fix: enforce ARTIFACTORY_ONLY for virtual package types#418
Merged
danielmeppiel merged 2 commits into microsoft:main (Mar 23, 2026)
Pull request overview
This PR closes an enforcement gap where ARTIFACTORY_ONLY=1 did not block virtual package types (file/collection/subdirectory), allowing unintended direct GitHub access in proxy-only or air-gapped environments.
Changes:
- Add an ARTIFACTORY_ONLY/proxy guard to the virtual-package dispatch path in GitHubPackageDownloader.download_package().
- Add unit tests intended to cover virtual-package behavior under ARTIFACTORY_ONLY.
- Add a CHANGELOG.md entry describing the fix.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/apm_cli/deps/github_downloader.py | Adds a shared guard to prevent virtual packages from bypassing Artifactory-only mode. |
| tests/unit/test_artifactory_support.py | Adds tests for virtual package errors under ARTIFACTORY_ONLY and intended explicit-FQDN bypass cases. |
| CHANGELOG.md | Documents the enforcement fix under [Unreleased]. |
Virtual file, collection, and subdirectory packages now respect ARTIFACTORY_ONLY=1. Previously only the primary zip-archive download path enforced the proxy-only guard; virtual packages could bypass it and reach GitHub directly in air-gapped or proxy-only environments.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

84942a3 to 94b0c7f
danielmeppiel approved these changes, Mar 23, 2026
Problem

ARTIFACTORY_ONLY=1 was only guarded on the main zip-archive download path. Virtual package types (file, collection, subdirectory) had no guard — they would silently bypass the proxy restriction and reach GitHub directly in air-gapped or proxy-only environments.

Fix

Hoist a single shared guard above the virtual-type dispatch:

This replaces three copy-pasted per-type guards (one of which was also missing the not dep_ref.is_artifactory() bypass for explicit FQDN refs).

Behaviour matrix after fix:

| Condition | Result |
|---|---|
| ARTIFACTORY_ONLY=0, any dep | |
| ARTIFACTORY_ONLY=1 + proxy URL set, file/collection | download_raw_file (proxy handled internally) |
| ARTIFACTORY_ONLY=1 + proxy URL set, subdirectory | _download_subdirectory_from_artifactory |
| ARTIFACTORY_ONLY=1 + no proxy, file/collection | RuntimeError |
| ARTIFACTORY_ONLY=1 + no proxy, subdirectory | RuntimeError |
| ARTIFACTORY_ONLY=1, explicit Artifactory FQDN, any type | not blocked |
Tests

5 new unit tests in TestArtifactoryOnlyMode:
- test_virtual_{file,collection,subdirectory}_errors_without_base_url — each raises when no proxy is configured
- test_explicit_artifactory_fqdn_virtual_{file,collection}_passes — explicit FQDN refs are not blocked

Split from #401 — this fix is self-contained with no architectural dependencies.
🤖 Generated with Claude Code
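As an added illustration of the single hoisted guard that the PR description and the Copilot overview above describe, the model below encodes the behaviour matrix in runnable form. This is example code written for this page, not apm-cli's own downloader: DepRef, route_virtual_package, proxy_base_url, the "<type>_dispatch" route names and the artifactory.example.com hostname are constructed stand-ins, and the is_artifactory() heuristic is a deliberate simplification of whatever the real dep_ref does.

```python
"""Model of a shared ARTIFACTORY_ONLY guard above the virtual-type dispatch.

Added example for this page; not apm-cli's code. DepRef, route_virtual_package,
proxy_base_url and the route names are hypothetical stand-ins.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

VIRTUAL_TYPES = ("file", "collection", "subdirectory")


@dataclass(frozen=True)
class DepRef:
    """Hypothetical dependency reference: host plus an owner/repo path."""
    host: str
    path: str

    def is_artifactory(self) -> bool:
        # Assumption/simplification: any host other than github.com is taken to be an
        # Artifactory FQDN the user named explicitly, so the guard lets it through.
        return self.host.lower() != "github.com"


def artifactory_only_enabled(env: Mapping[str, str]) -> bool:
    """ARTIFACTORY_ONLY=1 switches proxy-only mode on; anything else leaves it off."""
    return env.get("ARTIFACTORY_ONLY", "0").strip() == "1"


def route_virtual_package(dep_ref: DepRef, package_type: str,
                          env: Mapping[str, str],
                          proxy_base_url: Optional[str]) -> str:
    """Return the name of the fetch path a virtual package takes, or refuse.

    One guard sits above the per-type dispatch, so file, collection and
    subdirectory packages are all covered by the same rule instead of three
    copy-pasted checks that can drift apart.
    """
    if package_type not in VIRTUAL_TYPES:
        raise ValueError(f"not a virtual package type: {package_type!r}")

    # The shared guard. Explicit Artifactory refs are exempt: they already point
    # at the proxy, so there is no direct GitHub access to prevent.
    if artifactory_only_enabled(env) and not dep_ref.is_artifactory():
        if not proxy_base_url:
            raise RuntimeError(
                "ARTIFACTORY_ONLY=1 but no Artifactory proxy URL is configured; "
                f"refusing to fetch {package_type} package {dep_ref.path} from GitHub"
            )
        # Proxy-backed per-type dispatch (names taken from the PR's matrix).
        if package_type == "subdirectory":
            return "_download_subdirectory_from_artifactory"
        return "download_raw_file"  # handles the proxy internally for file/collection

    # Guard not triggered: ordinary per-type dispatch (hypothetical route name).
    return f"{package_type}_dispatch"


def behaviour_matrix() -> Dict[str, str]:
    """Evaluate every row of the PR's behaviour matrix with constructed inputs."""
    github_ref = DepRef("github.com", "owner/repo")                # constructed
    fqdn_ref = DepRef("artifactory.example.com", "owner/repo")     # constructed
    proxy = "https://artifactory.example.com/artifactory"          # constructed
    on, off = {"ARTIFACTORY_ONLY": "1"}, {"ARTIFACTORY_ONLY": "0"}

    def outcome(ref: DepRef, ptype: str, env: Mapping[str, str],
                proxy_url: Optional[str]) -> str:
        try:
            return route_virtual_package(ref, ptype, env, proxy_url)
        except RuntimeError:
            return "RuntimeError"

    return {
        "off/file": outcome(github_ref, "file", off, None),
        "on/proxy/file": outcome(github_ref, "file", on, proxy),
        "on/proxy/collection": outcome(github_ref, "collection", on, proxy),
        "on/proxy/subdirectory": outcome(github_ref, "subdirectory", on, proxy),
        "on/no-proxy/file": outcome(github_ref, "file", on, None),
        "on/no-proxy/subdirectory": outcome(github_ref, "subdirectory", on, None),
        "on/fqdn/file": outcome(fqdn_ref, "file", on, None),
    }


if __name__ == "__main__":
    for row, result in behaviour_matrix().items():
        print(f"{row:26s} -> {result}")
```

Keeping the guard in one place is what makes the matrix auditable: a test per row pins the refusal cases, and the explicit-FQDN exemption cannot be forgotten for one type because there is only one place it could be omitted.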