Redact registry credentials in lockfile (#5803)

## Summary

Okay, I tested this against...

- Our public "private" proxy
- Fury
- AWS CodeArtifact
- Azure Artifacts

It took a long time.

All of them work as expected with this approach: we omit the credentials
from the lockfile, then wire them back up when the index URL is provided
during subsequent operations.

Closes https://github.com/astral-sh/uv/issues/5119.

crates/uv-resolver/src/lock.rs

@@ -1470,14 +1470,25 @@ impl Source {
     }
 
     fn from_index_url(index_url: &IndexUrl) -> Source {
+        /// Redact a URL by removing any username and password.
+        fn redact(mut url: Url) -> Result<Url, ()> {
+            url.set_username("")?;
+            url.set_password(None)?;
+            Ok(url)
+        }
+
         match *index_url {
-            IndexUrl::Pypi(ref verbatim_url) => Source::Registry(verbatim_url.to_url()),
-            IndexUrl::Url(ref verbatim_url) => Source::Registry(verbatim_url.to_url()),
+            IndexUrl::Pypi(ref verbatim_url) => {
+                Source::Registry(redact(verbatim_url.to_url()).expect("Could not redact URL"))
+            }
+            IndexUrl::Url(ref verbatim_url) => {
+                Source::Registry(redact(verbatim_url.to_url()).expect("Could not redact URL"))
+            }
             // TODO(konsti): Retain path on index url without converting to URL.
             IndexUrl::Path(ref verbatim_url) => Source::Path(
                 verbatim_url
                     .to_file_path()
-                    .expect("Could not convert index url to path"),
+                    .expect("Could not convert index URL to path"),
             ),
         }
     }

crates/uv/tests/lock.rs

@@ -4391,3 +4391,104 @@ fn lock_dev_transitive() -> Result<()> {
 
     Ok(())
 }
+
+/// Avoid persisting credentials in `uv.lock`.
+#[test]
+fn lock_redact() -> Result<()> {
+    let context = TestContext::new("3.12");
+
+    let pyproject_toml = context.temp_dir.child("pyproject.toml");
+    pyproject_toml.write_str(
+        r#"
+        [project]
+        name = "foo"
+        version = "0.1.0"
+        requires-python = ">=3.12"
+        dependencies = ["iniconfig"]
+        "#,
+    )?;
+
+    uv_snapshot!(context.filters(), context.lock().arg("--index-url").arg("https://public:heron@pypi-proxy.fly.dev/basic-auth/simple").current_dir(&context.temp_dir), @r###"
+    success: true
+    exit_code: 0
+    ----- stdout -----
+
+    ----- stderr -----
+    warning: `uv lock` is experimental and may change without warning
+    Resolved 2 packages in [TIME]
+    "###);
+
+    let lock = fs_err::read_to_string(context.temp_dir.join("uv.lock")).unwrap();
+
+    // The lockfile shout omit the credentials.
+    insta::with_settings!({
+        filters => context.filters(),
+    }, {
+        assert_snapshot!(
+            lock, @r###"
+        version = 1
+        requires-python = ">=3.12"
+        exclude-newer = "2024-03-25 00:00:00 UTC"
+
+        [[distribution]]
+        name = "foo"
+        version = "0.1.0"
+        source = { editable = "." }
+        dependencies = [
+            { name = "iniconfig" },
+        ]
+
+        [[distribution]]
+        name = "iniconfig"
+        version = "2.0.0"
+        source = { registry = "https://pypi-proxy.fly.dev/basic-auth/simple" }
+        sdist = { url = "https://pypi-proxy.fly.dev/basic-auth/files/packages/d7/4b/cbd8e699e64a6f16ca3a8220661b5f83792b3017d0f79807cb8708d33913/iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3", size = 4646 }
+        wheels = [
+            { url = "https://pypi-proxy.fly.dev/basic-auth/files/packages/ef/a6/62565a6e1cf69e10f5727360368e451d4b7f58beeac6173dc9db836a5b46/iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374", size = 5892 },
+        ]
+        "###
+        );
+    });
+
+    // Installing from the lockfile should fail without credentials.
+    uv_snapshot!(context.filters(), context.sync().arg("--frozen").arg("--index-url").arg("https://pypi-proxy.fly.dev/basic-auth/simple").current_dir(&context.temp_dir), @r###"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    warning: `uv sync` is experimental and may change without warning
+    error: Failed to prepare distributions
+      Caused by: Failed to fetch wheel: iniconfig==2.0.0
+      Caused by: HTTP status client error (401 Unauthorized) for url (https://pypi-proxy.fly.dev/basic-auth/files/packages/ef/a6/62565a6e1cf69e10f5727360368e451d4b7f58beeac6173dc9db836a5b46/iniconfig-2.0.0-py3-none-any.whl)
+    "###);
+
+    // Installing from the lockfile should fail without an index.
+    uv_snapshot!(context.filters(), context.sync().arg("--frozen").current_dir(&context.temp_dir), @r###"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    warning: `uv sync` is experimental and may change without warning
+    error: Failed to prepare distributions
+      Caused by: Failed to fetch wheel: iniconfig==2.0.0
+      Caused by: HTTP status client error (401 Unauthorized) for url (https://pypi-proxy.fly.dev/basic-auth/files/packages/ef/a6/62565a6e1cf69e10f5727360368e451d4b7f58beeac6173dc9db836a5b46/iniconfig-2.0.0-py3-none-any.whl)
+    "###);
+
+    // Installing from the lockfile should succeed when credentials are included.
+    uv_snapshot!(context.filters(), context.sync().arg("--frozen").arg("--index-url").arg("https://public:heron@pypi-proxy.fly.dev/basic-auth/simple").current_dir(&context.temp_dir), @r###"
+    success: true
+    exit_code: 0
+    ----- stdout -----
+
+    ----- stderr -----
+    warning: `uv sync` is experimental and may change without warning
+    Prepared 2 packages in [TIME]
+    Installed 2 packages in [TIME]
+     + foo==0.1.0 (from file://[TEMP_DIR]/)
+     + iniconfig==2.0.0
+    "###);
+
+    Ok(())
+}