Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proxy authentication mechanism support in cargo #7330

Open
baburkin opened this issue Sep 5, 2019 · 8 comments
Open

Proxy authentication mechanism support in cargo #7330

baburkin opened this issue Sep 5, 2019 · 8 comments
Labels
A-networking Area: networking issues, curl, etc. C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.

Comments

@baburkin
Copy link

baburkin commented Sep 5, 2019

Problem statement

Currently cargo does not support updating crates index from GitHub behind some types of proxy, e.g. NTLM (which can often be the case for companies that don't allow direct access to GitHub due to corporate security policies).

For example, I am able to download the index manually, via curl, e.g.:

curl -vv --proxy-ntlm -U <user>:<password> --proxy <https://proxy:8080> https://github.com/rust-lang/crates.io-index

But cargo fails to apply the correct authentication mechanism when dealing with the proxy.

Proposed solution

Ideally, it would be nice to be able to to specify in ~/.cargo/config:

[http]
proxy = "host:port" # HTTP proxy to use for HTTP requests (defaults to none)
proxy-auth = "ntlm" # negotiate, basic, digest, etc... 
proxy-user = "username"
proxy-password = "password"
...          

And cargo should use that config for proxy authentication.

Notes
There are few other proxy authentication (DIGEST, SPNEGO, etc.) methods that curl supports besides the NTLM, so eventually all of them might be supported by cargo.

This feature request was spawned off from Issue 6513

@baburkin baburkin added the C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` label Sep 5, 2019
baburkin added a commit to baburkin/cargo that referenced this issue Sep 5, 2019
…gested by rust-lang#7330.

The added authentication methods added are supported by `libcurl`:
* NTLM
* NTLM_WB
* GSSNEGOTIATE
* BASIC
* DIGEST
* DIGEST_IE

The authentication methods suggest user credentials to be provided as well - and their support will be added in future commits.
baburkin added a commit to baburkin/cargo that referenced this issue Sep 5, 2019
This commit adds support for HTTP proxy authentication methods in cargo as suggested by rust-lang#7330.

The added authentication methods added are supported by `libcurl`:
* NTLM
* NTLM_WB
* GSSNEGOTIATE
* BASIC
* DIGEST
* DIGEST_IE

The authentication methods suggest user credentials to be provided as well - and their support will be added in future commits.
@alexcrichton
Copy link
Member

Thanks for opening this up @baburkin If you're curious to work on this, that'd be awesome! It looks like the configuration would go roughly around here and the methods this'd use would be:

We'd probably want to make sure that the password could be loaded from ~/.cargo/credentials as well in case it's preferred to be stored there instead of in normal config files.

baburkin added a commit to baburkin/cargo that referenced this issue Sep 6, 2019
This commit adds support of credentials for proxy authentication:

```toml
[http]

proxy-username = "foo"
proxy-password = "bar"
```
baburkin added a commit to baburkin/cargo that referenced this issue Sep 8, 2019
This commit updates cargo config documentation with settings for proxy authentication, such as `proxy-auth`, `proxy-username`, `proxy-password`.
@ehuss ehuss added the A-networking Area: networking issues, curl, etc. label Sep 21, 2019
@baburkin
Copy link
Author

Temporary workaround has been found and described here.

@olijaun
Copy link

olijaun commented May 10, 2021

Since there seems to be no movement here I just wanted to say that this is really a problem. I wanted to have a look at rust in order to see whether it would be interesting for our company and I lost a whole afternoon due to this. Will try the mentioned workaround now.

@your-diary
Copy link

Any updates?
The workaround mentioned above didn't work.

@Eh2406
Copy link
Contributor

Eh2406 commented Jul 20, 2022

git-fetch-with-cli = true is one work around. You may also be interested in #9069 witch removes the use of git from the index.

@your-diary
Copy link

your-diary commented Jul 22, 2022

@Eh2406
git is irrelevant in my case (as far as I think). I cannot access crates.io via cargo.

Here's the Cargo.toml:

[package]
name = "hello"
version = "0.1.0"
edition = "2021"

[dependencies]
thirtyfour_sync = "0.27.1"

and cargo check gives

warning: spurious network error (2 tries remaining): [56] Failure when receiving data from the peer (Received HTTP code 407 from proxy after CONNECT)
(snip (many duplicate lines here))
error: failed to download from `https://crates.io/api/v1/crates/async-trait/0.1.56/download`

Caused by:
  [56] Failures when receiving data from the peer (Received HTTP code 407 from proxy after CONNECT)

When I use curl,

$ curl https://crates.io/
curl: (56) Received HTTP code 407 from proxy after CONNECT

$ curl --proxy-ntlm --proxy-user <user>:<password> --proxy <IP> https://crates.io/
{"errors":[{"detail":"Not Found"}]} #error response from crates.io (i.e. request itself succeeded)

I can also access crates.io via browsers.

@brianblank
Copy link

I'm also getting a 407 code from cargo which is due to failed authentication with a corporate proxy server. The above code changes from babukin appear to add the necessary parameters to the configuration to allow us to specify the details necessary to get the proxy server to work correctly with cargo.

What is needed to move this fix forward?

@hhirtz
Copy link

hhirtz commented Nov 28, 2022

Hey, I made a working cargo patch here: #11433 It'd be nice if others could test it out.

The idea is to have the proxy auth work automatically when it's possible, so just setting http_proxy/https_proxy should work. If not, you can set http.proxy-username and http.proxy-password in your config.

The main issue from what I can tell is that corporate (kerberos) proxies use "gss"/spnego authentication, which requires curl to be built with a 3rd-party library. However,

  • curl-rust doesn't provide a way to vendor this dependency,
  • official cargo builds seem to use the vendored curl flavor.

So either 1/ we need official cargo builds to link dynamically to libcurl and gss support depends on the user's libcurl, or 2/ figure out how to vendor libgss.

I'm more for option 2, so I opened an issue on curl-rust: alexcrichton/curl-rust#481

@epage epage added the S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted. label Nov 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-networking Area: networking issues, curl, etc. C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants