feat(config): add support for netrc #7164
This PR adds support for `.netrc` file-based HTTP authentication in mise.

- **Netrc file parsing**: Automatically reads credentials from `~/.netrc` (Default is `%USERPROFILE%/_netrc` on Windows, with a fallback to the Unix default)
- **New settings**:
  - `netrc` (boolean, default: `true`) - Enable/disable netrc support
  - `netrc_file` (path) - Custom path to netrc file
- **Environment variable support**: `MISE_NETRC=0` to disable, `MISE_NETRC_FILE=/path` for custom location
- **URL replacement integration**: Netrc credentials are applied after URL replacement, allowing authentication when redirecting public URLs to private servers.
- **Credential priority**: Netrc credentials override any existing auth headers (e.g., GitHub/GitLab tokens) after URL replacement
- **vfox backend support**: Netrc authentication works for vfox plugin downloads and Lua HTTP module. User headers have priority.

```
machine artifacts.company.com
  login deploy
  password secret-token
```

```toml
[settings]
netrc = true
netrc_file = "~/.netrc"
```

- Added a dependency to `netrc-rs` for netrc file parsing.
- `src/netrc.rs` - Netrc parsing and credential lookup for main mise
- `src/http.rs` - Apply netrc auth headers after URL replacement in `send_once()`
- `crates/vfox/src/http.rs` - Netrc support for vfox backend (downloads and Lua HTTP module)
- `crates/vfox/src/vfox.rs` - Apply netrc headers in `download()` function
- `crates/vfox/src/lua_mod/http.rs` - `merge_with_netrc_headers()` for Lua plugin HTTP calls
- `docs/netrc.md` - User documentation
- e2e tests in `e2e/config/test_netrc` covering:
  - Settings via config file and environment variables
  - Credential lookup and HTTP header injection
  - URL replacement + netrc interaction
  - Netrc overriding GitHub token after URL replacement
- Unit tests for netrc parsing with exact host match and default machine fallback
Pull request overview
This PR adds support for .netrc file-based HTTP Basic authentication to mise, enabling secure credential management for private artifact repositories and internal mirrors. The implementation integrates netrc support across both the main mise codebase and the vfox backend.
Key Changes
- Added netrc file parsing with configurable location and platform-specific defaults (`~/.netrc` on Unix/macOS, `%USERPROFILE%\_netrc` on Windows)
- Implemented two new settings: `netrc` (boolean toggle) and `netrc_file` (custom path configuration)
- Integrated netrc authentication to work after URL replacement, allowing credentials to be applied to redirected URLs
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/netrc.rs | Core netrc parsing and credential lookup functionality with lazy-loaded caching |
| src/http.rs | Integration of netrc headers into HTTP requests after URL replacement |
| crates/vfox/src/http.rs | Netrc implementation for vfox backend with environment variable support |
| crates/vfox/src/vfox.rs | Application of netrc headers in vfox download function |
| crates/vfox/src/lua_mod/http.rs | Netrc support for Lua HTTP module with header merging |
| settings.toml | Configuration definitions for netrc settings with comprehensive documentation |
| schema/mise.json | JSON schema updates for new netrc settings |
| docs/netrc.md | User-facing documentation with examples and troubleshooting guidance |
| e2e/config/test_netrc | Comprehensive e2e test suite covering various netrc scenarios |
| e2e/helpers/scripts/http_test_server.py | Enhanced test server with header logging capability |
| Cargo.toml | Added netrc-rs and base64 dependencies |
| # Use incrementing counter for log files | ||
| existing = list(log_dir.glob("request_*.json")) | ||
| next_num = len(existing) + 1 | ||
| log_file = log_dir / f"request_{next_num:04d}.json" |
Copilot
AI
Dec 1, 2025
Potential race condition in header logging. The counter calculation on line 52 (next_num = len(existing) + 1) could result in filename collisions if multiple requests arrive simultaneously, as the glob operation and file creation are not atomic. Consider using a timestamp-based naming scheme or proper locking mechanism to ensure unique filenames.
I don't think this is an improvement given the use case, let me know if you think otherwise.
docs/netrc.md
Outdated
| @@ -0,0 +1,142 @@ | |||
| # Netrc Authentication | |||
this doesn't need its own page in documentation, a short description for the settings is plenty
Removed.
crates/vfox/src/http.rs
Outdated
| }); | ||
|
|
||
| /// Cached parsed netrc file | ||
| static NETRC: LazyLock<Option<Netrc>> = LazyLock::new(|| { |
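Review bot: `static NETRC: LazyLock<Option<Netrc>>` cannot tell a missing netrc file from one that failed to parse, since both end up as `None`. If the initializer does not already do so, log the parse error at warn level before returning `None`, so a malformed file does not silently turn authentication off. The static is also initialized once per process, so the path it reads is fixed at first use.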
this has a bug where it's not using the settings properties. I would remove this and just make it possible to define custom headers for vfox
Good point, reverted the changes.
src/http.rs
Outdated
| // Apply netrc credentials after URL replacement | ||
| let mut final_headers = headers.clone(); | ||
| let netrc = netrc_headers(&url); | ||
| if !netrc.is_empty() { |
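Review bot: `netrc_headers(&url)` runs on the post-replacement URL with no scheme check visible in these lines, and the credentials it returns go out as HTTP Basic. Consider returning no headers for plain `http` URLs, or warning when that happens, and document that the lookup is keyed on the host of the replaced URL rather than the one the user originally requested.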
this conditional isn't doing anything is it?
Indeed, simplified.
|
|
||
| let mut req = self.reqwest.request(method, url.clone()); | ||
| req = req.headers(headers.clone()); | ||
| req = req.headers(final_headers); |
Does this get used in vfox?
Currently, netrc credentials are applied when fetching vfox plugins themselves (i.e., downloading the plugin archives), but not for HTTP calls made by the plugins during runtime. I reverted a previous change that attempted to add runtime support because the implementation wasn't sensible in hindsight.
Thinking on it some more though, I'm now questioning whether netrc support in the vfox runtime is actually needed. Here's my reasoning:
- HTTP calls made by vfox plugins cannot be remapped through mise's URL replacement mechanism, so they can't be redirected to authenticated endpoints
- Plugin authors who need to access restricted artifacts already have the capability to pass custom headers in their HTTP calls
Given the above, I'm not really seeing any value in providing netrc support in the vfox runtime. I'd appreciate your take on this though - am I overlooking something?
Bugbot run
✅ Bugbot reviewed your changes and found no bugs!
### 🚀 Features

- **(config)** add support for netrc by @RobotSupervisor in [#7164](#7164)
- **(lock)** add resolve_lock_info to core backends for checksum fetching by @jdx in [#7180](#7180)
- **(ruby)** Install ruby from a zip file over HTTPS by @KaanYT in [#7167](#7167)
- **(tasks)** add `usage` args to Tera context in run scripts by @iamkroot in [#7041](#7041)

### 🐛 Bug Fixes

- **(lock)** validate platform qualifiers when reading from lockfile by @jdx in [#7181](#7181)
- **(task)** retry shebang scripts on ETXTBUSY by @iamkroot in [#7162](#7162)
- **(ui)** remove duplicate 'mise' prefix in verbose footer output by @jdx in [#7174](#7174)

### 📦️ Dependency Updates

- bump usage-lib to 2.9.0 by @jdx in [#7177](#7177)

### 📦 Registry

- remove duplicated ubi and github backends from gping by @risu729 in [#7144](#7144)
- disable bashly test (not working in CI) by @jdx in [#7173](#7173)
- disable cfn-lint test (failing in CI) by @jdx in [#7176](#7176)

### Chore

- add fd to mise.toml by @blampe in [#7178](#7178)

### New Contributors

- @RobotSupervisor made their first contribution in [#7164](#7164)

## 📦 Aqua Registry Updates

#### New Packages (2)

- [`Kitware/CMake`](https://github.com/Kitware/CMake)
- [`quarto-dev/quarto-cli`](https://github.com/quarto-dev/quarto-cli)

#### Updated Packages (6)

- [`apache/jena`](https://github.com/apache/jena)
- [`apache/spark`](https://github.com/apache/spark)
- [`danielfoehrKn/kubeswitch`](https://github.com/danielfoehrKn/kubeswitch)
- [`danielfoehrKn/kubeswitch/switch-sh`](https://github.com/danielfoehrKn/kubeswitch/switch-sh)
- [`evilmartians/lefthook`](https://github.com/evilmartians/lefthook)
- [`updatecli/updatecli`](https://github.com/updatecli/updatecli)
This PR adds support for `.netrc` file-based HTTP authentication in mise.

- `~/.netrc`, on Windows the default is `%USERPROFILE%/_netrc` (with a fallback to `%USERPROFILE%/.netrc`).
- `netrc` (boolean, default: `true`) - Enable/disable netrc support
- `netrc_file` (path) - Custom path to netrc file
- `MISE_NETRC=0` to disable, `MISE_NETRC_FILE=/path` for custom location

Example `netrc` file entry:

New configuration options:

- Added a dependency to `netrc-rs` for netrc file parsing.
- `src/netrc.rs` - Netrc parsing and credential lookup for main mise
- `src/http.rs` - Apply netrc auth headers after URL replacement in `send_once()`
- e2e tests in `e2e/config/test_netrc` covering:

Note

Adds netrc-based HTTP Basic auth, configurable via settings/env, applied after URL replacements, with tests and schema/docs updates.

- `src/netrc.rs` to parse netrc and lookup credentials (with Unix permission warning).
- `src/http.rs`, apply `netrc` `Basic` `authorization` header after `apply_url_replacements` via `netrc_headers()`.
- `settings.netrc` (default `true`) and `settings.netrc_file` with env vars `MISE_NETRC` and `MISE_NETRC_FILE`.
- `schema/mise.json` and `settings.toml` docs for new options.
- `e2e/config/test_netrc` covering enable/disable, custom path, permissions warning, URL replacement interaction, and GitHub token override.
- `e2e/helpers/scripts/http_test_server.py` to optionally log request headers.
- `netrc-rs` crate.

Written by Cursor Bugbot for commit 9060c21. This will update automatically on new commits.
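The lookup order and header override described in this PR (exact host match, then `default` fallback, applied to the URL after replacement and winning over an existing token), as an added example that is not mise's code. It uses only the standard library; the function names, the simplified netrc grammar and the sample entry are assumptions made for illustration.

```rust
// Added example, std-only; function names are hypothetical, not mise's src/netrc.rs.
// Simplified netrc grammar: no `macdef`, comments or quoted tokens; no IPv6 hosts.
#[derive(Default)]
struct Cred { login: String, password: String }
// Entries in file order; a host of `None` marks the `default` entry.
fn parse_netrc(text: &str) -> Vec<(Option<String>, Cred)> {
    let mut out: Vec<(Option<String>, Cred)> = Vec::new();
    let mut toks = text.split_whitespace();
    while let Some(t) = toks.next() {
        match t {
            "machine" => if let Some(h) = toks.next() { out.push((Some(h.into()), Cred::default())) },
            "default" => out.push((None, Cred::default())),
            "login" => if let (Some(e), Some(v)) = (out.last_mut(), toks.next()) { e.1.login = v.into() },
            "password" => if let (Some(e), Some(v)) = (out.last_mut(), toks.next()) { e.1.password = v.into() },
            _ => {}
        }
    }
    out
}

fn host_of(url: &str) -> Option<&str> { // host of an absolute URL; userinfo and port dropped
    let authority = url.split_once("://")?.1.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    authority.rsplit('@').next()?.split(':').next()
}
fn lookup<'a>(es: &'a [(Option<String>, Cred)], host: &str) -> Option<&'a Cred> { // exact, then default
    let exact = es.iter().find(|e| e.0.as_deref().map_or(false, |h| h.eq_ignore_ascii_case(host)));
    exact.or_else(|| es.iter().find(|e| e.0.is_none())).map(|e| &e.1)
}

fn b64(input: &[u8]) -> String { // standard base64 with padding
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut s = String::new();
    for c in input.chunks(3) {
        let n = (c[0] as u32) << 16 | (*c.get(1).unwrap_or(&0) as u32) << 8 | *c.get(2).unwrap_or(&0) as u32;
        for i in 0..4 { s.push(if i <= c.len() { T[(n >> (18 - 6 * i) & 63) as usize] as char } else { '=' }) }
    }
    s
}

fn authorization(netrc: &str, url: &str, existing: Option<&str>) -> Option<String> {
    // `url` is the URL after replacement; a netrc match overrides `existing` (e.g. a token header).
    let entries = parse_netrc(netrc);
    let cred = host_of(url).and_then(|h| lookup(&entries, h));
    cred.map(|c| format!("Basic {}", b64(format!("{}:{}", c.login, c.password).as_bytes())))
        .or_else(|| existing.map(String::from))
}
fn main() {
    let netrc = "machine artifacts.company.com login deploy password secret-token"; // constructed sample
    println!("{:?}", authorization(netrc, "https://artifacts.company.com/t.tgz", Some("token x")));
}
```

In this sketch a `default` entry matches every host, so once one is present the netrc value replaces the existing header on every request; host-specific `machine` entries keep the override scoped.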