Not passing port to trusted-host #3841

Closed
patrickhousley opened this issue Jul 12, 2019 · 6 comments
Labels
Status: Awaiting Update ⏳ This issue requires more information before assistance can be provided. Type: Possible Bug This issue describes a possible bug in pipenv.

Comments

patrickhousley commented Jul 12, 2019

Issue description

When the source URL contains a port and verify_ssl is false, the port is not passed to pip in the trusted-host CLI flag.

13:29 $ pipenv install --dev --verbose
Pipfile.lock (876e1b) out of date, updating to (8ef06c)…
Locking [dev-packages] dependencies…
✘ Locking Failed! 
Using pip: -i https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple --trusted-host repo1.lab.com

[[source]]
name = "artifactory"
url = "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple"
verify_ssl = false

Expected result

The port should be passed through to pip in the trusted-host CLI flag, like --trusted-host repo1.lab.com:8443.


$ pipenv --support

Pipenv version: '2018.11.26'

Pipenv location: '/home/developer/.local/lib/python3.6/site-packages/pipenv'

Python location: '/usr/bin/python3'

Python installations found:

  • 3.6.7: /usr/bin/python3.6m
  • 3.6.7: /usr/bin/python3
  • 2.7.15rc1: /usr/bin/python

Contents of Pipfile ('/project/Pipfile'):

[[source]]
name = "artifactory"
url = "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple"
verify_ssl = false
port = "8443"

[global]
trusted-host = "repo1.lab.com:8443"

[requires]
python_version = "3.6"

[dev-packages]
pylint = "*"
pep8 = "*"
autopep8 = "*"
python-githooks = "*"

[packages]
docker = "*"

frostming added the "Type: Possible Bug" label Jul 13, 2019

@frostming
Contributor

IIRC, --trusted-host repo1.lab.com is enough to do the trick.

@patrickhousley
Author

It's not. I ran pip manually and got the same thing unless I include the port in the trusted-host flag.

@frostming
Contributor

But I did a simple test that shows it works:

$ pip install -i http://localtest.me:8080 urllib3 --trusted-host localtest.me:8080
Looking in indexes: http://localtest.me:8080
Collecting urllib3
  The repository located at localtest.me is not a trusted or secure host and is being ignored. If this repository is available via HTTPS we recommend you use HTTPS instead, otherwise you may silence this warning and allow it anyway with '--trusted-host localtest.me'.
  Could not find a version that satisfies the requirement urllib3 (from versions: )
No matching distribution found for urllib3
You are using pip version 19.0.3, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

$ pip install -i http://localtest.me:8080 urllib3 --trusted-host localtest.me
Looking in indexes: http://localtest.me:8080
Collecting urllib3
  Downloading http://localtest.me:8080/packages/urllib3-1.25.3-py2.py3-none-any.whl (150kB)
    100% |████████████████████████████████| 153kB 56.3MB/s
Installing collected packages: urllib3
Successfully installed urllib3-1.25.3
You are using pip version 19.0.3, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

@patrickhousley
Author

patrickhousley commented Jul 13, 2019 via email

@frostming
Contributor

frostming commented Jul 13, 2019

After some experiments with verbose output, I found that there is some inconsistency between install and locking phases: installation carries the port in --trusted-host while locking doesn't.

  1. http + port: installation failed ❌ with pip complaining the trusted-host should be sans-port. Locking succeeded ✅.
  2. https + port: installation succeeded ✅ while locking failed ❌ for an SSL error.

After patching installation to not carry the port:

  1. http + port: installation ✅ and locking ✅ both succeeded.
  2. https + port: installation ❌ and locking ❌ both failed.

The pip trusted-host checking logic is problematic and should be fixed. Submitted a report to upstream: pypa/pip#6705
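
The host-only and host:port forms compared in this thread, as an added example that is not part of the original discussion and is not pipenv's or pip's code: a small audit that lists every Pipfile source with verify_ssl = false and both `--trusted-host` values it could produce. Treating a missing verify_ssl as true, the function names and the sample Pipfile text are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample, modelled on the [[source]] table quoted in the issue.
SAMPLE_PIPFILE = '''
[[source]]
name = "artifactory"
url = "https://repo1.lab.com:8443/artifactory/api/pypi/python-pypi-virt/simple"
verify_ssl = false

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
'''


def load_sources(pipfile_text):
    """Parse Pipfile text and return its [[source]] tables."""
    import tomllib  # standard library from Python 3.11
    return tomllib.loads(pipfile_text).get("source", [])


def audit_sources(sources):
    """Report every source whose certificate verification is switched off."""
    findings = []
    for src in sources:
        if src.get("verify_ssl", True):  # assumption: missing key means "verify"
            continue
        parts = urlsplit(src["url"])
        host = parts.hostname or ""
        if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
            host = f"[{host}]"
        port = parts.port
        explicit = port is not None and port != DEFAULT_PORTS.get(parts.scheme)
        findings.append({
            "name": src.get("name"),
            "scheme": parts.scheme,
            "host_only": host,  # form the locking phase passed to pip
            "host_port": f"{host}:{port}" if explicit else host,  # form the reporter expected
            "non_default_port": explicit,  # True when the two forms differ
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sources(load_sources(SAMPLE_PIPFILE)):
        print(finding)
```

Each finding marks a host for which certificate verification is disabled, so the list doubles as a review checklist of sources that should be moved to a properly trusted certificate.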

@matteius
Member

@patrickhousley Let us know if you can verify this has been fixed on the latest pipenv version.

matteius added the "Status: Awaiting Update ⏳" label Sep 12, 2022

matteius closed this as completed Nov 5, 2022