Not passing port to trusted-host #3841

Open
patrickhousley opened this issue Jul 12, 2019 · 5 comments

@patrickhousley

commented Jul 12, 2019

Issue description

When the source URL contains a port and verify_ssl is false, the port is not passed to pip in the trusted-host CLI flag.

13:29 $ pipenv install --dev --verbose
Pipfile.lock (876e1b) out of date, updating to (8ef06c)…
Locking [dev-packages] dependencies…
✘ Locking Failed! 
Using pip: -i https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple --trusted-host repo1.lab.com

[[source]]
name = "artifactory"
url = "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple"
verify_ssl = false

Expected result

The port should be passed through to pip in the trusted-host CLI flag, like --trusted-host repo1.lab.com:8443


$ pipenv --support

Pipenv version: '2018.11.26'

Pipenv location: '/home/developer/.local/lib/python3.6/site-packages/pipenv'

Python location: '/usr/bin/python3'

Python installations found:

  • 3.6.7: /usr/bin/python3.6m
  • 3.6.7: /usr/bin/python3
  • 2.7.15rc1: /usr/bin/python

Contents of Pipfile ('/project/Pipfile'):

[[source]]
name = "artifactory"
url = "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple"
verify_ssl = false
port = "8443"

[global]
trusted-host = "repo1.lab.com:8443"

[requires]
python_version = "3.6"

[dev-packages]
pylint = "*"
pep8 = "*"
autopep8 = "*"
python-githooks = "*"

[packages]
docker = "*"

@frostming
Collaborator

commented Jul 13, 2019

IIRC, --trusted-host repo1.lab.com is enough to do the trick.

@patrickhousley
Author

commented Jul 13, 2019

It's not. I ran pip manually and get the same thing unless I include the port in the trusted host flag.

@frostming
Collaborator

commented Jul 13, 2019

But I did a simple test that shows it works:

$ pip install -i http://localtest.me:8080 urllib3 --trusted-host localtest.me:8080
Looking in indexes: http://localtest.me:8080
Collecting urllib3
  The repository located at localtest.me is not a trusted or secure host and is being ignored. If this repository is available via HTTPS we recommend you use HTTPS instead, otherwise you may silence this warning and allow it anyway with '--trusted-host localtest.me'.
  Could not find a version that satisfies the requirement urllib3 (from versions: )
No matching distribution found for urllib3
You are using pip version 19.0.3, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

$ pip install -i http://localtest.me:8080 urllib3 --trusted-host localtest.me
Looking in indexes: http://localtest.me:8080
Collecting urllib3
  Downloading http://localtest.me:8080/packages/urllib3-1.25.3-py2.py3-none-any.whl (150kB)
    100% |████████████████████████████████| 153kB 56.3MB/s
Installing collected packages: urllib3
Successfully installed urllib3-1.25.3
You are using pip version 19.0.3, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

@patrickhousley
Author

commented Jul 13, 2019

@frostming
Collaborator

commented Jul 13, 2019

After some experiments with verbose output, I found that there is some inconsistency between the install and locking phases: installation carries the port in --trusted-host while locking doesn't.

  1. http + port: installation failed, with pip complaining the trusted-host should be sans-port. Locking succeeded.
  2. https + port: installation succeeded while locking failed with an SSL error.

After patching installation to not carry the port:

  1. http + port: installation and locking both succeeded.
  2. https + port: installation and locking both failed.

The pip trusted-host checking logic is problematic and should be fixed. Submitted a report to upstream: pypa/pip#6705
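
An added illustration of the matching behaviour discussed in this thread (not code from pipenv, pip, or either commenter): `host_only_match` models the hostname-only comparison that the pip 19.0.3 transcript above shows for an HTTP index, and `port_aware_match` is one assumed alternative in which `host` trusts every port and `host:port` trusts only that port. All function names are hypothetical, and IPv6 literals are out of scope.

```python
"""Added example: deriving and matching --trusted-host values (hypothetical helpers)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def trusted_host_for(source_url, keep_port=True):
    """Build a --trusted-host value from a Pipfile [[source]] url."""
    parts = urlsplit(source_url)
    if not parts.hostname:
        raise ValueError(f"no host in source url: {source_url!r}")
    if keep_port and parts.port is not None:
        return f"{parts.hostname}:{parts.port}"
    return parts.hostname


def host_only_match(index_url, trusted_hosts):
    """Model of the HTTP transcript: the URL's bare hostname must equal an entry."""
    return urlsplit(index_url).hostname in trusted_hosts


def _split_entry(entry):
    """Split 'host[:port]' into (host, port or None); IPv6 is not handled."""
    name, sep, port = entry.lower().rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return entry.lower(), None


def port_aware_match(index_url, trusted_hosts):
    """Assumed alternative: 'host' trusts any port, 'host:port' only that one."""
    parts = urlsplit(index_url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    for entry in trusted_hosts:
        name, entry_port = _split_entry(entry)
        if name == parts.hostname and entry_port in (None, port):
            return True
    return False


if __name__ == "__main__":
    # URL taken from the HTTP transcript in the thread.
    url = "http://localtest.me:8080"
    for entry in (trusted_host_for(url), trusted_host_for(url, keep_port=False)):
        print(entry, host_only_match(url, [entry]), port_aware_match(url, [entry]))
```

Under the port-aware rule, a `host:port` entry limits the certificate-verification exemption to the one index service instead of every port on that host.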
