-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an HTTP download fallback mechanism to avoid proxy authentication failures #4072
Comments
This is an interesting idea but there are a number of issues:
Basically, the HTTP API that chezmoi needs is quite complex, and does not easily map onto replacing calls to Go's Are there other workarounds you can use? For example:
|
Without having looked at the caching internals of chezmoi, I would guess
I admit I did not think outside of downloading external files.
This one is the easiest to solve with
The maintenance overhead of having to build each call to
That was my first thought but at this point there's almost no benefit to using chezmoi to run the script. In my previous example, chezmoi is used to download, verify the checksum, extract and install the files with just a few lines of config.
While this does seem like the "simple" workaround, it raises some additional security concerns. Even if we ignore the security aspect, it can be hard to find a fitting proxy:
As a side note, spnego-proxy is written in go and has an MIT license which could be interesting to assess the cost/complexity of implementing SPNEGO proxy authentication in chezmoi. TL;DR
Relying exclusively on a Using a local proxy isn't a viable alternative when security is a concern Would it be a viable alternative to have a "local archive(-file)" external type that checks against a path on the host instead of retrieving a remote file ? |
Thank you for the detailed further investigation! I totally agree with your analysis and think there are several good ways to build on this, which can be pursued independently: Way 1
Yes, absolutely. It should be fairly straightforward to add support for For example, as well as: [".vim/autoload/plug.vim"]
type = "file"
url = "https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim" you could write: [".vim/autoload/plug.vim"]
type = "file"
urls = [
"file:///home/user/Downloads/plug.vim",
"https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim",
] where chezmoi would try Way 2
Let's not abandon this yet. You're right that there are ways for chezmoi to use Way 3
Yup, these two projects have not been updated in while. It might be because they are abandoned. It could also because they are stable and just work as they are. I agree that integrating them into chezmoi adds a lot of complexity and I would prefer to avoid it. ConclusionLet's do Way 1 first, hold Way 2 in mind, and try to avoid Way 3. What do you think? |
Your idea of how to implement way 1 works even better than I imagined, and it can even allow using mirrors for http resources! IMHO way 3 should not be integrating local proxies into chezmoi but adding support for more http authentication schemes. Regarding my specific issue, way 1 is more than enough. I'll let you be the judge for the need to implement way 2 and/or 3. |
Thank you for the fast implementation, i'll test that out and come back to you. Do you wish for me to close the issue once the tests are successful or do you want to keep it for later reference ? |
I still want to implement supporting multiple URLs for externals. This is non-trivial to implement and I need to find time to work on it. So, keep this issue open for now. |
Is your feature request related to a problem? Please describe.
Golang's HTTP proxy support only implements Basic authentication. Proxies that limit authentication to only digest, NTLM, or SPNEGO (kerberos) are unusable. In many cases, downgrading security is not an option.
Describe the solution you'd like
Ideally, adding support for other schemes would be the simplest from a user standpoint.
However, it means relying on multiple other go libraries for each scheme (eg. jcmturner/gokrb5 for SPNEGO, Azure/go-ntlmssp for NTLM) and leads to an increased maintainer workload and might be made impossible because of licensing issues.
Describe alternatives you've considered
The simpler workaround I thought of would be to use cURL as a fallback. This would be made possible through a configuration variable similarly to git/age fallbacks.
Additional context
Behaviour difference between
chezmoi
andcurl
with correct proxy definition in env vars :The text was updated successfully, but these errors were encountered: