Add a warning when using registry.token with source replacement.

Author: ehuss

Cargo.toml

@@ -22,7 +22,7 @@ path = "src/cargo/lib.rs"
 atty = "0.2"
 bytesize = "1.0"
 cargo-platform = { path = "crates/cargo-platform", version = "0.1.1" }
-crates-io = { path = "crates/crates-io", version = "0.31" }
+crates-io = { path = "crates/crates-io", version = "0.31.1" }
 crossbeam-utils = "0.7"
 crypto-hash = "0.3.1"
 curl = { version = "0.4.23", features = ["http2"] }

crates/crates-io/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "crates-io"
-version = "0.31.0"
+version = "0.31.1"
 edition = "2018"
 authors = ["Alex Crichton <alex@alexcrichton.com>"]
 license = "MIT OR Apache-2.0"

crates/crates-io/lib.rs

@@ -139,9 +139,7 @@ impl Registry {
     }
 
     pub fn host_is_crates_io(&self) -> bool {
-        Url::parse(self.host())
-            .map(|u| u.host_str() == Some("crates.io"))
-            .unwrap_or(false)
+        is_url_crates_io(&self.host)
     }
 
     pub fn add_owners(&mut self, krate: &str, owners: &[&str]) -> Result<String> {
@@ -420,3 +418,10 @@ fn reason(code: u32) -> &'static str {
         _ => "<unknown>",
     }
 }
+
+/// Returns `true` if the host of the given URL is "crates.io".
+pub fn is_url_crates_io(url: &str) -> bool {
+    Url::parse(url)
+        .map(|u| u.host_str() == Some("crates.io"))
+        .unwrap_or(false)
+}

src/cargo/ops/registry.rs

@@ -7,7 +7,7 @@ use std::time::Duration;
 use std::{cmp, env};
 
 use anyhow::{bail, format_err};
-use crates_io::{NewCrate, NewCrateDependency, Registry};
+use crates_io::{self, NewCrate, NewCrateDependency, Registry};
 use curl::easy::{Easy, InfoType, SslOpt, SslVersion};
 use log::{log, Level};
 use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
@@ -378,27 +378,8 @@ fn registry(
         token: token_config,
         index: index_config,
     } = registry_configuration(config, registry.clone())?;
-    let token = match (&index, &token, &token_config) {
-        // No token.
-        (None, None, None) => {
-            if validate_token {
-                bail!("no upload token found, please run `cargo login` or pass `--token`");
-            }
-            None
-        }
-        // Token on command-line.
-        (_, Some(_), _) => token,
-        // Token in config, no --index, loading from config is OK for crates.io.
-        (None, None, Some(_)) => token_config,
-        // --index, no --token
-        (Some(_), None, _) => {
-            if validate_token {
-                bail!("command-line argument --index requires --token to be specified")
-            }
-            None
-        }
-    };
-    let sid = get_source_id(config, index_config.or(index), registry)?;
+    let opt_index = index_config.as_ref().or(index.as_ref());
+    let sid = get_source_id(config, opt_index, registry.as_ref())?;
     if !sid.is_remote_registry() {
         bail!(
             "{} does not support API commands.\n\
@@ -426,6 +407,50 @@ fn registry(
         cfg.and_then(|cfg| cfg.api)
             .ok_or_else(|| format_err!("{} does not support API commands", sid))?
     };
+    let token = match (&index, &token, &token_config) {
+        // No token.
+        (None, None, None) => {
+            if validate_token {
+                bail!("no upload token found, please run `cargo login` or pass `--token`");
+            }
+            None
+        }
+        // Token on command-line.
+        (_, Some(_), _) => token,
+        // Token in config, no --index, loading from config is OK for crates.io.
+        (None, None, Some(_)) => {
+            // Check `is_default_registry` so that the crates.io index can
+            // change config.json's "api" value, and this won't affect most
+            // people. It will affect those using source replacement, but
+            // hopefully that's a relatively small set of users.
+            if registry.is_none()
+                && !sid.is_default_registry()
+                && !crates_io::is_url_crates_io(&api_host)
+            {
+                if validate_token {
+                    config.shell().warn(
+                        "using `registry.token` config value with source \
+                        replacement is deprecated\n\
+                        This may become a hard error in the future; \
+                        see <https://github.com/rust-lang/cargo/issues/xxx>.\n\
+                        Use the --token command-line flag to remove this warning.",
+                    )?;
+                    token_config
+                } else {
+                    None
+                }
+            } else {
+                token_config
+            }
+        }
+        // --index, no --token
+        (Some(_), None, _) => {
+            if validate_token {
+                bail!("command-line argument --index requires --token to be specified")
+            }
+            None
+        }
+    };
     let handle = http_handle(config)?;
     Ok((Registry::new_handle(api_host, token, handle), sid))
 }
@@ -782,8 +807,8 @@ pub fn yank(
 /// If both are None, returns the source for crates.io.
 fn get_source_id(
     config: &Config,
-    index: Option<String>,
-    reg: Option<String>,
+    index: Option<&String>,
+    reg: Option<&String>,
 ) -> CargoResult<SourceId> {
     match (reg, index) {
         (Some(r), _) => SourceId::alt_registry(config, &r),

tests/testsuite/publish.rs

@@ -144,6 +144,9 @@ fn old_token_location() {
         .with_stderr(&format!(
             "\
 [UPDATING] `{reg}` index
+[WARNING] using `registry.token` config value with source replacement is deprecated
+This may become a hard error in the future[..]
+Use the --token command-line flag to remove this warning.
 [WARNING] manifest has no documentation, [..]
 See [..]
 [PACKAGING] foo v0.0.1 ([CWD])
@@ -1273,6 +1276,8 @@ fn index_requires_token() {
     // --index will not load registry.token to avoid possibly leaking
     // crates.io token to another server.
     registry::init();
+    let credentials = paths::home().join(".cargo/credentials");
+    fs::remove_file(&credentials).unwrap();
 
     let p = project()
         .file(
@@ -1292,6 +1297,47 @@ fn index_requires_token() {
     p.cargo("publish --no-verify --index")
         .arg(registry_url().to_string())
         .with_status(101)
-        .with_stderr("[ERROR] command-line argument --index requires --token to be specified")
+        .with_stderr(
+            "\
+[UPDATING] [..]
+[ERROR] command-line argument --index requires --token to be specified
+",
+        )
+        .run();
+}
+
+#[cargo_test]
+fn registry_token_with_source_replacement() {
+    // publish with source replacement without --token
+    registry::init();
+
+    let p = project()
+        .file(
+            "Cargo.toml",
+            r#"
+            [project]
+            name = "foo"
+            version = "0.0.1"
+            authors = []
+            license = "MIT"
+            description = "foo"
+        "#,
+        )
+        .file("src/lib.rs", "")
+        .build();
+
+    p.cargo("publish --no-verify")
+        .with_stderr(
+            "\
+[UPDATING] [..]
+[WARNING] using `registry.token` config value with source replacement is deprecated
+This may become a hard error in the future[..]
+Use the --token command-line flag to remove this warning.
+[WARNING] manifest has no documentation, [..]
+See [..]
+[PACKAGING] foo v0.0.1 ([CWD])
+[UPLOADING] foo v0.0.1 ([CWD])
+",
+        )
         .run();
 }