Auto merge of #12334 - arlosi:cred-ext, r=ehuss

credential provider implementation

The current credential process protocol only allows sending the credential without any additional information. This changes the protocol in two important ways: Cargo will tell the credential provider what the token is needed for, and the credential provider can tell Cargo how the token can be used.

Since the credential provider knows why Cargo needs a token (`publish` for example), it can produce a signed token specifically for that operation. This would enable a credential process to produce an asymmetric token, or a token with restricted scope such as PASETO or Biscuit.

The credential process can also indicate back to Cargo if the token can be cached in-memory for subsequent requests. For example, if a credential provider integrates with an SSO identity provider that provides short-lived tokens, Cargo will only continue to use the token while it is valid.

### Summary of changes
* Rename `credential-process` to `credential-provider` in config.
* Add a new line-oriented JSON protocol for communicating with external credential providers via stdin/stdout.
* Allow built-in credential providers to run in the Cargo process.
* Move support for asymmetric tokens (RFC3231) into a built-in credential provider (`cargo:paseto`).
* Change the unstable key for asymmetric tokens from `registry-auth` to `credential-process`
* Add a new built-in provider to represent the current config/token based system (`cargo:token`).
* Add a new built-in provider for the a "basic" provider that prints only the token on stdout (`cargo:basic`).
* Create a new config key for the fallback credential providers (`registry.credential-providers`) as a list.
* The provider for `crates.io` no longer also acts as a fallback for other registries.
* Adds a `[credential-alias]` table for defining aliases of credential providers.
* Collect all headers from `http_registry` requests, passing them through to the cred provider.

Everything remains unstable under the `-Zcredential-process` flag.

### How to review this:
I recommend starting with the changes in `unstable.md` for a more detailed description.

### Open questions
* [x] Should we pass all the HTTP headers rather than just `www-authenticate`

Author: bors

Cargo.lock

@@ -19,7 +19,10 @@ anyhow = "1.0.47"
 base64 = "0.21.0"
 bytesize = "1.0"
 cargo = { path = "" }
-cargo-credential = { version = "0.2.0", path = "credential/cargo-credential" }
+cargo-credential = { version = "0.3.0", path = "credential/cargo-credential" }
+cargo-credential-1password = { version = "0.3.0", path = "credential/cargo-credential-1password" }
+cargo-credential-wincred = { version = "0.3.0", path = "credential/cargo-credential-wincred" }
+cargo-credential-macos-keychain = { version = "0.3.0", path = "credential/cargo-credential-macos-keychain" }
 cargo-platform = { path = "crates/cargo-platform", version = "0.1.4" }
 cargo-test-macro = { path = "crates/cargo-test-macro" }
 cargo-test-support = { path = "crates/cargo-test-support" }
@@ -88,7 +91,7 @@ tar = { version = "0.4.38", default-features = false }
 tempfile = "3.1.0"
 termcolor = "1.1.2"
 thiserror = "1.0.40"
-time = { version = "0.3", features = ["parsing", "formatting"] }
+time = { version = "0.3", features = ["parsing", "formatting", "serde"] }
 toml = "0.7.0"
 toml_edit = "0.19.0"
 unicode-width = "0.1.5"
@@ -119,6 +122,10 @@ anyhow.workspace = true
 base64.workspace = true
 bytesize.workspace = true
 cargo-platform.workspace = true
+cargo-credential.workspace = true
+cargo-credential-1password.workspace = true
+cargo-credential-macos-keychain.workspace = true
+cargo-credential-wincred.workspace = true
 cargo-util.workspace = true
 clap = { workspace = true, features = ["wrap_help"] }
 crates-io.workspace = true

Cargo.toml

@@ -192,6 +192,7 @@ fn substitute_macros(input: &str) -> String {
         ("[CHECKING]", "    Checking"),
         ("[COMPLETED]", "   Completed"),
         ("[CREATED]", "     Created"),
+        ("[CREDENTIAL]", "  Credential"),
         ("[DOWNGRADING]", " Downgrading"),
         ("[FINISHED]", "    Finished"),
         ("[ERROR]", "error:"),

crates/cargo-test-support/src/compare.rs

@@ -104,6 +104,8 @@ pub struct RegistryBuilder {
     not_found_handler: RequestCallback,
     /// If nonzero, the git index update to be delayed by the given number of seconds.
     delayed_index_update: usize,
+    /// Credential provider in configuration
+    credential_provider: Option<String>,
 }
 
 pub struct TestRegistry {
@@ -172,6 +174,7 @@ impl RegistryBuilder {
             custom_responders: HashMap::new(),
             not_found_handler: Box::new(not_found),
             delayed_index_update: 0,
+            credential_provider: None,
         }
     }
 
@@ -266,6 +269,13 @@ impl RegistryBuilder {
         self
     }
 
+    /// The credential provider to configure for this registry.
+    #[must_use]
+    pub fn credential_provider(mut self, provider: &[&str]) -> Self {
+        self.credential_provider = Some(format!("['{}']", provider.join("','")));
+        self
+    }
+
     /// Initializes the registry.
     #[must_use]
     pub fn build(self) -> TestRegistry {
@@ -336,6 +346,18 @@ impl RegistryBuilder {
                     .as_bytes(),
                 )
                 .unwrap();
+                if let Some(p) = &self.credential_provider {
+                    append(
+                        &config_path,
+                        &format!(
+                            "
+                        credential-provider = {p}
+                        "
+                        )
+                        .as_bytes(),
+                    )
+                    .unwrap()
+                }
             } else {
                 append(
                     &config_path,
@@ -351,6 +373,20 @@ impl RegistryBuilder {
                     .as_bytes(),
                 )
                 .unwrap();
+
+                if let Some(p) = &self.credential_provider {
+                    append(
+                        &config_path,
+                        &format!(
+                            "
+                        [registry]
+                        credential-provider = {p}
+                        "
+                        )
+                        .as_bytes(),
+                    )
+                    .unwrap()
+                }
             }
         }
 

crates/cargo-test-support/src/registry.rs

@@ -1,6 +1,6 @@
 [package]
 name = "cargo-credential-1password"
-version = "0.2.0"
+version = "0.3.0"
 edition.workspace = true
 license.workspace = true
 repository = "https://github.com/rust-lang/cargo"