8000 feat(auth.json): support for authorization with client TLS-certificates by rtm-ctrlz · Pull Request #12406 · composer/composer · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

feat(auth.json): support for authorization with client TLS-certificates #12406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat(auth.json): support for authorization with client TLS-certificates #12406

wants to merge 3 commits into from

Conversation

rtm-ctrlz
Copy link
Contributor
@rtm-ctrlz rtm-ctrlz commented May 11, 2025
edited
Loading

Description

With this change it will be possible to specify client-side TLS-certificate per origin.

It could be used in cases when a repository requires TLS-certificate to make an HTTPS request, ex. private package registry.
Technically without this PR it's possible to use client certificates for registries (by using repositories section of composer.json), but in that case path to certificate/key will we stored within the composer.lock, but when it is stored in VCS and each developer/CI has it's own certificate it stops working, for details see #12019.

Changes made by the way:

  • #6688f21 add AuthHelper::addAuthenticationOptions to allow AuthHelper configure request options not only headers (to make this pr possible) and deprecate AuthHelper::addAuthenticationHeader
  • #e8adca0 minor change to AuthHelper::addAuthenticationOptions, that helps simplify unit-test a bit - just noticed that during test implementation.

Examples (auth.json)

Minimal (certificate and key are in one file, the key is unencrypted):

{
    "client-certificate": {
        "exmaple.org": {
          "local_cert": "/path/to/cert.key.pem"
        }
    }
}
Certificate and key are in separated files file, the key is unencrypted 
{
    "client-certificate": {
        "exmaple.org": {
          "local_cert": "/path/to/cert.pem",
          "local_pk": "/path/to/key.pem"
        }
    }
}
Certificate and key are in separated files file, the key is encrypted 
{
    "client-certificate": {
        "exmaple.org": {
          "local_cert": "/path/to/cert.pem",
          "local_pk": "/path/to/key.pem",
          "passphrase": "$uper$ecret"
        }
    }
}

Is it breaking change?

In general - no.
There may be some packages that rely on the deprecated AuthHelper::addAuthenticationHeader method, usage of which will trigger E_USER_DEPRECATED.

Is there other issues?

This PR doesn't bring issues by itself.

But there could be issues when auth.json has options multiple configurations for one domain (http-basic + client-cerntifcate), but the same issue will appear when there is configuration http-basic + bearer; in this case there will be a warning in log saying You should avoid overwriting already defined auth settings.

Other suggestions?

  • current authentication array-shape (array{username: string|null, password: string|null}), forces all types of authentications to use this array in very odd way, ex. using password field as "authentication type", this PR use json_encode/json_decode to store configuration within username and using password to keep track authentication type;
  • currently there is no way to combine multiple authentication (for one origin) without conflicts (ex, http-basic + bearer or http-basic + client-certificate), because of the way authentications are stored (array<origin_name, mixed>);
  • it could be more efficient to add support for an option transport-options in auth.json (like is done in lock file), but in this case the file will be not about authentication, but "private transport configurations" (global or per-domain).

@Seldaek Seldaek added this to the 2.9 milestone May 12, 2025
Seldaek
Seldaek reviewed May 12, 2025
View reviewed changes
Seldaek
Seldaek reviewed May 12, 2025
View reviewed changes
@asgrim asgrim mentioned this pull request May 14, 2025
Open
@rtm-ctrlz rtm-ctrlz force-pushed the feat/auth-client-certificate branch 5 times, most recently from 82a61d2 to eaa9d7f Compare May 16, 2025 10:58
@rtm-ctrlz rtm-ctrlz closed this May 19, 2025
@rtm-ctrlz rtm-ctrlz force-pushed the feat/auth-client-certificate branch from eaa9d7f to 282bba0 Compare May 19, 2025 20:47
@rtm-ctrlz rtm-ctrlz reopened this May 19, 2025
@rtm-ctrlz rtm-ctrlz force-pushed the feat/auth-client-certificate branch from 2957295 to c33bc04 Compare May 19, 2025 20:56
@rtm-ctrlz
Copy link
Contributor Author

@Seldaek I updated PR:

  • AuthHelper::addAuthenticationHeader is present and deprecated, under the hood AuthHelper::addAuthenticationOptions is used, so it would be pretty easy to remove it in future;
  • removed unnecessary changes AuthHelper::addAuthenticationOptions for authentication type checks;
  • PR now contains also updates for docs and schema.

@rtm-ctrlz rtm-ctrlz requested a review from Seldaek May 19, 2025 21:23
@rtm-ctrlz rtm-ctrlz mentioned this pull request May 19, 2025
Draft
stof
stof reviewed May 19, 2025
View reviewed changes
@rtm-ctrlz rtm-ctrlz force-pushed the feat/auth-client-certificate branch from c33bc04 to 9de82ab Compare May 20, 2025 07:48
@rtm-ctrlz rtm-ctrlz requested a review from stof May 21, 2025 16:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgrim asgrim asgrim left review comments

@Seldaek Seldaek Awaiting requested review from Seldaek

@stof stof Awaiting requested review from stof

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.9
Development

Successfully merging this pull request may close these issues.
4 participants
@rtm-ctrlz @Seldaek @stof @asgrim
0