Implicitly trust explicitly requested repos. (#813)
Previously we did not do this and could thus confusingly fail resolves
against explicitly requested insecure repos.

Fixes #812
jsirois authored Nov 26, 2019
1 parent e4ac0e3 commit a641fd7
Showing 2 changed files with 41 additions and 22 deletions.
21 changes: 18 additions & 3 deletions pex/pip.py
Expand Up @@ -8,6 +8,7 @@
from collections import deque

from pex import third_party
from pex.compatibility import urlparse
from pex.interpreter import PythonInterpreter
from pex.platforms import Platform
from pex.variables import ENV
Expand Down Expand Up @@ -46,23 +47,37 @@ def execute_pip_isolated(args, cache=None, interpreter=None):


def _calculate_package_index_options(indexes=None, find_links=None):
trusted_hosts = []

def maybe_trust_insecure_host(url):
url_info = urlparse.urlparse(url)
if 'http' == url_info.scheme:
# Implicitly trust explicitly asked for http indexes and find_links repos instead of requiring
# seperate trust configuration.
trusted_hosts.append(url_info.netloc)
return url

# N.B.: We interpret None to mean accept pip index defaults, [] to mean turn off all index use.
if indexes is not None:
if len(indexes) == 0:
yield '--no-index'
else:
all_indexes = deque(indexes)
yield '--index-url'
yield all_indexes.popleft()
yield maybe_trust_insecure_host(all_indexes.popleft())
if all_indexes:
for extra_index in all_indexes:
yield '--extra-index-url'
yield extra_index
yield maybe_trust_insecure_host(extra_index)

if find_links:
for find_link_url in find_links:
yield '--find-links'
yield find_link_url
yield maybe_trust_insecure_host(find_link_url)

for trusted_host in trusted_hosts:
yield '--trusted-host'
yield trusted_host


def download_distributions(target,
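Review bot: In `maybe_trust_insecure_host`, `url_info.netloc` is appended unchanged, so a URL that carries userinfo (`http://user:secret@host/simple`) yields `user:secret@host` as the `--trusted-host` value, which pip is unlikely to match as a host and which repeats the credential in a second argument. Stripping the userinfo before recording it would avoid both, e.g. `trusted_hosts.append(url_info.netloc.rpartition('@')[2])`. The new comment could also state that pip's `--trusted-host` relaxes HTTPS certificate checks for that host as well, so the trust granted is wider than the single http URL requested, and that artifacts fetched over http have no transport integrity. A log line naming each implicitly trusted host would make that visible to the user. The word `seperate` in the new comment should read `separate`.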
42 changes: 23 additions & 19 deletions tests/test_integration.py
Expand Up @@ -19,7 +19,6 @@
from pex.pex_info import PexInfo
from pex.pip import build_wheels, download_distributions
from pex.testing import (
IS_PYPY,
NOT_CPYTHON27,
NOT_CPYTHON27_OR_OSX,
NOT_CPYTHON36_OR_LINUX,
Expand Down Expand Up @@ -1096,9 +1095,7 @@ def test_pex_interpreter_interact_custom_setuptools_useable():
assert rc == 0, stdout


@pytest.mark.skipif(IS_PYPY,
reason='Our pyenv interpreter setup fails under pypy: '
'https://github.com/pantsbuild/pex/issues/477')
@skip_for_pyenv_use_under_pypy
def test_setup_python():
interpreter = ensure_python_interpreter(PY27)
with temporary_dir() as out:
Expand All @@ -1111,9 +1108,7 @@ def test_setup_python():
subprocess.check_call([pex, '-c', 'import jsonschema'])


@pytest.mark.skipif(IS_PYPY,
reason='Our pyenv interpreter setup fails under pypy: '
'https://github.com/pantsbuild/pex/issues/477')
@skip_for_pyenv_use_under_pypy
def test_setup_interpreter_constraint():
interpreter = ensure_python_interpreter(PY27)
with temporary_dir() as out:
Expand All @@ -1133,9 +1128,7 @@ def test_setup_interpreter_constraint():
assert rc == 0


@pytest.mark.skipif(IS_PYPY,
reason='Our pyenv interpreter setup fails under pypy: '
'https://github.com/pantsbuild/pex/issues/477')
@skip_for_pyenv_use_under_pypy
def test_setup_python_multiple_transitive_markers():
py27_interpreter = ensure_python_interpreter(PY27)
py36_interpreter = ensure_python_interpreter(PY36)
Expand Down Expand Up @@ -1169,9 +1162,7 @@ def test_setup_python_multiple_transitive_markers():
assert to_bytes(os.path.realpath(py36_interpreter)) == stdout.strip()


@pytest.mark.skipif(IS_PYPY,
reason='Our pyenv interpreter setup fails under pypy: '
'https://github.com/pantsbuild/pex/issues/477')
@skip_for_pyenv_use_under_pypy
def test_setup_python_direct_markers():
py36_interpreter = ensure_python_interpreter(PY36)
with temporary_dir() as out:
Expand All @@ -1189,9 +1180,7 @@ def test_setup_python_direct_markers():
subprocess.check_call(py2_only_program, env=make_env(PATH=os.path.dirname(py36_interpreter)))


@pytest.mark.skipif(IS_PYPY,
reason='Our pyenv interpreter setup fails under pypy: '
'https://github.com/pantsbuild/pex/issues/477')
@skip_for_pyenv_use_under_pypy
def test_setup_python_multiple_direct_markers():
py36_interpreter = ensure_python_interpreter(PY36)
py27_interpreter = ensure_python_interpreter(PY27)
Expand Down Expand Up @@ -1562,9 +1551,7 @@ def test_pex_reexec_constraints_dont_match_current_pex_python():
interpreter_constraints=['=={}'.format(version)])


@pytest.mark.skipif(IS_PYPY,
reason='Our pyenv interpreter setup fails under pypy: '
'https://github.com/pantsbuild/pex/issues/477')
@skip_for_pyenv_use_under_pypy
def test_issues_745_extras_isolation():
# Here we ensure one of our extras, `subprocess32`, is properly isolated in the transition from
# pex bootstrapping where it is imported by `pex.executor` to execution of user code.
Expand Down Expand Up @@ -1604,3 +1591,20 @@ def test_issues_745_extras_isolation():

subprocess32_location = os.path.realpath(output.decode('utf-8').strip())
assert subprocess32_location.startswith(pex_root)


@skip_for_pyenv_use_under_pypy
def test_trusted_host_handling():
python = ensure_python_interpreter(PY27)
# Since we explicitly ask Pex to find links at http://www.antlr3.org/download/Python, it should
# implicitly trust the www.antlr3.org host.
results = run_pex_command(
args=[
'--find-links=http://www.antlr3.org/download/Python',
'antlr_python_runtime==3.1.3',
'--',
'-c', 'import antlr3'
],
python=python
)
results.assert_success()
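Review bot: `test_trusted_host_handling` downloads `antlr_python_runtime==3.1.3` from `www.antlr3.org` over plain http and then runs `import antlr3` from it, so each CI run executes code whose integrity nothing on the path verifies, and the test fails whenever that host is unreachable. It also only checks that the resolve succeeds, which does not show that the added `--trusted-host` argument is what made it succeed. A network-free unit test on `_calculate_package_index_options` would pin the behaviour directly: assert that `'--trusted-host', 'www.antlr3.org'` appear in the yielded args for an http find-links URL and that no `--trusted-host` is yielded for an https one. The `skip_for_pyenv_use_under_pypy` decorator is defined outside the visible hunks, so its skip condition cannot be checked from here.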
