Pipenv: Extra Index Url Authentication is Interactive Even When Specified
Authentication for extra index URLs requests user-interactive authentication even when authentication is specified in the extra index URL itself.
Describe your environment
- Arch Linux
- Python version:
Python 3.6.3 - Pipenv version:
pipenv, version 8.3.2
Expected result
When I add a [[source]] with a URL that has authentication information (e.g. https://user:password@host/pypi/simple), authentication information should not be requested.
Actual result
$ pipenv lock --verbose
Locking [dev-packages] dependencies…
Using pip: -i https://pypi.python.org/simple --extra-index-url https://xxxUSERxxx:xxxPASSWORDxxx@xxxHOSTxxx/xxxPATHxxx/pypi/simple
ROUND 1
Current constraints:
xxx
xxx
xxx
Finding the best candidates:
User for xxxxxxxx:
This then waits for user input.
Steps to replicate
- Add a
[[source]]to thePipfilewith a URL that requires basic http auth. - Add a package to the
Pipfilethat uses the specified index (e.g.package_name: {version="*", index="index_name"}. - Run
pipenv lock.
Californian
All 3 comments
Sorry, this is not a pipenv issue; it happens even with normal pip outside of the virtualenv.
FYI, for anyone wondering how to use private pip repos with CI and docker, you'll have to use the PIP_EXTRA_INDEX_URL environment variable with authentication. This can be done for local testing with a .env file that isn't checked into a VCS, and remotely with whatever your CI tool uses for environment variable definition (usually in GUI or CLI settings for the repo). If you are using docker, you can then inject this with a --build-arg YOUR_ARG_KEY=$YOUR_ENV_VAR. I would add this to the relevant issue (#1020), but it was closed for some reason.
Californian
on 4 Dec 2017
@Californian thanks for the relevant update, I'll add a link
techalchemy
on 5 Dec 2017
@Californian OT here, but using --build-arg for secrets is not good. You can actually get the secret from the build history; try docker history <image> and you'll see it there.
rca
on 15 Dec 2017
Related issues
fbender
·
3Comments
jacek-jablonski
·
3Comments
erinxocon
·
3Comments
jakul
·
3Comments
randName
·
3Comments
Most helpful comment
Sorry, this is not a
pipenvissue; it happens even with normalpipoutside of the virtualenv.FYI, for anyone wondering how to use private
piprepos with CI and docker, you'll have to use thePIP_EXTRA_INDEX_URLenvironment variable with authentication. This can be done for local testing with a.envfile that isn't checked into a VCS, and remotely with whatever your CI tool uses for environment variable definition (usually in GUI or CLI settings for the repo). If you are usingdocker, you can then inject this with a--build-arg YOUR_ARG_KEY=$YOUR_ENV_VAR. I would add this to the relevant issue (#1020), but it was closed for some reason.