Redact index sources in uv.lock (#8333)

## Summary Closes #8296.
astral-sh · Oct 18, 2024 · a459052 · a459052
1 parent 23c80c5
commit a459052
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 41 deletions.
diff --git a/crates/uv-pypi-types/src/requirement.rs b/crates/uv-pypi-types/src/requirement.rs
@@ -70,43 +70,6 @@ impl Requirement {
         self.source.is_editable()
     }
 
-    /// Remove any sensitive credentials from the requirement.
-    #[must_use]
-    pub fn redact(self) -> Requirement {
-        match self.source {
-            RequirementSource::Git {
-                mut repository,
-                reference,
-                precise,
-                subdirectory,
-                url,
-            } => {
-                // Redact the repository URL, but allow `git@`.
-                redact_credentials(&mut repository);
-
-                // Redact the PEP 508 URL.
-                let mut url = url.to_url();
-                redact_credentials(&mut url);
-                let url = VerbatimUrl::from_url(url);
-
-                Self {
-                    name: self.name,
-                    extras: self.extras,
-                    marker: self.marker,
-                    source: RequirementSource::Git {
-                        repository,
-                        reference,
-                        precise,
-                        subdirectory,
-                        url,
-                    },
-                    origin: self.origin,
-                }
-            }
-            _ => self,
-        }
-    }
-
     /// Convert the requirement to a [`Requirement`] relative to the given path.
     pub fn relative_to(self, path: &Path) -> Result<Self, io::Error> {
         Ok(Self {
@@ -614,7 +577,15 @@ enum RequirementSourceWire {
 impl From<RequirementSource> for RequirementSourceWire {
     fn from(value: RequirementSource) -> Self {
         match value {
-            RequirementSource::Registry { specifier, index } => Self::Registry { specifier, index },
+            RequirementSource::Registry {
+                specifier,
+                mut index,
+            } => {
+                if let Some(index) = index.as_mut() {
+                    redact_credentials(index);
+                }
+                Self::Registry { specifier, index }
+            }
             RequirementSource::Url {
                 subdirectory,
                 location,
@@ -625,7 +596,7 @@ impl From<RequirementSource> for RequirementSourceWire {
                 subdirectory: subdirectory
                     .as_deref()
                     .and_then(Path::to_str)
-                    .map(str::to_string),
+                    .map(ToString::to_string),
             },
             RequirementSource::Git {
                 repository,

diff --git a/crates/uv/tests/it/lock.rs b/crates/uv/tests/it/lock.rs
@@ -6501,7 +6501,7 @@ fn lock_redact_index_sources() -> Result<()> {
         ]
 
         [package.metadata]
-        requires-dist = [{ name = "iniconfig", specifier = ">=2", index = "https://public:heron@pypi-proxy.fly.dev/basic-auth/simple" }]
+        requires-dist = [{ name = "iniconfig", specifier = ">=2", index = "https://pypi-proxy.fly.dev/basic-auth/simple" }]
 
         [[package]]
         name = "iniconfig"

diff --git a/docs/configuration/indexes.md b/docs/configuration/indexes.md
@@ -150,7 +150,7 @@ Alternatively, credentials can be embedded directly in the index definition:
 ```toml
 [[tool.uv.index]]
 name = "internal"
-url = "https://public:koala@https://pypi-proxy.corp.dev/simple"
+url = "https://public:[email protected]/simple"
 ```
 
 For security purposes, credentials are _never_ stored in the `uv.lock` file; as such, uv _must_ have