Add in-URL credentials to store prior to creating requests

astral-sh · Mar 14, 2024 · 1bb5b97 · 1bb5b97
1 parent d29645c
commit 1bb5b97
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 7 deletions.
diff --git a/crates/distribution-types/src/index_url.rs b/crates/distribution-types/src/index_url.rs
@@ -26,6 +26,16 @@ pub enum IndexUrl {
     Url(VerbatimUrl),
 }
 
+impl IndexUrl {
+    /// Return the raw URL for the index.
+    pub(crate) fn url(&self) -> &Url {
+        match self {
+            Self::Pypi(url) => url.raw(),
+            Self::Url(url) => url.raw(),
+        }
+    }
+}
+
 impl Display for IndexUrl {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         match self {
@@ -268,6 +278,16 @@ impl<'a> IndexLocations {
             no_index: self.no_index,
         }
     }
+
+    /// Return an iterator over all [`Url`] entries.
+    pub fn urls(&'a self) -> impl Iterator<Item = &'a Url> + 'a {
+        self.indexes()
+            .map(IndexUrl::url)
+            .chain(self.flat_index.iter().filter_map(|index| match index {
+                FlatIndexLocation::Path(_) => None,
+                FlatIndexLocation::Url(url) => Some(url),
+            }))
+    }
 }
 
 /// The index URLs to use for fetching packages.

diff --git a/crates/uv-auth/src/middleware.rs b/crates/uv-auth/src/middleware.rs
@@ -44,19 +44,19 @@ impl Middleware for AuthMiddleware {
         next: Next<'_>,
     ) -> reqwest_middleware::Result<Response> {
         let url = req.url().clone();
+
         // If the request already has an authorization header, we don't need to do anything.
         // This gives in-URL credentials precedence over the netrc file.
         if req.headers().contains_key(reqwest::header::AUTHORIZATION) {
-            if !url.username().is_empty() {
-                GLOBAL_AUTH_STORE.save_from_url(&url);
-            }
+            debug!("Request already has an authorization header: {url}");
             return next.run(req, _extensions).await;
         }
 
         // Try auth strategies in order of precedence:
         if let Some(stored_auth) = GLOBAL_AUTH_STORE.get(&url) {
             // If we've already seen this URL, we can use the stored credentials
             if let Some(auth) = stored_auth {
+                debug!("Adding authentication to already-seen URL: {url}");
                 match auth {
                     Credential::Basic(_) => {
                         req.headers_mut().insert(
@@ -67,6 +67,8 @@ impl Middleware for AuthMiddleware {
                     // Url must already have auth if before middleware runs - see `AuthenticationStore::with_url_encoded_auth`
                     Credential::UrlEncoded(_) => (),
                 }
+            } else {
+                debug!("No credentials found for already-seen URL: {url}");
             }
         } else if let Some(auth) = self.nrc.as_ref().and_then(|nrc| {
             // If we find a matching entry in the netrc file, we can use it
@@ -100,6 +102,7 @@ impl Middleware for AuthMiddleware {
 
         // If we still don't have any credentials, we save the URL so we don't have to check netrc or keyring again
         if !req.headers().contains_key(reqwest::header::AUTHORIZATION) {
+            debug!("No credentials found for: {url}");
             GLOBAL_AUTH_STORE.set(&url, None);
         }
 

diff --git a/crates/uv-auth/src/store.rs b/crates/uv-auth/src/store.rs
@@ -102,6 +102,7 @@ impl AuthenticationStore {
         }
     }
 
+    /// Store in-URL credentials for future use.
     pub fn save_from_url(&self, url: &Url) {
         let netloc = NetLoc::from(url);
         let mut credentials = self.credentials.lock().unwrap();

diff --git a/crates/uv/src/commands/pip_compile.rs b/crates/uv/src/commands/pip_compile.rs
@@ -18,7 +18,7 @@ use tracing::debug;
 use distribution_types::{IndexLocations, LocalEditable, Verbatim};
 use platform_tags::Tags;
 use requirements_txt::EditableRequirement;
-use uv_auth::KeyringProvider;
+use uv_auth::{KeyringProvider, GLOBAL_AUTH_STORE};
 use uv_cache::Cache;
 use uv_client::{Connectivity, FlatIndex, FlatIndexClient, RegistryClientBuilder};
 use uv_dispatch::BuildDispatch;
@@ -187,6 +187,11 @@ pub(crate) async fn pip_compile(
     let index_locations =
         index_locations.combine(index_url, extra_index_urls, find_links, no_index);
 
+    // Add all authenticated sources to the store.
+    for url in index_locations.urls() {
+        GLOBAL_AUTH_STORE.save_from_url(url);
+    }
+
     // Initialize the registry client.
     let client = RegistryClientBuilder::new(cache.clone())
         .native_tls(native_tls)

diff --git a/crates/uv/src/commands/pip_install.rs b/crates/uv/src/commands/pip_install.rs
@@ -20,7 +20,7 @@ use pep508_rs::{MarkerEnvironment, Requirement};
 use platform_tags::Tags;
 use pypi_types::Yanked;
 use requirements_txt::EditableRequirement;
-use uv_auth::KeyringProvider;
+use uv_auth::{KeyringProvider, GLOBAL_AUTH_STORE};
 use uv_cache::Cache;
 use uv_client::{Connectivity, FlatIndex, FlatIndexClient, RegistryClient, RegistryClientBuilder};
 use uv_dispatch::BuildDispatch;
@@ -181,6 +181,11 @@ pub(crate) async fn pip_install(
     let index_locations =
         index_locations.combine(index_url, extra_index_urls, find_links, no_index);
 
+    // Add all authenticated sources to the store.
+    for url in index_locations.urls() {
+        GLOBAL_AUTH_STORE.save_from_url(url);
+    }
+
     // Initialize the registry client.
     let client = RegistryClientBuilder::new(cache.clone())
         .native_tls(native_tls)

diff --git a/crates/uv/src/commands/pip_sync.rs b/crates/uv/src/commands/pip_sync.rs
@@ -10,7 +10,7 @@ use install_wheel_rs::linker::LinkMode;
 use platform_tags::Tags;
 use pypi_types::Yanked;
 use requirements_txt::EditableRequirement;
-use uv_auth::KeyringProvider;
+use uv_auth::{KeyringProvider, GLOBAL_AUTH_STORE};
 use uv_cache::{ArchiveTarget, ArchiveTimestamp, Cache};
 use uv_client::{Connectivity, FlatIndex, FlatIndexClient, RegistryClient, RegistryClientBuilder};
 use uv_dispatch::BuildDispatch;
@@ -115,6 +115,11 @@ pub(crate) async fn pip_sync(
     let index_locations =
         index_locations.combine(index_url, extra_index_urls, find_links, no_index);
 
+    // Add all authenticated sources to the store.
+    for url in index_locations.urls() {
+        GLOBAL_AUTH_STORE.save_from_url(url);
+    }
+
     // Initialize the registry client.
     let client = RegistryClientBuilder::new(cache.clone())
         .native_tls(native_tls)

diff --git a/crates/uv/src/commands/venv.rs b/crates/uv/src/commands/venv.rs
@@ -13,7 +13,7 @@ use thiserror::Error;
 
 use distribution_types::{DistributionMetadata, IndexLocations, Name};
 use pep508_rs::Requirement;
-use uv_auth::KeyringProvider;
+use uv_auth::{KeyringProvider, GLOBAL_AUTH_STORE};
 use uv_cache::Cache;
 use uv_client::{Connectivity, FlatIndex, FlatIndexClient, RegistryClientBuilder};
 use uv_dispatch::BuildDispatch;
@@ -140,6 +140,11 @@ async fn venv_impl(
         // Extract the interpreter.
         let interpreter = venv.interpreter();
 
+        // Add all authenticated sources to the store.
+        for url in index_locations.urls() {
+            GLOBAL_AUTH_STORE.save_from_url(url);
+        }
+
         // Instantiate a client.
         let client = RegistryClientBuilder::new(cache.clone())
             .native_tls(native_tls)