Update auth logic

Motivation:
SwiftPM should support using credentials stored in keychain for binary
download and registry authentication.

Modifications:
- Wire up `KeychainAuthorizationProvider` in `SwiftTool`. Add `--no-keychain` option which allows user to opt-out.
- Update netrc logic to either:
  - Load from a user-defined `.netrc` file
  - Default to `.netrc` file found in current workspace (if any) and/or
    user's home directory.
- Deprecate `Workspace.Configuration.Netrc`

rdar://83682028

Author: yim-lee

Sources/Basics/AuthorizationProvider.swift

@@ -41,7 +41,7 @@ public extension AuthorizationProvider {
     }
 }
 
-extension Foundation.URL {
+private extension Foundation.URL {
     var authenticationID: String? {
         guard let host = host?.lowercased() else {
             return nil

Sources/Commands/Options.swift

@@ -328,6 +328,15 @@ public struct SwiftToolOptions: ParsableArguments {
         help: "Specify the .netrc file path.",
         completion: .file())
     var netrcFilePath: AbsolutePath?
+    
+#if canImport(Security)
+    /// Whether to use keychain for authenticating with remote servers
+    /// when downloading binary artifacts or communicating with a registry.
+    @Flag(inversion: .prefixedNo,
+          exclusivity: .exclusive,
+          help: "Search credentials in OS keychain")
+    var keychain: Bool = true
+#endif
 
     @Flag(name: .customLong("netrc"), help: .hidden)
     var _deprecated_netrc: Bool = false

Sources/Commands/SwiftTool.swift

@@ -1,7 +1,7 @@
 /*
  This source file is part of the Swift.org open source project
 
- Copyright (c) 2014 - 2020 Apple Inc. and the Swift project authors
+ Copyright (c) 2014 - 2021 Apple Inc. and the Swift project authors
  Licensed under Apache License v2.0 with Runtime Library Exception
 
  See http://swift.org/LICENSE.txt for license information
@@ -497,35 +497,58 @@ public class SwiftTool {
 
     func getAuthorizationProvider() throws -> AuthorizationProvider? {
         var providers = [AuthorizationProvider]()
-        // netrc file has higher specificity than keychain so use it first
-        if let workspaceNetrc = try self.getNetrcConfig()?.get() {
-            providers.append(workspaceNetrc)
-        }
 
-        // TODO: add --no-keychain option to allow opt-out
-//#if canImport(Security)
-//        providers.append(KeychainAuthorizationProvider(observabilityScope: self.observabilityScope))
-//#endif
+        // netrc has higher specificity than keychain so use it first
+        try providers.append(contentsOf: self.getNetrcAuthorizationProviders())
+
+#if canImport(Security)
+        if self.options.keychain {
+            providers.append(KeychainAuthorizationProvider(observabilityScope: self.observabilityScope))
+        }
+#endif
 
         return providers.isEmpty ? nil : CompositeAuthorizationProvider(providers, observabilityScope: self.observabilityScope)
     }
 
-    func getNetrcConfig() -> Workspace.Configuration.Netrc? {
-        guard options.netrc else { return nil }
+    func getNetrcAuthorizationProviders() throws -> [NetrcAuthorizationProvider] {
+        guard options.netrc else { return [] }
 
+        var providers = [NetrcAuthorizationProvider]()
+        
+        // Use custom .netrc file if specified, otherwise look for it within workspace and user's home directory.
         if let configuredPath = options.netrcFilePath {
             guard localFileSystem.exists(configuredPath) else {
                 self.observabilityScope.emit(error: "Did not find .netrc file at \(configuredPath).")
-                return nil
+                return providers
             }
 
-            return .init(path: configuredPath, fileSystem: localFileSystem)
+            providers.append(try NetrcAuthorizationProvider(path: configuredPath, fileSystem: localFileSystem))
         } else {
-            let defaultPath = localFileSystem.homeDirectory.appending(component: ".netrc")
-            guard localFileSystem.exists(defaultPath) else { return nil }
+            // User didn't tell us to use these .netrc files so be more lenient with errors
+            func loadNetrcNoThrows(at path: AbsolutePath) -> NetrcAuthorizationProvider? {
+                guard localFileSystem.exists(path) else { return nil }
+                
+                do {
+                    return try NetrcAuthorizationProvider(path: path, fileSystem: localFileSystem)
+                } catch {
+                    self.observabilityScope.emit(warning: "Failed to load .netrc file at \(path). Error: \(error)")
+                    return nil
+                }
+            }
+            
+            // Workspace's .netrc file should be consulted before user-global file
+            if let workspaceNetrcPath = try? Workspace.DefaultLocations.netrcFile(forRootPackage: self.getPackageRoot()),
+               let workspaceNetrcProvider = loadNetrcNoThrows(at: workspaceNetrcPath) {
+                providers.append(workspaceNetrcProvider)
+            }
 
-            return .init(path: defaultPath, fileSystem: localFileSystem)
+            let userNetrcPath = localFileSystem.homeDirectory.appending(component: ".netrc")
+            if let userNetrcProvider = loadNetrcNoThrows(at: userNetrcPath) {
+                providers.append(userNetrcProvider)
+            }
         }
+        
+        return providers
     }
 
     private func getSharedCacheDirectory() throws -> AbsolutePath? {

Sources/PackageCollections/API.swift

@@ -112,7 +112,7 @@ public protocol PackageCollectionsProtocol {
     ///   - reference: The package reference
     ///   - callback: The closure to invoke when result becomes available
     // deprecated 9/21
-    @available(*, deprecated, message: "user getPackageMetadata(identity:) instead")
+    @available(*, deprecated, message: "use getPackageMetadata(identity:) instead")
     func getPackageMetadata(
         _ reference: PackageReference,
         callback: @escaping (Result<PackageCollectionsModel.PackageMetadata, Error>) -> Void
@@ -129,7 +129,7 @@ public protocol PackageCollectionsProtocol {
     ///                  processed collection will be used.
     ///   - callback: The closure to invoke when result becomes available
     // deprecated 9/21
-    @available(*, deprecated, message: "user getPackageMetadata(identity:) instead")
+    @available(*, deprecated, message: "use getPackageMetadata(identity:) instead")
     func getPackageMetadata(
         _ reference: PackageReference,
         collections: Set<PackageCollectionsModel.CollectionIdentifier>?,

Sources/Workspace/WorkspaceConfiguration.swift

@@ -156,6 +156,10 @@ extension Workspace {
         public static func registriesConfigurationFile(at path: AbsolutePath) -> AbsolutePath {
             path.appending(component: "registries.json")
         }
+        
+        public static func netrcFile(forRootPackage rootPath: AbsolutePath) -> AbsolutePath {
+            rootPath.appending(component: ".netrc")
+        }
 
         public static func manifestsDirectory(at path: AbsolutePath) -> AbsolutePath {
             path.appending(component: "manifests")
@@ -346,6 +350,7 @@ extension Workspace.Configuration {
 // MARK: - Authentication
 
 extension Workspace.Configuration {
+    @available(*, deprecated, message: "Use NetrcAuthorizationProvider instead")
     public struct Netrc {
         private let path: AbsolutePath
         private let fileSystem: FileSystem

Tests/CommandsTests/RunToolTests.swift

@@ -37,7 +37,7 @@ final class RunToolTests: XCTestCase {
         XCTAssert(stdout.contains("Swift Package Manager"), "got stdout:\n" + stdout)
     }
 
-    func testUnkownProductAndArgumentPassing() throws {
+    func testUnknownProductAndArgumentPassing() throws {
         fixture(name: "Miscellaneous/EchoExecutable") { path in
 
             let result = try SwiftPMProduct.SwiftRun.executeProcess(