Enable environment variable authentication for named indexes

Author: charliermarsh

Cargo.lock

@@ -19,6 +19,7 @@ pep440_rs = { workspace = true }
 pep508_rs = { workspace = true, features = ["serde"] }
 platform-tags = { workspace = true }
 pypi-types = { workspace = true }
+uv-auth = { workspace = true }
 uv-cache-info = { workspace = true }
 uv-fs = { workspace = true }
 uv-git = { workspace = true }

crates/distribution-types/Cargo.toml

@@ -2,6 +2,7 @@ use crate::{IndexUrl, IndexUrlError};
 use std::str::FromStr;
 use thiserror::Error;
 use url::Url;
+use uv_auth::Credentials;
 
 #[derive(Debug, Clone, Hash, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
 #[cfg_attr(feature = "schemars", derive(schemars::JsonSchema))]
@@ -102,6 +103,19 @@ impl Index {
     pub fn raw_url(&self) -> &Url {
         self.url.url()
     }
+
+    /// Retrieve the credentials for the index, either from the environment, or from the URL itself.
+    pub fn credentials(&self) -> Option<Credentials> {
+        // If the index is named, and credentials are provided via the environment, prefer those.
+        if let Some(name) = self.name.as_deref() {
+            if let Some(credentials) = Credentials::from_env(name) {
+                return Some(credentials);
+            }
+        }
+
+        // Otherwise, extract the credentials from the URL.
+        Credentials::from_url(self.url.url())
+    }
 }
 
 impl FromStr for Index {

crates/distribution-types/src/index.rs

@@ -407,7 +407,7 @@ impl<'a> IndexLocations {
     }
 
     /// Return an iterator over the [`FlatIndexLocation`] entries.
-    pub fn flat_index(&'a self) -> impl Iterator<Item = &'a FlatIndexLocation> + 'a {
+    pub fn flat_indexes(&'a self) -> impl Iterator<Item = &'a FlatIndexLocation> + 'a {
         self.flat_index.iter()
     }
 
@@ -424,9 +424,10 @@ impl<'a> IndexLocations {
         }
     }
 
-    /// Return an iterator over all allowed [`IndexUrl`] entries.
+    /// Return an iterator over all allowed [`Index`] entries.
     ///
-    /// This includes both explicit and implicit indexes, as well as the default index.
+    /// This includes both explicit and implicit indexes, as well as the default index (but _not_
+    /// the flat indexes).
     ///
     /// If `no_index` was enabled, then this always returns an empty
     /// iterator.
@@ -435,18 +436,6 @@ impl<'a> IndexLocations {
             .chain(self.implicit_indexes())
             .chain(self.default_index())
     }
-
-    /// Return an iterator over all allowed [`Url`] entries.
-    ///
-    /// This includes both explicit and implicit index URLs, as well as the default index.
-    ///
-    /// If `no_index` was enabled, then this always returns an empty
-    /// iterator.
-    pub fn allowed_urls(&'a self) -> impl Iterator<Item = &'a Url> + 'a {
-        self.allowed_indexes()
-            .map(Index::raw_url)
-            .chain(self.flat_index().map(FlatIndexLocation::url))
-    }
 }
 
 /// The index URLs to use for fetching packages.

crates/distribution-types/src/index_url.rs

@@ -139,6 +139,21 @@ impl Credentials {
         })
     }
 
+    /// Extract the [`Credentials`] from the environment, given a named source.
+    ///
+    /// For example, given a name of `"pytorch"`, search for `UV_HTTP_BASIC_PYTORCH_USERNAME` and
+    /// `UV_HTTP_BASIC_PYTORCH_PASSWORD`.
+    pub fn from_env(name: &str) -> Option<Self> {
+        let name = name.to_uppercase();
+        let username = std::env::var(format!("UV_HTTP_BASIC_{name}_USERNAME")).ok();
+        let password = std::env::var(format!("UV_HTTP_BASIC_{name}_PASSWORD")).ok();
+        if username.is_none() && password.is_none() {
+            None
+        } else {
+            Some(Self::new(username, password))
+        }
+    }
+
     /// Parse [`Credentials`] from an HTTP request, if any.
     ///
     /// Only HTTP Basic Authentication is supported.

crates/uv-auth/src/credentials.rs

@@ -35,3 +35,11 @@ pub fn store_credentials_from_url(url: &Url) -> bool {
         false
     }
 }
+
+/// Populate the global authentication store with credentials on a URL, if there are any.
+///
+/// Returns `true` if the store was updated.
+pub fn store_credentials(url: &Url, credentials: Credentials) {
+    trace!("Caching credentials for {url}");
+    CREDENTIALS_CACHE.insert(url, Arc::new(credentials));
+}

crates/uv-auth/src/lib.rs

@@ -89,7 +89,7 @@ impl<'a> RegistryWheelIndex<'a> {
 
         // Collect into owned `IndexUrl`.
         let flat_index_urls: Vec<Index> = index_locations
-            .flat_index()
+            .flat_indexes()
             .map(|flat_index| Index::from_extra_index_url(IndexUrl::from(flat_index.clone())))
             .collect();
 

crates/uv-distribution/src/index/registry_wheel_index.rs

@@ -1055,7 +1055,7 @@ impl Lock {
                 })
                 .chain(
                     locations
-                        .flat_index()
+                        .flat_indexes()
                         .filter_map(|index_url| match index_url {
                             FlatIndexLocation::Url(_) => {
                                 Some(UrlString::from(index_url.redacted()))
@@ -1081,7 +1081,7 @@ impl Lock {
                 })
                 .chain(
                     locations
-                        .flat_index()
+                        .flat_indexes()
                         .filter_map(|index_url| match index_url {
                             FlatIndexLocation::Url(_) => None,
                             FlatIndexLocation::Path(index_url) => {

crates/uv-resolver/src/lock/mod.rs

@@ -621,7 +621,7 @@ impl PubGrubReportFormatter<'_> {
         incomplete_packages: &FxHashMap<PackageName, BTreeMap<Version, IncompletePackage>>,
         hints: &mut IndexSet<PubGrubHint>,
     ) {
-        let no_find_links = index_locations.flat_index().peekable().peek().is_none();
+        let no_find_links = index_locations.flat_indexes().peekable().peek().is_none();
 
         // Add hints due to the package being entirely unavailable.
         match unavailable_packages.get(name) {

crates/uv-resolver/src/pubgrub/report.rs

@@ -8,7 +8,7 @@ use distribution_types::{DependencyMetadata, IndexLocations};
 use install_wheel_rs::linker::LinkMode;
 use owo_colors::OwoColorize;
 
-use uv_auth::store_credentials_from_url;
+use uv_auth::{store_credentials, store_credentials_from_url};
 use uv_cache::Cache;
 use uv_client::{BaseClientBuilder, Connectivity, FlatIndexClient, RegistryClientBuilder};
 use uv_configuration::{
@@ -391,8 +391,13 @@ async fn build_package(
     .into_interpreter();
 
     // Add all authenticated sources to the cache.
-    for url in index_locations.allowed_urls() {
-        store_credentials_from_url(url);
+    for index in index_locations.allowed_indexes() {
+        if let Some(credentials) = index.credentials() {
+            store_credentials(index.raw_url(), credentials);
+        }
+    }
+    for index in index_locations.flat_indexes() {
+        store_credentials_from_url(index.url());
     }
 
     // Read build constraints.
@@ -445,7 +450,7 @@ async fn build_package(
     // Resolve the flat indexes from `--find-links`.
     let flat_index = {
         let client = FlatIndexClient::new(&client, cache);
-        let entries = client.fetch(index_locations.flat_index()).await?;
+        let entries = client.fetch(index_locations.flat_indexes()).await?;
         FlatIndex::from_entries(entries, None, &hasher, build_options)
     };