-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add flag to force pip to always fetch password from keyring #10269
Comments
Hi! Would you be interested in working on a solution to this? We can first produce a prototype that makes pip switch behaviour (maybe based on an environment variable first) and work out a good way to present the functionality to users from there. |
I'll give it a try. One thing I'm wondering is whether it would make more sense to have a different env var for By the way, for context our private repo is hosted on Artifactory. Due to a bug on their end, the repeated unauthenticated requests from pip cause it to return 403 at random when it shouldn't. So this fix would also resolve that issue. |
The problem is you can have index URLs, and when you do that |
Hmm, wouldn't you have the same general problem with some "always auth with keyring" flag then? |
My understanding is we store index URL auths per-domain in You can find this logic in |
I see. Actually, I do have another question after trying to read through the code. In my case, the index url only contained a username, not a password (or even a colon). But the code seems to have checks of the form pip/src/pip/_internal/network/auth.py Line 180 in 330d0aa
When the request is first sent, keyring isn't even consulted, because for some reason pip/src/pip/_internal/network/auth.py Lines 150 to 161 in 330d0aa
|
Edit: Oops, sorry, I misread the comment. The first 401 pass is intentional so keyring is not hit when the URL does not actually need authentication, which is the vast majority of cases. The keyring can pretty slow (depending on the back-end), and we want to make it as nonintrusive as possible for most people. If pip is a corporate tool we would probably always go through keyring, but pip is FOSS, and 99% (impression number without evidence, don’t quote me) of our users are only using FOSS indexes, so we prioritise them. |
Upon further review of the code, I think I've found a bug that, if fixed, will mostly resolve my issue without needing any new flags, and without incurring a performance hit for the majority case. After fetching the password from keyring, it caches the credentials for later. pip/src/pip/_internal/network/auth.py Lines 265 to 268 in 330d0aa
However, the cache is only consulted if the index url has no credentials at all. pip/src/pip/_internal/network/auth.py Lines 182 to 184 in 330d0aa
Instead, the cache lookup should be this: if (username is None or password is None) and netloc in self.passwords:
un, pw = self.passwords[netloc]
if username is None or username == un:
username, password = un, pw Separately, it would be nice to avoid the initial 401 by always consulting keyring in the first place. But that seems more complicated to do correctly, and less necessary if the cache lookup is fixed. |
Again, always checking keyring unconditionally would not be an option, because we don’t want to acces keyring unless necessary. Checking the cached entry sounds like a doable change, but I think we need to make |
Right, that is one of the reasons I was saying that being able to force it to consult keyring in the first place is more complicated.
I didn't understand this point. My modified condition for using cached credentials will handle it fine. The only time it doesn't work is when there are two index urls in play for the same hostname with different embedded usernames. But that seems like a pretty bizarre use case, and it would already not be using the cache today anyway. |
Isn’t this what your |
Yes, by "doesn't work", I just meant that it won't really function as a cache. It won't mix up the passwords though. I've opened #10288 as a draft PR. I have not tried to run it myself, or even run the unit tests. |
@uranusjr Please take a look at that PR when you have a chance. |
Bumps [pip](https://github.com/pypa/pip) from 21.2.4 to 21.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>21.3 (2021-10-11)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Improve deprecation warning regarding the copying of source trees when installing from a local directory. (<code>[#10128](pypa/pip#10128) <https://github.com/pypa/pip/issues/10128></code>_)</li> <li>Suppress location mismatch warnings when pip is invoked from a Python source tree, so <code>ensurepip</code> does not emit warnings on CPython <code>make install</code>. (<code>[#10270](pypa/pip#10270) <https://github.com/pypa/pip/issues/10270></code>_)</li> <li>On Python 3.10 or later, the installation scheme backend has been changed to use <code>sysconfig</code>. This is to anticipate the deprecation of <code>distutils</code> in Python 3.10, and its scheduled removal in 3.12. For compatibility considerations, pip installations running on Python 3.9 or lower will continue to use <code>distutils</code>. (<code>[#10358](pypa/pip#10358) <https://github.com/pypa/pip/issues/10358></code>_)</li> <li>Remove the <code>--build-dir</code> option and aliases, one last time. (<code>[#10485](pypa/pip#10485) <https://github.com/pypa/pip/issues/10485></code>_)</li> <li>In-tree builds are now the default. <code>--use-feature=in-tree-build</code> is now ignored. <code>--use-deprecated=out-of-tree-build</code> may be used temporarily to ease the transition. (<code>[#10495](pypa/pip#10495) <https://github.com/pypa/pip/issues/10495></code>_)</li> <li>Un-deprecate source distribution re-installation behaviour. (<code>[#8711](pypa/pip#8711) <https://github.com/pypa/pip/issues/8711></code>_)</li> </ul> <h2>Features</h2> <ul> <li>Replace vendored appdirs with platformdirs. (<code>[#10202](pypa/pip#10202) <https://github.com/pypa/pip/issues/10202></code>_)</li> <li>Support <code>PEP 610 <https://www.python.org/dev/peps/pep-0610/></code>_ to detect editable installs in <code>pip freeze</code> and <code>pip list</code>. The <code>pip list</code> column output has a new <code>Editable project location</code> column, and the JSON output has a new <code>editable_project_location</code> field. (<code>[#10249](pypa/pip#10249) <https://github.com/pypa/pip/issues/10249></code>_)</li> <li><code>pip freeze</code> will now always fallback to reporting the editable project location when it encounters a VCS error while analyzing an editable requirement. Before, it sometimes reported the requirement as non-editable. (<code>[#10410](pypa/pip#10410) <https://github.com/pypa/pip/issues/10410></code>_)</li> <li><code>pip show</code> now sorts <code>Requires</code> and <code>Required-By</code> alphabetically. (<code>[#10422](pypa/pip#10422) <https://github.com/pypa/pip/issues/10422></code>_)</li> <li>Do not raise error when there are no files to remove with <code>pip cache purge/remove</code>. Instead log a warning and continue (to log that we removed 0 files). (<code>[#10459](pypa/pip#10459) <https://github.com/pypa/pip/issues/10459></code>_)</li> <li>When backtracking during dependency resolution, prefer the dependencies which are involved in the most recent conflict. This can significantly reduce the amount of backtracking required. (<code>[#10479](pypa/pip#10479) <https://github.com/pypa/pip/issues/10479></code>_)</li> <li>Cache requirement objects, to improve performance reducing reparses of requirement strings. (<code>[#10550](pypa/pip#10550) <https://github.com/pypa/pip/issues/10550></code>_)</li> <li>Support editable installs for projects that have a <code>pyproject.toml</code> and use a build backend that supports :pep:<code>660</code>. (<code>[#8212](pypa/pip#8212) <https://github.com/pypa/pip/issues/8212></code>_)</li> <li>When a revision is specified in a Git URL, use git's partial clone feature to speed up source retrieval. (<code>[#9086](pypa/pip#9086) <https://github.com/pypa/pip/issues/9086></code>_)</li> <li>Add a <code>--debug</code> flag, to enable a mode that doesn't log errors and propagates them to the top level instead. This is primarily to aid with debugging pip's crashes. (<code>[#9349](pypa/pip#9349) <https://github.com/pypa/pip/issues/9349></code>_)</li> <li>If a host is explicitly specified as trusted by the user (via the --trusted-host option), cache HTTP responses from it in addition to HTTPS ones. (<code>[#9498](pypa/pip#9498) <https://github.com/pypa/pip/issues/9498></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Present a better error message, when a <code>file:</code> URL is not found. (<code>[#10263](pypa/pip#10263) <https://github.com/pypa/pip/issues/10263></code>_)</li> <li>Fix the auth credential cache to allow for the case in which the index url contains the username, but the password comes from an external source, such as keyring. (<code>[#10269](pypa/pip#10269) <https://github.com/pypa/pip/issues/10269></code>_)</li> <li>Fix double unescape of HTML <code>data-requires-python</code> and <code>data-yanked</code> attributes. (<code>[#10378](pypa/pip#10378) <https://github.com/pypa/pip/issues/10378></code>_)</li> <li>New resolver: Fixes depth ordering of packages during resolution, e.g. a dependency 2 levels deep will be ordered before a dependecy 3 levels deep. (<code>[#10482](pypa/pip#10482) <https://github.com/pypa/pip/issues/10482></code>_)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/abec8a701bfa66aa15fedf4c898011aa2d95f29e"><code>abec8a7</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/68a70486c9224f9d25be3cbf56c73d8a33c6a713"><code>68a7048</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/9f18a403ca41f4e42fbb89d286b6571a099cb54b"><code>9f18a40</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10481">#10481</a> from notatallshaw/prefer_failures</li> <li><a href="https://github.com/pypa/pip/commit/db496cbce518fa159476695db0cd4f1c1a8ab6f5"><code>db496cb</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10563">#10563</a> from pradyunsg/shorter-timeout</li> <li><a href="https://github.com/pypa/pip/commit/4fac2b90a5d200b46e7b576013bb25f4ebb3f937"><code>4fac2b9</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10550">#10550</a> from jbylund/joe/cache_requirement_creation</li> <li><a href="https://github.com/pypa/pip/commit/786957cf85a641d49b4cfcceef717ef229ac8238"><code>786957c</code></a> Use a shorter timeout, to ensure that this fails more often</li> <li><a href="https://github.com/pypa/pip/commit/1e3c127d4a938643aca1bbc25e6581493e316476"><code>1e3c127</code></a> Avoid passing <code>.</code> to vendoring</li> <li><a href="https://github.com/pypa/pip/commit/610424f9f8ad1f99d0a48bf9a53e7a9df4242304"><code>610424f</code></a> Quote "PreferenceInformation" to avoid runtime NameError</li> <li><a href="https://github.com/pypa/pip/commit/c01b5c6d8a4858cf733408b4b020933f902dda9e"><code>c01b5c6</code></a> Update a test for resolvelib 0.8.0</li> <li><a href="https://github.com/pypa/pip/commit/394a24eb1a5f9af5da7d4d2452ed5fe952de5db2"><code>394a24e</code></a> Upgrade resolvelib to 0.8.0</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/21.2.4...21.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=21.2.4&new-version=21.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 21.2.4 to 21.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>21.3 (2021-10-11)</h1> <h2>Deprecations and Removals</h2> <ul> <li>Improve deprecation warning regarding the copying of source trees when installing from a local directory. (<code>[#10128](pypa/pip#10128) <https://github.com/pypa/pip/issues/10128></code>_)</li> <li>Suppress location mismatch warnings when pip is invoked from a Python source tree, so <code>ensurepip</code> does not emit warnings on CPython <code>make install</code>. (<code>[#10270](pypa/pip#10270) <https://github.com/pypa/pip/issues/10270></code>_)</li> <li>On Python 3.10 or later, the installation scheme backend has been changed to use <code>sysconfig</code>. This is to anticipate the deprecation of <code>distutils</code> in Python 3.10, and its scheduled removal in 3.12. For compatibility considerations, pip installations running on Python 3.9 or lower will continue to use <code>distutils</code>. (<code>[#10358](pypa/pip#10358) <https://github.com/pypa/pip/issues/10358></code>_)</li> <li>Remove the <code>--build-dir</code> option and aliases, one last time. (<code>[#10485](pypa/pip#10485) <https://github.com/pypa/pip/issues/10485></code>_)</li> <li>In-tree builds are now the default. <code>--use-feature=in-tree-build</code> is now ignored. <code>--use-deprecated=out-of-tree-build</code> may be used temporarily to ease the transition. (<code>[#10495](pypa/pip#10495) <https://github.com/pypa/pip/issues/10495></code>_)</li> <li>Un-deprecate source distribution re-installation behaviour. (<code>[#8711](pypa/pip#8711) <https://github.com/pypa/pip/issues/8711></code>_)</li> </ul> <h2>Features</h2> <ul> <li>Replace vendored appdirs with platformdirs. (<code>[#10202](pypa/pip#10202) <https://github.com/pypa/pip/issues/10202></code>_)</li> <li>Support <code>PEP 610 <https://www.python.org/dev/peps/pep-0610/></code>_ to detect editable installs in <code>pip freeze</code> and <code>pip list</code>. The <code>pip list</code> column output has a new <code>Editable project location</code> column, and the JSON output has a new <code>editable_project_location</code> field. (<code>[#10249](pypa/pip#10249) <https://github.com/pypa/pip/issues/10249></code>_)</li> <li><code>pip freeze</code> will now always fallback to reporting the editable project location when it encounters a VCS error while analyzing an editable requirement. Before, it sometimes reported the requirement as non-editable. (<code>[#10410](pypa/pip#10410) <https://github.com/pypa/pip/issues/10410></code>_)</li> <li><code>pip show</code> now sorts <code>Requires</code> and <code>Required-By</code> alphabetically. (<code>[#10422](pypa/pip#10422) <https://github.com/pypa/pip/issues/10422></code>_)</li> <li>Do not raise error when there are no files to remove with <code>pip cache purge/remove</code>. Instead log a warning and continue (to log that we removed 0 files). (<code>[#10459](pypa/pip#10459) <https://github.com/pypa/pip/issues/10459></code>_)</li> <li>When backtracking during dependency resolution, prefer the dependencies which are involved in the most recent conflict. This can significantly reduce the amount of backtracking required. (<code>[#10479](pypa/pip#10479) <https://github.com/pypa/pip/issues/10479></code>_)</li> <li>Cache requirement objects, to improve performance reducing reparses of requirement strings. (<code>[#10550](pypa/pip#10550) <https://github.com/pypa/pip/issues/10550></code>_)</li> <li>Support editable installs for projects that have a <code>pyproject.toml</code> and use a build backend that supports :pep:<code>660</code>. (<code>[#8212](pypa/pip#8212) <https://github.com/pypa/pip/issues/8212></code>_)</li> <li>When a revision is specified in a Git URL, use git's partial clone feature to speed up source retrieval. (<code>[#9086](pypa/pip#9086) <https://github.com/pypa/pip/issues/9086></code>_)</li> <li>Add a <code>--debug</code> flag, to enable a mode that doesn't log errors and propagates them to the top level instead. This is primarily to aid with debugging pip's crashes. (<code>[#9349](pypa/pip#9349) <https://github.com/pypa/pip/issues/9349></code>_)</li> <li>If a host is explicitly specified as trusted by the user (via the --trusted-host option), cache HTTP responses from it in addition to HTTPS ones. (<code>[#9498](pypa/pip#9498) <https://github.com/pypa/pip/issues/9498></code>_)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Present a better error message, when a <code>file:</code> URL is not found. (<code>[#10263](pypa/pip#10263) <https://github.com/pypa/pip/issues/10263></code>_)</li> <li>Fix the auth credential cache to allow for the case in which the index url contains the username, but the password comes from an external source, such as keyring. (<code>[#10269](pypa/pip#10269) <https://github.com/pypa/pip/issues/10269></code>_)</li> <li>Fix double unescape of HTML <code>data-requires-python</code> and <code>data-yanked</code> attributes. (<code>[#10378](pypa/pip#10378) <https://github.com/pypa/pip/issues/10378></code>_)</li> <li>New resolver: Fixes depth ordering of packages during resolution, e.g. a dependency 2 levels deep will be ordered before a dependecy 3 levels deep. (<code>[#10482](pypa/pip#10482) <https://github.com/pypa/pip/issues/10482></code>_)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/abec8a701bfa66aa15fedf4c898011aa2d95f29e"><code>abec8a7</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/68a70486c9224f9d25be3cbf56c73d8a33c6a713"><code>68a7048</code></a> Update AUTHORS.txt</li> <li><a href="https://github.com/pypa/pip/commit/9f18a403ca41f4e42fbb89d286b6571a099cb54b"><code>9f18a40</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10481">#10481</a> from notatallshaw/prefer_failures</li> <li><a href="https://github.com/pypa/pip/commit/db496cbce518fa159476695db0cd4f1c1a8ab6f5"><code>db496cb</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10563">#10563</a> from pradyunsg/shorter-timeout</li> <li><a href="https://github.com/pypa/pip/commit/4fac2b90a5d200b46e7b576013bb25f4ebb3f937"><code>4fac2b9</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/10550">#10550</a> from jbylund/joe/cache_requirement_creation</li> <li><a href="https://github.com/pypa/pip/commit/786957cf85a641d49b4cfcceef717ef229ac8238"><code>786957c</code></a> Use a shorter timeout, to ensure that this fails more often</li> <li><a href="https://github.com/pypa/pip/commit/1e3c127d4a938643aca1bbc25e6581493e316476"><code>1e3c127</code></a> Avoid passing <code>.</code> to vendoring</li> <li><a href="https://github.com/pypa/pip/commit/610424f9f8ad1f99d0a48bf9a53e7a9df4242304"><code>610424f</code></a> Quote "PreferenceInformation" to avoid runtime NameError</li> <li><a href="https://github.com/pypa/pip/commit/c01b5c6d8a4858cf733408b4b020933f902dda9e"><code>c01b5c6</code></a> Update a test for resolvelib 0.8.0</li> <li><a href="https://github.com/pypa/pip/commit/394a24eb1a5f9af5da7d4d2452ed5fe952de5db2"><code>394a24e</code></a> Upgrade resolvelib to 0.8.0</li> <li>Additional commits viewable in <a href="https://github.com/pypa/pip/compare/21.2.4...21.3">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=21.2.4&new-version=21.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
What's the problem this feature will solve?
I am trying to fetch modules from a private server. In order to avoid storing this password in filesystem or environment, I have added it to keyring instead. I have also set
https://username@my-private-server.com
as global.index-url in my pip.conf.Based upon the verbose logs from
pip install
, it seems that pip will first do the request without a password, get a 401, and then fetch the password from keyring.Describe the solution you'd like
There should be a way to force pip to always fetch the password from keyring in the first place. This would prevent it from spamming the server with unauthenticated requests.
Alternative Solutions
I don't want to put the password in plaintext in my pip.conf or environment variables, so I'm not aware of any alternative solution.
Additional context
n/a
The text was updated successfully, but these errors were encountered: