Use index URL instead of package URL for keyring credential lookups (#12651)

Some registries (like Azure Artifact) can require you to authenticate separately for every package URL if you do not authenticate for the /simple endpoint. These changes make the auth middleware aware of index URL endpoints and attempts to fetch keyring credentials for such an index URL when making a request to any URL it's a prefix of. The current uv behavior is to cache credentials either at the request URL or realm level. But with these changes, we also need to cache credentials at the index level. Note that when uv does not detect an index URL for a request URL, it will continue to apply the old behavior. Addresses part of #4056 Closes #4583 Closes #11236 Closes #11391 Closes #11507
2025-11-24 13:20:53 +00:00 · 2025-04-29 12:54:07 -05:00 · 2025-04-29 12:54:07 -05:00 · de1479c4ef
commit de1479c4ef
parent 514a7ea6df
26 changed files with 571 additions and 203 deletions
--- a/crates/uv-client/src/base_client.rs
+++ b/crates/uv-client/src/base_client.rs
@ -19,7 +19,7 @@ use tracing::{debug, trace};
 use url::ParseError;
 use url::Url;

-use uv_auth::{AuthMiddleware, UrlAuthPolicies};
+use uv_auth::{AuthMiddleware, Indexes};
 use uv_configuration::{KeyringProviderType, TrustedHost};
 use uv_fs::Simplified;
 use uv_pep508::MarkerEnvironment;
@ -59,7 +59,7 @@ pub struct BaseClientBuilder<'a> {
    markers: Option<&'a MarkerEnvironment>,
    platform: Option<&'a Platform>,
    auth_integration: AuthIntegration,
-    url_auth_policies: Option<UrlAuthPolicies>,
+    indexes: Indexes,
    default_timeout: Duration,
    extra_middleware: Option<ExtraMiddleware>,
    proxies: Vec<Proxy>,
@ -112,7 +112,7 @@ impl BaseClientBuilder<'_> {
            markers: None,
            platform: None,
            auth_integration: AuthIntegration::default(),
-            url_auth_policies: None,
+            indexes: Indexes::new(),
            default_timeout: Duration::from_secs(30),
            extra_middleware: None,
            proxies: vec![],
@ -171,8 +171,8 @@ impl<'a> BaseClientBuilder<'a> {
    }

    #[must_use]
-    pub fn url_auth_policies(mut self, auth_policies: UrlAuthPolicies) -> Self {
-        self.url_auth_policies = Some(auth_policies);
+    pub fn indexes(mut self, indexes: Indexes) -> Self {
+        self.indexes = indexes;
        self
    }

@ -386,20 +386,18 @@ impl<'a> BaseClientBuilder<'a> {
                // Initialize the authentication middleware to set headers.
                match self.auth_integration {
                    AuthIntegration::Default => {
-                        let mut auth_middleware =
-                            AuthMiddleware::new().with_keyring(self.keyring.to_provider());
-                        if let Some(url_auth_policies) = &self.url_auth_policies {
-                            auth_middleware =
-                                auth_middleware.with_url_auth_policies(url_auth_policies.clone());
-                        }
+                        let auth_middleware = AuthMiddleware::new()
+                            .with_indexes(self.indexes.clone())
+                            .with_keyring(self.keyring.to_provider());
                        client = client.with(auth_middleware);
                    }
                    AuthIntegration::OnlyAuthenticated => {
-                        client = client.with(
-                            AuthMiddleware::new()
-                                .with_keyring(self.keyring.to_provider())
-                                .with_only_authenticated(true),
-                        );
+                        let auth_middleware = AuthMiddleware::new()
+                            .with_indexes(self.indexes.clone())
+                            .with_keyring(self.keyring.to_provider())
+                            .with_only_authenticated(true);
+
+                        client = client.with(auth_middleware);
                    }
                    AuthIntegration::NoAuthMiddleware => {
                        // The downstream code uses custom auth logic.
--- a/crates/uv-client/src/registry_client.rs
+++ b/crates/uv-client/src/registry_client.rs
@ -15,14 +15,14 @@ use tokio::sync::{Mutex, Semaphore};
 use tracing::{info_span, instrument, trace, warn, Instrument};
 use url::Url;

-use uv_auth::UrlAuthPolicies;
+use uv_auth::Indexes;
 use uv_cache::{Cache, CacheBucket, CacheEntry, WheelCache};
 use uv_configuration::KeyringProviderType;
 use uv_configuration::{IndexStrategy, TrustedHost};
 use uv_distribution_filename::{DistFilename, SourceDistFilename, WheelFilename};
 use uv_distribution_types::{
-    BuiltDist, File, FileLocation, IndexCapabilities, IndexFormat, IndexMetadataRef, IndexUrl,
-    IndexUrls, Name,
+    BuiltDist, File, FileLocation, IndexCapabilities, IndexFormat, IndexLocations,
+    IndexMetadataRef, IndexUrl, IndexUrls, Name,
 };
 use uv_metadata::{read_metadata_async_seek, read_metadata_async_stream};
 use uv_normalize::PackageName;
@ -68,8 +68,11 @@ impl RegistryClientBuilder<'_> {

 impl<'a> RegistryClientBuilder<'a> {
    #[must_use]
-    pub fn index_urls(mut self, index_urls: IndexUrls) -> Self {
-        self.index_urls = index_urls;
+    pub fn index_locations(mut self, index_locations: &IndexLocations) -> Self {
+        self.index_urls = index_locations.index_urls();
+        self.base_client_builder = self
+            .base_client_builder
+            .indexes(Indexes::from(index_locations));
        self
    }

@ -117,14 +120,6 @@ impl<'a> RegistryClientBuilder<'a> {
        self
    }

-    #[must_use]
-    pub fn url_auth_policies(mut self, url_auth_policies: UrlAuthPolicies) -> Self {
-        self.base_client_builder = self
-            .base_client_builder
-            .url_auth_policies(url_auth_policies);
-        self
-    }
-
    #[must_use]
    pub fn cache(mut self, cache: Cache) -> Self {
        self.cache = cache;