From 3171034f9a4e83272a928659e610ccd54d8c738d Mon Sep 17 00:00:00 2001 From: Charlie Marsh Date: Fri, 18 Oct 2024 10:57:46 -0400 Subject: [PATCH] Redact index sources in uv.lock --- crates/uv-pypi-types/src/requirement.rs | 49 +++++-------------------- crates/uv/tests/it/lock.rs | 2 +- docs/configuration/indexes.md | 2 +- 3 files changed, 12 insertions(+), 41 deletions(-) diff --git a/crates/uv-pypi-types/src/requirement.rs b/crates/uv-pypi-types/src/requirement.rs index 96e4435fb90c..e7823cda499a 100644 --- a/crates/uv-pypi-types/src/requirement.rs +++ b/crates/uv-pypi-types/src/requirement.rs @@ -70,43 +70,6 @@ impl Requirement { self.source.is_editable() } - /// Remove any sensitive credentials from the requirement. - #[must_use] - pub fn redact(self) -> Requirement { - match self.source { - RequirementSource::Git { - mut repository, - reference, - precise, - subdirectory, - url, - } => { - // Redact the repository URL, but allow `git@`. - redact_credentials(&mut repository); - - // Redact the PEP 508 URL. - let mut url = url.to_url(); - redact_credentials(&mut url); - let url = VerbatimUrl::from_url(url); - - Self { - name: self.name, - extras: self.extras, - marker: self.marker, - source: RequirementSource::Git { - repository, - reference, - precise, - subdirectory, - url, - }, - origin: self.origin, - } - } - _ => self, - } - } - /// Convert the requirement to a [`Requirement`] relative to the given path. pub fn relative_to(self, path: &Path) -> Result { Ok(Self { @@ -614,7 +577,15 @@ enum RequirementSourceWire { impl From for RequirementSourceWire { fn from(value: RequirementSource) -> Self { match value { - RequirementSource::Registry { specifier, index } => Self::Registry { specifier, index }, + RequirementSource::Registry { + specifier, + mut index, + } => { + if let Some(index) = index.as_mut() { + redact_credentials(index); + } + Self::Registry { specifier, index } + } RequirementSource::Url { subdirectory, location, 
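Review bot: In the second hunk, the `RequirementSource::Registry` arm of `From<RequirementSource> for RequirementSourceWire` appears to be the only step that strips index credentials before serialization, yet nothing in the code says so. I would add `// Strip credentials here: this wire form is what gets written to uv.lock.` above `if let Some(index) = index.as_mut()`, so a later refactor does not drop the call. The first hunk deletes `Requirement::redact`, which scrubbed both the Git `repository` and the PEP 508 `url`. The body of the `RequirementSource::Git` arm lies outside the hunks shown (the `from` function continues past them), so confirm that it redacts both fields and that a lock test in the style of `lock_redact_index_sources` covers it. `redact_credentials` is not visible here and presumably clears only the URL's userinfo; if so, a token carried in the path or query string of an index URL would still reach the lockfile, which the docs paragraph on embedded credentials should mention.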
@@ -625,7 +596,7 @@ impl From for RequirementSourceWire { subdirectory: subdirectory .as_deref() .and_then(Path::to_str) - .map(str::to_string), + .map(ToString::to_string), }, RequirementSource::Git { repository, diff --git a/crates/uv/tests/it/lock.rs b/crates/uv/tests/it/lock.rs index 8eabe2daf778..395616f5f4fa 100644 --- a/crates/uv/tests/it/lock.rs +++ b/crates/uv/tests/it/lock.rs @@ -6501,7 +6501,7 @@ fn lock_redact_index_sources() -> Result<()> { ] [package.metadata] - requires-dist = [{ name = "iniconfig", specifier = ">=2", index = "https://public:heron@pypi-proxy.fly.dev/basic-auth/simple" }] + requires-dist = [{ name = "iniconfig", specifier = ">=2", index = "https://pypi-proxy.fly.dev/basic-auth/simple" }] [[package]] name = "iniconfig" diff --git a/docs/configuration/indexes.md b/docs/configuration/indexes.md index 7c4b0168eba6..18b6c9d17535 100644 --- a/docs/configuration/indexes.md +++ b/docs/configuration/indexes.md @@ -150,7 +150,7 @@ Alternatively, credentials can be embedded directly in the index definition: ```toml [[tool.uv.index]] name = "internal" -url = "https://public:koala@https://pypi-proxy.corp.dev/simple" +url = "https://public:koala@pypi-proxy.corp.dev/simple" ``` For security purposes, credentials are _never_ stored in the `uv.lock` file; as such, uv _must_ have