
No way to set --index_url without leaking password on error

Open aaron-michaux opened this issue 1 year ago • 6 comments

🐞 bug report

Affected Rule

pip_parse(
    ...
    envsubst = ["PIP_INDEX_URL"],
    extra_pip_args = ["--index-url", "${PIP_INDEX_URL}"],
)

Is this a regression?

No

Description

We have an "index-url" that uses secure credentials. We do not want those credentials to leak into error logs when there's a pip error. However, the combo of setting envsubst and extra_pip_args precisely does this.

(We cannot use bzlmod, so we cannot use the bazel http downloader for python pip.)

🔬 Minimal Reproduction

Any pip_parse rule that errors will print the extra_pip_args.

Note that pip itself is smart enough to ***** out the password on PIP_INDEX_URL.

🔥 Exception or Error


command: ..../bin/python3 -m python.private.pypi.whl_installer.wheel_installer --requirement "..." --extra_pip_args "{\"arg\": [https://username:PASSWORD@someurl/simpl]}" ...

🌍 Your Environment

Operating System:

Linux

Output of bazel version:

Bazelisk version: v1.20.0
Build label: 6.3.2
Build target: .../BazelServer_deploy.jar
...

Rules_python version:

0.35.0

Anything else relevant?

=)

aaron-michaux avatar Sep 07 '24 19:09 aaron-michaux

Would using the bazel downloader as described in the docs work for you in this case? It should hopefully not leak the credentials upon failures, but it is only supported in bzlmod.

aignas avatar Sep 08 '24 12:09 aignas

Alas, we cannot use bzlmod because of complicated dependencies. Maybe in a few years we could.

aaron-michaux avatar Sep 08 '24 16:09 aaron-michaux

bzlmod usage can be incremental - i.e. you could use bzlmod for rules_python but WORKSPACE for the rest. But you know better here.

I thought that when you use the envsubst feature you don't need to specify the --index-url manually anymore? Maybe I am misremembering that part...

aignas avatar Sep 09 '24 01:09 aignas

I tried envsubst without extra_pip_args (i.e., --index-url), however that doesn't work. The docs say that envsubst allows env-variable substitution in extra_pip_args arguments. That is, it allows you to use ["--index-url", "${PIP_INDEX_URL}"], such that PIP_INDEX_URL is read from the environment.

aaron-michaux avatar Sep 09 '24 12:09 aaron-michaux

Have you also tried https://rules-python.readthedocs.io/en/latest/api/rules_python/python/extensions/pip.html#pip.parse.environment?

aignas avatar Sep 11 '24 01:09 aignas

Wouldn't that imply that the password is stored plain text in a WORKSPACE or .bzl file? And checked into git? How would different users have different passwords?

aaron-michaux avatar Sep 11 '24 12:09 aaron-michaux

I think I am inclined to point users to the bazel-downloader and credential-helper support that we have in bzlmod. That should fix the issue of leaking the password.

aignas avatar Nov 13 '24 00:11 aignas

Closing in favor of pointing users to credential-helper: https://rules-python.readthedocs.io/en/latest/pypi-dependencies.html#credential-helper

aignas avatar Mar 01 '25 11:03 aignas