dependabot · jurre · Jan 7, 2022 · Oct 1, 2021 · Oct 1, 2021 · Oct 1, 2021
@@ -22,8 +22,18 @@ def replace_sources(credentials)
           pyproject_object = TomlRB.parse(pyproject_content)
           poetry_object = pyproject_object.fetch("tool").fetch("poetry")
 
-          sources = pyproject_sources + config_variable_sources(credentials)
-          poetry_object["source"] = sources if sources.any?
+          sources_hash = pyproject_sources.map { |source| [source["url"], source] }.to_h
+
+          for source in config_variable_sources(credentials) do
-          for source in config_variable_sources(credentials) do
+          config_variable_sources(credentials).each do |source|
-          for source in config_variable_sources(credentials) do
+          config_variable_sources(credentials).each do |source|
+            if sources_hash.has_key?(source["original_url"])
-            if sources_hash.has_key?(source["original_url"])
+            if sources_hash.key?(source["original_url"])
-            if sources_hash.has_key?(source["original_url"])
+            if sources_hash.key?(source["original_url"])
+              sources_hash[source["original_url"]]["url"] = source["url"]
+            else
+              source.delete("original_url")
+              sources_hash[source["url"]] = source
+            end
+          end
+
+          poetry_object["source"] = sources_hash.values if !sources_hash.empty?
 
           TomlRB.dump(pyproject_object)
         end
@@ -105,6 +115,7 @@ def config_variable_sources(credentials)
             select { |cred| cred["type"] == "python_index" }.
             map do |c|
               {
+                "original_url" => c["index-url"],
                 "url" => AuthedUrlBuilder.authed_url(credential: c),
                 "name" => SecureRandom.hex[0..3],
                 "default" => c["replaces-base"]

@@ -62,6 +62,30 @@
         it { is_expected.to include("default = true") }
       end
     end
+    context "with a private repository as a python_index" do
+      subject(:parsed_sources) { TomlRB.parse(replace_sources, symbolize_keys: true)[:tool][:poetry][:source] }
+      let(:pyproject_fixture_name) { "private_secondary_source.toml" }
+      let(:credentials) do
+        [{
+          "type" => "python_index",
+          "index-url" => "https://some.internal.registry.com/pypi/"
+        }]
+      end
+
+      it { is_expected.to contain_exactly({"name": "custom", "secondary": true, "url": credentials[0]["index-url"]})}
+
+      context "that includes auth details" do
+        let(:credentials) do
+          [{
+            "type" => "python_index",
+            "index-url" => "https://some.internal.registry.com/pypi/",
+            "token" => "username:password"
+          }]
+        end
+
+        it { is_expected.to contain_exactly({"name": "custom", "secondary": true, "url": "https://username:password@some.internal.registry.com/pypi/"})}
+      end
+    end
   end
 
   describe "#sanitize" do

@@ -343,6 +343,13 @@
         end
       end
 
+      context "set in a pyproject.toml" do
+        let(:pyproject_fixture_name) { "private_source.toml" }
+        let(:dependency_files) { [pyproject] }
+        let(:pypi_url) { "https://some.internal.registry.com/pypi/luigi/" }
+        it { is_expected.to eq(Gem::Version.new("2.6.0")) }
+      end
+
       context "set in credentials" do
         let(:credentials) do
           [{

@@ -0,0 +1,18 @@
+[tool.poetry]
+name = "PythonProjects"
+version = "2.0.0"
+homepage = "https://github.com/roghu/py3_projects"
+license = "MIT"
+readme = "README.md"
+authors = ["Dependabot <support@dependabot.com>"]
+description = "Various small python projects."
+
+[tool.poetry.dependencies]
+python = "^3.7"
+requests = "2.18.0"
+internal = { version = "=1.2.3", source = "custom" }
+
+[[tool.poetry.source]]
+name = "custom"
+url = "https://some.internal.registry.com/pypi/"
+secondary = true