Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add an interface to allow calling system keyring #11589

Merged
merged 19 commits into from
Nov 10, 2022
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions news/11589.feature.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Enable the use of ``keyring`` found on ``PATH``. This allows ``keyring``
installed using ``pipx`` to be used by ``pip``.
55 changes: 51 additions & 4 deletions src/pip/_internal/network/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,10 @@
providing credentials in the context of network requests.
"""

import shutil
import subprocess
import urllib.parse
from typing import Any, Dict, List, Optional, Tuple
from typing import Any, Dict, List, NamedTuple, Optional, Tuple

from pip._vendor.requests.auth import AuthBase, HTTPBasicAuth
from pip._vendor.requests.models import Request, Response
Expand All @@ -23,11 +25,52 @@

logger = getLogger(__name__)

Credentials = Tuple[str, str, str]

class Credentials(NamedTuple):
service_name: str
username: str
password: str


class KeyRingCredential(NamedTuple):
username: Optional[str]
password: str


class KeyRingCli:
"""Mirror the parts of keyring's API which pip uses

Instead of calling the keyring package installed alongside pip
we call keyring on the command line which will enable pip to
use which ever installation of keyring is available first in
PATH.
"""

@classmethod
def get_credential(
cls, service_name: str, username: Optional[str]
) -> Optional[KeyRingCredential]:
cmd = ["keyring", "get", service_name, str(username)]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why str() round username? You don't account for the possibility of None (allowed by the type signature) and str() will do nothing if it's a string.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've avoided this by only supporting get_password. I think this is the more correct thing to do as this is actually the function which is being called by the CLI.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've moved to mirroring keyring's default implementation of get_credential which just wraps get_password

res = subprocess.run(cmd, capture_output=True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to support the --no-input option here, so don't try to read stdin if the user supplied that flag.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think I understand this. I'm not reading from stdin here.

Did you mean this line res = subprocess.run(cmd, input=input_)? If so the reason I'm doing this is that the user has already supplied the password through interaction. We're just saving the result here in a callback. Unfortunately, keyring doesn't support passing the password in any other way as far as I can see.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, the keyring command you run might try to read from stdin. The --no-input flag is specifically to ensure that people can run pip without getting prompted for input, so you need to ensure that if --no-input is specified, you stop the keyring subprocess from reading stdin - probably by passing stdin=subprocess.DEVNULL to the call, assuming the keyring process works correctly if you do that.

if res.returncode:
return None
password = res.stdout.decode().strip("\n")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Encoding issues possible here. On Windows, at least, it's not necessarily true that keywring will write its output in the same encoding as the pip process' default encoding.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I've solved this using PYTHONIOENCODING

return KeyRingCredential(username=username, password=password)

@classmethod
def set_password(cls, service_name: str, username: str, password: str) -> None:
cmd = ["keyring", "set", service_name, username]
input_ = password.encode() + b"\n"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can imagine encoding issues here, especially on Windows.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I've solved this using PYTHONIOENCODING

res = subprocess.run(cmd, input=input_)
res.check_returncode()
return None


try:
import keyring
except ImportError:
if shutil.which("keyring") is not None:
keyring = KeyRingCli # type: ignore[assignment]
keyring = None # type: ignore[assignment]
except Exception as exc:
logger.warning(
Expand Down Expand Up @@ -276,7 +319,11 @@ def handle_401(self, resp: Response, **kwargs: Any) -> Response:

# Prompt to save the password to keyring
if save and self._should_save_password_to_keyring():
self._credentials_to_save = (parsed.netloc, username, password)
self._credentials_to_save = Credentials(
service_name=parsed.netloc,
username=username,
password=password,
)

# Consume content and release the original connection to allow our new
# request to reuse the same one.
Expand Down Expand Up @@ -318,6 +365,6 @@ def save_credentials(self, resp: Response, **kwargs: Any) -> None:
if creds and resp.status_code < 400:
try:
logger.info("Saving credentials to keyring")
keyring.set_password(*creds)
keyring.set_password(creds.service_name, creds.username, creds.password)
except Exception:
logger.exception("Failed to save credentials")