Add HTTP authentication support #239

Merged: lubomir merged 15 commits into release-engineering:development from guillermodotn:feature/http-auth on Mar 25, 2026

@guillermodotn (Contributor)

Closes #237

Add HTTP authentication to the localize command so it can download files from servers that require credentials (e.g. Pulp).

Authentication methods

| Method | CLI flags | Env vars | Precedence |
|---|---|---|---|
| Bearer token | --http-token | PRODUCTMD_HTTP_TOKEN | Highest |
| HTTP Basic | --http-username + --http-password | PRODUCTMD_HTTP_PASSWORD | Middle |
| netrc | --netrc-file (optional) | PRODUCTMD_NETRC_FILE | Lowest (implicit) |

Implementation decisions

  • stdlib only — uses netrc, base64, urllib.parse, and urllib.request from the standard library. A library like requests would arguably be more robust, but keeping it stdlib-only avoids adding a runtime dependency for what is ultimately straightforward HTTP header handling.
  • Cross-origin redirect safety — Authorization header is stripped on cross-origin redirects (matches curl behavior). Port normalization handles None vs explicit default port (443/80).
  • Credential validation — rejects CR/LF in tokens, usernames, and passwords to prevent header injection.
  • Mutual exclusion — --http-token and --http-username/--http-password cannot be combined; username and password must be provided together. Enforced at both CLI and library level.

@guillermodotn guillermodotn requested a review from lubomir March 24, 2026 14:54
@guillermodotn guillermodotn self-assigned this Mar 24, 2026
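
The checks listed under "Implementation decisions" above, sketched with the standard library as an added example. This is not code from the pull request, and the function and class names are hypothetical. It covers CR/LF rejection, mutual exclusion, and stripping Authorization on cross-origin redirects with default-port normalization; netrc lookup is left out.

```python
import base64
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port); a missing port becomes the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def same_origin(a, b):
    return origin(a) == origin(b)


def build_auth_header(token=None, username=None, password=None):
    """Build an Authorization value, or None when no credentials are given."""
    if token and (username or password):
        raise ValueError("token and username/password are mutually exclusive")
    if bool(username) != bool(password):
        raise ValueError("username and password must be given together")
    for value in (token, username, password):
        # A CR or LF would let a credential smuggle extra header lines.
        if value and ("\r" in value or "\n" in value):
            raise ValueError("CR/LF not allowed in credentials")
    if token:
        return "Bearer " + token
    if username:
        raw = "{}:{}".format(username, password).encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    return None


class StripAuthOnCrossOriginRedirect(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler: forward credentials only to the same origin."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new is not None and not same_origin(req.full_url, newurl):
            # urllib.request stores header names in capitalize() form.
            for store in (new.headers, new.unredirected_hdrs):
                store.pop("Authorization", None)
        return new
```

The handler would be installed with `urllib.request.build_opener(StripAuthOnCrossOriginRedirect())`.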
@lubomir lubomir (Contributor) left a comment

Should the retries be updated to not retry on auth errors? It's not a big deal, but if the credentials are wrong, retry won't help and the user just has to wait longer.

Comment thread doc/cli-localize.rst Outdated
Comment thread productmd/localize.py Outdated
@guillermodotn guillermodotn requested a review from lubomir March 25, 2026 10:27
@lubomir lubomir merged commit 5c73ba4 into release-engineering:development Mar 25, 2026
11 checks passed
@guillermodotn guillermodotn deleted the feature/http-auth branch March 31, 2026 16:55