Test case: Don't redact username git for SSH (#13814)

2025-08-04 19:08:04 +00:00 · 2025-06-04 09:57:24 +02:00 · 2025-06-04 09:57:24 +02:00 · e7c066cf16
commit e7c066cf16
parent 3ca8d074a4
4 changed files with 140 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -4738,6 +4738,7 @@ dependencies = [
 "version-ranges",
 "walkdir",
 "which",
+ "whoami",
 "wiremock",
 "zip",
 ]
@ -6111,6 +6112,12 @@ dependencies = [
 "wit-bindgen-rt",
 ]

+[[package]]
+name = "wasite"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.100"
@ -6267,6 +6274,17 @@ dependencies = [
 "winsafe",
 ]

+[[package]]
+name = "whoami"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6994d13118ab492c3c80c1f81928718159254c53c472bf9ce36f8dae4add02a7"
+dependencies = [
+ "redox_syscall 0.5.8",
+ "wasite",
+ "web-sys",
+]
+
 [[package]]
 name = "widestring"
 version = "1.1.0"
--- a/crates/uv/Cargo.toml
+++ b/crates/uv/Cargo.toml
@ -124,6 +124,7 @@ reqwest = { workspace = true, features = ["blocking"], default-features = false
 similar = { version = "2.6.0" }
 tar = { workspace = true }
 tempfile = { workspace = true }
+whoami = { version = "1.6.0" }
 wiremock = { workspace = true }
 zip = { workspace = true }

--- a/crates/uv/tests/it/common/mod.rs
+++ b/crates/uv/tests/it/common/mod.rs
@ -1626,6 +1626,8 @@ pub const READ_ONLY_GITHUB_TOKEN_2: &[&str] = &[
    "SHIzUG1tRVZRSHMzQTl2a3NiVnB4Tmk0eTR3R2JVYklLck1qY05naHhMSFVMTDZGVElIMXNYeFhYN2gK",
 ];

+pub const SSH_DEPLOY_KEY: &str = "LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNBeTF1SnNZK1JXcWp1NkdIY3Z6a3AwS21yWDEwdmo3RUZqTkpNTkRqSGZPZ0FBQUpqWUpwVnAyQ2FWCmFRQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDQXkxdUpzWStSV3FqdTZHSGN2emtwMEttclgxMHZqN0VGak5KTU5EakhmT2cKQUFBRUMwbzBnd1BxbGl6TFBJOEFXWDVaS2dVZHJyQ2ptMDhIQm9FenB4VDg3MXBqTFc0bXhqNUZhcU83b1lkeS9PU25RcQphdGZYUytQc1FXTTBrdzBPTWQ4NkFBQUFFR3R2Ym5OMGFVQmhjM1J5WVd3dWMyZ0JBZ01FQlE9PQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K";
+
 /// Decode a split, base64 encoded authentication token.
 /// We split and encode the token to bypass revoke by GitHub's secret scanning
 pub fn decode_token(content: &[&str]) -> String {
--- a/crates/uv/tests/it/export.rs
+++ b/crates/uv/tests/it/export.rs
@ -1,14 +1,16 @@
 #![allow(clippy::disallowed_types)]

 use crate::common::{
-    READ_ONLY_GITHUB_TOKEN, TestContext, apply_filters, decode_token, uv_snapshot,
+    READ_ONLY_GITHUB_TOKEN, SSH_DEPLOY_KEY, TestContext, apply_filters, decode_token, uv_snapshot,
 };
 use anyhow::{Ok, Result};
 use assert_cmd::assert::OutputAssertExt;
 use assert_fs::prelude::*;
 use indoc::{formatdoc, indoc};
 use insta::assert_snapshot;
+use std::path::Path;
 use std::process::Stdio;
+use uv_fs::Simplified;

 #[test]
 fn requirements_txt_dependency() -> Result<()> {
@ -1174,6 +1176,122 @@ fn requirements_txt_https_git_credentials() -> Result<()> {
    Ok(())
 }

+/// SSH blocks too permissive key files.
+fn reduce_key_permissions(key_file: &Path) -> Result<()> {
+    #[cfg(unix)]
+    {
+        use std::fs::Permissions;
+        use std::os::unix::fs::PermissionsExt;
+        fs_err::set_permissions(key_file, Permissions::from_mode(0o400))?;
+    }
+    #[cfg(windows)]
+    {
+        use std::process::Command;
+
+        // https://superuser.com/a/1489152
+        Command::new("icacls")
+            .arg(key_file)
+            .arg("/inheritance:r")
+            .assert()
+            .success();
+        Command::new("icacls")
+            .arg(key_file)
+            .arg("/grant:r")
+            .arg(format!("{}:R", whoami::username()))
+            .assert()
+            .success();
+    }
+    Ok(())
+}
+
+/// Don't redact the username `git` in SSH URLs.
+#[cfg(feature = "git")]
+#[test]
+fn requirements_txt_ssh_git_username() -> Result<()> {
+    let context = TestContext::new("3.12");
+
+    let pyproject_toml = context.temp_dir.child("pyproject.toml");
+    pyproject_toml.write_str(
+        r#"
+        [project]
+        name = "debug"
+        version = "0.1.0"
+        requires-python = ">=3.12"
+        dependencies = ["uv-private-pypackage @ git+ssh://git@github.com/astral-test/uv-private-pypackage.git@d780faf0ac91257d4d5a4f0c5a0e4509608c0071"]
+    "#,
+    )?;
+
+    let fake_deploy_key = context.temp_dir.child("fake_deploy_key");
+    fake_deploy_key.write_str("not a key")?;
+    reduce_key_permissions(&fake_deploy_key)?;
+
+    // Ensure that we're loading the key and fail if it isn't present
+    let failing_git_ssh_command = format!(
+        "ssh -i {} -o IdentitiesOnly=yes -F /dev/null -o StrictHostKeyChecking=no",
+        fake_deploy_key.portable_display()
+    );
+    let mut filters = context.filters();
+    filters.push((
+        "process didn't exit successfully: .*",
+        "process didn't exit successfully: [GIT_COMMAND_ERROR]",
+    ));
+    let load_key_error = regex::escape(r#"Load key "[TEMP_DIR]/fake_deploy_key":"#) + ".*";
+    filters.push((
+        &load_key_error,
+        r#"Load key "[TEMP_DIR]/fake_deploy_key": [ERROR]"#,
+    ));
+    filters.push((
+        " *Warning: Permanently added 'github.com' \\(ED25519\\) to the list of known hosts.*\n",
+        "",
+    ));
+    filters.push(("failed to clone into: .*", "failed to clone into: [PATH]"));
+    uv_snapshot!(filters, context.export().env("GIT_SSH_COMMAND", failing_git_ssh_command), @r#"
+    success: false
+    exit_code: 1
+    ----- stdout -----
+
+    ----- stderr -----
+      × Failed to download and build `uv-private-pypackage @ git+ssh://git@github.com/astral-test/uv-private-pypackage.git@d780faf0ac91257d4d5a4f0c5a0e4509608c0071`
+      ├─▶ Git operation failed
+      ├─▶ failed to clone into: [PATH]
+      ├─▶ failed to fetch branch, tag, or commit `d780faf0ac91257d4d5a4f0c5a0e4509608c0071`
+      ╰─▶ process didn't exit successfully: [GIT_COMMAND_ERROR]
+          --- stderr
+          Load key "[TEMP_DIR]/fake_deploy_key": [ERROR]
+          git@github.com: Permission denied (publickey).
+          fatal: Could not read from remote repository.
+
+          Please make sure you have the correct access rights
+          and the repository exists.
+    "#);
+
+    let ssh_deploy_key = context.temp_dir.child("uv_test_key");
+    ssh_deploy_key.write_str((decode_token(&[SSH_DEPLOY_KEY]) + "\n").as_str())?;
+    reduce_key_permissions(&ssh_deploy_key)?;
+
+    // Use the specified SSH key, and only that key, ignore `~/.ssh/config`, disable host key
+    // verification for Windows.
+    let git_ssh_command = format!(
+        "ssh -i {} -o IdentitiesOnly=yes -F /dev/null -o StrictHostKeyChecking=no",
+        ssh_deploy_key.portable_display()
+    );
+
+    uv_snapshot!(context.filters(), context.export().env("GIT_SSH_COMMAND", git_ssh_command), @r"
+    success: true
+    exit_code: 0
+    ----- stdout -----
+    # This file was autogenerated by uv via the following command:
+    #    uv export --cache-dir [CACHE_DIR]
+    uv-private-pypackage @ git+ssh://git@github.com/astral-test/uv-private-pypackage.git@d780faf0ac91257d4d5a4f0c5a0e4509608c0071
+        # via debug
+
+    ----- stderr -----
+    Resolved 2 packages in [TIME]
+    ");
+
+    Ok(())
+}
+
 #[test]
 fn requirements_txt_https_credentials() -> Result<()> {
    let context = TestContext::new("3.12");