Hide password in the index printed via `--emit-index-annotation` (#3112)

## Summary resolves https://github.com/astral-sh/uv/issues/3106 ## Test Plan added a simple test where the password provided in `UV_INDEX_URL` is hidden in the output as expected.
2024-04-17 23:59:44 -04:00 · 2024-04-17 23:59:44 -04:00 · 8c7d0a31e6
parent 01532d98c4
commit 8c7d0a31e6
3 changed files with 56 additions and 1 deletions
--- a/crates/distribution-types/src/index_url.rs
+++ b/crates/distribution-types/src/index_url.rs
@ -51,6 +51,19 @@ impl IndexUrl {
            Self::Path(url) => url.raw(),
        }
    }
+
+    /// Return the redacted URL for the index, omitting any sensitive credentials.
+    pub fn redacted(&self) -> Cow<'_, Url> {
+        let url = self.url();
+        if url.username().is_empty() && url.password().is_none() {
+            Cow::Borrowed(url)
+        } else {
+            let mut url = url.clone();
+            let _ = url.set_username("");
+            let _ = url.set_password(None);
+            Cow::Owned(url)
+        }
+    }
 }

 impl Display for IndexUrl {
--- a/crates/uv-resolver/src/resolution.rs
+++ b/crates/uv-resolver/src/resolution.rs
@ -746,7 +746,8 @@ impl std::fmt::Display for DisplayResolutionGraph<'_> {
            // `# from https://pypi.org/simple`).
            if self.include_index_annotation {
                if let Some(index) = node.index() {
-                    writeln!(f, "{}", format!("    # from {index}").green())?;
+                    let url = index.redacted();
+                    writeln!(f, "{}", format!("    # from {url}").green())?;
                }
            }
        }
--- a/crates/uv/tests/pip_compile.rs
+++ b/crates/uv/tests/pip_compile.rs
@ -7640,6 +7640,47 @@ fn compile_index_url_fallback_prefer_primary() -> Result<()> {
    Ok(())
 }

+/// Ensure that the username and the password are omitted when
+/// index annotations are displayed via `--emit-index-annotation`.
+#[test]
+fn emit_index_annotation_hide_password() -> Result<()> {
+    let context = TestContext::new("3.12");
+
+    let requirements_in = context.temp_dir.child("requirements.in");
+    requirements_in.write_str("requests")?;
+
+    uv_snapshot!(context.compile()
+        .arg("requirements.in")
+        .arg("--emit-index-annotation")
+        .env("UV_INDEX_URL", "https://test-user:test-password@pypi.org/simple"), @r###"
+    success: true
+    exit_code: 0
+    ----- stdout -----
+    # This file was autogenerated by uv via the following command:
+    #    uv pip compile --cache-dir [CACHE_DIR] --exclude-newer 2024-03-25T00:00:00Z requirements.in --emit-index-annotation
+    certifi==2024.2.2
+        # via requests
+        # from https://pypi.org/simple
+    charset-normalizer==3.3.2
+        # via requests
+        # from https://pypi.org/simple
+    idna==3.6
+        # via requests
+        # from https://pypi.org/simple
+    requests==2.31.0
+        # from https://pypi.org/simple
+    urllib3==2.2.1
+        # via requests
+        # from https://pypi.org/simple
+
+    ----- stderr -----
+    Resolved 5 packages in [TIME]
+    "###
+    );
+
+    Ok(())
+}
+
 /// Ensure that `--emit-index-annotation` prints the index URL for each package.
 #[test]
 fn emit_index_annotation_pypi_org_simple() -> Result<()> {