fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Implement RFC7617-compliant multi-domain basic authentication

Author: potiuk

src/pip/_internal/network/auth.py

@@ -5,7 +5,8 @@
 """
 
 import urllib.parse
-from typing import Any, List, Optional, Tuple
+from collections import defaultdict
+from typing import Any, Dict, List, Optional, Tuple
 
 from pip._vendor.requests.auth import AuthBase, HTTPBasicAuth
 from pip._vendor.requests.models import Request, Response
@@ -16,6 +17,7 @@
     ask,
     ask_input,
     ask_password,
+    get_scheme_netloc_no_auth,
     remove_auth_from_url,
     split_auth_netloc_from_url,
 )
@@ -76,14 +78,22 @@ def __init__(
     ) -> None:
         self.prompting = prompting
         self.index_urls = index_urls
-        self.passwords: List[Tuple[str, AuthInfo]] = []
+        # we store the AuthInfo lists in dict indexed by the url,
+        # which is both domain (netloc) and scheme.
+        self.passwords: Dict[str, List[Tuple[str, AuthInfo]]] = defaultdict(list)
         # When the user is prompted to enter credentials and keyring is
         # available, we will offer to save them. If the user accepts,
         # this value is set to the credentials they entered. After the
         # request authenticates, the caller should call
         # ``save_credentials`` to save these.
         self._credentials_to_save: Optional[Credentials] = None
 
+    def _add_auth_info_to_dict(self, url: str, auth_info: AuthInfo) -> None:
+        scheme_netloc_no_auth = get_scheme_netloc_no_auth(url)
+        self.passwords[scheme_netloc_no_auth].append(
+            (remove_auth_from_url(url), auth_info)
+        )
+
     def _get_index_url(self, url: str) -> Optional[str]:
         """Return the original index URL matching the requested URL.
 
@@ -191,7 +201,8 @@ def _get_matching_credentials(self, original_url: str) -> Optional[AuthInfo]:
         matched_auth_info = None
         no_auth_url = remove_auth_from_url(original_url)
         parsed_original = urllib.parse.urlparse(no_auth_url)
-        for prefix, auth_info in self.passwords:
+        scheme_netloc_no_auth = get_scheme_netloc_no_auth(original_url)
+        for prefix, auth_info in self.passwords[scheme_netloc_no_auth]:
             parsed_stored = urllib.parse.urlparse(prefix)
             if (
                 parsed_stored.netloc != parsed_original.netloc
@@ -244,7 +255,7 @@ def _get_url_and_credentials(
             password = password or ""
 
             # Store any acquired credentials.
-            self.passwords.append((remove_auth_from_url(url), (username, password)))
+            self._add_auth_info_to_dict(url, (username, password))
 
         assert (
             # Credentials were found
@@ -317,7 +328,7 @@ def handle_401(self, resp: Response, **kwargs: Any) -> Response:
         # Store the new username and password to use for future requests
         self._credentials_to_save = None
         if username is not None and password is not None:
-            self.passwords.append((remove_auth_from_url(resp.url), (username, password)))
+            self._add_auth_info_to_dict(resp.url, (username, password))
 
             # Prompt to save the password to keyring
             if save and self._should_save_password_to_keyring():

src/pip/_internal/utils/misc.py

@@ -507,6 +507,17 @@ def split_auth_netloc_from_url(url: str) -> Tuple[str, str, Tuple[str, str]]:
     return url_without_auth, netloc, auth
 
 
+def get_scheme_netloc_no_auth(url: str) -> str:
+    """
+    Retrieve scheme + netloc with auth info removed
+
+    Returns: str(scheme + netloc without auth info)
+    """
+    url_no_auth = remove_auth_from_url(url)
+    purl = urllib.parse.urlsplit(url_no_auth)
+    return f"{purl.scheme}://{purl.netloc}"
+
+
 def remove_auth_from_url(url: str) -> str:
     """Return a copy of url with 'username:password@' removed."""
     # username/pass params are passed to subversion through flags

tests/unit/test_network_auth.py

@@ -52,7 +52,7 @@ def test_get_credentials_parses_correctly(
         (username is None and password is None)
         or
         # Credentials were found and "cached" appropriately
-        (url, (username, password)) in auth.passwords
+        (url, (username, password)) in auth.passwords["http://example.com"]
     )
 
 
@@ -72,7 +72,7 @@ def test_handle_prompt_for_password_successful() -> None:
     auth._prompt_for_password.assert_called_with("example.com")
     expected = ("http://example.com", ("user", "password"))
     assert len(auth.passwords) == 1
-    assert auth.passwords[0] == expected
+    assert auth.passwords["http://example.com"][0] == expected
 
 
 def test_handle_prompt_for_password_unsuccessful() -> None:
@@ -94,7 +94,7 @@ def test_handle_prompt_for_password_unsuccessful() -> None:
 
 def test_get_credentials_not_to_uses_cached_credentials() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com", ("user", "pass")))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass"))
 
     got = auth._get_url_and_credentials("http://foo:[email protected]/path")
     expected = ("http://example.com/path", "foo", "bar")
@@ -103,7 +103,7 @@ def test_get_credentials_not_to_uses_cached_credentials() -> None:
 
 def test_get_credentials_not_to_use_cached_credentials_only_username() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("https://example.com", ("user", "pass")))
+    auth._add_auth_info_to_dict("https://example.com", ("user", "pass"))
 
     got = auth._get_url_and_credentials("https://[email protected]/path")
     expected = ("https://example.com/path", "foo", "")
@@ -112,8 +112,8 @@ def test_get_credentials_not_to_use_cached_credentials_only_username() -> None:
 
 def test_multi_domain_credentials_match() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com", ("user", "pass")))
-    auth.passwords.append(("http://example.com/path", ("user", "pass2")))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass"))
+    auth._add_auth_info_to_dict("http://example.com/path", ("user", "pass2"))
 
     got = auth._get_url_and_credentials("http://[email protected]/path")
     expected = ("http://example.com/path", "user", "pass2")
@@ -122,9 +122,9 @@ def test_multi_domain_credentials_match() -> None:
 
 def test_multi_domain_credentials_longest_match() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com", ("user", "pass")))
-    auth.passwords.append(("http://example.com/path", ("user", "pass2")))
-    auth.passwords.append(("http://example.com/path/subpath", ("user", "pass3")))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass"))
+    auth._add_auth_info_to_dict("http://example.com/path", ("user", "pass2"))
+    auth._add_auth_info_to_dict("http://example.com/path/subpath", ("user", "pass3"))
 
     got = auth._get_url_and_credentials("http://[email protected]/path")
     expected = ("http://example.com/path", "user", "pass2")
@@ -133,7 +133,7 @@ def test_multi_domain_credentials_longest_match() -> None:
 
 def test_multi_domain_credentials_partial_match_only() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com/path1", ("user", "pass")))
+    auth._add_auth_info_to_dict("http://example.com/path1", ("user", "pass"))
 
     got = auth._get_url_and_credentials("http://example.com/path2")
     expected = ("http://example.com/path2", None, None)
@@ -142,7 +142,7 @@ def test_multi_domain_credentials_partial_match_only() -> None:
 
 def test_get_credentials_uses_cached_credentials() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("https://example.com", ("user", "pass")))
+    auth._add_auth_info_to_dict("https://example.com", ("user", "pass"))
 
     got = auth._get_url_and_credentials("https://example.com/path")
     expected = ("https://example.com/path", "user", "pass")
@@ -151,7 +151,7 @@ def test_get_credentials_uses_cached_credentials() -> None:
 
 def test_get_credentials_not_uses_cached_credentials_different_scheme_http() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com", ("user", "pass")))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass"))
 
     got = auth._get_url_and_credentials("https://example.com/path")
     expected = ("https://example.com/path", None, None)
@@ -160,7 +160,7 @@ def test_get_credentials_not_uses_cached_credentials_different_scheme_http() ->
 
 def test_get_credentials_not_uses_cached_credentials_different_scheme_https() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("https://example.com", ("user", "pass")))
+    auth._add_auth_info_to_dict("https://example.com", ("user", "pass"))
 
     got = auth._get_url_and_credentials("http://example.com/path")
     expected = ("http://example.com/path", None, None)
@@ -169,7 +169,7 @@ def test_get_credentials_not_uses_cached_credentials_different_scheme_https() ->
 
 def test_get_credentials_uses_cached_credentials_only_username() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com", ("user", "pass")))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass"))
 
     got = auth._get_url_and_credentials("http://[email protected]/path")
     expected = ("http://example.com/path", "user", "pass")
@@ -178,7 +178,7 @@ def test_get_credentials_uses_cached_credentials_only_username() -> None:
 
 def test_get_credentials_uses_cached_credentials_wrong_username() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com", ("user", "pass")))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass"))
 
     got = auth._get_url_and_credentials("http://[email protected]/path")
     expected = ("http://example.com/path", "user2", "")
@@ -187,8 +187,8 @@ def test_get_credentials_uses_cached_credentials_wrong_username() -> None:
 
 def test_get_credentials_added_multiple_times() -> None:
     auth = MultiDomainBasicAuth()
-    auth.passwords.append(("http://example.com", ("user", "pass")))
-    auth.passwords.append(("http://example.com", ("user", "pass2")))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass"))
+    auth._add_auth_info_to_dict("http://example.com", ("user", "pass2"))
 
     got = auth._get_url_and_credentials("http://[email protected]/path")
     expected = ("http://example.com/path", "user", "pass")