From 2f35e1ef6bbae4a63b1db20b30942b9d066f9e73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eric=20Meadows-J=C3=B6nsson?=
 <eric.meadows.jonsson@gmail.com>
Date: Thu, 2 Feb 2023 02:05:09 +0100
Subject: [PATCH] Fix trust lookup for organizations

---
 lib/hex/config.ex      |  4 ++--
 lib/hex/repo.ex        | 35 ++++++++++++++++++++---------------
 test/hex/repo_test.exs | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 17 deletions(-)

diff --git a/lib/hex/config.ex b/lib/hex/config.ex
index f1ddad35..62a46766 100644
--- a/lib/hex/config.ex
+++ b/lib/hex/config.ex
@@ -104,8 +104,8 @@ defmodule Hex.Config do
     term
   end
 
-  def read_repos(config, repos_key \\ Hex.State.fetch!(:repos_key)) do
-    hexpm = Hex.Repo.default_hexpm_repo(repos_key)
+  def read_repos(config, repo_key) do
+    hexpm = Hex.Repo.nostate_default_hexpm_repo(repo_key)
 
     (config[:"$repos"] || %{})
     |> Hex.Repo.merge_hexpm(hexpm)
diff --git a/lib/hex/repo.ex b/lib/hex/repo.ex
index 3dc48062..d5612cbe 100644
--- a/lib/hex/repo.ex
+++ b/lib/hex/repo.ex
@@ -23,21 +23,14 @@ defmodule Hex.Repo do
 
     case Map.fetch(repos, repo) do
       {:ok, config} when repo == "hexpm" ->
-        trusted_mirror_url = Hex.State.fetch!(:trusted_mirror_url)
-        mirror_url = Hex.State.fetch!(:mirror_url)
-
-        config =
-          config
-          |> Map.put(:url, trusted_mirror_url || mirror_url || config.url)
-          |> Map.put(:trusted, trusted_mirror_url != nil or mirror_url == nil)
-
-        {:ok, config}
+        hexpm = default_hexpm_repo()
+        {:ok, %{config | url: hexpm.url || config.url, trusted: hexpm.trusted}}
 
       {:ok, config} ->
         {:ok, config}
 
       :error ->
-        fetch_organization_fallback(repo, repos)
+        fetch_organization_fallback(repo)
     end
   end
 
@@ -51,7 +44,7 @@ defmodule Hex.Repo do
     end
   end
 
-  def default_organization(source, repo, name) do
+  defp default_organization(source, repo, name) do
     url = merge_values(Map.get(repo, :url), source.url <> "/repos/#{name}")
     public_key = merge_values(Map.get(repo, :public_key), source.public_key)
     auth_key = merge_values(Map.get(repo, :auth_key), source.auth_key)
@@ -60,10 +53,22 @@ defmodule Hex.Repo do
     |> Map.put(:url, url)
     |> Map.put(:public_key, public_key)
     |> Map.put(:auth_key, auth_key)
-    |> Map.put(:trusted, auth_key)
+    |> Map.put(:trusted, Map.has_key?(repo, :auth_key) or source.trusted)
+  end
+
+  def default_hexpm_repo() do
+    trusted_mirror_url = Hex.State.fetch!(:trusted_mirror_url)
+    mirror_url = Hex.State.fetch!(:mirror_url)
+
+    %{
+      url: trusted_mirror_url || mirror_url,
+      public_key: @hexpm_public_key,
+      auth_key: nil,
+      trusted: trusted_mirror_url != nil or mirror_url == nil
+    }
   end
 
-  def default_hexpm_repo(auth_key \\ Hex.State.fetch!(:repos_key)) do
+  def nostate_default_hexpm_repo(auth_key) do
     %{
       url: @hexpm_url,
       public_key: @hexpm_public_key,
@@ -72,10 +77,10 @@ defmodule Hex.Repo do
     }
   end
 
-  defp fetch_organization_fallback(repo, repos) do
+  defp fetch_organization_fallback(repo) do
     case String.split(repo, ":", parts: 2) do
       [source, organization] ->
-        source = Map.fetch!(repos, source)
+        {:ok, source} = fetch_repo(source)
         {:ok, default_organization(source, %{}, organization)}
 
       _ ->
diff --git a/test/hex/repo_test.exs b/test/hex/repo_test.exs
index 5db31de8..04ec551f 100644
--- a/test/hex/repo_test.exs
+++ b/test/hex/repo_test.exs
@@ -71,4 +71,39 @@ defmodule Hex.RepoTest do
     config = %{url: "http://localhost:#{bypass.port}/not_found", auth_key: "key", trusted: false}
     assert {:ok, {404, "not found", _}} = Hex.Repo.get_public_key(config)
   end
+
+  test "fetch_repo/1" do
+    assert {:ok,
+            %{auth_key: nil, public_key: _, trusted: true, url: "http://localhost:4043/repo"}} =
+             Hex.Repo.fetch_repo("hexpm")
+
+    assert {:ok,
+            %{
+              auth_key: nil,
+              public_key: _,
+              trusted: true,
+              url: "http://localhost:4043/repo/repos/acme"
+            }} = Hex.Repo.fetch_repo("hexpm:acme")
+
+    assert Hex.Repo.fetch_repo("foo") == :error
+
+    Hex.State.put(:trusted_mirror_url, "http://example.com")
+
+    assert {:ok, %{auth_key: nil, public_key: _, trusted: true, url: "http://example.com"}} =
+             Hex.Repo.fetch_repo("hexpm")
+
+    assert {:ok,
+            %{auth_key: nil, public_key: _, trusted: true, url: "http://example.com/repos/acme"}} =
+             Hex.Repo.fetch_repo("hexpm:acme")
+
+    Hex.State.put(:trusted_mirror_url, nil)
+    Hex.State.put(:mirror_url, "http://example.com")
+
+    assert {:ok, %{auth_key: nil, public_key: _, trusted: false, url: "http://example.com"}} =
+             Hex.Repo.fetch_repo("hexpm")
+
+    assert {:ok,
+            %{auth_key: nil, public_key: _, trusted: false, url: "http://example.com/repos/acme"}} =
+             Hex.Repo.fetch_repo("hexpm:acme")
+  end
 end