Do not warn http sources in package reference restore when allowInsecureConnections is set to true

[heng-liu]

Bug

Fixes: NuGet/Home#12787

Regression? Last working version:

Description

• When allowInsecureConnections property in packageSources section is set to true in NuGet.Config files, suppress warnings for HTTP sources in PackageReference restore scenarios in all NuGet tools.
  The PR enable the HTTP warnings in this scenario is: Warn when http sources are used in PackageReference restore operations #4556

• Updated to use _request.DependencyProviders.RemoteProviders, instead of _request.Project.RestoreMetadata to check , as the first one respect the settings.
  Context: The original value of allowInsecureConnections for RestoreRequest.Project.RestoreMetadata.Sources is always false, as the value is from: 1.https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Commands/RestoreCommand/Utility/MSBuildRestoreUtility.cs#L200 which doesn't contain any additional attributes like allowInsecureConnections . (dotnet restore)
  2.https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Clients/NuGet.CommandLine/MsBuildUtility.cs#L210 which is loading an output.dg file(generated by GenerateRestoreGraphFileTask) which also doesn't contain any additional attributes like allowInsecureConnections . (NuGet.exe restore)

PR Checklist

• PR has a meaningful title

• PR has a linked issue.

• Described changes

• Tests

  • Automated tests added
  • OR
  • Test exception
  • OR
  • N/A

• Documentation

  • Documentation PR or issue filled
  • OR
  • N/A

[donnie-msft]

I like that this test is thorough, but is it clearer to just assert Equals on the expected warning, then drop the unexpected warning completely?

Suggested change

Assert.DoesNotContain(unExpectedWarning, logMessage.Message);

[zivkan]

If you mean why not do Assert.Equals("NU1234: This is the expected message"), then that's high risk of causing problems for people who wish to contribute to NuGet but don't use English as their locale: NuGet/Home#12820. The risk will significantly increase if we eventually do localization more like the rest of github.com/dotnet repos, since local builds can have the satellite assemblies.

[donnie-msft]

If you mean why not do Assert.Equals("NU1234: This is the expected message")

No, I do not mean that. I expect we would continue using the localized variable.

[donnie-msft]

Looking at the latest commits and this thread, this hasn't been addressed.

[heng-liu]

Thanks for reviewing! Sorry for taking long to address this. This is fixed.

[donnie-msft]

To reduce copying the HTTP source as well as emphasize that your test is expecting the HTTP source URL, I think a variable here would be clearer:

Suggested change

	string expectedWarning = "You are running the 'restore' operation with an 'HTTP' source, 'http://api.source/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.";
	string expectedWarning = $"You are running the 'restore' operation with an 'HTTP' source, '{testHttpSourceUrl}'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.";

[donnie-msft]

Looking at the latest commits and this thread, this hasn't been addressed.

[heng-liu]

Thanks! This is fixed.

[nkolev92]

This was my bad @heng-liu, I should've done this investigation the first time I provided feedback.

I think we need a slight change here.
I think my original implementation that I added here: 4d2c5a4 is not ideal.

Some background:

• PackageSpec, or rather Project is considered to be the model for restore, the input. This will be created differently on the commandline (static graph vs standard) vs Visual Studio. It has a sources property, which is the processed sources based on the project path, RestoreSources msbuild property etc. It's the actual end sources. The general expectation is that the PackageSpec does not get modified. It is basically what is used for no-op.
• RestoreRequest has a list of DependencyProviders.
  These dependency providers are "shared" across projects, created within this classl,

  NuGet.Client/src/NuGet.Core/NuGet.Commands/RestoreCommand/RequestFactory/DependencyGraphSpecRequestProvider.cs

  Lines 175 to 182 in 41e98d3

  	var sharedCache = _providerCache.GetOrCreate(
  	globalPath,
  	fallbackPaths.AsList(),
  	sources,
  	restoreArgs.CacheContext,
  	restoreArgs.Log,
  	updateLastAccess);

  . It basically ensures that restore for every project shares the same providers, the same SourceRepository and like resources. These dependency provides also happen to have repositories, and PackageSource that should match the ones from the settings file. Hence the whole GetEffectiveSources thing.

When I added the original implementation, I used _request.Project.RestoreMetadata.Sources. I think that's incorrect. Those are not how the sources are used, they are used through request.DependencyProviders which is effectively based on the PackageSource list from the package spec.

I should've used that and it's already used in a bunch of places, like for example, detecting http sources for telemetry,

NuGet.Client/src/NuGet.Core/NuGet.Commands/RestoreCommand/RestoreCommand.cs

Line 155 in 41e98d3

int httpSourcesCount = _request.DependencyProviders.RemoteProviders.Where(e => e.IsHttp).Count();

.

Basically, PackageSpec on the request is expected to be immutable, see: NuGet/Home#9041 (comment). We basically clone it a bunch of time because of fear of these types of changes.

Now this is a thing you've never caught yourself, and it's not incorrect to do this, but I think it'll be a smaller change if you just change it to use the dependencyproviders.

You can try that change and see how it goes, tests might break. Like, not sure if everything is mocked 100%. If that becomes the case, please lmk and I can help or just do the change from using the package spec metadata to the dependencyprovider once, since I caused the pain anyways :)

[nkolev92]

I think the review has been re-requested mistakenly,

[heng-liu]

Thanks @nkolev92 for the detailed contexts! (I was wondering why the tests for no-op failed previously.)
I changed to use RemoteProviders in a testing branch and the build shows the newly changed test failed. There is no warning in result.LockFile.LogMessages so it failed at this line
However, I can see the warning from the console when running the commandline.
Do you have any suggestions about fixing this test? Thanks!

[nkolev92]

NuGet.Client/test/TestUtilities/Test.Utility/Commands/ProjectTestHelpers.cs

Line 223 in 29f2929

var sources = new List<PackageSource> { new PackageSource(pathContext.PackageSource) };

has a bug. It's using a hardcoded list where it's using the PathContext source instead of the ones from the package spec. It should be using the PackageSpec ones. I'll do some quick testing to see if I can have a fix.

[nkolev92]

I'd add a new CreateRestoreRequestMethod, where the source is spec.RestoreMetadata.Sources.

That makes the test pass. Other tests would fail if you make the change in project test helpers directly.
I know how to fix the ones I wrote, but there's many other tests that have package specs that are incomplete.

[nkolev92]

Actually if you replace that line with:

            var sources = spec.RestoreMetadata.Sources.Any() ?
                spec.RestoreMetadata.Sources :
                new List<PackageSource> { new PackageSource(pathContext.PackageSource) };

All tests seem to pass.

[nkolev92]

If you end up choosing that, please create an issue to fix the tests and assign to me. I think our test helpers code should use as much of the production code as possible. I'm hoping to do some changes in the ProjectTestHelpers that'll help us avoid these problems.

[nkolev92]

I spent about an hour doing some refactoring: https://github.com/NuGet/NuGet.Client/tree/dev-nkolev92-cleanupTestHelpers. Feel free to make the change to fix your tests.

[nkolev92]

I have #5407 out.

[heng-liu]

Thanks @nkolev92 for your help! Please take another look.

[donnie-msft]

I re-reviewed as requested by @jeffkl, but after looking at the latest commits and my unresolved threads, there are unaddressed comments by me.

[nkolev92]

🚢

[nkolev92]

Excellent!

Thanks for fixing my mistake :)