Update vendored version of hex_core to v0.12.0

apps/rebar/src/vendored/r3_hex_api.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Hex HTTP API
@@ -103,12 +103,14 @@ request(Config, Method, Path, Body) when is_binary(Path) and is_map(Config) ->
     case r3_hex_http:request(Config, Method, build_url(Path, Config), ReqHeaders2, Body) of
         {ok, {Status, RespHeaders, RespBody}} ->
             ContentType = maps:get(<<"content-type">>, RespHeaders, <<"">>),
-            case binary:match(ContentType, ?ERL_CONTENT_TYPE) of
-                {_, _} ->
-                    {ok, {Status, RespHeaders, binary_to_term(RespBody)}};
-                nomatch ->
-                    {ok, {Status, RespHeaders, nil}}
-            end;
+            Response =
+                case binary:match(ContentType, ?ERL_CONTENT_TYPE) of
+                    {_, _} ->
+                        {ok, {Status, RespHeaders, binary_to_term(RespBody)}};
+                    nomatch ->
+                        {ok, {Status, RespHeaders, nil}}
+                end,
+            detect_otp_error(Response);
         Other ->
             Other
     end.
@@ -135,6 +137,8 @@ make_headers(Config) ->
 %% @private
 set_header(api_key, Token, Headers) when is_binary(Token) ->
     maps:put(<<"authorization">>, Token, Headers);
+set_header(api_otp, OTP, Headers) when is_binary(OTP) ->
+    maps:put(<<"x-hex-otp">>, OTP, Headers);
 set_header(_, _, Headers) ->
     Headers.
 
@@ -163,3 +167,17 @@ to_list(A) when is_atom(A) -> atom_to_list(A);
 to_list(B) when is_binary(B) -> unicode:characters_to_list(B);
 to_list(I) when is_integer(I) -> integer_to_list(I);
 to_list(Str) -> unicode:characters_to_list(Str).
+
+%% TODO: not needed after exdoc is fixed
+%% @private
+detect_otp_error({ok, {401, Headers, Body}}) ->
+    case maps:get(<<"www-authenticate">>, Headers, nil) of
+        <<"Bearer realm=\"hex\", error=\"totp_required\"", _/binary>> ->
+            {error, otp_required};
+        <<"Bearer realm=\"hex\", error=\"invalid_totp\"", _/binary>> ->
+            {error, invalid_totp};
+        _ ->
+            {ok, {401, Headers, Body}}
+    end;
+detect_otp_error(Response) ->
+    Response.

apps/rebar/src/vendored/r3_hex_api_key.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Keys.

apps/rebar/src/vendored/r3_hex_api_package.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Packages.

apps/rebar/src/vendored/r3_hex_api_package_owner.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Package Owners.

apps/rebar/src/vendored/r3_hex_api_release.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Releases.
@@ -12,13 +12,11 @@
     unretire/3
 ]).
 
--export_type([publish_params/0, retirement_params/0, retirement_reason/0]).
+-export_type([publish_params/0, retirement_params/0]).
 
 -type publish_params() :: [{replace, boolean()}].
 
--type retirement_reason() :: other | invalid | security | deprecated | renamed.
-
--type retirement_params() :: #{reason := retirement_reason(), message => binary()}.
+-type retirement_params() :: #{binary() := binary()}.
 %% @doc
 %% Gets a package release.
 %%
@@ -109,15 +107,26 @@ publish(Config, Tarball) -> publish(Config, Tarball, []).
 publish(Config, Tarball, Params) when
     is_map(Config) andalso is_binary(Tarball) andalso is_list(Params)
 ->
-    QueryString = r3_hex_api:encode_query_string([
-        {replace, proplists:get_value(replace, Params, false)}
-    ]),
-    Path = r3_hex_api:join_path_segments(r3_hex_api:build_repository_path(Config, ["publish"])),
-    PathWithQuery = <<Path/binary, "?", QueryString/binary>>,
-    TarballContentType = "application/octet-stream",
-    Config2 = put_header(<<"content-length">>, integer_to_binary(byte_size(Tarball)), Config),
-    Body = {TarballContentType, Tarball},
-    r3_hex_api:post(Config2, PathWithQuery, Body).
+    case r3_hex_tarball:unpack(Tarball, memory) of
+        {ok, #{metadata := Metadata}} ->
+            PackageName = maps:get(<<"name">>, Metadata),
+            QueryString = r3_hex_api:encode_query_string([
+                {replace, proplists:get_value(replace, Params, false)}
+            ]),
+            Path = r3_hex_api:join_path_segments(
+                r3_hex_api:build_repository_path(Config, ["packages", PackageName, "releases"])
+            ),
+            PathWithQuery = <<Path/binary, "?", QueryString/binary>>,
+            TarballContentType = "application/octet-stream",
+            Config2 = put_header(
+                <<"content-length">>, integer_to_binary(byte_size(Tarball)), Config
+            ),
+            Config3 = maybe_put_expect_header(Config2),
+            Body = {TarballContentType, Tarball},
+            r3_hex_api:post(Config3, PathWithQuery, Body);
+        {error, Reason} ->
+            {error, {tarball, Reason}}
+    end.
 
 %% @doc
 %% Deletes a package release.
@@ -175,3 +184,10 @@ put_header(Name, Value, Config) ->
     Headers = maps:get(http_headers, Config, #{}),
     Headers2 = maps:put(Name, Value, Headers),
     maps:put(http_headers, Headers2, Config).
+
+%% @private
+maybe_put_expect_header(Config) ->
+    case maps:get(send_100_continue, Config, true) of
+        true -> put_header(<<"expect">>, <<"100-continue">>, Config);
+        false -> Config
+    end.

apps/rebar/src/vendored/r3_hex_api_user.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Users.

apps/rebar/src/vendored/r3_hex_core.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% `hex_core' entrypoint module.
@@ -14,6 +14,15 @@
 %%
 %% * `api_key' - Authentication key used when accessing the HTTP API.
 %%
+%% * `api_otp' - TOTP (Time-based One-Time Password) code for two-factor authentication.
+%%   When using OAuth tokens, write operations require 2FA if the user has it enabled.
+%%   If required, the server returns one of:
+%%   - `{error, otp_required}' - Retry the request with a 6-digit TOTP code in this option
+%%   - `{error, invalid_totp}' - The provided TOTP code was incorrect, retry with correct code
+%%   - `{ok, {403, _, #{<<"message">> => <<"Two-factor authentication must be enabled for API write access">>}}}' - User must enable 2FA first
+%%   - `{ok, {429, _, _}}' - Too many failed TOTP attempts, rate limited
+%%   API keys do not require TOTP validation.
+%%
 %% * `api_organization' - Name of the organization endpoint in the API, this should
 %%   for example be set when accessing key for a specific organization.
 %%
@@ -49,6 +58,10 @@
 %% * `repo_verify_origin' - If `true' will verify the repository signature origin,
 %%   requires protobuf messages as of hex_core v0.4.0 (default: `true').
 %%
+%% * `send_100_continue' - If `true' will send `Expect: 100-continue' header for
+%%   publish operations. This allows the server to validate authentication and
+%%   authorization before the client sends the request body (default: `true').
+%%
 %% * `tarball_max_size' - Maximum size of package tarball, defaults to
 %%   `16_777_216' (16 MiB). Set to `infinity' to not enforce the limit.
 %%
@@ -81,6 +94,7 @@
 
 -type config() :: #{
     api_key => binary() | undefined,
+    api_otp => binary() | undefined,
     api_organization => binary() | undefined,
     api_repository => binary() | undefined,
     api_url => binary(),
@@ -95,6 +109,7 @@
     repo_organization => binary() | undefined,
     repo_verify => boolean(),
     repo_verify_origin => boolean(),
+    send_100_continue => boolean(),
     tarball_max_size => pos_integer() | infinity,
     tarball_max_uncompressed_size => pos_integer() | infinity,
     docs_tarball_max_size => pos_integer() | infinity,
@@ -105,6 +120,7 @@
 default_config() ->
     #{
         api_key => undefined,
+        api_otp => undefined,
         api_organization => undefined,
         api_repository => undefined,
         api_url => <<"https://hex.pm/api">>,
@@ -119,6 +135,7 @@ default_config() ->
         repo_organization => undefined,
         repo_verify => true,
         repo_verify_origin => true,
+        send_100_continue => true,
         tarball_max_size => 16 * 1024 * 1024,
         tarball_max_uncompressed_size => 128 * 1024 * 1024,
         docs_tarball_max_size => 16 * 1024 * 1024,

apps/rebar/src/vendored/r3_hex_core.hrl

@@ -1,3 +1,3 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
--define(HEX_CORE_VERSION, "0.10.1").
+-define(HEX_CORE_VERSION, "0.12.0").

apps/rebar/src/vendored/r3_hex_erl_tar.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @private
 %% Copied from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/erl_tar.erl

apps/rebar/src/vendored/r3_hex_erl_tar.hrl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 % Copied from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/erl_tar.hrl
 

apps/rebar/src/vendored/r3_hex_filename.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 % @private
 % Excerpt from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/filename.erl#L761-L788

apps/rebar/src/vendored/r3_hex_http.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% HTTP contract.
@@ -15,7 +15,9 @@
 -type headers() :: #{binary() => binary()}.
 -export_type([headers/0]).
 -type body() :: {ContentType :: binary(), Body :: binary()} | undefined.
+-export_type([body/0]).
 -type adapter_config() :: map().
+-export_type([adapter_config/0]).
 
 -callback request(method(), URI :: binary(), headers(), body(), adapter_config()) ->
     {ok, {status(), headers(), binary()}}

apps/rebar/src/vendored/r3_hex_http_httpc.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% httpc-based implementation of {@link r3_hex_http} contract.
@@ -22,25 +22,44 @@
 
 request(Method, URI, ReqHeaders, Body, AdapterConfig) when is_binary(URI) ->
     Profile = maps:get(profile, AdapterConfig, default),
-    HTTPOptions = maps:get(http_options, AdapterConfig, []),
+    HTTPOptions0 = maps:get(http_options, AdapterConfig, []),
 
     HTTPS =
         case URI of
             <<"https", _/binary>> -> true;
             _ -> false
         end,
-    SSLOpts = proplists:get_value(ssl, HTTPOptions),
+    SSLOpts0 = proplists:get_value(ssl, HTTPOptions0),
 
-    if
-        HTTPS == true andalso SSLOpts == undefined ->
-            io:format(
-                "[r3_hex_http_httpc] using default ssl options which are insecure.~n"
-                "Configure your adapter with: "
-                "{r3_hex_http_httpc, #{http_options => [{ssl, SslOpts}]}}~n"
-            );
-        true ->
-            ok
-    end,
+    HTTPOptions =
+        if
+            HTTPS == true andalso SSLOpts0 == undefined ->
+                %% Add safe defaults if possible.
+                try
+                    [
+                        {ssl, [
+                            {verify, verify_peer},
+                            {cacerts, public_key:cacerts_get()},
+                            {depth, 3},
+                            {customize_hostname_check, [
+                                {match_fun, public_key:pkix_verify_hostname_match_fun(https)}
+                            ]}
+                        ]}
+                        | HTTPOptions0
+                    ]
+                catch
+                    _:_ ->
+                        io:format(
+                            "[r3_hex_http_httpc] using default ssl options which are insecure.~n"
+                            "Configure your adapter with: "
+                            "{r3_hex_http_httpc, #{http_options => [{ssl, SslOpts}]}}~n"
+                            "or upgrade Erlang/OTP to OTP-25 or later.~n"
+                        ),
+                        HTTPOptions0
+                end;
+            true ->
+                HTTPOptions0
+        end,
 
     Request = build_request(URI, ReqHeaders, Body),
     case httpc:request(Method, Request, HTTPOptions, [{body_format, binary}], Profile) of

apps/rebar/src/vendored/r3_hex_licenses.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Hex Licenses.

apps/rebar/src/vendored/r3_hex_pb_names.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_package.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_signed.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_versions.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_registry.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.10.1, do not edit manually
+%% Vendored from hex_core v0.12.0, do not edit manually
 
 %% @doc
 %% Functions for encoding and decoding Hex registries.
@@ -57,7 +57,7 @@ decode_names(Payload, Repository) ->
         #{repository := Repository, packages := _Packages} = Result ->
             {ok, Result};
         _ ->
-            {error, unverified}
+            {error, bad_repo_name}
     end.
 
 %% @doc
@@ -86,7 +86,7 @@ decode_versions(Payload, Repository) ->
         #{repository := Repository, packages := _Packages} = Result ->
             {ok, Result};
         _ ->
-            {error, unverified}
+            {error, bad_repo_name}
     end.
 
 %% @doc
@@ -115,7 +115,7 @@ decode_package(Payload, Repository, Package) ->
         #{repository := Repository, name := Package, releases := _Releases} = Result ->
             {ok, Result};
         _ ->
-            {error, unverified}
+            {error, bad_repo_name}
     end.
 
 %% @private
@@ -133,7 +133,7 @@ decode_and_verify_signed(Signed, PublicKey) ->
     #{payload := Payload, signature := Signature} = decode_signed(Signed),
     case verify(Payload, Signature, PublicKey) of
         true -> {ok, Payload};
-        false -> {error, unverified};
+        false -> {error, bad_signature};
         {error, Reason} -> {error, Reason}
     end.