pipenv
Not passing port to trusted-host
Issue description
When source url contains a port and verify_ssl is false, the port is not passed to pip in the trusted-host cli flag.
13:29 $ pipenv install --dev --verbose
Pipfile.lock (876e1b) out of date, updating to (8ef06c)…
Locking [dev-packages] dependencies…
✘ Locking Failed!
Using pip: -i https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple --trusted-host repo1.lab.com
[[source]]
name = "artifactory"
url = "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple"
verify_ssl = false
Expected result
The port should be passed through to pip in the trusted-host cli flag like --trusted-host repo1.lab.com:8443
$ pipenv --support
Pipenv version: '2018.11.26'
Pipenv location: '/home/developer/.local/lib/python3.6/site-packages/pipenv'
Python location: '/usr/bin/python3'
Python installations found:
3.6.7: /usr/bin/python3.6m
3.6.7: /usr/bin/python3
2.7.15rc1: /usr/bin/python
Contents of Pipfile ('/project/Pipfile'):
[[source]]
name = "artifactory"
url = "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple"
verify_ssl = false
port = "8443"
[global]
trusted-host = "repo1.lab.com:8443"
[requires]
python_version = "3.6"
[dev-packages]
pylint = "*"
pep8 = "*"
autopep8 = "*"
python-githooks = "*"
[packages]
docker = "*"
IIRC, --trusted-host repo1.lab.com is enough to do the trick.
It's not. I ran pip manually and got the same thing unless I include the port in the trusted host flag.
But I did a simple test that shows it works
$ pip install -i http://localtest.me:8080 urllib3 --trusted-host localtest.me:8080
Looking in indexes: http://localtest.me:8080
Collecting urllib3
The repository located at localtest.me is not a trusted or secure host and is being ignored. If this repository is available via HTTPS we recommend you use HTTPS instead, otherwise you may silence this warning and allow it anyway with '--trusted-host localtest.me'.
Could not find a version that satisfies the requirement urllib3 (from versions: )
No matching distribution found for urllib3
You are using pip version 19.0.3, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
$ pip install -i http://localtest.me:8080 urllib3 --trusted-host localtest.me
Looking in indexes: http://localtest.me:8080
Collecting urllib3
Downloading http://localtest.me:8080/packages/urllib3-1.25.3-py2.py3-none-any.whl (150kB)
100% |████████████████████████████████| 153kB 56.3MB/s
Installing collected packages: urllib3
Successfully installed urllib3-1.25.3
You are using pip version 19.0.3, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
I'll have to try again on Monday once I'm back in the office.
On Fri, Jul 12, 2019, 20:46 Frost Ming [email protected] wrote:
But I did a simple test that shows it works
After some experiments with verbose output, I found that there is some inconsistency between install and locking phases: installation carries the port in --trusted-host while locking doesn't.
- http + port: installation failed ❌ with pip complaining the trusted-host should be sans-port. Locking succeeded ✅.
- https + port: installation succeeded ✅ while locking failed ❌ with an SSL error.
After patching installation to not carry the port:
- http + port: installation ✅ and locking ✅ both succeeded.
- https + port: installation ❌ and locking ❌ both failed.
The pip trusted-host checking logic is problematic and should be fixed. Submitted a report to upstream: https://github.com/pypa/pip/issues/6705
@patrickhousley Let us know if you can verify this has been fixed on latest pipenv version.
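The expected result from the report, as an added example that is not pipenv's own code: one helper derives the --trusted-host value (port included) from a [[source]] url, intended to be shared by the install and locking paths so the two cannot diverge. The function names and the sample dict are assumptions; how a given pip version matches the port is the subject of the upstream report linked above.

```python
from urllib.parse import urlsplit


def trusted_host_for(url):
    """Return 'host[:port]' for --trusted-host, keeping an explicit port.

    Userinfo (user:password@) is dropped so credentials are not repeated
    in the flag value.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        raise ValueError("source url has no host: %r" % url)
    if ":" in host:              # IPv6 literal: restore the brackets
        host = "[%s]" % host
    port = parts.port            # None when the url carries no port
    return "%s:%d" % (host, port) if port is not None else host


def pip_source_args(source):
    """Build pip index arguments for one Pipfile [[source]] entry.

    Hypothetical helper: calling the same function from the install and the
    locking code paths keeps them from disagreeing about the port.
    """
    args = ["-i", source["url"]]
    # Only sources that opt out of verification get a trusted-host entry,
    # and the entry is scoped to the exact host:port taken from the url.
    if not source.get("verify_ssl", True):
        args += ["--trusted-host", trusted_host_for(source["url"])]
    return args


# Constructed sample mirroring the [[source]] block in the report.
SAMPLE = {
    "name": "artifactory",
    "url": "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple",
    "verify_ssl": False,
}

if __name__ == "__main__":
    print(" ".join(pip_source_args(SAMPLE)))
```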