diff --git a/src/Microsoft.TemplateEngine.Edge/Installers/NuGet/NugetApiPackageManager.cs b/src/Microsoft.TemplateEngine.Edge/Installers/NuGet/NugetApiPackageManager.cs index 7e6f13bd02f..113417dd8a0 100644 --- a/src/Microsoft.TemplateEngine.Edge/Installers/NuGet/NugetApiPackageManager.cs +++ b/src/Microsoft.TemplateEngine.Edge/Installers/NuGet/NugetApiPackageManager.cs @@ -62,6 +62,11 @@ public async Task DownloadPackageAsync(string downloadPath, st IEnumerable packagesSources = LoadNuGetSources(additionalSources?.ToArray() ?? Array.Empty()); + if (!force) + { + packagesSources = RemoveInsecurePackages(packagesSources); + } + PackageSource source; NugetPackageMetadata packageMetadata; @@ -200,6 +205,32 @@ await GetLatestVersionInternalAsync( return (package.Identity.Version.ToNormalizedString(), isLatestVersion); } + internal IEnumerable RemoveInsecurePackages(IEnumerable packagesSources) + { + var insecurePackages = new List(); + var securePackages = new List(); + foreach (var packageSource in packagesSources) + { + // NuGet IsHttp property can be both http and https sources + if (packageSource.IsHttp && !packageSource.IsHttps) + { + insecurePackages.Add(packageSource); + } + else + { + securePackages.Add(packageSource); + } + } + + if (insecurePackages.Any()) + { + var packagesString = string.Join(", ", insecurePackages.Select(package => package.Source)); + _nugetLogger.LogWarning(string.Format(LocalizableStrings.NuGetApiPackageManager_Warning_InsecureFeed, packagesString)); + } + + return securePackages; + } + private async Task<(PackageSource, NugetPackageMetadata)> GetLatestVersionInternalAsync( string packageIdentifier, IEnumerable packageSources, diff --git a/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.Designer.cs b/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.Designer.cs index 09a54533f0d..78f5801fbbd 100644 --- a/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.Designer.cs 
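Review bot: Gating the filter on `if (!force)` in DownloadPackageAsync makes the existing `force` argument double as the opt-in for plain-HTTP feeds. A caller who passes it for any other reason re-enables those sources, and the new warning is never emitted on that path. Consider a dedicated opt-in, or at least log the HTTP sources that are used when `force` is set, e.g. a comment plus a warning call such as `// force bypasses the transport check: report which http sources are still in use`. When every configured source is plain HTTP, `packagesSources` becomes empty. The code after the hunk is not visible, so confirm that the resulting error tells the user sources were filtered rather than only reporting the package as not found. The method body starts and ends outside the hunk.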
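Review bot: `RemoveInsecurePackages` filters package sources, not packages, and its `else` branch keeps every source that is not plain HTTP, which includes non-HTTP sources such as local folders as well as HTTPS feeds. The names `insecurePackages` and `securePackages` therefore overstate what the returned list guarantees. I would rename along the lines of `RemoveInsecureSources` and add a summary such as `/// Drops sources reached over plain http; https and non-HTTP sources are kept, and the dropped ones are reported in one warning.` so the trust decision is explicit. The warning also writes `package.Source` verbatim; if a feed URL can carry credentials or a token in its user-info or query string (not determinable from this hunk), that value lands in the log, so logging the source name or a redacted URL would be safer. `string.Format` is called without a format provider, which is minor but worth passing a culture for consistency.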
+++ b/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.Designer.cs @@ -405,6 +405,15 @@ internal static string NuGetApiPackageManager_Warning_FailedToLoadSource { } } + /// + /// Looks up a localized string similar to The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force.. + /// + internal static string NuGetApiPackageManager_Warning_InsecureFeed { + get { + return ResourceManager.GetString("NuGetApiPackageManager_Warning_InsecureFeed", resourceCulture); + } + } + /// /// Looks up a localized string similar to {0} is not found in NuGet feeds {1}.. /// diff --git a/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.resx b/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.resx index 85fb0261f38..771b3df1eb1 100644 --- a/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.resx +++ b/src/Microsoft.TemplateEngine.Edge/LocalizableStrings.resx @@ -238,6 +238,9 @@ No NuGet sources are defined or enabled. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + Failed to remove {0} after failed download. Remove the file manually if it exists. @@ -448,4 +451,4 @@ The template from 'PACKAGE_ID' will be used. To resolve this conflict, uninstall The template is invalid and cannot be instantiated. - \ No newline at end of file + diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.cs.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.cs.xlf index 1e7a9c1c24e..bc6bfdf43eb 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.cs.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.cs.xlf 
@@ -197,6 +197,11 @@ Nepovedlo se načíst zdroj Nuget {0}: zdroj není platný. Při dalším zpracování se přeskočí. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. Balíček {0} se nenašel v informačních kanálech NuGet {1}. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.de.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.de.xlf index e5308af417a..165e590f481 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.de.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.de.xlf @@ -197,6 +197,11 @@ Fehler beim Laden der NuGet-Quelle {0}: die Quelle ist ungültig. Sie wird bei der weiteren Verarbeitung übersprungen. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. \"{0}\" wurde in NuGet-Feeds \"{1}\" nicht gefunden. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.es.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.es.xlf index 95704200799..2650e4e3f34 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.es.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.es.xlf 
@@ -197,6 +197,11 @@ No se pudo cargar el origen de NuGet {0}: el origen no es válido. Se omitirá en un proceso posterior. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. No se encuentra {0} en las fuentes de NuGet {1}. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.fr.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.fr.xlf index 2370f2e0cd0..2a77c7aab25 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.fr.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.fr.xlf @@ -197,6 +197,11 @@ Échec du chargement de la source NuGet {0} : la source n’est pas valide. Il sera ignoré en cours de traitement. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. {0} est introuvable dans les flux NuGet {1}. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.it.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.it.xlf index 79f5df420e8..7ecfa00d0da 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.it.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.it.xlf 
@@ -197,6 +197,11 @@ Non è stato possibile caricare l'origine NuGet {0}: l'origine non è valida. Verrà ignorata in elaborazioni successive. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. {0} non è stato trovato nei feed NuGet {1}. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ja.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ja.xlf index c965dcdba90..7ea38b4b001 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ja.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ja.xlf @@ -197,6 +197,11 @@ NuGet ソース {0} の読み込みに失敗しました: このソースが有効ではありません。今後の処理ではスキップされます。 + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. {0} が NuGet フィードに見つかりません{1}。 diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ko.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ko.xlf index 1aa19b3c5ca..ca0401aa905 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ko.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ko.xlf @@ -197,6 +197,11 @@ NuGet 원본 {0}을(를) 로드하지 못했습니다. 원본이 유효하지 않습니다. 추가 처리에서 건너뛰세요. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. {0}을(를) NuGet 피드 {1}에서 찾을 수 없습니다. 
diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pl.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pl.xlf index 3cfd347ebf5..8d2840c7042 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pl.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pl.xlf @@ -197,6 +197,11 @@ Nie można załadować źródła pakietu NuGet {0}: źródło jest nieprawidłowe. Zostanie ono pominięte podczas dalszego przetwarzania. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. Nie znaleziono pakietu {0} w kanałach informacyjnych pakietu NuGet {1}. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pt-BR.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pt-BR.xlf index c4ce919e590..a914393f606 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pt-BR.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.pt-BR.xlf @@ -197,6 +197,11 @@ Falha no carregamento da fonte NuGet {0}: a fonte não é válida. Ela será ignorada num processamento posterior. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. {0} não é encontrado no NuGet feeds {1}. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ru.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ru.xlf index 7aaf189c71c..0adcfbed0f2 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ru.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.ru.xlf 
@@ -197,6 +197,11 @@ Не удалось загрузить источник NuGet {0}: недопустимый источник. Он будет пропущен при дальнейшей обработке. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. {0} не найдено в веб-каналах NuGet {1}. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.tr.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.tr.xlf index 4da13a59916..670b4b2d865 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.tr.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.tr.xlf @@ -197,6 +197,11 @@ {0} NuGet kaynağı yüklenemedi: kaynak geçerli değil. Daha fazla işlemede atlanacak. + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. {0}, {1} NuGet akışlarında bulunamadı. diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hans.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hans.xlf index ebded52829c..b46741c8d16 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hans.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hans.xlf @@ -197,6 +197,11 @@ 无法加载 NuGet 源 {0}: 源无效。进一步处理中将跳过它。 + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. 在 NuGet 源 {1} 中找不到 {0}。 
diff --git a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hant.xlf b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hant.xlf index 3a3e67fe6f7..ee59f36d2ee 100644 --- a/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hant.xlf +++ b/src/Microsoft.TemplateEngine.Edge/xlf/LocalizableStrings.zh-Hant.xlf @@ -197,6 +197,11 @@ 無法載入 NuGet 來源 {0}: 來源無效。進一步處理時會跳過此情況。 + + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + The NuGet sources {0} are insecure and will not be searched. If you want to include those sources for search, use --force. + + {0} is not found in NuGet feeds {1}. 在 NuGet 摘要 {1} 中找不到 {0}。 diff --git a/test/Microsoft.TemplateEngine.Edge.UnitTests/NuGetApiPackageManagerTests.cs b/test/Microsoft.TemplateEngine.Edge.UnitTests/NuGetApiPackageManagerTests.cs index 81386900e24..efc8f0ce4fc 100644 --- a/test/Microsoft.TemplateEngine.Edge.UnitTests/NuGetApiPackageManagerTests.cs +++ b/test/Microsoft.TemplateEngine.Edge.UnitTests/NuGetApiPackageManagerTests.cs @@ -5,6 +5,7 @@ using Microsoft.TemplateEngine.Abstractions; using Microsoft.TemplateEngine.Edge.Installers.NuGet; using Microsoft.TemplateEngine.TestHelper; +using NuGet.Configuration; using Xunit; namespace Microsoft.TemplateEngine.Edge.UnitTests 
@@ -160,5 +161,66 @@ public async Task GetLatestVersion_UnknownPackage() exception.PackageIdentifier.Should().Be("Microsoft.DotNet.NotCommon.ProjectTemplates.5.0"); exception.Message.Should().NotBeNullOrEmpty(); } + + [Fact] + public void RemoveInsecurePackages_AllInsecure() + { + IEngineEnvironmentSettings engineEnvironmentSettings = _environmentSettingsHelper.CreateEnvironment(virtualize: true); + + NuGetApiPackageManager packageManager = new NuGetApiPackageManager(engineEnvironmentSettings); + List allPackages = new List() + { + new PackageSource("http://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json"), + new PackageSource("http://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json"), + new PackageSource("http://pkgs.dev.azure.com/dnceng/public/_packaging/nuget-build/nuget/v3/index.json"), + new PackageSource("http://insecure-feed.org") + }; + var securePackages = packageManager.RemoveInsecurePackages(allPackages); + + securePackages.Should().BeEmpty(); + } + + [Fact] + public void RemoveInsecurePackages_AllSecure() + { + IEngineEnvironmentSettings engineEnvironmentSettings = _environmentSettingsHelper.CreateEnvironment(virtualize: true); + + NuGetApiPackageManager packageManager = new NuGetApiPackageManager(engineEnvironmentSettings); + List allPackages = new List() + { + new PackageSource("https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json"), + new PackageSource("https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json"), + new PackageSource("https://pkgs.dev.azure.com/dnceng/public/_packaging/nuget-build/nuget/v3/index.json") + }; + var securePackages = packageManager.RemoveInsecurePackages(allPackages); + + securePackages.Should().NotBeEmpty(); + Assert.Equal(allPackages, securePackages); + } + + [Fact] + public void RemoveInsecurePackages_Mixed() + { + IEngineEnvironmentSettings engineEnvironmentSettings = 
_environmentSettingsHelper.CreateEnvironment(virtualize: true); + + NuGetApiPackageManager packageManager = new NuGetApiPackageManager(engineEnvironmentSettings); + List allPackages = new List() + { + new PackageSource("https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json"), + new PackageSource("https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json"), + new PackageSource("http://pkgs.dev.azure.com/dnceng/public/_packaging/nuget-build/nuget/v3/index.json"), + new PackageSource("http://insecure-feed.org") + }; + var securePackages = packageManager.RemoveInsecurePackages(allPackages); + + var expectedOutcome = new List() + { + new PackageSource("https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json"), + new PackageSource("https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json") + }; + + securePackages.Should().NotBeEmpty(); + securePackages.Should().Equal(expectedOutcome); + } } }
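Review bot: The three new tests use only `http://` and `https://` URLs, so nothing pins the `else` branch for non-HTTP sources or checks that the warning is logged when sources are dropped. I would add a case with a constructed local-folder source expecting it to be retained, and one asserting that the logger receives the insecure-feed warning in the mixed case. The `force` bypass in DownloadPackageAsync is also untested in this hunk; a test that passes `force: true` with an HTTP-only source list would document that behaviour. On style, `RemoveInsecurePackages_AllSecure` mixes `Assert.Equal` with FluentAssertions while the other tests use `Should().Equal(...)`; pick one. The test class body starts outside the hunk.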