NotificationsYou must be signed in to change notification settings
Fork3.1k
Star9.7k

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

WIP: Fix - Cannot access private repository using token#6795

Closed

booleand wants to merge4 commits intopypa:masterfrombooleand:fix-auth-single-cred

Closed

WIP: Fix - Cannot access private repository using token#6795

booleand wants to merge4 commits intopypa:masterfrombooleand:fix-auth-single-cred

Conversation

Copy link

booleand commentedJul 27, 2019

This PR addresses a potential bug from 19.2 as discussedhere.

Embedding a token in anindex_url is not working.

For example:

pip install SomeProject --index-url="https://TOKEN@some.where/somerepo/"

throws an exception:pip._internal.exceptions.DistributionNotFound

Any guidance/feedback would be appreciated!

Fix - Send authorization when index_url contains single credential

d07b7a3

booleand mentioned this pull request

Jul 27, 2019

Index URLs containing unescaped "@" in username cause "Failed to parse" error in pip 19.2#6775

Closed

Add news entry for bugfix

2cd6f7a

Copy link

Member

chrahunt commentedJul 27, 2019

Resolves#6796.

cjerdonek reviewed

Jul 27, 2019

View reviewed changes

src/pip/_internal/download.pyShow resolvedHide resolved

Copy link

Member

pradyunsg commentedJul 27, 2019

/cc@zooba since this was modified last in the keyring PR, which is what git bisect points to as well.

moseshassan added2 commits

July 28, 2019 00:17

Convert Nonetype arguments to string before calling HTTPBasicAuth

1fa49ef

This is for forward compatibility with requests 3.0.0(see Line 28 in2e51624)

Removed inline comment

f46b7bb

Copy link

Author

booleand commentedJul 28, 2019

Potential test case

def test_get_single_credential():    auth = MultiDomainBasicAuth()    get = auth._get_url_and_credentials    assert get("http://token@example.com/path") \        == ('http://example.com/path', 'token', None)    assert auth.passwords['example.com'] == ('token', None)

To place in:

pip/tests/unit/test_download.py

Line 493 in2cd26a2

deftest_get_credentials():

pradyunsg mentioned this pull request

Jul 29, 2019

pip >=19.2 cannot install packages via custom URLs with "one element" auth#6796

Closed

Copy link

Contributor

zooba commentedJul 29, 2019

ConvertingNone to"" sounds reasonable to me. Though there may also be issues with the caching if we parse"" out of a URL but are expecting/looking forNone.

I've paged all of this code out of my head already, I'm afraid, so without going through and relearning it I can't really offer much help, sorry :)

Copy link

Member

pradyunsg commentedJul 30, 2019

Hehe. No worries@zooba! Thanks for chiming in.

I'm hoping I'll be able to make time to look into this today or tomorrow.

pradyunsg added the type: bugfix label

Jul 30, 2019

Copy link

Member

pradyunsg commentedJul 30, 2019

@booleand Would you mind if I pick this up from here?

Copy link

Author

booleand commentedJul 30, 2019•
edited
Loading

@booleand Would you mind if I pick this up from here?

@pradyunsg OK

Just want to mention a few things:

Need to consider which conditional to use on this line as the behavior will be different:

pip/src/pip/_internal/download.py

Line 317 inf46b7bb

ifusernameisNoneandpasswordisNone:

I suspect there may be edge cases which will result in unexpected behavior. In particular when multiple calls are being made to aMultiDomainBasicAuth object.

Here is a summary of changes inMultiDomainBasicAuth:

_get_new_credentials now returns ausername even if itdoesn't locate a password.
_get_url_and_credentials calls_get_new_credentialsonly when bothusername andpassword are empty. Though this may need to be reconsidered depending on requirements.
_get_url_and_credentials storesusername and/orpassword wheneither is found.
__call__ now instantiates and calls aHTTPBasicAuth wheneitherusername orpassword is present. It also converts anyNoneTypes to an empty string.

Here is a potential test case forMultiDomainBasicAuth.__call__ :

def test_basic_auth_with_url_embedded_token():    with patch.object(pip._internal.download.HTTPBasicAuth, '__call__') as mock_auth:        auth = MultiDomainBasicAuth()        req = MockRequest("http://token@example.com/path")        auth(req)    assert mock_auth.called_with('token', '')

pradyunsg mentioned this pull request

Jul 30, 2019

Fix handling of tokens (single part credentials) in URLs#6818

Merged

Copy link

Member

pradyunsg commentedJul 30, 2019

Thanks@booleand!

consider which conditional to use on this line

I decided to preserve that conditional as is, and modified what_get_url_and_credentials would return. The guard, as it stands, seems to be correct to me.