don't complain about localhost when checking security of index links

pip/index.py

@@ -23,6 +23,7 @@
 __all__ = ['PackageFinder']
 
 
+LOCAL_HOSTNAMES = ('localhost', '127.0.0.1')
 INSECURE_SCHEMES = {
     "http": ["https"],
 }
@@ -185,6 +186,36 @@ def _sort_versions(self, applicable_versions):
             reverse=True
         )
 
+    def _warn_about_insecure_transport_scheme(self, logger, location):
+        # Determine if this url used a secure transport mechanism
+        parsed = urlparse.urlparse(str(location))
+        if parsed.scheme in INSECURE_SCHEMES:
+            secure_schemes = INSECURE_SCHEMES[parsed.scheme]
+
+            if parsed.hostname in LOCAL_HOSTNAMES:
+                # localhost is not a security risk
+                pass
+            elif len(secure_schemes) == 1:
+                ctx = (location, parsed.scheme, secure_schemes[0],
+                       parsed.netloc)
+                logger.warn("%s uses an insecure transport scheme (%s). "
+                            "Consider using %s if %s has it available" %
+                            ctx)
+            elif len(secure_schemes) > 1:
+                ctx = (
+                    location,
+                    parsed.scheme,
+                    ", ".join(secure_schemes),
+                    parsed.netloc,
+                )
+                logger.warn("%s uses an insecure transport scheme (%s). "
+                            "Consider using one of %s if %s has any of "
+                            "them available" % ctx)
+            else:
+                ctx = (location, parsed.scheme)
+                logger.warn("%s uses an insecure transport scheme (%s)." %
+                            ctx)
+
     def find_requirement(self, req, upgrade):
 
         def mkurl_pypi_url(url):
@@ -240,32 +271,7 @@ def mkurl_pypi_url(url):
         logger.debug('URLs to search for versions for %s:' % req)
         for location in locations:
             logger.debug('* %s' % location)
-
-            # Determine if this url used a secure transport mechanism
-            parsed = urlparse.urlparse(str(location))
-            if parsed.scheme in INSECURE_SCHEMES:
-                secure_schemes = INSECURE_SCHEMES[parsed.scheme]
-
-                if len(secure_schemes) == 1:
-                    ctx = (location, parsed.scheme, secure_schemes[0],
-                           parsed.netloc)
-                    logger.warn("%s uses an insecure transport scheme (%s). "
-                                "Consider using %s if %s has it available" %
-                                ctx)
-                elif len(secure_schemes) > 1:
-                    ctx = (
-                        location,
-                        parsed.scheme,
-                        ", ".join(secure_schemes),
-                        parsed.netloc,
-                    )
-                    logger.warn("%s uses an insecure transport scheme (%s). "
-                                "Consider using one of %s if %s has any of "
-                                "them available" % ctx)
-                else:
-                    ctx = (location, parsed.scheme)
-                    logger.warn("%s uses an insecure transport scheme (%s)." %
-                                ctx)
+            self._warn_about_insecure_transport_scheme(logger, location)
 
         found_versions = []
         found_versions.extend(

tests/unit/test_index.py

@@ -106,3 +106,35 @@ def test_ext_query(self):
 )
 def test_base_url(html, url, expected):
     assert HTMLPage(html, url).base_url == expected
+
+
+class MockLogger(object):
+    def __init__(self):
+        self.called = False
+
+    def warn(self, *args, **kwargs):
+        self.called = True
+
+
+class TestInsecureTransport(object):
+    def _assert_call_to_logger(self, location, expected_result):
+        finder = PackageFinder([], [], session=[])
+        logger = MockLogger()
+        finder._warn_about_insecure_transport_scheme(logger, location)
+        assert logger.called == expected_result
+
+    def test_pypi_http(self):
+        location = 'http://pypi.python.org/something'
+        self._assert_call_to_logger(location, expected_result=True)
+
+    def test_pypi_https(self):
+        location = 'https://pypi.python.org/something'
+        self._assert_call_to_logger(location, expected_result=False)
+
+    def test_localhost_http(self):
+        location = 'http://localhost'
+        self._assert_call_to_logger(location, expected_result=False)
+
+    def test_localhost_by_ip(self):
+        location = 'http://127.0.0.1'
+        self._assert_call_to_logger(location, expected_result=False)