git: allow http auth via dulwich#5567

Merged
abn merged 1 commit into python-poetry:master from abn:git-http-auth
May 8, 2022

Conversation

@abn
Member

@abn abn commented May 8, 2022

This change makes use of existing repository authentication mechanisms to enable http authentication for git dependencies.

HTTP basic authentication for git repositories can now be enabled using these commands.

poetry config repositories.git-repo https://github.com/org/project.git
poetry config http-basic.git-repo username token
poetry add git+https://github.com/org/project.git

Thanks to the improvements in #5518, you can also add organisation or host level tokens by using a shorter url for the repository in config, like https://github.com or https://github.com/org. But do remember that this would apply to all clones - so project specific tokens are better. Alternatively, use poetry config --local.

This builds on top of #5428 and #5518 to enable http basic auth for vcs sources without issues like leaking credentials into the lockfile or pyproject.toml files as with previous attempts in #2169 and python-poetry/poetry-core#115.

Resolves: #2062 #2050
Closes: python-poetry/poetry-core#115

This change makes use of existing repository authentication mechanisms
to enable http authentication for git dependencies.
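The scoping behaviour described above (a full repository URL applies to one clone, while a host- or organisation-level URL applies to every clone beneath it) can be illustrated with a small credential resolver. This is an added example, not poetry's own code: the config dictionaries mirror the `poetry config` commands in the description, the token values are placeholders, and the longest-prefix rule and the https-only check are assumptions about how such a lookup should behave, not a description of poetry's implementation.

```python
"""Added illustration (not poetry's code) of URL-scoped http-basic credential lookup.

Credentials live in config keyed by repository name; the clone URL itself is never
rewritten, so whatever lands in pyproject.toml or poetry.lock stays credential-free.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpBasic:
    username: str
    password: str


# Constructed sample config, mirroring the PR's `poetry config` commands.
# Token values are placeholders, not real secrets.
REPOSITORIES: Dict[str, str] = {
    "git-repo": "https://github.com/org/project.git",   # project-specific
    "org-wide": "https://github.com/org",               # applies to every clone under /org
    "host-wide": "https://github.com",                  # applies to every clone on the host
}
HTTP_BASIC: Dict[str, HttpBasic] = {
    "git-repo": HttpBasic("project-bot", "PROJECT_TOKEN_PLACEHOLDER"),
    "org-wide": HttpBasic("org-bot", "ORG_TOKEN_PLACEHOLDER"),
    "host-wide": HttpBasic("host-bot", "HOST_TOKEN_PLACEHOLDER"),
}


def _normalize(url: str):
    """Split a URL into (scheme, host, path) with trailing '/' and '.git' removed."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return parts.scheme.lower(), parts.netloc.lower(), path


def _matches(config_url: str, clone_url: str) -> bool:
    """True if config_url is a whole-segment prefix of clone_url on the same scheme+host."""
    c_scheme, c_host, c_path = _normalize(config_url)
    t_scheme, t_host, t_path = _normalize(clone_url)
    if (c_scheme, c_host) != (t_scheme, t_host):
        return False
    # Match on whole path segments only, so /org never matches /organisation.
    return t_path == c_path or t_path.startswith(c_path + "/")


def resolve_credentials(
    clone_url: str,
    repositories: Dict[str, str] = REPOSITORIES,
    http_basic: Dict[str, HttpBasic] = HTTP_BASIC,
) -> Optional[HttpBasic]:
    """Return the most specific configured credentials for clone_url, or None.

    Basic-auth secrets are only ever offered over https (assumption of this example).
    """
    if urlsplit(clone_url).scheme.lower() != "https":
        return None
    best_name, best_len = None, -1
    for name, config_url in repositories.items():
        if name in http_basic and _matches(config_url, clone_url):
            path_len = len(_normalize(config_url)[2])
            if path_len > best_len:  # longest matching prefix wins
                best_name, best_len = name, path_len
    return http_basic[best_name] if best_name is not None else None


if __name__ == "__main__":
    for url in (
        "https://github.com/org/project.git",
        "https://github.com/org/other.git",
        "https://github.com/someone/thing.git",
        "https://gitlab.com/org/project.git",
    ):
        creds = resolve_credentials(url)
        print(url, "->", creds.username if creds else None)
```

The point the resolver makes concrete is the one in the description: a host-level entry is convenient but sends the same token to every clone on that host, so a project-scoped entry (or `poetry config --local`) keeps the blast radius of a leaked token small.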
@abn abn requested a review from a team May 8, 2022 19:40
@abn abn marked this pull request as ready for review May 8, 2022 19:48
@abn
Member Author

abn commented May 8, 2022

Opted to reuse repositories here as it made sense to reuse the authenticator for this. There is a possibility that we move this into a "git" specific config section. But as an experimental feature this might be good enough.

@abn abn merged commit 1c1cb92 into python-poetry:master May 8, 2022
@abn abn deleted the git-http-auth branch May 8, 2022 20:06
@jkgenser

jkgenser commented May 9, 2022

Really excited for this commit. Forgive my ignorance of poetry's release cadence. When would this be expected in a release?

@jaklan

jaklan commented Jul 25, 2022

@abn as nicely described in #5955, that MR doesn't fully solve the issue, because it works only when using poetry - if you want to install a given package as a dependency in another, non-poetry project, you are stuck.

In general - leaking credentials is problematic, so the above feature for sure would be useful for poetry-only cases, but leaking deploy tokens with read-only permissions can actually be expected to be able to deal with private git dependencies - especially in internal projects, when you can neither: a) make the repos public, b) enforce proper packaging of dependencies, c) enforce usage of poetry.

Actually, taking into consideration the workaround with specifying the token manually in pyproject.toml seems to work (#2062 (comment)), the issue seems to be related to poetry add itself...

Having said that, I would be glad to hear if you see any other solutions for that issue.

@neersighted
Member

Generally I would avoid bundling private Git deps, and if you have to, SSH keys would be the preferred way to solve this. I'm really not sure that a 'controlled' option to leak credentials into the lockfile (and thus built artifacts) is a good idea as it's incredibly likely to bite more users than it helps.

Also, the 'correct' way to solve this would be uploading your packages to a private registry -- private Git deps is not a great option for this workflow. I do think that just because something is possible as a workflow, doesn't mean it's necessarily a good one. Maybe beefing up our docs to suggest against using Git deps for private packages would be helpful.

Regardless, let's take discussion back to #5955 as this is not a great forum/place for a feature request.
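The thread's recurring concern is credentials embedded in git URLs ending up in pyproject.toml, poetry.lock and the artifacts built from them. A defender-side check for that is a scan of those files for URLs carrying userinfo. This is an added example, not part of the PR or the poetry project: the two file snippets are constructed, the token strings in them are placeholders, and the regex is a general `scheme://userinfo@host` matcher rather than anything poetry-specific.

```python
"""Added example (not poetry's code): flag credentials embedded in URLs inside
pyproject.toml / poetry.lock-style text, reporting them with the secret redacted."""
import re
from typing import List, Tuple

# Constructed sample inputs. Token values are placeholders, not real secrets.
SAMPLE_PYPROJECT = """\
[tool.poetry.dependencies]
python = "^3.9"
leaky = { git = "https://deploy-user:TOKEN_PLACEHOLDER@gitlab.example.com/org/leaky.git" }
clean = { git = "https://gitlab.example.com/org/clean.git" }
"""
SAMPLE_LOCK = """\
[package.source]
type = "git"
url = "https://oauth2:PAT_PLACEHOLDER@github.com/org/project.git"
reference = "main"
"""

# scheme://userinfo@host  -- userinfo may be "user:secret" or a bare token.
# The host group stops at '/', whitespace or a quote so a normal URL never matches.
USERINFO_URL = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^\s/@\"']+)@([^\s/\"']+)", re.I)

Finding = Tuple[str, int, str]  # (filename, line number, redacted URL)


def redact(match: "re.Match") -> str:
    """Rebuild the matched URL prefix with the secret part replaced by '***'."""
    scheme, userinfo, host = match.groups()
    if ":" in userinfo:
        user = userinfo.split(":", 1)[0]
        return f"{scheme}://{user}:***@{host}"
    # A bare token is itself the secret, so hide all of it.
    return f"{scheme}://***@{host}"


def find_embedded_credentials(text: str, filename: str) -> List[Finding]:
    """Return one finding per URL-with-userinfo, never echoing the secret itself."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in USERINFO_URL.finditer(line):
            findings.append((filename, lineno, redact(m)))
    return findings


def scan_all() -> List[Finding]:
    """Scan both constructed samples; a CI job would read the real files instead."""
    return find_embedded_credentials(SAMPLE_PYPROJECT, "pyproject.toml") + \
        find_embedded_credentials(SAMPLE_LOCK, "poetry.lock")


if __name__ == "__main__":
    for filename, lineno, redacted in scan_all():
        print(f"{filename}:{lineno}: credential embedded in URL: {redacted}")
```

Run as a pre-commit or CI step, a non-empty result is the signal that a deploy token has been committed; the report deliberately prints only the redacted URL so the check itself does not spread the secret into build logs.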

@github-actions

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 31, 2024

Development

Successfully merging this pull request may close these issues.

Poetry cannot properly parse URL with Gitlab [deploy tokens]