oauth_token_with_context(Callbacks, Config) of
+ {ok, Token, AuthContext} ->
+ {ok, Token, AuthContext};
+ {error, no_auth} ->
+ no_auth;
+ {error, _} = Error ->
+ Error
+ end.
+
+%% @private
+%% Resolve repo OAuth token: use if valid, re-exchange if expiring.
+resolve_repo_oauth_token(Callbacks, RepoName, Config, AuthKey, #{
+ access_token := AccessToken, expires_at := ExpiresAt
+}) ->
+ case is_token_expired(ExpiresAt) of
+ false ->
+ %% Token is still valid, use it
+ BearerToken = <<"Bearer ", AccessToken/binary>>,
+ {ok, BearerToken, #{source => oauth, has_refresh_token => false}};
+ true ->
+ %% Token expired, do a new exchange
+ exchange_for_oauth_token(Callbacks, RepoName, Config, AuthKey, <<"repositories">>)
+ end.
+
+%% @private
+%% Exchange api_key/auth_key for OAuth token via client credentials grant.
+%% Persists the token with the repo name for per-repo token storage.
+exchange_for_oauth_token(Callbacks, RepoName, Config, AuthKey, Scope) ->
+ ClientId = call_callback(Callbacks, get_client_id, []),
+ ExchangeConfig =
+ case maps:get(oauth_exchange_url, Config, undefined) of
+ undefined -> Config;
+ OAuthUrl -> Config#{api_url => OAuthUrl}
+ end,
+ case r3_hex_api_oauth:client_credentials_token(ExchangeConfig, ClientId, AuthKey, Scope) of
+ {ok, {200, _, #{<<"access_token">> := AccessToken, <<"expires_in">> := ExpiresIn}}} ->
+ ExpiresAt = erlang:system_time(second) + ExpiresIn,
+ ok = call_callback(Callbacks, persist_oauth_tokens, [
+ RepoName, AccessToken, undefined, ExpiresAt
+ ]),
+ BearerToken = <<"Bearer ", AccessToken/binary>>,
+ {ok, BearerToken, #{source => oauth, has_refresh_token => false}};
+ {ok, {_Status, _, _Body}} ->
+ {error, {auth_error, oauth_exchange_failed}};
+ {error, _} ->
+ {error, {auth_error, oauth_exchange_failed}}
+ end.
+
+%% @private
+get_parent_repo_key(Callbacks, RepoName, KeyType) ->
+ case binary:split(RepoName, <<":">>) of
+ [ParentName, _OrgName] ->
+ case call_callback(Callbacks, get_auth_config, [ParentName]) of
+ #{KeyType := Key} when is_binary(Key) ->
+ {ok, Key};
+ _ ->
+ error
+ end;
+ _ ->
+ error
+ end.
+
+%% @private
+%% Resolve OAuth token with global lock to prevent concurrent refresh attempts.
+resolve_oauth_token_with_context(Callbacks, Config) ->
+ global:trans(
+ {{?MODULE, token_refresh}, self()},
+ fun() ->
+ do_resolve_oauth_token_with_context(Callbacks, Config)
+ end,
+ [],
+ infinity
+ ).
+
+%% @private
+do_resolve_oauth_token_with_context(Callbacks, Config) ->
+ case call_callback(Callbacks, get_oauth_tokens, []) of
+ {ok, #{access_token := AccessToken, expires_at := ExpiresAt} = Tokens} ->
+ HasRefreshToken =
+ maps:is_key(refresh_token, Tokens) andalso
+ is_binary(maps:get(refresh_token, Tokens)),
+ case is_token_expired(ExpiresAt) of
+ true ->
+ maybe_refresh_token_with_context(Callbacks, Config, Tokens);
+ false ->
+ BearerToken = <<"Bearer ", AccessToken/binary>>,
+ {ok, BearerToken, #{source => oauth, has_refresh_token => HasRefreshToken}}
+ end;
+ error ->
+ {error, no_auth}
+ end.
+
+%% @private
+maybe_refresh_token_with_context(Callbacks, Config, #{refresh_token := RefreshToken}) when
+ is_binary(RefreshToken)
+->
+ ClientId = call_callback(Callbacks, get_client_id, []),
+ case r3_hex_api_oauth:refresh_token(Config, ClientId, RefreshToken) of
+ {ok, {200, _, TokenResponse}} when is_map(TokenResponse) ->
+ #{
+ <<"access_token">> := NewAccessToken,
+ <<"expires_in">> := ExpiresIn
+ } = TokenResponse,
+ NewRefreshToken = maps:get(<<"refresh_token">>, TokenResponse, RefreshToken),
+ ExpiresAt = erlang:system_time(second) + ExpiresIn,
+ ok = call_callback(Callbacks, persist_oauth_tokens, [
+ global, NewAccessToken, NewRefreshToken, ExpiresAt
+ ]),
+ BearerToken = <<"Bearer ", NewAccessToken/binary>>,
+ HasRefreshToken = is_binary(NewRefreshToken),
+ {ok, BearerToken, #{source => oauth, has_refresh_token => HasRefreshToken}};
+ {ok, {_Status, _, _Body}} ->
+ {error, {auth_error, token_refresh_failed}};
+ {error, _Reason} ->
+ {error, {auth_error, token_refresh_failed}}
+ end;
+maybe_refresh_token_with_context(_Callbacks, _Config, _Tokens) ->
+ {error, {auth_error, token_refresh_failed}}.
+
+%%====================================================================
+%% Internal functions - Retry Logic
+%%====================================================================
+
+%% @private
+execute_with_retry(Callbacks, Config, Fun, AuthContext, OtpRetries, LastOtpError) ->
+ case Fun(Config) of
+ {error, otp_required} ->
+ handle_otp_retry(
+ Callbacks, Config, Fun, AuthContext, OtpRetries, <<"Enter OTP code:">>
+ );
+ {error, invalid_totp} ->
+ handle_otp_retry(
+ Callbacks,
+ Config,
+ Fun,
+ AuthContext,
+ OtpRetries,
+ <<"Invalid OTP code. Please try again:">>
+ );
+ {ok, {401, Headers, _Body}} = Response ->
+ case detect_auth_error(Headers) of
+ otp_required ->
+ handle_otp_retry(
+ Callbacks, Config, Fun, AuthContext, OtpRetries, <<"Enter OTP code:">>
+ );
+ invalid_totp ->
+ Msg =
+ case LastOtpError of
+ invalid_totp -> <<"Invalid OTP code. Please try again:">>;
+ _ -> <<"Enter OTP code:">>
+ end,
+ handle_otp_retry(Callbacks, Config, Fun, AuthContext, OtpRetries, Msg);
+ token_expired ->
+ handle_token_refresh_retry(Callbacks, Config, Fun, AuthContext);
+ none ->
+ Response
+ end;
+ Other ->
+ Other
+ end.
+
+%% @private
+handle_otp_retry(_Callbacks, _Config, _Fun, _AuthContext, OtpRetries, _Message) when
+ OtpRetries >= ?MAX_OTP_RETRIES
+->
+ {error, {auth_error, otp_max_retries}};
+handle_otp_retry(Callbacks, Config, Fun, AuthContext, OtpRetries, Message) ->
+ case call_callback(Callbacks, prompt_otp, [Message]) of
+ {ok, OtpCode} ->
+ NewConfig = Config#{api_otp => OtpCode},
+ execute_with_retry(
+ Callbacks, NewConfig, Fun, AuthContext, OtpRetries + 1, invalid_totp
+ );
+ cancelled ->
+ {error, {auth_error, otp_cancelled}}
+ end.
+
+%% @private
+handle_token_refresh_retry(Callbacks, Config, Fun, AuthContext) ->
+ %% Only attempt refresh if we have a refresh token
+ case maps:get(has_refresh_token, AuthContext, false) of
+ true ->
+ case resolve_oauth_token_with_context(Callbacks, Config) of
+ {ok, NewBearerToken, NewAuthContext} ->
+ NewConfig = Config#{api_key => NewBearerToken},
+ execute_with_retry(Callbacks, NewConfig, Fun, NewAuthContext, 0, undefined);
+ {error, _} ->
+ {error, {auth_error, token_refresh_failed}}
+ end;
+ false ->
+ {error, {auth_error, token_refresh_failed}}
+ end.
+
+%% @private
+-spec detect_auth_error(r3_hex_http:headers()) -> otp_required | invalid_totp | token_expired | none.
+detect_auth_error(Headers) ->
+ case maps:get(<<"www-authenticate">>, Headers, undefined) of
+ undefined ->
+ none;
+ Value ->
+ parse_www_authenticate(Value)
+ end.
+
+%% @private
+parse_www_authenticate(Value) when is_binary(Value) ->
+ case Value of
+ <<"Bearer realm=\"hex\", error=\"totp_required\"", _/binary>> ->
+ otp_required;
+ <<"Bearer realm=\"hex\", error=\"invalid_totp\"", _/binary>> ->
+ invalid_totp;
+ <<"Bearer realm=\"hex\", error=\"token_expired\"", _/binary>> ->
+ token_expired;
+ _ ->
+ none
+ end.
+
+%%====================================================================
+%% Internal functions - Utilities
+%%====================================================================
+
+%% @private
+call_callback(Callbacks, Name, Args) ->
+ Fun = maps:get(Name, Callbacks),
+ erlang:apply(Fun, Args).
diff --git a/apps/rebar/src/vendored/r3_hex_core.erl b/apps/rebar/src/vendored/r3_hex_core.erl
index 4bcf7f618..e3b406ee0 100644
--- a/apps/rebar/src/vendored/r3_hex_core.erl
+++ b/apps/rebar/src/vendored/r3_hex_core.erl
@@ -113,7 +113,10 @@
tarball_max_size => pos_integer() | infinity,
tarball_max_uncompressed_size => pos_integer() | infinity,
docs_tarball_max_size => pos_integer() | infinity,
- docs_tarball_max_uncompressed_size => pos_integer() | infinity
+ docs_tarball_max_uncompressed_size => pos_integer() | infinity,
+ trusted => boolean(),
+ oauth_exchange => boolean(),
+ oauth_exchange_url => binary() | undefined
}.
-spec default_config() -> config().
@@ -139,5 +142,8 @@ default_config() ->
tarball_max_size => 16 * 1024 * 1024,
tarball_max_uncompressed_size => 128 * 1024 * 1024,
docs_tarball_max_size => 16 * 1024 * 1024,
- docs_tarball_max_uncompressed_size => 128 * 1024 * 1024
+ docs_tarball_max_uncompressed_size => 128 * 1024 * 1024,
+ trusted => true,
+ oauth_exchange => true,
+ oauth_exchange_url => undefined
}.
diff --git a/apps/rebar/src/vendored/r3_hex_http_httpc.erl b/apps/rebar/src/vendored/r3_hex_http_httpc.erl
index 335776e43..3cbed4ff3 100644
--- a/apps/rebar/src/vendored/r3_hex_http_httpc.erl
+++ b/apps/rebar/src/vendored/r3_hex_http_httpc.erl
@@ -41,15 +41,12 @@ request_to_file(Method, URI, ReqHeaders, Body, Filename, AdapterConfig) when is_
Method,
Request,
HTTPOptions,
- [{stream, unicode:characters_to_list(Filename)}],
+ [{sync, false}, {stream, self}],
Profile
)
of
- {ok, saved_to_file} ->
- {ok, {200, #{}}};
- {ok, {{_, StatusCode, _}, RespHeaders, _RespBody}} ->
- RespHeaders2 = load_headers(RespHeaders),
- {ok, {StatusCode, RespHeaders2}};
+ {ok, RequestId} ->
+ stream_to_file(RequestId, Filename);
{error, Reason} ->
{error, Reason}
end.
@@ -58,6 +55,39 @@ request_to_file(Method, URI, ReqHeaders, Body, Filename, AdapterConfig) when is_
%% Internal functions
%%====================================================================
+%% @private
+%% httpc streams 200/206 responses as messages and returns non-2xx as
+%% a normal response tuple. stream_start includes the response headers.
+stream_to_file(RequestId, Filename) ->
+ receive
+ {http, {RequestId, stream_start, Headers}} ->
+ {ok, File} = file:open(Filename, [write, binary]),
+ case stream_body(RequestId, File) of
+ ok ->
+ ok = file:close(File),
+ {ok, {200, load_headers(Headers)}};
+ {error, Reason} ->
+ ok = file:close(File),
+ {error, Reason}
+ end;
+ {http, {RequestId, {{_, StatusCode, _}, RespHeaders, _RespBody}}} ->
+ {ok, {StatusCode, load_headers(RespHeaders)}};
+ {http, {RequestId, {error, Reason}}} ->
+ {error, Reason}
+ end.
+
+%% @private
+stream_body(RequestId, File) ->
+ receive
+ {http, {RequestId, stream, BinBodyPart}} ->
+ ok = file:write(File, BinBodyPart),
+ stream_body(RequestId, File);
+ {http, {RequestId, stream_end, _Headers}} ->
+ ok;
+ {http, {RequestId, {error, Reason}}} ->
+ {error, Reason}
+ end.
+
%% @private
http_options(URI, AdapterConfig) ->
HTTPOptions0 = maps:get(http_options, AdapterConfig, []),
diff --git a/apps/rebar/src/vendored/r3_hex_repo.erl b/apps/rebar/src/vendored/r3_hex_repo.erl
index d2085e22a..4d44abc8c 100644
--- a/apps/rebar/src/vendored/r3_hex_repo.erl
+++ b/apps/rebar/src/vendored/r3_hex_repo.erl
@@ -12,7 +12,9 @@
get_docs/3,
get_docs_to_file/4,
get_public_key/1,
- get_hex_installs/1
+ get_hex_installs/1,
+ fingerprint/1,
+ fingerprint_equal/2
]).
%%====================================================================
@@ -208,6 +210,66 @@ get_hex_installs(Config) ->
Other
end.
+%% @doc
+%% Computes a SHA256 fingerprint of a PEM-encoded public key.
+%%
+%% Returns a string in the format "SHA256:" which can be used
+%% to verify public keys out-of-band.
+%%
+%% Examples:
+%%
+%% ```
+%% > r3_hex_repo:fingerprint(PublicKeyPem).
+%% "SHA256:abc123..."
+%% '''
+%% @end
+-spec fingerprint(binary()) -> string().
+fingerprint(PublicKeyPem) when is_binary(PublicKeyPem) ->
+ [PemEntry] = public_key:pem_decode(PublicKeyPem),
+ PublicKey = public_key:pem_entry_decode(PemEntry),
+ application:ensure_all_started(ssh),
+ ssh:hostkey_fingerprint(sha256, PublicKey).
+
+%% @doc
+%% Compares a PEM-encoded public key against an expected fingerprint.
+%%
+%% Uses constant-time comparison to prevent timing attacks.
+%%
+%% Examples:
+%%
+%% ```
+%% > r3_hex_repo:fingerprint_equal(PublicKeyPem, "SHA256:abc123...").
+%% true
+%% '''
+%% @end
+-spec fingerprint_equal(binary(), iodata()) -> boolean().
+fingerprint_equal(PublicKeyPem, ExpectedFingerprint) when is_binary(PublicKeyPem) ->
+ ActualFingerprint = fingerprint(PublicKeyPem),
+ constant_time_compare(
+ list_to_binary(ActualFingerprint),
+ iolist_to_binary(ExpectedFingerprint)
+ ).
+
+%% @private
+%% Constant-time comparison to prevent timing attacks.
+%% Uses crypto:hash_equals/2 on OTP 25+, falls back to manual comparison on older versions.
+-if(?OTP_RELEASE >= 25).
+constant_time_compare(A, B) when byte_size(A) =/= byte_size(B) ->
+ false;
+constant_time_compare(A, B) ->
+ crypto:hash_equals(A, B).
+-else.
+constant_time_compare(A, B) when byte_size(A) =:= byte_size(B) ->
+ constant_time_compare(A, B, 0);
+constant_time_compare(_, _) ->
+ false.
+
+constant_time_compare(<>, <>, Acc) ->
+ constant_time_compare(RestA, RestB, Acc bor (X bxor Y));
+constant_time_compare(<<>>, <<>>, Acc) ->
+ Acc =:= 0.
+-endif.
+
%%====================================================================
%% Internal functions
%%====================================================================
diff --git a/apps/rebar/test/rebar_pkg_SUITE.erl b/apps/rebar/test/rebar_pkg_SUITE.erl
index 6a74fcb96..007502291 100644
--- a/apps/rebar/test/rebar_pkg_SUITE.erl
+++ b/apps/rebar/test/rebar_pkg_SUITE.erl
@@ -17,7 +17,8 @@
all() -> [good_uncached, good_cached, badpkg, badhash_nocache,
badindexchk, badhash_cache, bad_to_good, good_disconnect,
bad_disconnect, pkgs_provider, find_highest_matching,
- parse_deps_ignores_optional].
+ parse_deps_ignores_optional,
+ oauth_download_with_token, oauth_download_token_refresh].
init_per_suite(Config) ->
application:start(meck),
@@ -102,6 +103,20 @@ init_per_testcase(bad_disconnect=Name, Config0) ->
{error, econnrefused}
end),
Config;
+init_per_testcase(oauth_download_with_token=Name, Config0) ->
+ Config = [{good_cache, false},
+ {pkg, {<<"goodpkg">>, <<"1.0.0">>}},
+ {oauth_token, <<"test-oauth-token">>}
+ | Config0],
+ mock_config_oauth(Name, Config);
+init_per_testcase(oauth_download_token_refresh=Name, Config0) ->
+ Config = [{good_cache, false},
+ {pkg, {<<"goodpkg">>, <<"1.0.0">>}},
+ {oauth_token, <<"expired-token">>},
+ {oauth_refresh_token, <<"refresh-token">>},
+ {new_oauth_token, <<"new-access-token">>}
+ | Config0],
+ mock_config_oauth_refresh(Name, Config);
init_per_testcase(Name, Config0) ->
Config = [{good_cache, false},
{pkg, {<<"goodpkg">>, <<"1.0.0">>}}
@@ -268,6 +283,44 @@ parse_deps_ignores_optional(_Config) ->
{<<"alias">>, {pkg, <<"ali">>, <<"4.0">>, _, _}}],
Result).
+%% Test that OAuth token is properly sent as Bearer token in requests
+oauth_download_with_token(Config) ->
+ Tmp = ?config(tmp_dir, Config),
+ {Pkg, Vsn} = ?config(pkg, Config),
+ State = ?config(state, Config),
+ OAuthToken = ?config(oauth_token, Config),
+ ExpectedBearer = <<"Bearer ", OAuthToken/binary>>,
+ ?assertEqual(ok,
+ rebar_pkg_resource:download(Tmp, {pkg, Pkg, Vsn, ?good_checksum, ?good_checksum,
+ #{name => <<"hexpm">>, trusted => true}},
+ State, #{}, true)),
+ %% Verify that the Bearer token was sent
+ ?assert(meck:called(r3_hex_repo, get_tarball,
+ [meck:is(fun(#{repo_key := Key}) -> Key =:= ExpectedBearer end), '_', '_'])),
+ Cache = ?config(cache_dir, Config),
+ ?assert(filelib:is_regular(filename:join(Cache, <>))).
+
+%% Test that OAuth token is refreshed on 401 and request is retried
+oauth_download_token_refresh(Config) ->
+ Tmp = ?config(tmp_dir, Config),
+ {Pkg, Vsn} = ?config(pkg, Config),
+ State = ?config(state, Config),
+ _OldToken = ?config(oauth_token, Config),
+ _RefreshToken = ?config(oauth_refresh_token, Config),
+ NewToken = ?config(new_oauth_token, Config),
+ NewBearer = <<"Bearer ", NewToken/binary>>,
+ ?assertEqual(ok,
+ rebar_pkg_resource:download(Tmp, {pkg, Pkg, Vsn, ?good_checksum, ?good_checksum,
+ #{name => <<"hexpm">>, trusted => true}},
+ State, #{}, true)),
+ %% Verify that refresh was called
+ ?assert(meck:called(r3_hex_api_oauth, refresh_token, '_')),
+ %% Verify that the new Bearer token was used for retry
+ ?assert(meck:called(r3_hex_repo, get_tarball,
+ [meck:is(fun(#{repo_key := Key}) -> Key =:= NewBearer end), '_', '_'])),
+ Cache = ?config(cache_dir, Config),
+ ?assert(filelib:is_regular(filename:join(Cache, <>))).
+
%%%%%%%%%%%%%%%
%%% Helpers %%%
%%%%%%%%%%%%%%%
@@ -372,3 +425,214 @@ copy_to_cache({Pkg,Vsn}, Config) ->
Source = filename:join(?config(data_dir, Config), Name),
Dest = filename:join(?config(cache_dir, Config), Name),
ec_file:copy(Source, Dest).
+
+%% Mock config for OAuth tests - similar to mock_config but includes OAuth token handling
+mock_config_oauth(Name, Config) ->
+ Priv = ?config(priv_dir, Config),
+ CacheRoot = filename:join([Priv, "cache", atom_to_list(Name)]),
+ TmpDir = filename:join([Priv, "tmp", atom_to_list(Name)]),
+ Tid = ets:new(registry_table, [public]),
+ AllDeps = [
+ {{<<"goodpkg">>,<<"1.0.0">>}, [[], ?good_checksum, ?good_checksum, [<<"rebar3">>]]}
+ ],
+ ets:insert_new(Tid, AllDeps),
+ CacheDir = filename:join([CacheRoot, "hex", "com", "test", "packages"]),
+ filelib:ensure_dir(filename:join([CacheDir, "registry"])),
+ ok = ets:tab2file(Tid, filename:join([CacheDir, "registry"])),
+
+ catch ets:delete(?PACKAGE_TABLE),
+ rebar_packages:new_package_table(),
+ lists:foreach(fun({{N, Vsn}, [Deps, InnerChecksum, OuterChecksum, _]}) ->
+ {ok, Parsed} = rebar_semver:parse_version(Vsn),
+ ets:insert(?PACKAGE_TABLE, #package{key={ec_cnv:to_binary(N), Parsed, <<"hexpm">>},
+ dependencies=Deps,
+ retired=false,
+ inner_checksum=InnerChecksum,
+ outer_checksum=OuterChecksum})
+ end, AllDeps),
+
+ meck:new(r3_hex_repo, [passthrough]),
+ meck:expect(r3_hex_repo, get_package,
+ fun(_Config, PkgName) ->
+ Matches = ets:match_object(Tid, {{PkgName,'_'}, '_'}),
+ Releases =
+ [#{outer_checksum => OuterChecksum,
+ inner_checksum => InnerChecksum,
+ version => Vsn,
+ dependencies => Deps} ||
+ {{_, Vsn}, [Deps, InnerChecksum, OuterChecksum, _]} <- Matches],
+ {ok, {200, #{}, Releases}}
+ end),
+
+ meck:new(rebar_state, [passthrough]),
+ meck:expect(rebar_state, get,
+ fun(_State, rebar_packages_cdn, _Default) ->
+ "http://test.com/";
+ (_, _, Default) ->
+ Default
+ end),
+ meck:expect(rebar_state, resources,
+ fun(_State) ->
+ DefaultConfig = r3_hex_core:default_config(),
+ %% trusted => true is required for OAuth token resolution
+ [rebar_resource_v2:new(pkg, rebar_pkg_resource,
+ #{repos => [DefaultConfig#{name => <<"hexpm">>,
+ trusted => true}],
+ base_config => #{}})]
+ end),
+
+ meck:new(rebar_dir, [passthrough]),
+ meck:expect(rebar_dir, global_cache_dir, fun(_) -> CacheRoot end),
+
+ meck:expect(rebar_packages, registry_dir, fun(_) -> {ok, CacheDir} end),
+ meck:expect(rebar_packages, package_dir, fun(_, _) -> {ok, CacheDir} end),
+
+ meck:new(rebar_prv_update, [passthrough]),
+ meck:expect(rebar_prv_update, do, fun(State) -> {ok, State} end),
+
+ {Pkg, Vsn} = ?config(pkg, Config),
+ PkgFile = <>,
+ {ok, PkgContents} = file:read_file(filename:join(?config(data_dir, Config), PkgFile)),
+
+ %% Write auth config file with OAuth token
+ OAuthToken = ?config(oauth_token, Config),
+ AuthConfigDir = filename:join([CacheRoot, "config"]),
+ AuthConfigFile = filename:join(AuthConfigDir, "hex.config"),
+ filelib:ensure_dir(AuthConfigFile),
+ AuthConfig = #{<<"$oauth">> => #{
+ access_token => OAuthToken,
+ expires_at => erlang:system_time(second) + 3600
+ }},
+ ok = file:write_file(AuthConfigFile, io_lib:format("~p.~n", [AuthConfig])),
+
+ meck:expect(rebar_dir, global_config_dir, fun(_) -> AuthConfigDir end),
+
+ %% For OAuth test: verify Bearer token is passed and return success
+ meck:expect(r3_hex_repo, get_tarball,
+ fun(#{repo_key := <<"Bearer ", _/binary>>}, _, _) ->
+ {ok, {200, #{<<"etag">> => ?good_etag}, PkgContents}};
+ (_, _, _) ->
+ {ok, {401, #{}, #{<<"message">> => <<"Unauthorized">>}}}
+ end),
+
+ [{cache_root, CacheRoot},
+ {cache_dir, CacheDir},
+ {tmp_dir, TmpDir},
+ {mock_table, Tid},
+ {state, rebar_state:new()} | Config].
+
+%% Mock config for OAuth refresh tests - returns 401 first, then success after refresh
+mock_config_oauth_refresh(Name, Config) ->
+ Priv = ?config(priv_dir, Config),
+ CacheRoot = filename:join([Priv, "cache", atom_to_list(Name)]),
+ TmpDir = filename:join([Priv, "tmp", atom_to_list(Name)]),
+ Tid = ets:new(registry_table, [public]),
+ AllDeps = [
+ {{<<"goodpkg">>,<<"1.0.0">>}, [[], ?good_checksum, ?good_checksum, [<<"rebar3">>]]}
+ ],
+ ets:insert_new(Tid, AllDeps),
+ CacheDir = filename:join([CacheRoot, "hex", "com", "test", "packages"]),
+ filelib:ensure_dir(filename:join([CacheDir, "registry"])),
+ ok = ets:tab2file(Tid, filename:join([CacheDir, "registry"])),
+
+ catch ets:delete(?PACKAGE_TABLE),
+ rebar_packages:new_package_table(),
+ lists:foreach(fun({{N, Vsn}, [Deps, InnerChecksum, OuterChecksum, _]}) ->
+ {ok, Parsed} = rebar_semver:parse_version(Vsn),
+ ets:insert(?PACKAGE_TABLE, #package{key={ec_cnv:to_binary(N), Parsed, <<"hexpm">>},
+ dependencies=Deps,
+ retired=false,
+ inner_checksum=InnerChecksum,
+ outer_checksum=OuterChecksum})
+ end, AllDeps),
+
+ meck:new(r3_hex_repo, [passthrough]),
+ meck:expect(r3_hex_repo, get_package,
+ fun(_Config, PkgName) ->
+ Matches = ets:match_object(Tid, {{PkgName,'_'}, '_'}),
+ Releases =
+ [#{outer_checksum => OuterChecksum,
+ inner_checksum => InnerChecksum,
+ version => Vsn,
+ dependencies => Deps} ||
+ {{_, Vsn}, [Deps, InnerChecksum, OuterChecksum, _]} <- Matches],
+ {ok, {200, #{}, Releases}}
+ end),
+
+ meck:new(rebar_state, [passthrough]),
+ meck:expect(rebar_state, get,
+ fun(_State, rebar_packages_cdn, _Default) ->
+ "http://test.com/";
+ (_, _, Default) ->
+ Default
+ end),
+ meck:expect(rebar_state, resources,
+ fun(_State) ->
+ DefaultConfig = r3_hex_core:default_config(),
+ %% trusted => true is required for OAuth token resolution
+ [rebar_resource_v2:new(pkg, rebar_pkg_resource,
+ #{repos => [DefaultConfig#{name => <<"hexpm">>,
+ trusted => true}],
+ base_config => #{}})]
+ end),
+
+ meck:new(rebar_dir, [passthrough]),
+ meck:expect(rebar_dir, global_cache_dir, fun(_) -> CacheRoot end),
+
+ meck:expect(rebar_packages, registry_dir, fun(_) -> {ok, CacheDir} end),
+ meck:expect(rebar_packages, package_dir, fun(_, _) -> {ok, CacheDir} end),
+
+ meck:new(rebar_prv_update, [passthrough]),
+ meck:expect(rebar_prv_update, do, fun(State) -> {ok, State} end),
+
+ {Pkg, Vsn} = ?config(pkg, Config),
+ PkgFile = <>,
+ {ok, PkgContents} = file:read_file(filename:join(?config(data_dir, Config), PkgFile)),
+
+ OldToken = ?config(oauth_token, Config),
+ RefreshToken = ?config(oauth_refresh_token, Config),
+ NewToken = ?config(new_oauth_token, Config),
+ OldBearer = <<"Bearer ", OldToken/binary>>,
+ NewBearer = <<"Bearer ", NewToken/binary>>,
+
+ %% Write auth config file with expired OAuth token and refresh token
+ AuthConfigDir = filename:join([CacheRoot, "config"]),
+ AuthConfigFile = filename:join(AuthConfigDir, "hex.config"),
+ filelib:ensure_dir(AuthConfigFile),
+ AuthConfig = #{<<"$oauth">> => #{
+ access_token => OldToken,
+ refresh_token => RefreshToken,
+ expires_at => erlang:system_time(second) - 100 %% Expired
+ }},
+ ok = file:write_file(AuthConfigFile, io_lib:format("~p.~n", [AuthConfig])),
+
+ meck:expect(rebar_dir, global_config_dir, fun(_) -> AuthConfigDir end),
+
+ %% Mock update_repo_auth_config to track calls but not actually write
+ meck:new(rebar_hex_repos, [passthrough]),
+ meck:expect(rebar_hex_repos, update_repo_auth_config, fun(_Updates, _RepoName, _State) -> ok end),
+
+ %% Return 401 for old token, 200 for new token
+ meck:expect(r3_hex_repo, get_tarball,
+ fun(#{repo_key := Key}, _, _) when Key =:= OldBearer ->
+ {ok, {401, #{}, #{<<"message">> => <<"Unauthorized">>}}};
+ (#{repo_key := Key}, _, _) when Key =:= NewBearer ->
+ {ok, {200, #{<<"etag">> => ?good_etag}, PkgContents}};
+ (_, _, _) ->
+ {ok, {401, #{}, #{<<"message">> => <<"Unauthorized">>}}}
+ end),
+
+ %% Mock OAuth refresh
+ meck:new(r3_hex_api_oauth, [passthrough]),
+ meck:expect(r3_hex_api_oauth, refresh_token,
+ fun(_Config, _ClientId, _RefreshToken) ->
+ {ok, {200, #{}, #{<<"access_token">> => NewToken,
+ <<"refresh_token">> => <<"new-refresh-token">>,
+ <<"expires_in">> => 3600}}}
+ end),
+
+ [{cache_root, CacheRoot},
+ {cache_dir, CacheDir},
+ {tmp_dir, TmpDir},
+ {mock_table, Tid},
+ {state, rebar_state:new()} | Config].
diff --git a/apps/rebar/test/rebar_pkg_repos_SUITE.erl b/apps/rebar/test/rebar_pkg_repos_SUITE.erl
index 4cb5ee26a..7113acc44 100644
--- a/apps/rebar/test/rebar_pkg_repos_SUITE.erl
+++ b/apps/rebar/test/rebar_pkg_repos_SUITE.erl
@@ -357,14 +357,14 @@ organization_merging(_Config) ->
?assertMatch({ok,
#resource{state=#{repos := [#{name := <<"hexpm:repo-1">>,
parent := <<"hexpm">>,
- repo_name := <<"repo-1">>,
+ repo_name := <<"hexpm">>,
api_repository := <<"repo-1">>,
repo_organization := <<"repo-1">>,
read_key := <<"read key">>,
write_key := <<"write key hexpm">>},
#{name := <<"hexpm:repo-2">>,
parent := <<"hexpm">>,
- repo_name := <<"repo-2">>,
+ repo_name := <<"hexpm">>,
api_repository := <<"repo-2">>,
repo_organization := <<"repo-2">>,
read_key := <<"read key 2">>,
diff --git a/vendor_hex_core.sh b/vendor_hex_core.sh
index 79eaa2c98..e596a68ea 100755
--- a/vendor_hex_core.sh
+++ b/vendor_hex_core.sh
@@ -39,6 +39,7 @@ filenames="hex_core.hrl \
hex_api_package_owner.erl \
hex_api_release.erl \
hex_api_user.erl \
+ hex_cli_auth.erl \
hex_licenses.erl \
hex_safe_binary_to_term.erl \
safe_erl_term.xrl"
@@ -56,6 +57,7 @@ search_to_replace="hex_core: \
hex_http \
hex_repo \
hex_api \
+ hex_cli_auth \
hex_licenses \
hex_safe_binary_to_term \
safe_erl_term"