Authentication
This page lists the credential configuration that the sysand client supports
for HTTP(S) indexes and project downloads.
For the conceptual overview, see Authentication. To create a Sysand Index API token, see Create an API token.
Credential environment variables
HTTP credentials are configured through environment variables whose names share
one arbitrary suffix <X>.
Basic authentication:
SYSAND_CRED_<X>=<PATTERN>
SYSAND_CRED_<X>_BASIC_USER=<USER>
SYSAND_CRED_<X>_BASIC_PASS=<PASSWORD>
Bearer token authentication:
SYSAND_CRED_<X>=<PATTERN>
SYSAND_CRED_<X>_BEARER_TOKEN=<TOKEN>
<PATTERN> is a URL glob pattern. <X> is only a label that connects the URL
pattern to its credential values.
URL glob matching
Sysand uses URL glob patterns with literal path separators:
| Pattern syntax | Meaning |
|---|---|
| | Matches any single character except |
| | Matches any sequence of characters that does not contain |
| | Matches any sequence of characters, including |
Example:
$ export SYSAND_CRED_TEST='https://*.example.com/**'
$ export SYSAND_CRED_TEST_BASIC_USER='foo'
$ export SYSAND_CRED_TEST_BASIC_PASS='bar'
That pattern matches URLs such as:
https://www.example.com/projects/project.kpar
https://projects.example.com/index.json
https://projects.example.com/projects/myproject/versions.json
Request behavior
For normal HTTP(S) fetches, Sysand first makes an unauthenticated request. If the response status is in the 4xx range and the URL matches a credential pattern, Sysand retries with matching credentials.
If multiple credential patterns match one URL, Sysand logs a warning and tries the matching credentials until one returns a response outside the 4xx range. If none succeeds, the first response is returned.
Redirects are handled differently:
If credentials were sent to the original URL and that URL redirects to another URL on the same host, the credentials are also sent to the redirected URL.
Sysand does not first try the redirected URL without credentials.
SYSAND_CRED_* variables do not configure Git credentials. For Git projects,
Sysand runs Git with the user’s existing Git setup, such as SSH keys or
credential helpers.
Publish credentials
In the default auto mode, sysand publish first uses trusted publishing when
it detects a supported CI environment. If trusted publishing is unavailable, it
falls back to configured bearer token credentials. Basic-auth entries are
ignored for publishing.
Before uploading, sysand publish resolves the publish API URL and then checks
the configured bearer-token patterns against that upload URL when falling back
to explicit credentials.
Outside supported trusted-publishing environments, publishing fails before the
upload request is made if no bearer-token pattern matches the upload URL. If
more than one bearer-token pattern matches the upload URL, publishing also
fails; refine the SYSAND_CRED_<X> patterns so exactly one bearer token
matches.
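The following added example (not Sysand's own code) audits a set of SYSAND_CRED_* variables against the rules under "URL glob matching" and "Publish credentials": it lists which labels match a URL and whether exactly one bearer-token pattern matches an upload URL. It assumes the glob tokens are `?`, `*` and `**` with `/` as the separator and that a pattern must match the whole URL; the labels PUB and WIDE, the tokens and the URLs are constructed.

```python
import re

SUFFIXES = {"_BASIC_USER": "basic", "_BASIC_PASS": "basic", "_BEARER_TOKEN": "bearer"}

def glob_to_regex(pattern):
    """URL glob -> regex. Assumed tokens: '?', '*', '**'; assumed separator: '/'."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts))

def load_credentials(env):
    """Group SYSAND_CRED_<X>* variables by label <X>."""
    creds = {}
    for name, value in env.items():
        if not name.startswith("SYSAND_CRED_"):
            continue
        label, kind = name[len("SYSAND_CRED_"):], None
        for suffix, k in SUFFIXES.items():
            if label.endswith(suffix):
                label, kind = label[:-len(suffix)], k
        entry = creds.setdefault(label, {"pattern": None, "kinds": set()})
        if kind:
            entry["kinds"].add(kind)      # a credential value for this label
        else:
            entry["pattern"] = value      # the URL glob for this label
    return creds

def matching_labels(env, url, kind=None):
    """Labels whose pattern matches the whole URL, optionally for one credential kind."""
    return sorted(
        label for label, c in load_credentials(env).items()
        if c["pattern"] and (kind is None or kind in c["kinds"])
        and glob_to_regex(c["pattern"]).fullmatch(url)
    )

def publish_check(env, upload_url):
    """Fallback publishing needs exactly one matching bearer-token pattern."""
    labels = matching_labels(env, upload_url, kind="bearer")
    if len(labels) == 1:
        return "ok: " + labels[0]
    return "fail: ambiguous " + ",".join(labels) if labels else "fail: no bearer pattern matches"

# Constructed sample environment; TEST is the page's example, the rest is made up.
ENV = {
    "SYSAND_CRED_TEST": "https://*.example.com/**",
    "SYSAND_CRED_TEST_BASIC_USER": "foo", "SYSAND_CRED_TEST_BASIC_PASS": "bar",
    "SYSAND_CRED_PUB": "https://index.example.com/api/**",
    "SYSAND_CRED_PUB_BEARER_TOKEN": "constructed-token",
    "SYSAND_CRED_WIDE": "https://**",   # over-broad: matches every HTTPS host
    "SYSAND_CRED_WIDE_BEARER_TOKEN": "constructed-token-2",
}
```

With this sample, the WIDE pattern both makes the publish check ambiguous and offers its token to any HTTPS host that answers with a 4xx status, which is the kind of pattern to narrow.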