git: ignore http auth for ssh url

This change ensures that http-basic auth credentials are only passed to dulwich when the remote url uses http/https schemes. In addition to the above, it is now ensured that username/password parameters are not passed through to dulwich unless both username and password are configured explicitly. This is to ensure that dulwich does not bail out if it detects a username in the url (eg: `ssh://git@github.com`).

git: ignore http auth for ssh url
This change ensures that http-basic auth credentials are only passed to dulwich when the remote url uses http/https schemes. In addition to the above, it is now ensured that username/password parameters are not passed through to dulwich unless both username and password are configured explicitly. This is to ensure that dulwich does not bail out if it detects a username in the url (eg: `ssh://git@github.com`).
f19d1374 · Arun Babu Neelicattu · Bjorn Neergaard · b2b8c859 · f19d1374 · f19d1374
Commit f19d1374 authored May 10, 2022 by Arun Babu Neelicattu Committed by Bjorn Neergaard May 10, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 1 deletions

src/poetry/utils/authenticator.py
+5 -0

src/poetry/vcs/git/backend.py
+9 -1

tests/integration/test_utils_vcs_git.py
+19 -0

tests/utils/test_authenticator.py
+4 -0

No files found.
--- a/src/poetry/utils/authenticator.py
+++ b/src/poetry/utils/authenticator.py
@@ -270,6 +270,11 @@ class Authenticator:
        return credential

    def get_credentials_for_git_url(self, url: str) -> HTTPAuthCredential:
+        parsed_url = urllib.parse.urlsplit(url)
+
+        if parsed_url.scheme not in {"http", "https"}:
+            return HTTPAuthCredential()
+
        key = f"git+{url}"

        if key not in self._credentials:

--- a/src/poetry/vcs/git/backend.py
+++ b/src/poetry/vcs/git/backend.py
@@ -186,9 +186,17 @@ class Git:
        client: GitClient
        path: str

+        kwargs: dict[str, str] = {}
        credentials = get_default_authenticator().get_credentials_for_git_url(url=url)
+
+        if credentials.password and credentials.username:
+            # we do this conditionally as otherwise, dulwich might complain if these
+            # parameters are passed in for an ssh url
+            kwargs["username"] = credentials.username
+            kwargs["password"] = credentials.password
+
        client, path = get_transport_and_path(  # type: ignore[no-untyped-call]
-            url, username=credentials.username, password=credentials.password
+            url, **kwargs
        )

        with local:

--- a/tests/integration/test_utils_vcs_git.py
+++ b/tests/integration/test_utils_vcs_git.py
@@ -298,6 +298,25 @@ def test_configured_repository_http_auth(
    spy_get_transport_and_path.assert_called_once()


+def test_username_password_parameter_is_not_passed_to_dulwich(
+    mocker: MockerFixture, source_url: str, config: Config
+) -> None:
+    from poetry.vcs.git import backend
+
+    spy_clone = mocker.spy(Git, "_clone")
+    spy_get_transport_and_path = mocker.spy(backend, "get_transport_and_path")
+
+    with Git.clone(url=source_url, branch="0.1") as repo:
+        assert_version(repo, BRANCH_TO_REVISION_MAP["0.1"])
+
+    spy_clone.assert_called_once()
+
+    spy_get_transport_and_path.assert_called_with(
+        location=source_url,
+    )
+    spy_get_transport_and_path.assert_called_once()
+
+
 def test_system_git_called_when_configured(
    mocker: MockerFixture, source_url: str, use_system_git_client: None
 ) -> None:

--- a/tests/utils/test_authenticator.py
+++ b/tests/utils/test_authenticator.py
@@ -592,6 +592,10 @@ def test_authenticator_git_repositories(
    assert two.username == "baz"
    assert two.password == "qux"

+    two_ssh = authenticator.get_credentials_for_git_url("ssh://git@foo.bar/org/two.git")
+    assert not two_ssh.username
+    assert not two_ssh.password
+
    three = authenticator.get_credentials_for_git_url("https://foo.bar/org/three.git")
    assert not three.username
    assert not three.password