git: ignore http auth for ssh url

abn · abn · commit 78c597db6d2a · 2022-05-10T19:34:39.000+02:00
This change ensures that http-basic auth credentials are only passed to
dulwich when the remote url uses http/https schemes.

In addition to the above, it is now ensured that username/password
parameters are not passed through to dulwich unless both username and
password are configured explicitly. This is to ensure that dulwich does
not bail out if it detects a username in the url
(eg: `ssh://git@github.com`).
diff --git a/src/poetry/utils/authenticator.py b/src/poetry/utils/authenticator.py
@@ -270,6 +270,11 @@ def _get_credentials_for_url(
         return credential
 
     def get_credentials_for_git_url(self, url: str) -> HTTPAuthCredential:
+        parsed_url = urllib.parse.urlsplit(url)
+
+        if parsed_url.scheme not in {"http", "https"}:
+            return HTTPAuthCredential()
+
         key = f"git+{url}"
 
         if key not in self._credentials:
diff --git a/src/poetry/vcs/git/backend.py b/src/poetry/vcs/git/backend.py
@@ -186,9 +186,17 @@ def _fetch_remote_refs(cls, url: str, local: Repo) -> FetchPackResult:
         client: GitClient
         path: str
 
+        kwargs: dict[str, str] = {}
         credentials = get_default_authenticator().get_credentials_for_git_url(url=url)
+
+        if credentials.password and credentials.username:
+            # we do this conditionally as otherwise, dulwich might complain if these
+            # parameters are passed in for an ssh url
+            kwargs["username"] = credentials.username
+            kwargs["password"] = credentials.password
+
         client, path = get_transport_and_path(  # type: ignore[no-untyped-call]
-            url, username=credentials.username, password=credentials.password
+            url, **kwargs
         )
 
         with local:
diff --git a/tests/integration/test_utils_vcs_git.py b/tests/integration/test_utils_vcs_git.py
@@ -298,6 +298,25 @@ def test_configured_repository_http_auth(
     spy_get_transport_and_path.assert_called_once()
 
 
+def test_username_password_parameter_is_not_passed_to_dulwich(
+    mocker: MockerFixture, source_url: str, config: Config
+) -> None:
+    from poetry.vcs.git import backend
+
+    spy_clone = mocker.spy(Git, "_clone")
+    spy_get_transport_and_path = mocker.spy(backend, "get_transport_and_path")
+
+    with Git.clone(url=source_url, branch="0.1") as repo:
+        assert_version(repo, BRANCH_TO_REVISION_MAP["0.1"])
+
+    spy_clone.assert_called_once()
+
+    spy_get_transport_and_path.assert_called_with(
+        location=source_url,
+    )
+    spy_get_transport_and_path.assert_called_once()
+
+
 def test_system_git_called_when_configured(
     mocker: MockerFixture, source_url: str, use_system_git_client: None
 ) -> None:
diff --git a/tests/utils/test_authenticator.py b/tests/utils/test_authenticator.py
@@ -592,6 +592,10 @@ def test_authenticator_git_repositories(
     assert two.username == "baz"
     assert two.password == "qux"
 
+    two_ssh = authenticator.get_credentials_for_git_url("ssh://git@foo.bar/org/two.git")
+    assert not two_ssh.username
+    assert not two_ssh.password
+
     three = authenticator.get_credentials_for_git_url("https://foo.bar/org/three.git")
     assert not three.username
     assert not three.password
