[7.2.0] Fix getting authentication for URLs in http repo rules (#22583)

- Fixed the leak of `remote_patches` URLs for downloaded the source
archive.
- Compute auth for required URLs only

Fixes https://github.com/bazelbuild/bazel/issues/22201

Closes #22517.

PiperOrigin-RevId: 638300996
Change-Id: Ib76e3284f209d2314844cfd662ac8eadba785fae

Commit
https://github.com/bazelbuild/bazel/commit/5986420a3a5ce3493c50d733618649246a7e8651

Co-authored-by: Yun Peng <pcloudy@google.com>
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
index b4c5a31..959e7f7 100644
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -2767,7 +2767,7 @@
   "moduleExtensions": {
     "//:extensions.bzl%bazel_android_deps": {
       "general": {
-        "bzlTransitiveDigest": "kGK7vQSUnYTiX5+yCN3M8Mdy5PtT3d9zz8C7MpetGCk=",
+        "bzlTransitiveDigest": "fsj2Y0/OdubiefV/mXYFaPLbTvxWyuGu7Pp/xcVMWBE=",
         "recordedFileInputs": {},
         "recordedDirentsInputs": {},
         "envVariables": {},
@@ -2923,10 +2923,10 @@
     },
     "//:extensions.bzl%bazel_build_deps": {
       "general": {
-        "bzlTransitiveDigest": "kGK7vQSUnYTiX5+yCN3M8Mdy5PtT3d9zz8C7MpetGCk=",
+        "bzlTransitiveDigest": "fsj2Y0/OdubiefV/mXYFaPLbTvxWyuGu7Pp/xcVMWBE=",
         "recordedFileInputs": {
           "@@//MODULE.bazel": "ebb77f16d8f0a7ce4dfb1163ac6552073681a6fd506bd703e11bd435fa5badf5",
-          "@@//src/test/tools/bzlmod/MODULE.bazel.lock": "25e5660da3f92a92d560a450ef453fb64629795bf24613286c52f2da529adfd1"
+          "@@//src/test/tools/bzlmod/MODULE.bazel.lock": "828ca18c55ab0580454760a1a8b00d414057233329bd7a44c31e477cdaa56d81"
         },
         "recordedDirentsInputs": {},
         "envVariables": {},
@@ -3317,7 +3317,7 @@
     },
     "//:extensions.bzl%bazel_test_deps": {
       "general": {
-        "bzlTransitiveDigest": "kGK7vQSUnYTiX5+yCN3M8Mdy5PtT3d9zz8C7MpetGCk=",
+        "bzlTransitiveDigest": "fsj2Y0/OdubiefV/mXYFaPLbTvxWyuGu7Pp/xcVMWBE=",
         "recordedFileInputs": {},
         "recordedDirentsInputs": {},
         "envVariables": {},
diff --git a/src/test/tools/bzlmod/MODULE.bazel.lock b/src/test/tools/bzlmod/MODULE.bazel.lock
index da7cc57..552c9be 100644
--- a/src/test/tools/bzlmod/MODULE.bazel.lock
+++ b/src/test/tools/bzlmod/MODULE.bazel.lock
@@ -108,7 +108,7 @@
     },
     "@@rules_jvm_external~//:extensions.bzl%maven": {
       "general": {
-        "bzlTransitiveDigest": "SLfIGbNRszU0h8ge0IMO3/eI3rU4GFZKXkA2TRilJmw=",
+        "bzlTransitiveDigest": "06WDcwoMOciaDDX09JBCxhi9KiKFGUIcXpQjCSle5AE=",
         "usagesDigest": "UPebZtX4g40+QepdK3oMHged0o0tq6ojKbW84wE6XRA=",
         "recordedFileInputs": {
           "@@rules_jvm_external~//rules_jvm_external_deps_install.json": "10442a5ae27d9ff4c2003e5ab71643bf0d8b48dcf968b4173fa274c3232a8c06"
@@ -1132,7 +1132,7 @@
     },
     "@@rules_jvm_external~//:non-module-deps.bzl%non_module_deps": {
       "general": {
-        "bzlTransitiveDigest": "oHEz4DXnwk2aTh/PnIWUE3E1lOge1JPTJOlZOSOr3wI=",
+        "bzlTransitiveDigest": "l6SlNloqPvd60dcuPdWiJNi3g3jfK76fcZc0i/Yr0dQ=",
         "usagesDigest": "bTG4ItERqhG1LeSs62hQ01DiMarFsflWgpZaghM5qik=",
         "recordedFileInputs": {},
         "recordedDirentsInputs": {},
@@ -1160,7 +1160,7 @@
     },
     "@@rules_python~//python/extensions:python.bzl%python": {
       "general": {
-        "bzlTransitiveDigest": "8RLGOLaDCviFdE0nDT5TmqaQd1w6Cm2OXWVzHbcIcxQ=",
+        "bzlTransitiveDigest": "GnREFVYskmF5MZu1H3nyqMWFZ2U/bty7gcbHX+l45kY=",
         "usagesDigest": "7vjNHuEgQORYN9+9/77Q4zw1kawobM2oCQb9p0uhL68=",
         "recordedFileInputs": {},
         "recordedDirentsInputs": {},
@@ -1190,7 +1190,7 @@
     },
     "@@rules_python~//python/extensions/private:internal_deps.bzl%internal_deps": {
       "general": {
-        "bzlTransitiveDigest": "Vndk0q54LA1/G79/d/uCtAGxXLCTRbSCHJiWlL/cQos=",
+        "bzlTransitiveDigest": "PiT9IOA5dSBSmnfZRUrvgo71zttPpvs3cNPbxftlChs=",
         "usagesDigest": "b+nMDqtqPCBxiMBewNNde3aNjzKqZyvJuN5/49xB62s=",
         "recordedFileInputs": {},
         "recordedDirentsInputs": {},
diff --git a/tools/build_defs/repo/http.bzl b/tools/build_defs/repo/http.bzl
index f08019c..ebb01b4 100644
--- a/tools/build_defs/repo/http.bzl
+++ b/tools/build_defs/repo/http.bzl
@@ -70,22 +70,19 @@
 URLs are tried in order until one succeeds, so you should list local mirrors first.
 If all downloads fail, the rule will fail."""
 
-def _get_all_urls(ctx):
-    """Returns all urls provided via the url, urls and remote_patches attributes.
+def _get_source_urls(ctx):
+    """Returns source urls provided via the url, urls attributes.
 
     Also checks that at least one url is provided."""
     if not ctx.attr.url and not ctx.attr.urls:
         fail("At least one of url and urls must be provided")
 
-    all_urls = []
+    source_urls = []
     if ctx.attr.urls:
-        all_urls = ctx.attr.urls
+        source_urls = ctx.attr.urls
     if ctx.attr.url:
-        all_urls = [ctx.attr.url] + all_urls
-    if hasattr(ctx.attr, "remote_patches") and ctx.attr.remote_patches:
-        all_urls = all_urls + ctx.attr.remote_patches.keys()
-
-    return all_urls
+        source_urls = [ctx.attr.url] + source_urls
+    return source_urls
 
 _AUTH_PATTERN_DOC = """An optional dict mapping host names to custom authorization patterns.
 
@@ -130,25 +127,21 @@
     if ctx.attr.build_file and ctx.attr.build_file_content:
         fail("Only one of build_file and build_file_content can be provided.")
 
-    all_urls = _get_all_urls(ctx)
-    auth = get_auth(ctx, all_urls)
-
+    source_urls = _get_source_urls(ctx)
     download_info = ctx.download_and_extract(
-        # TODO(fzakaria): all_urls here has the remote_patch URL which is incorrect
-        # I believe this to be a file
-        all_urls,
+        source_urls,
         ctx.attr.add_prefix,
         ctx.attr.sha256,
         ctx.attr.type,
         ctx.attr.strip_prefix,
-        canonical_id = ctx.attr.canonical_id or get_default_canonical_id(ctx, all_urls),
-        auth = auth,
+        canonical_id = ctx.attr.canonical_id or get_default_canonical_id(ctx, source_urls),
+        auth = get_auth(ctx, source_urls),
         integrity = ctx.attr.integrity,
     )
     workspace_and_buildfile(ctx)
 
-    download_remote_files(ctx, auth = auth)
-    patch(ctx, auth = auth)
+    download_remote_files(ctx)
+    patch(ctx)
 
     return _update_integrity_attr(ctx, _http_archive_attrs, download_info)
 
@@ -176,15 +169,14 @@
     download_path = ctx.path("file/" + downloaded_file_path)
     if download_path in forbidden_files or not str(download_path).startswith(str(repo_root)):
         fail("'%s' cannot be used as downloaded_file_path in http_file" % ctx.attr.downloaded_file_path)
-    all_urls = _get_all_urls(ctx)
-    auth = get_auth(ctx, all_urls)
+    source_urls = _get_source_urls(ctx)
     download_info = ctx.download(
-        all_urls,
+        source_urls,
         "file/" + downloaded_file_path,
         ctx.attr.sha256,
         ctx.attr.executable,
-        canonical_id = ctx.attr.canonical_id or get_default_canonical_id(ctx, all_urls),
-        auth = auth,
+        canonical_id = ctx.attr.canonical_id or get_default_canonical_id(ctx, source_urls),
+        auth = get_auth(ctx, source_urls),
         integrity = ctx.attr.integrity,
     )
     ctx.file("WORKSPACE", "workspace(name = \"{name}\")".format(name = ctx.name))
@@ -211,15 +203,14 @@
 
 def _http_jar_impl(ctx):
     """Implementation of the http_jar rule."""
-    all_urls = _get_all_urls(ctx)
-    auth = get_auth(ctx, all_urls)
+    source_urls = _get_source_urls(ctx)
     downloaded_file_name = ctx.attr.downloaded_file_name
     download_info = ctx.download(
-        all_urls,
+        source_urls,
         "jar/" + downloaded_file_name,
         ctx.attr.sha256,
-        canonical_id = ctx.attr.canonical_id or get_default_canonical_id(ctx, all_urls),
-        auth = auth,
+        canonical_id = ctx.attr.canonical_id or get_default_canonical_id(ctx, source_urls),
+        auth = get_auth(ctx, source_urls),
         integrity = ctx.attr.integrity,
     )
     ctx.file("WORKSPACE", "workspace(name = \"{name}\")".format(name = ctx.name))
diff --git a/tools/build_defs/repo/utils.bzl b/tools/build_defs/repo/utils.bzl
index 9620853..9544207 100644
--- a/tools/build_defs/repo/utils.bzl
+++ b/tools/build_defs/repo/utils.bzl
@@ -79,14 +79,14 @@
             return False
     return True
 
-def _download_patch(ctx, patch_url, integrity, auth):
+def _download_patch(ctx, patch_url, integrity, auth = None):
     name = patch_url.split("/")[-1]
     patch_path = ctx.path(_REMOTE_PATCH_DIR).get_child(name)
     ctx.download(
         patch_url,
         patch_path,
         canonical_id = ctx.attr.canonical_id,
-        auth = auth,
+        auth = get_auth(ctx, [patch_url]) if auth == None else auth,
         integrity = integrity,
     )
     return patch_path
@@ -108,7 +108,7 @@
             remote_file_urls,
             path,
             canonical_id = ctx.attr.canonical_id,
-            auth = auth,
+            auth = get_auth(ctx, remote_file_urls) if auth == None else auth,
             integrity = ctx.attr.remote_file_integrity.get(path, ""),
             block = False,
         )