Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: GOAUTH command output can't have a trailing slash #71889

Open
yihanzhen opened this issue Feb 22, 2025 · 2 comments
Open

cmd/go: GOAUTH command output can't have a trailing slash #71889

yihanzhen opened this issue Feb 22, 2025 · 2 comments
Labels
BugReport Issues describing a possible bug in the Go implementation. GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@yihanzhen
Copy link

yihanzhen commented Feb 22, 2025
edited
Loading

Go version

go1.25

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='blaze-bin/cloud/sdk/gcloud/gcloud_lite artifacts go goauth --location=us-west1'
GOBIN=''
GOCACHE='/usr/local/google/home/hzyi/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/usr/local/google/home/hzyi/.config/go/env'
GOEXE=''
GOEXPERIMENT='fieldtrack,boringcrypto'
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3533660362=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/usr/local/google/home/hzyi/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/usr/local/google/home/hzyi/go'
GOPRIVATE=''
GOPROXY='staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote'
GOROOT='/usr/lib/google-golang'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/usr/local/google/home/hzyi/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/google-golang/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.25-20250216-RC00 cl/727547642 +d524e1eccd X:fieldtrack,boringcrypto'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

I work on the GCP Artifact Registry team (private Go registries) and I am integrating with the GOAUTH environment variable in 1.24. I am working on a gcloud command that would output:

https://us-west1-go.pkg.dev/

Authorization: Bearer <token>

This is based on the sample at https://pkg.go.dev/cmd/go#hdr-GOAUTH_environment_variable

What did you see happen?

Go fails to attach the authorization when I run go mod download resulting in a 401 error (as I have access to the backend log, I can see in the backend that the request indeed does not have the auth header from the GOAUTH output).

Full error:

$ go mod download -x github.com/google/[email protected]
# get https://staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote/github.com/google/go-containerregistry/@v/v0.20.0.info
# get https://staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote/github.com/google/go-containerregistry/@v/v0.20.0.info: 401 Unauthorized (9.990s)
go: github.com/google/[email protected]: reading https://staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote/github.com/google/go-containerregistry/@v/v0.20.0.info: 401 Unauthorized

What did you expect to see?

More detailed docs on what the output should be in the docs.

I did some digging and I think the problem is at this line:

go/src/cmd/go/internal/auth/auth.go

Line 149 in d7a1261

currentPrefix, _, ok = strings.Cut(currentPrefix, "/")
that strings.Cut(currentPrefix, "/") will remove the trailing slash in the URL when Go tries to match URLs in the credential cache by prefix. If I remove the trailing slash in the output of the GOAUTH command, i.e. to the following:

https://us-west1-go.pkg.dev

Authorization: Bearer <token>

It works, but this contradicts the example in the Godoc.

	https://example.com/
	https://example.net/api/

	Authorization: Basic <token>

	https://another-example.org/

	Example: Data

Looking at the code there seem to be two ways Go matches request URLs to those in the credential cache (by full match or by prefix match), but the documentation does not have clarification on this. I am also not sure how a full match would work given the request URL is different for every Go module proxy API endpoint.
@gabyhelp
Copy link

Related Issues

Related Code Changes

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp added the BugReport Issues describing a possible bug in the Go implementation. label Feb 22, 2025
@mknyszek mknyszek changed the title src/cmd/go/internal/auth: GOAUTH command output can't have a trailing slash cmd/go: GOAUTH command output can't have a trailing slash Feb 22, 2025
@mknyszek
Copy link
Contributor

CC @matloob @samthanawalla

@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 22, 2025
@mknyszek mknyszek added this to the Backlog milestone Feb 22, 2025
@mknyszek mknyszek added the GoCommand cmd/go label Feb 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BugReport Issues describing a possible bug in the Go implementation. GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@mknyszek @yihanzhen @gabyhelp