Pipenv: Extra Index Url Authentication is Interactive Even When Specified

Created on 4 Dec 2017  ·  3Comments  ·  Source: pypa/pipenv

Authentication for extra index URLs requests user-interactive authentication even when authentication is specified in the extra index URL itself.

Describe your environment
  1. Arch Linux
  2. Python version: Python 3.6.3
  3. Pipenv version: pipenv, version 8.3.2
Expected result

When I add a [[source]] with a URL that has authentication information (e.g. https://user:password@host/pypi/simple), authentication information should not be requested.

Actual result
$ pipenv lock --verbose
Locking [dev-packages] dependencies…
Using pip: -i https://pypi.python.org/simple --extra-index-url https://xxxUSERxxx:xxxPASSWORDxxx@xxxHOSTxxx/xxxPATHxxx/pypi/simple

                          ROUND 1
Current constraints:
  xxx
  xxx
  xxx

Finding the best candidates:
User for xxxxxxxx:

This then waits for user input.

Steps to replicate
  1. Add a [[source]] to the Pipfile with a URL that requires basic http auth.
  2. Add a package to the Pipfile that uses the specified index (e.g. package_name: {version="*", index="index_name"}.
  3. Run pipenv lock.
picture Californian

Most helpful comment

Sorry, this is not a pipenv issue; it happens even with normal pip outside of the virtualenv.

FYI, for anyone wondering how to use private pip repos with CI and docker, you'll have to use the PIP_EXTRA_INDEX_URL environment variable with authentication. This can be done for local testing with a .env file that isn't checked into a VCS, and remotely with whatever your CI tool uses for environment variable definition (usually in GUI or CLI settings for the repo). If you are using docker, you can then inject this with a --build-arg YOUR_ARG_KEY=$YOUR_ENV_VAR. I would add this to the relevant issue (#1020), but it was closed for some reason.

picture Californian on 4 Dec 2017
👍4

All 3 comments

Sorry, this is not a pipenv issue; it happens even with normal pip outside of the virtualenv.

FYI, for anyone wondering how to use private pip repos with CI and docker, you'll have to use the PIP_EXTRA_INDEX_URL environment variable with authentication. This can be done for local testing with a .env file that isn't checked into a VCS, and remotely with whatever your CI tool uses for environment variable definition (usually in GUI or CLI settings for the repo). If you are using docker, you can then inject this with a --build-arg YOUR_ARG_KEY=$YOUR_ENV_VAR. I would add this to the relevant issue (#1020), but it was closed for some reason.

Californian picture Californian on 4 Dec 2017
👍4

@Californian thanks for the relevant update, I'll add a link

techalchemy picture techalchemy on 5 Dec 2017

@Californian OT here, but using --build-arg for secrets is not good. You can actually get the secret from the build history; try docker history <image> and you'll see it there.

rca picture rca on 15 Dec 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jacek-jablonski picture jacek-jablonski  ·  3Comments
bgjelstrup picture bgjelstrup  ·  3Comments
ansrivas picture ansrivas  ·  3Comments
marc-fez picture marc-fez  ·  3Comments
jeyraof picture jeyraof  ·  3Comments