
Authentication for index-url not being used #1458

Closed
inigohidalgo opened this issue Feb 16, 2024 · 13 comments
Labels
bug Something isn't working registry Related to package indexes and registries


@inigohidalgo

inigohidalgo commented Feb 16, 2024

I am running

uv pip install package-name --index-url https://username:personalaccesstoken@pkgs.dev.azure.com/[redacted]/pypi/simple/

It is being correctly parsed:

parse url=Url { scheme: "https", cannot_be_a_base: false, username: "username", password: Some("personalaccesstoken"), host: Some(Domain("pkgs.dev.azure.com")), port: None, path: "/[redacted]/pypi/simple/package-name/", query: None, fragment: None }

But then when it goes to query the index, it seems to not be using the user and password:

uv_client::cached_client::fresh_request url="https://pkgs.dev.azure.com/[redacted]-py3-none-any.whl#sha256=[redacted]"

Which results in the error

Caused by: HTTP status client error (405 Method Not Allowed) for url (https://pkgs.dev.azure.com/[redacted]-py3-none-any.whl#sha256=[redacted])
@inigohidalgo
Author

Just saw #1371, probably the same issue. I get the same 405, and my feed is also azure artifacts. Feel free to close in favor of that one.

Adding an additional datapoint since I just saw #1388

From what I can tell, that isn't the issue here, as the URLs queried from pip and from uv seem to be the same, except for the extra sha at the end which shouldn't make a difference.

uv

https://pkgs.dev.azure.com/[my-org]/_packaging/[redacted]/pypi/download/pdm/2.12.3/pdm-2.12.3-py3-none-any.whl#sha256=27eddf71434906e39db3f448d35ea5ee1f4d0f557de39fc932205f7dfc82f902

pip

https://pkgs.dev.azure.com/[my-org]/_packaging/[redacted]/pypi/download/pdm/2.12.3/pdm-2.12.3-py3-none-any.whl

@inigohidalgo
Author

@VMRuiz what does your PIP_EXTRA_INDEX_URL look like? Do you use a personal access token or are you using keyring for authentication with the artifacts feed?

I get your 401 Unauthorized when I pass the index_url like this https://pkgs.dev.azure.com/[my-org]/_packaging/[my-feed]/pypi/simple/

But when I supply the personal access token like in my OP, the error is the 405.

In your case, it seems to be failing at an earlier step (process_request request=Prefetch pdm *), which seems to be working fine when I supply the PAT, and instead it is failing in a later step, trying to download a specific wheel.

@VMRuiz

VMRuiz commented Feb 16, 2024

My PIP_EXTRA_INDEX_URL is like: https://username:password@url . However, I'm not using Azure but https://github.com/chriskuehl/dumb-pypi as PyPI index. Sorry for the confusion.

@datajoely

Also seeing this with JFrog PyPI indexes

@charliermarsh
Member

Thanks! Will take a look.

@zanieb zanieb added registry Related to package indexes and registries bug Something isn't working labels Feb 16, 2024
@mfurquimdev

I think I'm having the same issues when trying to fetch packages from a private PyPI server. I get 401 Unauthorized when using --index-url, even though PYPI_USER and PYPI_PASS are correctly being resolved.

I have nothing at PIP_EXTRA_INDEX_URL.

$ uv pip compile --verbose --index-url="https://${PYPI_USER}:${PYPI_PASS}@pypi.voltaware.com/simple" pyproject.toml --output-file=requirements.txt
[...]
uv_client::html::parse url=Url { scheme: "https", cannot_be_a_base: false, username: "correct-username", password: Some("correct-password"), host: Some(Domain("pypi.voltaware.com")), port: None, path: "/simple/[redacted]/", query: None, fragment: None }
[...]
error: Failed to download: [redacted]
  Caused by: The wheel [redacted]-py3-none-any.whl is not a valid zip file
  Caused by: an upstream reader returned an error: io error occurred: HTTP status client error (401 Unauthorized) for url (https://pypi.voltaware.com/packages/[redacted]-py3-none-any.whl#sha256=[redacted])
  Caused by: io error occurred: HTTP status client error (401 Unauthorized) for url (https://pypi.voltaware.com/packages/[redacted]-py3-none-any.whl#sha256=[redacted])
  Caused by: HTTP status client error (401 Unauthorized) for url (https://pypi.voltaware.com/packages/[redacted]-py3-none-any.whl#sha256=[redacted])

@J3ronimo

J3ronimo commented Feb 17, 2024

Same here. I have user and token in a GitLab URL passed with uv pip install --extra-index-url ..., which makes it find the package (so the credentials must be OK), but then fails with

error: Failed to download: ...
  Caused by: HTTP status client error (401 Unauthorized) for url {url}

where url is missing the url-encoded credentials now. Can't say if they were sent in HTTP headers though.
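
The failure described in the comments above (credentials present on the index URL, absent on the request for the wheel) comes down to deciding which requests inherit the index credentials. As an added example, not code from uv or from any commenter: one policy, assumed here, is to reuse them only for file links on the same scheme, host and port. The `example.test` URLs, the credentials and all function names are constructed.

```rust
// Added example (not uv's code). Hand-rolled parsing of http(s) URLs only;
// IPv6 literals fail closed and userinfo is not percent-decoded.
#[derive(Debug, PartialEq)]
struct Origin { scheme: String, host: String, port: u16 }

/// Split a URL into its origin and optional (user, password).
fn split_url(url: &str) -> Option<(Origin, Option<(String, String)>)> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    let default_port: u16 = match scheme.as_str() {
        "https" => 443, "http" => 80, _ => return None,
    };
    // The authority ends at the first '/', '?' or '#', so an '@' in the path is ignored.
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    // Userinfo ends at the LAST '@' inside the authority.
    let (userinfo, hostport) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u), h),
        None => (None, authority),
    };
    let (host, port) = match hostport.rsplit_once(':') {
        Some((h, p)) => (h, p.parse::<u16>().ok()?),
        None => (hostport, default_port),
    };
    if host.is_empty() { return None; }
    let creds = userinfo.map(|u| {
        let (user, pass) = u.split_once(':').unwrap_or((u, ""));
        (user.to_string(), pass.to_string())
    });
    Some((Origin { scheme, host: host.to_ascii_lowercase(), port }, creds))
}

/// Credentials to send when fetching `file_url`, a link found on `index_url`.
/// Userinfo on the file URL wins; index credentials are reused only same-origin.
fn credentials_for(index_url: &str, file_url: &str) -> Option<(String, String)> {
    let (index_origin, index_creds) = split_url(index_url)?;
    let (file_origin, file_creds) = split_url(file_url)?;
    if file_creds.is_some() { return file_creds; }
    if index_origin == file_origin { index_creds } else { None }
}

fn main() {
    // Constructed sample URLs with placeholder credentials.
    let index = "https://user:token@pypi.example.test/simple/";
    let same = "https://pypi.example.test/packages/pkg-1.0-py3-none-any.whl#sha256=abc";
    let other = "https://cdn.example.test/packages/pkg-1.0-py3-none-any.whl";
    println!("same origin:  {:?}", credentials_for(index, same));
    println!("other origin: {:?}", credentials_for(index, other));
}
```

Sending the result as an `Authorization` header rather than re-embedding it in the URL keeps the secret out of logged request URLs.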

@olivierlefloch
Contributor

I believe the issue for Azure Artifacts is that uv runs HEAD requests, which Azure Artifacts does not seem to allow. I've confirmed this behavior via proxying of uv requests / replaying via curl. Authenticated GET requests with --index-url specified work, but HEAD requests are failing. Here's a sample session:

❯ python3 -m uv pip install --index-url=https://REDACTED:REDACTED@pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/simple/ --upgrade --verbose -r requirements/dev.txt 2>&1 | grep private-package
        0.131560s   0ms DEBUG uv_resolver::resolver Adding direct dependency: private-package==REDACTED
 uv_resolver::resolver::process_request request=Versions private-package
   uv_client::registry_client::simple_api package=private-package
       uv_client::cached_client::read_and_parse_cache file=/Users/olivierlefloch/Library/Caches/uv/simple-v1/REDACTED/private-package.REDACTED
        0.133447s   2ms DEBUG uv_resolver::resolver Adding direct dependency: private-package==REDACTED
          0.133694s   0ms WARN uv_client::cached_client Broken cache entry at /Users/olivierlefloch/Library/Caches/uv/simple-v1/REDACTED/private-package.REDACTED, removing: failed to open file `/Users/olivierlefloch/Library/Caches/uv/simple-v1/REDACTED/private-package.REDACTED`
          0.136200s   2ms DEBUG uv_client::cached_client No cache entry for: https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/simple/private-package/
       uv_client::cached_client::fresh_request url="https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/simple/private-package/"
        0.635864s 504ms DEBUG uv_resolver::resolver Adding direct dependency: private-package==REDACTED
       uv_client::cached_client::new_cache file=/Users/olivierlefloch/Library/Caches/uv/simple-v1/REDACTED/private-package.REDACTED
       uv_client::registry_client::parse_simple_api package=private-package
         uv_client::html::parse url=https://REDACTED:REDACTED@pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/simple/private-package/
 uv_resolver::resolver::process_request request=Prefetch private-package ==REDACTED
   uv_distribution::distribution_database::get_or_build_wheel_metadata dist=private-package==REDACTED
     uv_client::registry_client::wheel_metadata built_dist=private-package==REDACTED
           uv_client::cached_client::read_and_parse_cache file=/Users/olivierlefloch/Library/Caches/uv/wheels-v0/index/REDACTED/private-package/private_package-REDACTED-py3-none-any.msgpack
              0.756403s   0ms WARN uv_client::cached_client Broken cache entry at /Users/olivierlefloch/Library/Caches/uv/wheels-v0/index/REDACTED/private-package/private_package-REDACTED-py3-none-any.msgpack, removing: failed to open file `/Users/olivierlefloch/Library/Caches/uv/wheels-v0/index/REDACTED/private-package/private_package-REDACTED-py3-none-any.msgpack`
              0.756439s   0ms DEBUG uv_client::cached_client No cache entry for: https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/download/private-package/REDACTED/private_package-REDACTED-py3-none-any.whl#sha256=REDACTED
           uv_client::cached_client::fresh_request url="https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/download/private-package/REDACTED/private_package-REDACTED-py3-none-any.whl#sha256=REDACTED"
error: Failed to download: private-package==REDACTED
  Caused by: HTTP status client error (405 Method Not Allowed) for url (https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/download/private-package/REDACTED/private_package-REDACTED-py3-none-any.whl#sha256=REDACTED)

The failed HEAD request looks like:

HEAD https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/download/private-package/1.2.3/private-package-1.2.3-cp310-cp310-macosx_11_0_arm64.whl

I imagine that the HEAD call in wheel_metadata_no_pep658 here:

https://github.com/astral-sh/uv/blob/main/crates/uv-client/src/registry_client.rs#L441

might be related, with the error handling in is_http_range_requests_unsupported (`pub(crate) fn is_http_range_requests_unsupported(&self) -> bool {`) perhaps not covering this case? I was unable to find relevant Azure Artifacts documentation to explain / justify this behavior.

It seems there may be a couple of other issues reported in this thread however. I'd suggest splitting the conversation here perhaps, between Azure Artifacts specific issues and the perhaps more general 401 / Auth issues others seem to be encountering.
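
The status handling discussed in the comment above, as an added example that is not uv's code: a refused HEAD probe (405) falls back to a plain GET, while 401/403 are reported instead of being masked by the fallback. `Registry`, `Plan` and the function names are hypothetical, and the `Accept-Ranges` check is an assumption of this example.

```rust
// Added example, not uv's code. `Registry` is a constructed stand-in for an index.
#[derive(Debug, PartialEq)]
enum Plan {
    RangeRequests, // read only the needed bytes of the wheel
    FullDownload,  // plain GET of the whole wheel
}

/// Constructed model of a registry: how it answers HEAD and whether it needs auth.
struct Registry { allows_head: bool, supports_ranges: bool, requires_auth: bool }

impl Registry {
    /// Returns (status, Accept-Ranges header) for a request.
    fn respond(&self, method: &str, authed: bool) -> (u16, Option<&'static str>) {
        if method == "HEAD" && !self.allows_head { return (405, None); }
        if self.requires_auth && !authed { return (401, None); }
        (200, if self.supports_ranges { Some("bytes") } else { None })
    }
}

/// Turn the HEAD probe result into a plan, or an error status to report.
fn plan_from_probe(status: u16, accept_ranges: Option<&str>) -> Result<Plan, u16> {
    let ranges_ok = accept_ranges.map_or(false, |v| v.trim().eq_ignore_ascii_case("bytes"));
    match status {
        200..=299 if ranges_ok => Ok(Plan::RangeRequests),
        200..=299 => Ok(Plan::FullDownload),
        // The method was refused, which says nothing about GET: fall back.
        405 => Ok(Plan::FullDownload),
        // 401/403 and the rest are real failures; a fallback would only hide them.
        other => Err(other),
    }
}

/// Probe with HEAD, then confirm that the fallback GET is actually accepted.
fn fetch_wheel(reg: &Registry, authed: bool) -> Result<Plan, u16> {
    let (status, ranges) = reg.respond("HEAD", authed);
    let plan = plan_from_probe(status, ranges)?;
    if plan == Plan::FullDownload {
        let (get_status, _) = reg.respond("GET", authed);
        if !(200..=299).contains(&get_status) { return Err(get_status); }
    }
    Ok(plan)
}

fn main() {
    // Constructed registry that refuses HEAD and requires auth, as reported in this thread.
    let azure_like = Registry { allows_head: false, supports_ranges: false, requires_auth: true };
    println!("no credentials:   {:?}", fetch_wheel(&azure_like, false));
    println!("with credentials: {:?}", fetch_wheel(&azure_like, true));
}
```

With the 405 fallback in place and no credentials on the GET, the modelled registry yields 401, the same progression from 405 to 401 reported in this thread.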

@zanieb
Member

zanieb commented Feb 19, 2024

Thanks for the information! cc @charliermarsh who was just working with this code.

olivierlefloch added a commit to olivierlefloch/uv that referenced this issue Feb 19, 2024
…llowed

Azure Artifacts does not allow HEAD requests when attempting to download packages. This expands error handling in `is_http_range_requests_unsupported` to identify HTTP 405 (Method Not Allowed) error codes, and return `true` (i.e. Range requests will not be supported). This partially addresses astral-sh#1458 – after this change, Azure Artifacts downloads still fail, but due to 401 Not Authorized instead of 405 Method Not Allowed.
@inigohidalgo
Author

there may be a couple of other issues reported in this thread however
@olivierlefloch

Yeah, I've seen the two different error codes:

@charliermarsh
Member

Ahh thank you, ok, I can take this one.

@olivierlefloch
Contributor

@charliermarsh after working around the 405 issue on Azure Artifacts, I'm getting a 401 error:

#1713

charliermarsh pushed a commit that referenced this issue Feb 19, 2024
…llowed (#1713)

## Summary

Azure Artifacts does not allow HEAD requests when attempting to download
packages. This expands error handling in
`is_http_range_requests_unsupported` to identify HTTP 405 (Method Not
Allowed) error codes, and return `true` (i.e. Range requests will not be
supported). This partially addresses #1458 – after this change, Azure
Artifacts downloads still fail, but due to 401 Not Authorized instead of
405 Method Not Allowed.

## Test Plan

I ran something akin to

```
RUST_LOG=trace cargo run -- pip install --index-url=https://REDACTED:REDACTED@pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/simple/ --upgrade --verbose private-package
```

without this code, and got a 405 failure:

```
error: Failed to download: private-package==1.2.3
  Caused by: HTTP status client error (405 Method Not Allowed) for url (https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/download/private-package/1.2.3/private_package-1.2.3-py3-none-any.whl#sha256=REDACTED)
```

with this code, I get a 401 failure:

```
error: Failed to download: private-package==1.2.3
Caused by: HTTP status client error (401 Unauthorized) for url
(https://pkgs.dev.azure.com/REDACTED/_packaging/REDACTED/pypi/download/private-package/1.2.3/private_package-1.2.3-py3-none-any.whl#sha256=REDACTED)
```

## Caveats

I'm not seeing a non HEAD request being reported as being fired, so I'm not sure I'm doing this correctly!
@charliermarsh charliermarsh removed their assignment Feb 19, 2024
@charliermarsh
Member

I'm gonna merge this into #1371.

@charliermarsh closed this as not planned Feb 19, 2024