Fix poetry secondary source bug #4323
Conversation
…for lock files ...in the case where the [tool.poetry.source] is for a private repository.
…entials in URL This requires some more work because the authed URL won't match the original URL, so we have to match on the original URLs and merge in changes.
|
Thanks for digging into this! I'm going to let CI run, I'll need to dig into the changes a bit and spotted some style/ruby specific things, but overall looks good from a quick scan |
| poetry_object["source"] = sources if sources.any? | ||
| sources_hash = pyproject_sources.map { |source| [source["url"], source] }.to_h | ||
|
|
||
| for source in config_variable_sources(credentials) do |
There was a problem hiding this comment.
Somewhat nitty, but using for is discouraged in ruby, each is faster and more idiomatic. Apologies for the nitpick 😬
| for source in config_variable_sources(credentials) do | |
| config_variable_sources(credentials).each do |source| |
There was a problem hiding this comment.
No worries! I'll change this as part of fixing what rubocop flags in the next commit.
| sources_hash = pyproject_sources.map { |source| [source["url"], source] }.to_h | ||
|
|
||
| for source in config_variable_sources(credentials) do | ||
| if sources_hash.has_key?(source["original_url"]) |
There was a problem hiding this comment.
| if sources_hash.has_key?(source["original_url"]) | |
| if sources_hash.key?(source["original_url"]) |
I believe has_key is deprecated
There was a problem hiding this comment.
Will also fix this as part of the rubocop fixes. 👍
python/spec/dependabot/python/file_updater/pyproject_preparer_spec.rb
Outdated
Show resolved
Hide resolved
|
This looks great, one thing I want to verify is that this doesn't cause the username/password to be committed as plain text when running this end to end |
Is this something that I should address with more tests, or is it something that you'd have to run yourself? Am happy to make more changes as needed. |
@isobelhooper apologies for the slow response on this! It would be great to add a few tests to |
I'm afraid I don't have a project I could test this against - setting one up would be much appreciated! I had a try at writing tests for EDIT: However, you reminded me that I could test locally against one of our private repos and then change code to use a different one, which I'll do so I can keep working on this. |
This was tested with a local instance of pypiserver with an empty packages/ directory, which meant it was just proxying calls to pypi.org. The credentials used in testing were set up using the pypiserver instructions at https://pypi.org/project/pypiserver/#apache-like-authentication-htpasswd. This might be feasible for Dependabot's own testing, as you could run this as part of the setup, but there are probably better alternatives.
|
Apologies for the slow response on this - I've pushed another commit with a test in At the moment, it relies on having a Python repository running at I did this using pypiserver and following the instructions in https://pypi.org/project/pypiserver/ to set up a server running on The new test should pass once there's a Python repository like this (with auth credentials) that it can access - though I wouldn't expect it to be on Would it be possible for the Dependabot CI to either set up a temporary Python repository like this just for testing, or use an internal private Python repository? |
I'm not sure, both approaches seem fairly brittle and involved 🤔 is there a way that we could mock out those calls instead? |
Unfortunately those calls are made as part of the I'm thinking that it might be possible to move the test to a little earlier in the file updating, and avoid having to make an external call at all. Since the only thing that I'll have a go at making a test for |
...rather than testing against the updated files as in the previous commit. With this approach, we don't need to set up an actual repository with credentials, since all we are doing is checking that the credentials do not leak into the pyproject file. Since the lock file is created by Poetry itself from the pyproject file, if our pyproject file is clean of credentials when we generate the lock file, the only way credentials could then leak in would be a bug in Poetry.
|
Thanks for all your work on this! |
Fixes #4026 (hopefully).
PyprojectPreparermade sure to get all of the originally-defined Poetry sources (with their original names), and any sources configured based onpython-indexsources in Dependabot's config (with short random hex strings as names).However, it then used these to generate
poetry.lockwithout trying to combine them, so packages in private repos would end up with the short random hex string as their reference inpoetry.lock, which would not work.This PR merges any configured sources into the originally-defined Poetry sources in
PyprojectPreparer.replace_sources, so that the final sources should have the original name they had inpyproject.toml.Please let me know if there are any code style or other changes you'd like made to this. Ruby isn't my main language, but I'm happy to change whatever's needed.