Addresses Issue pypa#5572: Implement PIP_TRUSTED_HOSTS logic...

Duplicated logic from `import_requirements()` to `do_install()` in `core.py` to allow users to specify index via `--index` command-line option and validate against `PIP_TRUSTED_HOSTS` when determining `verify_ssl` value.
kalebmckale · Mar 10, 2023 · 9c0c27b · 9c0c27b
1 parent 34b5768
commit 9c0c27b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/news/5572.feature.rst b/news/5572.feature.rst
@@ -0,0 +1 @@
+Implement PIP_TRUSTED_HOSTS logic from importing requirements to specified --index URL.
diff --git a/pipenv/core.py b/pipenv/core.py
@@ -2366,8 +2366,21 @@ def do_install(
                 )
                 # Add the package to the Pipfile.
                 if index_url:
+                    trusted_hosts = get_trusted_hosts()
+                    host_and_port = get_host_and_port(index_url)
+                    require_valid_https = not any(
+                        (
+                            v in trusted_hosts
+                            for v in (
+                                host_and_port,
+                                host_and_port.partition(":")[
+                                    0
+                                ],  # also check if hostname without port is in trusted_hosts
+                            )
+                        )
+                    )
                     index_name = project.add_index_to_pipfile(
-                        index_url, verify_ssl=index_url.startswith("https:")
+                        index_url, verify_ssl=require_valid_https
                     )
                     pkg_requirement.index = index_name
                 try: