added support for all authentication methods of composer #12946

Open
FalkoHilbert wants to merge 1 commit into dependabot:main from FalkoHilbert:feature/add-composer-authtypes-support

Conversation

@FalkoHilbert (Author) commented Aug 26, 2025

What are you trying to accomplish?

This PR should enable support for all authentication methods of composer.

Should resolve #9093.

Anything you want to highlight for special attention from reviewers?

I created the PR to provide an initial approach. Since I am not a Ruby developer, I hope that I have understood the code correctly. I am grateful for any support and would like to use this PR to initiate the feature implementation.

How will you know you've accomplished your goal?

With the changes in this PR, it should be possible to use a Composer registry with the parameter token.
Example configuration:

registries:
  shopware-packages:
    type: composer-repository
    key: "shopware"
    url: "https://packages.shopware.com/"
    registry: "https://packages.shopware.com/"
    # currently not supported by dependabot
    token: ${{ SHOPWARE_TOKEN }}

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
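As an added illustration (not code from this PR, from dependabot-core or from the proxy), the Ruby below shows the mapping such a change has to perform on the updater side: Composer reads registry credentials from auth.json, keyed by hostname, as "http-basic" (username/password) or "bearer" (token) entries, so a registries: entry carrying token maps to a bearer entry for the registry host. The shape of the credential hashes ("type", "registry", "username", "password", "token") is an assumption modelled on the dependabot.yml block above; the auth.json keys are Composer's documented ones. The sample credentials are constructed, with a placeholder token.

```ruby
# Added example, not code from this PR or from dependabot-core. It maps
# Dependabot-style registry credentials onto the auth.json structure Composer
# reads: "http-basic" for username/password, "bearer" for a token, keyed by
# HOST. The credential hash layout is an assumption modelled on the
# registries: block in dependabot.yml; the auth.json keys are Composer's own.
require "json"
require "uri"

# Constructed sample input: one bearer-token registry (the Shopware host from
# the PR description, with a placeholder token), one http-basic registry and
# one non-Composer credential that must be ignored.
SAMPLE_CREDENTIALS = [
  { "type" => "composer_repository", "registry" => "https://packages.shopware.com/",
    "token" => "example-token" },
  { "type" => "composer_repository", "registry" => "repo.example.test/packages",
    "username" => "deploy", "password" => "s3cret" },
  { "type" => "git_source", "host" => "github.com", "password" => "ghp-example" }
].freeze

# Composer keys auth.json by hostname, so "https://packages.shopware.com/" and
# "packages.shopware.com" must land on the same entry. Scheme-less values are
# assumed to be HTTPS; a value with no recoverable host is rejected rather
# than written out as an empty key that would match nothing.
def registry_host(registry)
  value = registry.to_s.strip
  value = "https://#{value}" unless value.match?(%r{\A[a-z][a-z0-9+.\-]*://}i)
  host = URI.parse(value).host
  raise ArgumentError, "cannot derive a host from registry #{registry.inspect}" if host.nil? || host.empty?
  host.downcase
end

# Build the Hash that would be serialised to auth.json.
# username+password -> "http-basic"; token alone -> "bearer"; neither -> public
# registry, nothing written. A credential carrying both is ambiguous and is
# refused instead of silently picking one scheme.
def composer_auth_json(credentials)
  auth = {}
  credentials.each do |cred|
    next unless cred["type"] == "composer_repository"

    host = registry_host(cred["registry"])
    basic = !cred["username"].to_s.empty? && !cred["password"].to_s.empty?
    bearer = !cred["token"].to_s.empty?

    if basic && bearer
      raise ArgumentError, "registry #{host}: give either username/password or token, not both"
    elsif basic
      (auth["http-basic"] ||= {})[host] =
        { "username" => cred["username"], "password" => cred["password"] }
    elsif bearer
      (auth["bearer"] ||= {})[host] = cred["token"]
    end
  end
  auth
end

# auth.json holds secrets: when the file is created, make it owner
# read/write only (0600). Returns the path written.
def write_auth_json(credentials, dir)
  path = File.join(dir, "auth.json")
  File.write(path, JSON.pretty_generate(composer_auth_json(credentials)) + "\n", perm: 0o600)
  path
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(composer_auth_json(SAMPLE_CREDENTIALS))
end
```

Because auth.json is keyed by host, the bearer token is only ever attached to requests for that host; the same scoping matters wherever the token is ultimately injected, whether in the updater or in a proxy.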

@FalkoHilbert FalkoHilbert requested a review from a team as a code owner August 26, 2025 08:54
@github-actions bot added the label L: php:composer (Issues and code for Composer) on Aug 26, 2025
@kbukum1 (Contributor) commented Aug 28, 2025

Note: When reviewing this PR, please keep in mind that the approach shifts credential handling to the proxy rather than dependabot-core. While some default public credentials may still be used in dependabot-core for authentication, user registry credentials are managed through the proxy.

Reference: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot

@robaiken robaiken self-assigned this Sep 10, 2025
@FalkoHilbert force-pushed the feature/add-composer-authtypes-support branch from c6366a4 to 6017411 on October 20, 2025 10:22
@FalkoHilbert (Author):

Hi @robaiken

is there anything else I can do to support the completion of the pull request?
We would like to use dependabot, but we are waiting for exactly this functionality to analyze our composer dependencies.

@FalkoHilbert (Author):

Hi @robaiken,

Could you give me an update? Unfortunately, I haven't received any further feedback here, so I don't have any information about what else I can do to enable us to merge the feature.

@robaiken (Contributor):

@FalkoHilbert Thanks for the suggestion! Unfortunately, this approach won't work because it would require changes to the proxy service that sits between Dependabot and the registries.

Since the proxy handles the actual HTTP requests, we're limited to the authentication methods it already supports. Are you unable to use the standard registry authentication for your registry?

@M-arcus commented Nov 17, 2025

@robaiken

> Since the proxy handles the actual HTTP requests, we're limited to the authentication methods it already supports. Are you unable to use the standard registry authentication for your registry?

@jankal mentioned it here: #9093. Basically, the method "HTTP Bearer" is needed, but it is missing from Dependabot's authentication methods for private composer recipes: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#composer-repository

@FalkoHilbert (Author):

@robaiken Unfortunately, we are dependent on bearer authentication, as @M-arcus said.
Who administers the proxy? Is it not possible to extend the proxy? Ultimately, it's just a header value that has to pass through the proxy.

@robaiken (Contributor) commented Feb 6, 2026

@FalkoHilbert FYI we open sourced the proxy (https://github.com/dependabot/proxy) so you can contribute your changes directly to the repo

@FalkoHilbert force-pushed the feature/add-composer-authtypes-support branch from 6017411 to d780008 on February 25, 2026 10:53
@FalkoHilbert (Author) commented Feb 25, 2026

@robaiken I have adjusted the commit/PR again. I now only process the token and no longer the auth_type.
The transfer of the token itself should also work without any problems in the proxy, as the token is already taken into account there. (see: https://github.com/dependabot/proxy/blob/cb56d4ff258ad1d6372d0a03b7abf118ddce83a6/internal/handlers/composer.go#L98 )
That should work now, right?

@FalkoHilbert (Author):

Addendum:

Since the question of whether an adjustment is necessary in dependabot-core has already been clarified here by @JamieMagee, I wanted to explain once again why I still consider the adjustment to be necessary.

We use Microsoft Azure DevOps for code management at our company, and we would like to use the "Dependabot Azure DevOps (Paklo) Extension" for this.
The code for the extensions can be found here.
However, this extension uses the Dependabot updater images to map the update check in the Azure DevOps task.

Therefore, we also need to take the token into account in the dependabot-core and dependabot-updater-composer images.

@FalkoHilbert (Author):

Hello @robaiken,

Is there any news yet about the PR Review? We need this feature to set up Dependabot in our system accordingly.


Labels: L: php:composer (Issues and code for Composer)

Linked issues (successfully merging this pull request may close them):
Support bearer token authentication with private composer repository (#9093)

4 participants