Add explicit index support

astral-sh · Oct 3, 2024 · 9f9621e · 9f9621e
1 parent 312eeb8
commit 9f9621e
Show file tree

Hide file tree

Showing 50 changed files with 3,408 additions and 607 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/uv-cli/src/lib.rs b/crates/uv-cli/src/lib.rs
@@ -7,13 +7,14 @@ use anyhow::{anyhow, Result};
 use clap::builder::styling::{AnsiColor, Effects, Style};
 use clap::builder::Styles;
 use clap::{Args, Parser, Subcommand};
+
 use url::Url;
 use uv_cache::CacheArgs;
 use uv_configuration::{
     ConfigSettingEntry, ExportFormat, IndexStrategy, KeyringProviderType, PackageNameSpecifier,
     TargetTriple, TrustedHost, TrustedPublishing, VersionControlSystem,
 };
-use uv_distribution_types::{FlatIndexLocation, IndexUrl};
+use uv_distribution_types::{FlatIndexLocation, Index, IndexUrl};
 use uv_normalize::{ExtraName, PackageName};
 use uv_pep508::Requirement;
 use uv_pypi_types::VerbatimParsedUrl;
@@ -779,6 +780,36 @@ fn parse_index_url(input: &str) -> Result<Maybe<IndexUrl>, String> {
     }
 }
 
+/// Parse a string into an [`Index`], mapping the empty string to `None`.
+fn parse_index_source(input: &str) -> Result<Maybe<Index>, String> {
+    if input.is_empty() {
+        Ok(Maybe::None)
+    } else {
+        match Index::from_str(input) {
+            Ok(index) => Ok(Maybe::Some(Index {
+                default: false,
+                ..index
+            })),
+            Err(err) => Err(err.to_string()),
+        }
+    }
+}
+
+/// Parse a string into an [`Index`], mapping the empty string to `None`.
+fn parse_default_index_source(input: &str) -> Result<Maybe<Index>, String> {
+    if input.is_empty() {
+        Ok(Maybe::None)
+    } else {
+        match Index::from_str(input) {
+            Ok(index) => Ok(Maybe::Some(Index {
+                default: true,
+                ..index
+            })),
+            Err(err) => Err(err.to_string()),
+        }
+    }
+}
+
 /// Parse a string into an [`Url`], mapping the empty string to `None`.
 fn parse_insecure_host(input: &str) -> Result<Maybe<TrustedHost>, String> {
     if input.is_empty() {
@@ -2236,8 +2267,8 @@ pub struct VenvArgs {
     ///
     /// By default, uv will stop at the first index on which a given package is available, and
     /// limit resolutions to those present on that first index (`first-match`). This prevents
-    /// "dependency confusion" attacks, whereby an attack can upload a malicious package under the
-    /// same name to a secondary.
+    /// "dependency confusion" attacks, whereby an attacker can upload a malicious package under the
+    /// same name to an alternate index.
     #[arg(long, value_enum, env = "UV_INDEX_STRATEGY")]
     pub index_strategy: Option<IndexStrategy>,
 
@@ -3701,13 +3732,36 @@ pub struct GenerateShellCompletionArgs {
 #[derive(Args)]
 #[allow(clippy::struct_excessive_bools)]
 pub struct IndexArgs {
+    /// The URLs to use when resolving dependencies, in addition to the default index.
+    ///
+    /// Accepts either a repository compliant with PEP 503 (the simple repository API), or a local
+    /// directory laid out in the same format.
+    ///
+    /// All indexes provided via this flag take priority over the index specified by
+    /// `--default-index` (which defaults to PyPI). When multiple `--index` flags are
+    /// provided, earlier values take priority.
+    #[arg(long, env = "UV_INDEX", value_delimiter = ' ', value_parser = parse_index_source, help_heading = "Index options")]
+    pub index: Option<Vec<Maybe<Index>>>,
+
+    /// The URL of the default package index (by default: <https://pypi.org/simple>).
+    ///
+    /// Accepts either a repository compliant with PEP 503 (the simple repository API), or a local
+    /// directory laid out in the same format.
+    ///
+    /// The index given by this flag is given lower priority than all other indexes specified via
+    /// the `--index` flag.
+    #[arg(long, env = "UV_DEFAULT_INDEX", value_parser = parse_default_index_source, help_heading = "Index options")]
+    pub default_index: Option<Maybe<Index>>,
+
     /// The URL of the Python package index (by default: <https://pypi.org/simple>).
     ///
     /// Accepts either a repository compliant with PEP 503 (the simple repository API), or a local
     /// directory laid out in the same format.
     ///
     /// The index given by this flag is given lower priority than all other
     /// indexes specified via the `--extra-index-url` flag.
+    ///
+    /// (Deprecated: use `--default-index` instead.)
     #[arg(long, short, env = "UV_INDEX_URL", value_parser = parse_index_url, help_heading = "Index options")]
     pub index_url: Option<Maybe<IndexUrl>>,
 
@@ -3719,6 +3773,8 @@ pub struct IndexArgs {
     /// All indexes provided via this flag take priority over the index specified by
     /// `--index-url` (which defaults to PyPI). When multiple `--extra-index-url` flags are
     /// provided, earlier values take priority.
+    ///
+    /// (Deprecated: use `--index` instead.)
     #[arg(long, env = "UV_EXTRA_INDEX_URL", value_delimiter = ' ', value_parser = parse_index_url, help_heading = "Index options")]
     pub extra_index_url: Option<Vec<Maybe<IndexUrl>>>,
 
@@ -3842,8 +3898,8 @@ pub struct InstallerArgs {
     ///
     /// By default, uv will stop at the first index on which a given package is available, and
     /// limit resolutions to those present on that first index (`first-match`). This prevents
-    /// "dependency confusion" attacks, whereby an attack can upload a malicious package under the
-    /// same name to a secondary.
+    /// "dependency confusion" attacks, whereby an attacker can upload a malicious package under the
+    /// same name to an alternate index.
     #[arg(
         long,
         value_enum,
@@ -4004,8 +4060,8 @@ pub struct ResolverArgs {
     ///
     /// By default, uv will stop at the first index on which a given package is available, and
     /// limit resolutions to those present on that first index (`first-match`). This prevents
-    /// "dependency confusion" attacks, whereby an attack can upload a malicious package under the
-    /// same name to a secondary.
+    /// "dependency confusion" attacks, whereby an attacker can upload a malicious package under the
+    /// same name to an alternate index.
     #[arg(
         long,
         value_enum,
@@ -4196,8 +4252,8 @@ pub struct ResolverInstallerArgs {
     ///
     /// By default, uv will stop at the first index on which a given package is available, and
     /// limit resolutions to those present on that first index (`first-match`). This prevents
-    /// "dependency confusion" attacks, whereby an attack can upload a malicious package under the
-    /// same name to a secondary.
+    /// "dependency confusion" attacks, whereby an attacker can upload a malicious package under the
+    /// same name to an alternate index.
     #[arg(
         long,
         value_enum,

diff --git a/crates/uv-cli/src/options.rs b/crates/uv-cli/src/options.rs
@@ -1,7 +1,7 @@
 use uv_cache::Refresh;
 use uv_configuration::ConfigSettings;
 use uv_resolver::PrereleaseMode;
-use uv_settings::{PipOptions, ResolverInstallerOptions, ResolverOptions};
+use uv_settings::{Combine, PipOptions, ResolverInstallerOptions, ResolverOptions};
 
 use crate::{
     BuildOptionsArgs, IndexArgs, InstallerArgs, Maybe, RefreshArgs, ResolverArgs,
@@ -186,13 +186,21 @@ impl From<ResolverInstallerArgs> for PipOptions {
 impl From<IndexArgs> for PipOptions {
     fn from(args: IndexArgs) -> Self {
         let IndexArgs {
+            default_index,
+            index,
             index_url,
             extra_index_url,
             no_index,
             find_links,
         } = args;
 
         Self {
+            index: default_index
+                .and_then(Maybe::into_option)
+                .map(|default_index| vec![default_index])
+                .combine(
+                    index.map(|index| index.into_iter().filter_map(Maybe::into_option).collect()),
+                ),
             index_url: index_url.and_then(Maybe::into_option),
             extra_index_url: extra_index_url.map(|extra_index_urls| {
                 extra_index_urls
@@ -242,6 +250,15 @@ pub fn resolver_options(
     } = build_args;
 
     ResolverOptions {
+        index: index_args
+            .default_index
+            .and_then(Maybe::into_option)
+            .map(|default_index| vec![default_index])
+            .combine(
+                index_args
+                    .index
+                    .map(|index| index.into_iter().filter_map(Maybe::into_option).collect()),
+            ),
         index_url: index_args.index_url.and_then(Maybe::into_option),
         extra_index_url: index_args.extra_index_url.map(|extra_index_urls| {
             extra_index_urls
@@ -325,7 +342,16 @@ pub fn resolver_installer_options(
         no_binary_package,
     } = build_args;
 
+    let default_index = index_args
+        .default_index
+        .and_then(Maybe::into_option)
+        .map(|default_index| vec![default_index]);
+    let index = index_args
+        .index
+        .map(|index| index.into_iter().filter_map(Maybe::into_option).collect());
+
     ResolverInstallerOptions {
+        index: default_index.combine(index),
         index_url: index_args.index_url.and_then(Maybe::into_option),
         extra_index_url: index_args.extra_index_url.map(|extra_index_urls| {
             extra_index_urls

diff --git a/crates/uv-client/src/registry_client.rs b/crates/uv-client/src/registry_client.rs
@@ -6,6 +6,7 @@ use std::str::FromStr;
 use async_http_range_reader::AsyncHttpRangeReader;
 use futures::{FutureExt, TryStreamExt};
 use http::HeaderMap;
+use itertools::Either;
 use reqwest::{Client, Response, StatusCode};
 use reqwest_middleware::ClientWithMiddleware;
 use tracing::{info_span, instrument, trace, warn, Instrument};
@@ -16,7 +17,7 @@ use uv_configuration::KeyringProviderType;
 use uv_configuration::{IndexStrategy, TrustedHost};
 use uv_distribution_filename::{DistFilename, SourceDistFilename, WheelFilename};
 use uv_distribution_types::{
-    BuiltDist, File, FileLocation, IndexCapabilities, IndexUrl, IndexUrls, Name,
+    BuiltDist, File, FileLocation, Index, IndexCapabilities, IndexUrl, IndexUrls, Name,
 };
 use uv_metadata::{read_metadata_async_seek, read_metadata_async_stream};
 use uv_normalize::PackageName;
@@ -204,8 +205,15 @@ impl RegistryClient {
     pub async fn simple(
         &self,
         package_name: &PackageName,
+        index: Option<&IndexUrl>,
     ) -> Result<Vec<(IndexUrl, OwnedArchive<SimpleMetadata>)>, Error> {
-        let mut it = self.index_urls.indexes().peekable();
+        let indexes = if let Some(index) = index {
+            Either::Left(std::iter::once(index))
+        } else {
+            Either::Right(self.index_urls.indexes().map(Index::url))
+        };
+
+        let mut it = indexes.peekable();
         if it.peek().is_none() {
             return Err(ErrorKind::NoIndex(package_name.to_string()).into());
         }