Preliminary support for HTTP_AUTH.

apko/private/apk.bzl

@@ -6,7 +6,7 @@ load(":util.bzl", "util")
 APK_IMPORT_TMPL = """\
 # Generated by apk_import. DO NOT EDIT
 filegroup(
-    name = "all", 
+    name = "all",
     srcs = glob(
         ["**/*.tar.gz", "**/*.apk"],
         allow_empty = True,
@@ -15,6 +15,29 @@ filegroup(
 )
 """
 
+def _auth(rctx, url):
+    if "HTTP_AUTH" not in rctx.os.environ:
+        return {}
+    http_auth = rctx.os.environ["HTTP_AUTH"]
+
+    parts = http_auth.split(":", 3)
+    if len(parts) != 4:
+        fail("malformed HTTP_AUTH environment variable wanted basic:REALM:USER:PASSWORD, but got {} parts", len(parts))
+
+    if parts[0].lower() != "basic":
+        fail("malformed HTTP_AUTH environment variable wanted basic:REALM:USER:PASSWORD, but got {} for first part", parts[0])
+
+    if not url.startswith("https://{}".format(parts[1])):
+        return {}
+
+    return {
+        url: {
+            "type": "basic",
+            "login": parts[2],
+            "password": parts[3],
+        },
+    }
+
 def _range(url, range):
     return "{}#_apk_range_{}".format(url, range.replace("=", "_"))
 
@@ -36,10 +59,10 @@ def _check_initial_setup(rctx):
     if bytes[0] != "1":
         fail("""
 
-‼️ We encountered an issue with your current configuration that prevents partial package fetching during downloads. 
+‼️ We encountered an issue with your current configuration that prevents partial package fetching during downloads.
 
 This may indicate either a misconfiguration or that the initial setup hasn't been performed correctly.
-To resolve this issue and enable partial package fetching, please follow the step-by-step instructions in our documentation. 
+To resolve this issue and enable partial package fetching, please follow the step-by-step instructions in our documentation.
 
 📚 Documentation: https://github.com/chainguard-dev/rules_apko/blob/main/docs/initial-setup.md
 
@@ -50,11 +73,13 @@ def _download(rctx, url, rng, **kwargs):
         return rctx.download(
             url = [url],
             headers = {"Range": [rng]},
+            auth = _auth(rctx, url),
             **kwargs
         )
     else:
         return rctx.download(
             url = [_range(url, rng)],
+            auth = _auth(rctx, url),
             **kwargs
         )
 
@@ -123,7 +148,7 @@ apk_import = repository_rule(
 APK_REPOSITORY_TMPL = """\
 # Generated by apk_repository. DO NOT EDIT
 filegroup(
-    name = "index", 
+    name = "index",
     srcs = glob(["**/APKINDEX/*.tar.gz"]),
     visibility = ["//visibility:public"]
 )
@@ -135,6 +160,7 @@ def _apk_repository_impl(rctx):
     _check_initial_setup(rctx)
     rctx.download(
         url = [rctx.attr.url],
+        auth = _auth(rctx, rctx.attr.url),
         output = "{}/{}/APKINDEX/latest.tar.gz".format(repo_escaped, rctx.attr.architecture),
     )
     rctx.file("BUILD.bazel", APK_REPOSITORY_TMPL)
@@ -150,7 +176,7 @@ apk_repository = repository_rule(
 APK_KEYRING_TMPL = """\
 # Generated by apk_import. DO NOT EDIT
 filegroup(
-    name = "keyring", 
+    name = "keyring",
     srcs = ["{public_key}"],
     visibility = ["//visibility:public"]
 )
@@ -177,7 +203,7 @@ def _cachePathFromURL(url):
 
 def _apk_keyring_impl(rctx):
     public_key = _cachePathFromURL(rctx.attr.url)
-    rctx.download(url = [rctx.attr.url], output = public_key)
+    rctx.download(url = [rctx.attr.url], output = public_key, auth = _auth(rctx, rctx.attr.url))
     rctx.file("BUILD.bazel", APK_KEYRING_TMPL.format(public_key = public_key))
 
 apk_keyring = repository_rule(