Download tool packages from NuGet feeds directly, instead of implicitly restoring

[JL03-Yue]

PR for issue #31134

Currently, when installing a dotnet tool package, the code restores a temporary project using toolPackageInstaller. This PR updated the methods handling tools to use NuGet API when installing, updating, restoring, and uninstalling global and local tools.

This PR also changes the tests that test the installing, updating, restoring, and uninstalling global and local tools. It also controls the verbosity output from NuGet API when downloading tools.

[dsplaisted]

/azp run

[azure-pipelines]

Pull request contains merge conflicts.

[dsplaisted]

Great job getting this working!

Some of this is pretty complicated to review, I took a first pass and added my comments, but I will probably have to look at it again later.

Thanks!

[nkolev92]

This implementation must consider PackageSourceMapping. We're moving away from an implementation that considers it, we must not lose that.

I'll review in more detail later.

[dsplaisted]

This implementation must consider PackageSourceMapping. We're moving away from an implementation that considers it, we must not lose that.

I'll review in more detail later.

@nkolev92 @zivkan We're using NuGet APIs to download a package. The code for that is here. Is there a way to respect package source mapping when calling those APIs?

[nkolev92]

Yeah, I'll link examples later when I review it.

[dsplaisted]

Looking pretty good, great job!

[nkolev92]

NuGet warns for http source since NuGet 6.3 (https://devblogs.microsoft.com/nuget/https-everywhere/) Before this change, dotnet tool install will run implicit restore so NuGet is able to warn customer about http source when installing dotnet tool. However, after this change, there will be no warning for http source when installing dotnet tool. Hi @JonDouglas @aortiz-msft @nkolev92 @zivkan do you have any concerns about this?

That's a great catch! I think that should be added as well.

[JonDouglas]

We want to have a consistent experience everywhere we can. Since most of that is implemented at restore, could we somehow provide a central API or similar piping for NuGet APIs as well? That way it is rather easy for people to contribute these types of changes without having to know about all the NuGet best security practices and years of work going into restore security?

[nkolev92]

We want to have a consistent experience everywhere we can. Since most of that is implemented at restore, could we somehow provide a central API or similar piping for NuGet APIs as well? That way it is rather easy for people to contribute these types of changes without having to know about all the NuGet best security practices and years of work going into restore security?

http warnings, PSM, signature verification are concerns at different parts of restore, so they're not really implemented at the same level.

Adding a central API end up being something that's not used anywhere within the NuGet code itself, so we wouldn't know how to best author it.
After some discussions (maybe @zivkan was a part of that?), downloading was implemented on the SDK side (plus time constraints).

@zivkan mentioned this in a side-chat, but I think this is showing that we need to add some tests testing NuGet scenarios within in this repo, regardless of how stuff gets implemented :)

[dsplaisted]

I still want to take a look at the tests, but I think I've reviewed everything else in detail now.

Let's take a look at the feedback together.

[dsplaisted]

I've finished reviewing the tests now too. Some of the feedback here we've already discussed live.

I also think we should add tests for some scenarios where the package has already been downloaded or the tool has already been installed in another local tools folder.

[dsplaisted]

I think we should have a test where package source mapping is configured correctly, and verify that it can download successfully. I'm not sure yet what the best way to write such a test would be.

[dsplaisted]

Great job! We're almost there, just a few remaining comments.

[dsplaisted]

This only applies to local tools. So I tihnk it should probably be in a block that only applies to local tools (such as an else statement from the previous suggestion).