libstore: Enable kerberos negotiation for http binary caches

[georgyo]

Motivation

It would be nice to be able to do kerberos negotiation when fetching or pushing stuff to an HTTP binary store. This PR makes it possible to add ?negotiate=true to have libcurl do krb negotiation.

I debated on just adding CURLAUTH_ANY unconditionally here, which is what git does and would automatically do krb negotiation if the server supports it, but figured that might be a too dramatic change as that could change existing behavior.

Priorities and Process

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

[roberth]

Could you add a test for this?
I think this needs to be a NixOS test, because that makes it easy to set up the necessary services, and doesn't add dependencies to the nix package.
We don't have a NixOS test for binary caches, so you could add a new one under tests/nixos.

[roberth]

Does this need to be a configuration item, or could it be autodetected?

I think negotiate is a bit vague. Would kerberos be a better name?

[georgyo]

We could add CURLAUTH_ANY instead of CURLAUTH_NEGOITATE, which would do the detection for you. We could add that flag at all times, and libcurl will use the best available authentication it finds. This is what git does, and that works pretty well. The downside is that if the HTTP server will accept negotiation OR another protocol, libcurl will always choose negotiation, which has a very slim chance of breaking use cases. This may be a very acceptable risk as git has been doing this for a decade already.

negotiate is the best name here, it matches the curl command line argument --negotiate, and is widely known as that.

[roberth]

I'm not too familiar with that, but it's generally good to mirror existing interfaces.
What about CURLAUTH_ANYSAFE ?
Maybe we should similarly expose a single auth setting, instead of specific ones for each possible solution.

[georgyo]

A decent idea, I've created #10584 as an alternate proposal to this one.

[georgyo]

Could you add a test for this? I think this needs to be a NixOS test, because that makes it easy to set up the necessary services, and doesn't add dependencies to the nix package. We don't have a NixOS test for binary caches, so you could add a new one under tests/nixos.

Testing kerberos/negotiation auth is notoriously hard. It requires setting up a KDC, generating service keytabs, users keytabs and configuring servers to do it. In the end we are testing a single option to libcurl, of which libcurl is very well tested.

Creating a nixos test for this would take more time than I can devote to this feature.

[roberth]

this would take more time than I can devote to this feature.

NixOS does come with kerberos.nix test for NFS, which presumably has most of the setup required, so maybe you want to reconsider, but I can respect your argument.