Files
2026-07-13 12:35:43 +08:00

260 lines
7.8 KiB
Go

package pluginstore
import (
"encoding/base64"
"fmt"
"net/http"
"net/url"
"os"
"strings"
)
const (
RequestKindRegistry = "registry"
RequestKindMetadata = "metadata"
RequestKindArtifact = "artifact"
AuthTypeNone = "none"
AuthTypeBearer = "bearer"
AuthTypeBasic = "basic"
AuthTypeHeader = "header"
AuthTypeGitHubToken = "github-token"
)
type AuthConfig struct {
Match string `yaml:"match,omitempty" json:"match,omitempty"`
ApplyTo []string `yaml:"apply-to,omitempty" json:"apply_to,omitempty"`
Type string `yaml:"type,omitempty" json:"type,omitempty"`
TokenEnv string `yaml:"token-env,omitempty" json:"token_env,omitempty"`
UsernameEnv string `yaml:"username-env,omitempty" json:"username_env,omitempty"`
PasswordEnv string `yaml:"password-env,omitempty" json:"password_env,omitempty"`
HeaderName string `yaml:"header-name,omitempty" json:"header_name,omitempty"`
HeaderValueEnv string `yaml:"header-value-env,omitempty" json:"header_value_env,omitempty"`
AllowInsecure bool `yaml:"allow-insecure,omitempty" json:"allow_insecure,omitempty"`
}
func NormalizeAuthConfigs(auth []AuthConfig) []AuthConfig {
if len(auth) == 0 {
return nil
}
out := make([]AuthConfig, 0, len(auth))
for _, item := range auth {
item.Match = strings.TrimSpace(item.Match)
item.Type = strings.ToLower(strings.TrimSpace(item.Type))
item.TokenEnv = strings.TrimSpace(item.TokenEnv)
item.UsernameEnv = strings.TrimSpace(item.UsernameEnv)
item.PasswordEnv = strings.TrimSpace(item.PasswordEnv)
item.HeaderName = strings.TrimSpace(item.HeaderName)
item.HeaderValueEnv = strings.TrimSpace(item.HeaderValueEnv)
if item.Type == "" {
item.Type = AuthTypeNone
}
if item.Match == "" {
continue
}
if len(item.ApplyTo) > 0 {
applyTo := make([]string, 0, len(item.ApplyTo))
seen := map[string]struct{}{}
for _, value := range item.ApplyTo {
value = strings.ToLower(strings.TrimSpace(value))
if value == "" {
continue
}
if _, exists := seen[value]; exists {
continue
}
seen[value] = struct{}{}
applyTo = append(applyTo, value)
}
item.ApplyTo = applyTo
}
out = append(out, item)
}
return out
}
func AuthConfigured(auth []AuthConfig, requestURL string, kind string) bool {
item, ok := matchingAuthConfig(auth, requestURL, kind)
if !ok {
return false
}
switch strings.ToLower(strings.TrimSpace(item.Type)) {
case AuthTypeNone:
return false
case AuthTypeBearer, AuthTypeGitHubToken:
return strings.TrimSpace(os.Getenv(item.TokenEnv)) != ""
case AuthTypeBasic:
return strings.TrimSpace(os.Getenv(item.UsernameEnv)) != "" && strings.TrimSpace(os.Getenv(item.PasswordEnv)) != ""
case AuthTypeHeader:
return item.HeaderName != "" && strings.TrimSpace(os.Getenv(item.HeaderValueEnv)) != ""
default:
return false
}
}
func PluginAuthConfigured(source Source, plugin Plugin, auth []AuthConfig) bool {
if AuthConfigured(auth, source.URL, RequestKindRegistry) {
return true
}
switch PluginInstallType(plugin) {
case InstallTypeDirect:
for _, artifact := range PluginArtifacts(plugin) {
if AuthConfigured(auth, artifact.URL, RequestKindArtifact) {
return true
}
}
case InstallTypeGitHubRelease:
return pluginGitHubReleaseAuthConfigured(plugin, auth)
}
return false
}
func pluginGitHubReleaseAuthConfigured(plugin Plugin, auth []AuthConfig) bool {
owner, repo, errRepository := GitHubRepositoryParts(plugin.Repository)
if errRepository != nil {
return false
}
releasesURL := fmt.Sprintf(
"https://api.github.com/repos/%s/%s/releases/",
url.PathEscape(owner),
url.PathEscape(repo),
)
return AuthConfigured(auth, releasesURL+"latest", RequestKindMetadata) ||
AuthConfigured(auth, releasesURL+"tags/", RequestKindMetadata)
}
func applyPluginStoreAuth(headers http.Header, auth []AuthConfig, requestURL string, kind string) error {
item, ok := matchingAuthConfig(auth, requestURL, kind)
if !ok {
return nil
}
switch strings.ToLower(strings.TrimSpace(item.Type)) {
case "", AuthTypeNone:
return nil
case AuthTypeBearer:
token, errToken := envValueRequired(item.TokenEnv, "token-env")
if errToken != nil {
return errToken
}
headers.Set("Authorization", "Bearer "+token)
case AuthTypeBasic:
username, errUsername := envValueRequired(item.UsernameEnv, "username-env")
if errUsername != nil {
return errUsername
}
password, errPassword := envValueRequired(item.PasswordEnv, "password-env")
if errPassword != nil {
return errPassword
}
encoded := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
headers.Set("Authorization", "Basic "+encoded)
case AuthTypeHeader:
if strings.TrimSpace(item.HeaderName) == "" {
return fmt.Errorf("plugin store auth missing header-name")
}
value, errValue := envValueRequired(item.HeaderValueEnv, "header-value-env")
if errValue != nil {
return errValue
}
headers.Set(item.HeaderName, value)
case AuthTypeGitHubToken:
token, errToken := envValueRequired(item.TokenEnv, "token-env")
if errToken != nil {
return errToken
}
headers.Set("Authorization", "Bearer "+token)
default:
return fmt.Errorf("unsupported plugin store auth type %q", item.Type)
}
return nil
}
func validatePluginStoreRequestURL(auth []AuthConfig, requestURL string, kind string) error {
parsed, errParse := url.Parse(strings.TrimSpace(requestURL))
if errParse != nil || parsed.Scheme == "" || parsed.Host == "" {
return fmt.Errorf("invalid plugin store url")
}
if hasSensitiveQueryParameter(parsed) {
return fmt.Errorf("plugin store url contains sensitive query parameter")
}
if strings.EqualFold(parsed.Scheme, "http") && !allowInsecurePluginStoreURL(auth, requestURL, kind) {
return fmt.Errorf("insecure plugin store url requires matching allow-insecure auth rule")
}
return nil
}
func allowInsecurePluginStoreURL(auth []AuthConfig, requestURL string, kind string) bool {
item, ok := matchingAuthConfig(auth, requestURL, kind)
return ok && item.AllowInsecure
}
func matchingAuthConfig(auth []AuthConfig, requestURL string, kind string) (AuthConfig, bool) {
requestURL = strings.TrimSpace(requestURL)
kind = strings.ToLower(strings.TrimSpace(kind))
for _, item := range NormalizeAuthConfigs(auth) {
if !pluginStoreURLMatchesAuthRule(requestURL, item.Match) {
continue
}
if !authAppliesTo(item, kind) {
continue
}
return item, true
}
return AuthConfig{}, false
}
func pluginStoreURLMatchesAuthRule(requestURL string, matchURL string) bool {
request, errRequest := url.Parse(strings.TrimSpace(requestURL))
if errRequest != nil || request.Scheme == "" || request.Host == "" {
return false
}
rule, errRule := url.Parse(strings.TrimSpace(matchURL))
if errRule != nil || rule.Scheme == "" || rule.Host == "" {
return false
}
if !strings.EqualFold(request.Scheme, rule.Scheme) || !strings.EqualFold(request.Host, rule.Host) {
return false
}
return pluginStorePathMatchesAuthRule(request.Path, rule.Path)
}
func pluginStorePathMatchesAuthRule(requestPath string, rulePath string) bool {
if rulePath == "" || rulePath == "/" {
return true
}
if requestPath == "" {
requestPath = "/"
}
if requestPath == rulePath {
return true
}
if strings.HasSuffix(rulePath, "/") {
return strings.HasPrefix(requestPath, rulePath)
}
return strings.HasPrefix(requestPath, rulePath+"/")
}
func authAppliesTo(item AuthConfig, kind string) bool {
if len(item.ApplyTo) == 0 {
return true
}
for _, value := range item.ApplyTo {
if strings.EqualFold(strings.TrimSpace(value), kind) {
return true
}
}
return false
}
func envValueRequired(envName string, field string) (string, error) {
envName = strings.TrimSpace(envName)
if envName == "" {
return "", fmt.Errorf("plugin store auth missing %s", field)
}
value := strings.TrimSpace(os.Getenv(envName))
if value == "" {
return "", fmt.Errorf("plugin store auth env %s is empty", envName)
}
return value, nil
}