-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication prioritize .netrc credentials over ones from url. #10979
Comments
Are you sure this is a Pip issue and not a requests issue? What behavior does requests have for the same thing? Mostly Pip is just delegating to requests on how to handle this. |
This is the error: Your server is giving you a 401 Client Error on this. You'll have to investigate what that is. I'll bundle improving this error message into #10421. |
@pradyunsg I think you are misunderstanding the issue reported here. The credentials are wrong because they are the ones read out of the .netrc file not the ones read out of the URL. But I believe this behavior comes from requests not pip. And as such there are two things I can suggest:
(I see a similar issue quite a lot in my corporate environment) |
Indeed, and thanks for catching that @notatallshaw! :) |
I have deliberately put an incorrect password in .netrc file to trigger a 401 error to illustrate that netrc credentials are used instead of ones in url. Thank you for providing workarounds, but the issue appears in environment where netrc is generated automatically if user don't provide one and user does not have control over env, so they need to remember to generate .netrc to use desired token instead of generating requirements.txt file. You can see in the output of the command there are 2 requests:
and
As you see the first one was successful which means it used credentials from url correctly, while the second one failed so it used netrc ones. This shows that pip is sending these requests in different ways, hence I believe it is pip and not requests issue. |
Are there any other tools that override explicitly provided credentials with netrc credentials? |
You could be correct but I'm not sure based on the information you've provided so far, is still seems speculative. Poking around in Pips code for netrc I could only find 1 location that is a possible culprit: But |
OK, I just re-read this issue and... I completely misread this the last two times. Sincere apologies to @kramarz and @notatallshaw. This is definitely a bug at some point in our network authentication handling code. |
Test in #10998 fails with plain url and netrc credentials? ---url = f"https://USERNAME:PASSWORD@{server.host}:{server.port}/simple"
+++url = f"https://{server.host}:{server.port}/simple"
...
---f"machine {server.host} login wrongusername password wrongpassword"
+++f"machine {server.host} login USERNAME password PASSWORD" but works with reverted #10998 changes for RFC7617 ---"simple-3.0.tar.gz": "/files/simple-3.0.tar.gz",
+++"simple-3.0.tar.gz": "/simple/files/simple-3.0.tar.gz", |
Bumps [pip](https://github.com/pypa/pip) from 22.1.1 to 22.1.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>22.1.2 (2022-05-31)</h1> <h2>Bug Fixes</h2> <ul> <li>Revert <code>[#10979](pypa/pip#10979) <https://github.com/pypa/pip/issues/10979></code>_ since it introduced a regression in certain edge cases. (<code>[#10979](pypa/pip#10979) <https://github.com/pypa/pip/issues/10979></code>_)</li> <li>Fix an incorrect assertion in the logging logic, that prevented the upgrade prompt from being presented. (<code>[#11136](pypa/pip#11136) <https://github.com/pypa/pip/issues/11136></code>_)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/5f12c59f69656cf682cbd20cc1eee880578bce88"><code>5f12c59</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/70c9b36582554e9a306429f1c29cca5c47d7d41c"><code>70c9b36</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11134">#11134</a> from q0w/revert-10998-handle-netrc</li> <li><a href="https://github.com/pypa/pip/commit/0799ceac4c69cd4787ffed48b0afcfae93afe3f1"><code>0799cea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11136">#11136</a> from pradyunsg/fix-upgrade-prompt</li> <li>See full diff in <a href="https://github.com/pypa/pip/compare/22.1.1...22.1.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.1.1&new-version=22.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [pip](https://github.com/pypa/pip) from 22.1.1 to 22.1.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/pip/blob/main/NEWS.rst">pip's changelog</a>.</em></p> <blockquote> <h1>22.1.2 (2022-05-31)</h1> <h2>Bug Fixes</h2> <ul> <li>Revert <code>[#10979](pypa/pip#10979) <https://github.com/pypa/pip/issues/10979></code>_ since it introduced a regression in certain edge cases. (<code>[#10979](pypa/pip#10979) <https://github.com/pypa/pip/issues/10979></code>_)</li> <li>Fix an incorrect assertion in the logging logic, that prevented the upgrade prompt from being presented. (<code>[#11136](pypa/pip#11136) <https://github.com/pypa/pip/issues/11136></code>_)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/pip/commit/5f12c59f69656cf682cbd20cc1eee880578bce88"><code>5f12c59</code></a> Bump for release</li> <li><a href="https://github.com/pypa/pip/commit/70c9b36582554e9a306429f1c29cca5c47d7d41c"><code>70c9b36</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11134">#11134</a> from q0w/revert-10998-handle-netrc</li> <li><a href="https://github.com/pypa/pip/commit/0799ceac4c69cd4787ffed48b0afcfae93afe3f1"><code>0799cea</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/pypa/pip/issues/11136">#11136</a> from pradyunsg/fix-upgrade-prompt</li> <li>See full diff in <a href="https://github.com/pypa/pip/compare/22.1.1...22.1.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pip&package-manager=pip&previous-version=22.1.1&new-version=22.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
22.1.2 (2022-05-31) =================== Bug Fixes --------- - Revert <pypa/pip#10979> since it introduced a regression in certain edge cases. - Fix an incorrect assertion in the logging logic, that prevented the upgrade prompt from being presented. 22.1.1 (2022-05-20) =================== Bug Fixes --------- - Properly filter out optional dependencies (i.e. extras) when checking build environment distributions. - Change the build environment dependency checking to be opt-in. - Allow using a pre-release version to satisfy a build requirement. This helps manually populated build environments to more accurately detect build-time requirement conflicts. 22.1 (2022-05-11) ================= Process ------- - Enable the ``importlib.metadata`` metadata implementation by default on Python 3.11 (or later). The environment variable ``_PIP_USE_IMPORTLIB_METADATA`` can still be used to enable the implementation on 3.10 and earlier, or disable it on 3.11 (by setting it to ``0`` or ``false``). Bug Fixes --------- - Revert <pypa/pip#9243> since it introduced a regression in certain edge cases. - Fix missing ``REQUESTED`` metadata when using URL constraints. - ``pip config`` now normalizes names by converting underscores into dashes.
Description
I have private repository in Google Artifacts Registry.
I am able to install a package using following command without the issue:
Once I create
.netrc
file with another token (for example an invalid one) and run the command again pip is able to find tar.gz link using credentials from url, but it uses ~/.netrc credentials to download it (in this example since token is invalid it fails).Anonymized -vvv output of installation attempt is in Output section.
Expected behavior
Credentials in url should be preffered over .netrc ones.
pip version
22.0.4
Python version
3.7.1
OS
Linux
How to Reproduce
pip install --no-input --no-cache-dir --index-url "https://mylogin:[email protected] my-package
pip uninstall my-package
~/.netrc
file with following content: `machine repo.url login mylogin password fakepasswordpip install --no-input --no-cache-dir --index-url "https://mylogin:[email protected] my-package
and see it failsOutput
Code of Conduct
The text was updated successfully, but these errors were encountered: