Poetry: repository credential resolution from config is ambiguous

Created on 11 Dec 2020 · 5 Comments · Source: python-poetry/poetry

  • [x] I am on the latest Poetry version.
  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [x] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

  • Poetry 1.1.4

Issue

As a practical example, gitlab provides public/private package registries on projects which follow the general url form:
https://gitlab.com/api/v4/projects/<project id>/packages/pypi/simple.

Let's say a user is part of two separate (private) projects on gitlab, foo and bar, and they configure poetry on their system as follows:

poetry config repositories.foo-pypi "https://gitlab.com/api/v4/projects/foo/packages/pypi/simple"
poetry config http-basic.foo-pypi "foo-username" "foo-password"
poetry config repositories.bar-pypi "https://gitlab.com/api/v4/projects/bar/packages/pypi/simple"
poetry config http-basic.bar-pypi "bar-username" "bar-password"

In project baz they have the following dependency

[tool.poetry.dependencies]
bar-library = {version = "^1.0.0", source = "bar-pypi"}

When poetry goes to look up bar-library, it will try to use the foo-username and foo-password credentials, which will fail as these are the wrong credentials (this is somewhat heinous in gitlab's case, as it just replies with a 404 on bad credentials, I believe to avoid leaking information about private resources. The 404 just looks like a missing package to poetry rather than a credential error, so it ends up erroring in the solver).

The reason the wrong credentials are used is in poetry/installation/authenticator.py, specifically in Authenticator._get_credentials_for_netloc_from_config. The problem is that poetry does a credential lookup based on the netloc component of the parsed repository URL (in this case, gitlab.com) and it compares it to the netloc component of each repository URL in the config until it finds a match. Because both of the configured repositories have the same netloc in their URL, the credentials for the first one stored in the configuration file will always be used.

I suspect an appropriate fix would involve passing the repository name through to the authenticator (when available) rather than performing the potentially lossy process of name -> url -> name that is currently used.

Bug Triage
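To make the ambiguity in the report concrete, here is an added Python example (not Poetry's own code) that models the two lookups: the netloc-only matching the issue describes, and a hypothetical name-first resolution along the lines of the suggested fix. The config dict and the package URL are constructed from the `poetry config` commands above.

```python
from urllib.parse import urlparse

# Constructed config mirroring the `poetry config` calls in the report.
CONFIG = {
    "repositories": {
        "foo-pypi": {"url": "https://gitlab.com/api/v4/projects/foo/packages/pypi/simple"},
        "bar-pypi": {"url": "https://gitlab.com/api/v4/projects/bar/packages/pypi/simple"},
    },
    "http-basic": {
        "foo-pypi": {"username": "foo-username", "password": "foo-password"},
        "bar-pypi": {"username": "bar-username", "password": "bar-password"},
    },
}

# Constructed: the index page Poetry would fetch for bar-library from bar-pypi.
BAR_URL = "https://gitlab.com/api/v4/projects/bar/packages/pypi/simple/bar-library/"


def credentials_by_netloc(config, url):
    """Netloc-only matching as the report describes: the first configured
    repository whose host matches wins, so two registries on gitlab.com are
    indistinguishable and the first one's credentials are always returned."""
    netloc = urlparse(url).netloc
    for name, repo in config["repositories"].items():
        if urlparse(repo["url"]).netloc == netloc:
            return name, config["http-basic"].get(name)
    return None, None


def credentials_by_name(config, url, source_name=None):
    """Hypothetical name-first resolution (an assumption, not Poetry's code):
    when the dependency's `source` name is known, use it directly; otherwise
    fall back to matching scheme, host and path prefix rather than host only."""
    if source_name and source_name in config["http-basic"]:
        return source_name, config["http-basic"][source_name]
    parsed = urlparse(url)
    for name, repo in config["repositories"].items():
        r = urlparse(repo["url"])
        if (r.scheme, r.netloc) == (parsed.scheme, parsed.netloc) and parsed.path.startswith(r.path):
            return name, config["http-basic"].get(name)
    return None, None
```

Running both lookups on `BAR_URL` shows the netloc match returning `foo-pypi`'s credentials while the name-first lookup returns `bar-pypi`'s.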

All 5 comments

[tool.poetry.dependencies]
bar-library = {version = "^1.0.0", source = "bar-pypi"}

I did not know it was possible to set a source here. Is that documented somewhere? I see it is specified in the _schema_ here: https://github.com/python-poetry/poetry-core/blob/1.0.0/poetry/core/json/schemas/poetry-schema.json#L301-L304

I couldn't find anything in the documentation about the source field. I think that's a neat feature that should definitely be captured in the docs. I'll write a quick PR.

@glencairn Maybe it's one of the things that is not officially supported.

I ran across the source field for the dependency specification in https://github.com/python-poetry/poetry/pull/908. I would hope that indicates it is a supported feature.

Version 1.1.4 advertises the --source option for the poetry add command. I think it's safe to say this is a supported feature.
