crate_seq_core/

auth.rs

//! Token resolution: CLI arg -> env/cmd -> `~/.cargo/credentials.toml`.

#[cfg(test)]
#[path = "auth_tests.rs"]
mod tests;

use std::env;
use std::io;
use std::process::Command;

use crate_seq_ledger::LedgerAuth;

/// Errors that can occur during token resolution.
#[derive(Debug, thiserror::Error)]
pub enum TokenError {
    /// The named env var is set but contains an empty string.
    #[error("token_env '{var}' is set but empty")]
    EnvVarEmpty {
        /// The environment variable name.
        var: String,
    },
    /// The token command ran but produced no usable output, or exited non-zero.
    #[error("token_cmd failed: {reason}")]
    CmdFailed {
        /// The stderr or diagnostic message from the command.
        reason: String,
    },
    /// Could not read `~/.cargo/credentials.toml`.
    #[error("failed to read cargo credentials: {0}")]
    CargoCredentials(#[source] io::Error),
    /// No token found after exhausting all tiers.
    #[error("no token found; tried: {tried}")]
    NotFound {
        /// A human-readable list of the sources tried.
        tried: String,
    },
}

/// Returns the home directory path using `HOME` (Unix) or `USERPROFILE` (Windows).
fn home_dir() -> Option<String> {
    env::var("HOME")
        .ok()
        .or_else(|| env::var("USERPROFILE").ok())
}

/// Attempts tier 2a: reads `var_name` from the environment.
///
/// Returns `Ok(Some(val))` if set and non-empty, `Ok(None)` if not set,
/// `Err(TokenError::EnvVarEmpty)` if set but empty.
///
/// # Errors
///
/// Returns `TokenError::EnvVarEmpty` if the variable exists but is empty or non-Unicode.
fn try_env(var_name: &str) -> Result<Option<String>, TokenError> {
    match env::var(var_name) {
        Ok(val) if val.is_empty() => Err(TokenError::EnvVarEmpty {
            var: var_name.to_owned(),
        }),
        Ok(val) => Ok(Some(val)),
        Err(env::VarError::NotPresent) => Ok(None),
        Err(env::VarError::NotUnicode(_)) => Err(TokenError::EnvVarEmpty {
            var: var_name.to_owned(),
        }),
    }
}

/// Attempts tier 2b: runs `cmd` in a shell and captures trimmed stdout.
///
/// Returns `Ok(Some(token))` on non-empty output with zero exit,
/// `Err(TokenError::CmdFailed)` otherwise.
///
/// # Errors
///
/// Returns `TokenError::CmdFailed` if the process cannot be spawned, exits non-zero,
/// or produces empty stdout.
fn try_cmd(cmd: &str) -> Result<Option<String>, TokenError> {
    let output =
        Command::new("sh")
            .args(["-c", cmd])
            .output()
            .map_err(|e| TokenError::CmdFailed {
                reason: e.to_string(),
            })?;

    let stdout = String::from_utf8_lossy(&output.stdout);
    let trimmed = stdout.trim();

    if output.status.success() && !trimmed.is_empty() {
        return Ok(Some(trimmed.to_owned()));
    }

    let stderr = String::from_utf8_lossy(&output.stderr).trim().to_owned();
    Err(TokenError::CmdFailed {
        reason: if stderr.is_empty() {
            format!("command exited with status {}", output.status)
        } else {
            stderr
        },
    })
}

/// Attempts tier 3: reads `[registry].token` from a credentials TOML file.
///
/// `path_override` allows tests to inject a path; `None` falls back to the
/// canonical `~/.cargo/credentials.toml` location.
///
/// Returns `Ok(None)` if the file does not exist or the key is absent.
///
/// # Errors
///
/// Returns `TokenError::CargoCredentials` if the file exists but cannot be read
/// or contains invalid TOML.
fn try_cargo_credentials_at(
    path_override: Option<&std::path::Path>,
) -> Result<Option<String>, TokenError> {
    let path = if let Some(p) = path_override {
        p.to_owned()
    } else {
        let Some(home) = home_dir() else {
            return Ok(None);
        };
        std::path::PathBuf::from(home)
            .join(".cargo")
            .join("credentials.toml")
    };

    let content = match std::fs::read_to_string(&path) {
        Ok(s) => s,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(TokenError::CargoCredentials(e)),
    };

    let doc: toml_edit::DocumentMut = content.parse().map_err(|_| {
        TokenError::CargoCredentials(io::Error::new(
            io::ErrorKind::InvalidData,
            "credentials.toml is not valid TOML",
        ))
    })?;

    let token = doc
        .get("registry")
        .and_then(|r| r.get("token"))
        .and_then(|t| t.as_str())
        .map(ToOwned::to_owned);

    Ok(token)
}

/// Attempts to resolve a crates.io API token from three sources in priority order.
///
/// 1. `cli_token` argument (highest priority -- for scripting and CI).
/// 2. `ledger_auth.token_env`: reads the named environment variable.
///    `ledger_auth.token_cmd`: runs the command string in a shell and captures stdout.
///    Only one of `token_env` or `token_cmd` is used (env takes precedence if both set).
/// 3. Fall through to `~/.cargo/credentials.toml` `[registry] token` field.
///
/// Returns `Ok(Some(token))` if any tier succeeds, `Ok(None)` if no token found
/// (caller decides whether to proceed -- cargo itself may have credentials).
///
/// # Errors
///
/// Returns `TokenError::EnvVarEmpty` if `token_env` is set but the variable is empty.
/// Returns `TokenError::CmdFailed` if `token_cmd` fails or produces no output.
/// Returns `TokenError::CargoCredentials` if `credentials.toml` exists but is unreadable.
pub fn resolve_token(
    cli_token: Option<&str>,
    ledger_auth: &LedgerAuth,
) -> Result<Option<String>, TokenError> {
    resolve_token_inner(cli_token, ledger_auth, None)
}

/// Inner implementation with injectable credentials path for testing.
pub(crate) fn resolve_token_inner(
    cli_token: Option<&str>,
    ledger_auth: &LedgerAuth,
    creds_path_override: Option<&std::path::Path>,
) -> Result<Option<String>, TokenError> {
    if let Some(t) = cli_token {
        return Ok(Some(t.to_owned()));
    }

    if let Some(ref var) = ledger_auth.token_env {
        if let Some(val) = try_env(var)? {
            return Ok(Some(val));
        }
        // NotPresent: fall through to tier 3
    } else if let Some(ref cmd) = ledger_auth.token_cmd {
        return try_cmd(cmd);
    }

    try_cargo_credentials_at(creds_path_override)
}

/// Resolves the token for publishing, failing fast with setup instructions if none found.
///
/// Returns `Ok(Some(token))` if a token was found, `Ok(None)` if cargo's own
/// credentials should be used (tier 3 returned nothing -- cargo may still succeed).
/// Returns `Err` with actionable setup instructions if a tier 2 source was
/// configured but failed.
///
/// # Errors
///
/// Returns `Error::TokenResolution` if a configured token source fails.
pub fn require_token(
    cli_token: Option<&str>,
    ledger_auth: &LedgerAuth,
) -> Result<Option<String>, crate::Error> {
    match resolve_token(cli_token, ledger_auth) {
        Ok(token) => Ok(token),
        Err(TokenError::EnvVarEmpty { var }) => Err(crate::Error::TokenResolution(format!(
            "env var '{var}' is set but empty; set it to your crates.io token"
        ))),
        Err(TokenError::CmdFailed { reason }) => Err(crate::Error::TokenResolution(format!(
            "token_cmd failed: {reason}\nCheck the command in your .crate-seq.toml [auth] section"
        ))),
        Err(TokenError::CargoCredentials(e)) => Err(crate::Error::TokenResolution(format!(
            "could not read ~/.cargo/credentials.toml: {e}\nRun `cargo login` or set [auth] in .crate-seq.toml"
        ))),
        Err(TokenError::NotFound { tried }) => Err(crate::Error::TokenResolution(format!(
            "no token found (tried: {tried})"
        ))),
    }
}