From 552c75cf49fc6b7fae6bd0b6335cadcc30acd7df Mon Sep 17 00:00:00 2001 From: Charlie Marsh Date: Mon, 5 Aug 2024 22:54:18 -0400 Subject: [PATCH] Redact registry credentials in lockfile (#5803) ## Summary Okay, I tested this against... - Our public "private" proxy - Fury - AWS CodeArtifact - Azure Artifacts It took a long time. All of them work as expected with this approach: we omit the credentials from the lockfile, then wire them back up when the index URL is provided during subsequent operations. Closes https://github.com/astral-sh/uv/issues/5119. --- crates/uv-resolver/src/lock.rs | 17 +++++- crates/uv/tests/lock.rs | 101 +++++++++++++++++++++++++++++++++ 2 files changed, 115 insertions(+), 3 deletions(-) diff --git a/crates/uv-resolver/src/lock.rs b/crates/uv-resolver/src/lock.rs index 242aec01075b..978b7465c7b5 100644 --- a/crates/uv-resolver/src/lock.rs +++ b/crates/uv-resolver/src/lock.rs @@ -1470,14 +1470,25 @@ impl Source { } fn from_index_url(index_url: &IndexUrl) -> Source { + /// Redact a URL by removing any username and password. + fn redact(mut url: Url) -> Result { + url.set_username("")?; + url.set_password(None)?; + Ok(url) + } + match *index_url { - IndexUrl::Pypi(ref verbatim_url) => Source::Registry(verbatim_url.to_url()), - IndexUrl::Url(ref verbatim_url) => Source::Registry(verbatim_url.to_url()), + IndexUrl::Pypi(ref verbatim_url) => { + Source::Registry(redact(verbatim_url.to_url()).expect("Could not redact URL")) + } + IndexUrl::Url(ref verbatim_url) => { + Source::Registry(redact(verbatim_url.to_url()).expect("Could not redact URL")) + } // TODO(konsti): Retain path on index url without converting to URL. IndexUrl::Path(ref verbatim_url) => Source::Path( verbatim_url .to_file_path() - .expect("Could not convert index url to path"), + .expect("Could not convert index URL to path"), ), } } diff --git a/crates/uv/tests/lock.rs b/crates/uv/tests/lock.rs index ebdd41718976..af577bcb9103 100644 --- a/crates/uv/tests/lock.rs +++ b/crates/uv/tests/lock.rs @@ -4391,3 +4391,104 @@ fn lock_dev_transitive() -> Result<()> { Ok(()) } + +/// Avoid persisting credentials in `uv.lock`. +#[test] +fn lock_redact() -> Result<()> { + let context = TestContext::new("3.12"); + + let pyproject_toml = context.temp_dir.child("pyproject.toml"); + pyproject_toml.write_str( + r#" + [project] + name = "foo" + version = "0.1.0" + requires-python = ">=3.12" + dependencies = ["iniconfig"] + "#, + )?; + + uv_snapshot!(context.filters(), context.lock().arg("--index-url").arg("https://public:heron@pypi-proxy.fly.dev/basic-auth/simple").current_dir(&context.temp_dir), @r###" + success: true + exit_code: 0 + ----- stdout ----- + + ----- stderr ----- + warning: `uv lock` is experimental and may change without warning + Resolved 2 packages in [TIME] + "###); + + let lock = fs_err::read_to_string(context.temp_dir.join("uv.lock")).unwrap(); + + // The lockfile shout omit the credentials. + insta::with_settings!({ + filters => context.filters(), + }, { + assert_snapshot!( + lock, @r###" + version = 1 + requires-python = ">=3.12" + exclude-newer = "2024-03-25 00:00:00 UTC" + + [[distribution]] + name = "foo" + version = "0.1.0" + source = { editable = "." } + dependencies = [ + { name = "iniconfig" }, + ] + + [[distribution]] + name = "iniconfig" + version = "2.0.0" + source = { registry = "https://pypi-proxy.fly.dev/basic-auth/simple" } + sdist = { url = "https://pypi-proxy.fly.dev/basic-auth/files/packages/d7/4b/cbd8e699e64a6f16ca3a8220661b5f83792b3017d0f79807cb8708d33913/iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3", size = 4646 } + wheels = [ + { url = "https://pypi-proxy.fly.dev/basic-auth/files/packages/ef/a6/62565a6e1cf69e10f5727360368e451d4b7f58beeac6173dc9db836a5b46/iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374", size = 5892 }, + ] + "### + ); + }); + + // Installing from the lockfile should fail without credentials. + uv_snapshot!(context.filters(), context.sync().arg("--frozen").arg("--index-url").arg("https://pypi-proxy.fly.dev/basic-auth/simple").current_dir(&context.temp_dir), @r###" + success: false + exit_code: 2 + ----- stdout ----- + + ----- stderr ----- + warning: `uv sync` is experimental and may change without warning + error: Failed to prepare distributions + Caused by: Failed to fetch wheel: iniconfig==2.0.0 + Caused by: HTTP status client error (401 Unauthorized) for url (https://pypi-proxy.fly.dev/basic-auth/files/packages/ef/a6/62565a6e1cf69e10f5727360368e451d4b7f58beeac6173dc9db836a5b46/iniconfig-2.0.0-py3-none-any.whl) + "###); + + // Installing from the lockfile should fail without an index. + uv_snapshot!(context.filters(), context.sync().arg("--frozen").current_dir(&context.temp_dir), @r###" + success: false + exit_code: 2 + ----- stdout ----- + + ----- stderr ----- + warning: `uv sync` is experimental and may change without warning + error: Failed to prepare distributions + Caused by: Failed to fetch wheel: iniconfig==2.0.0 + Caused by: HTTP status client error (401 Unauthorized) for url (https://pypi-proxy.fly.dev/basic-auth/files/packages/ef/a6/62565a6e1cf69e10f5727360368e451d4b7f58beeac6173dc9db836a5b46/iniconfig-2.0.0-py3-none-any.whl) + "###); + + // Installing from the lockfile should succeed when credentials are included. + uv_snapshot!(context.filters(), context.sync().arg("--frozen").arg("--index-url").arg("https://public:heron@pypi-proxy.fly.dev/basic-auth/simple").current_dir(&context.temp_dir), @r###" + success: true + exit_code: 0 + ----- stdout ----- + + ----- stderr ----- + warning: `uv sync` is experimental and may change without warning + Prepared 2 packages in [TIME] + Installed 2 packages in [TIME] + + foo==0.1.0 (from file://[TEMP_DIR]/) + + iniconfig==2.0.0 + "###); + + Ok(()) +}