astral-sh · charliermarsh · Oct 12, 2024 · Oct 9, 2024 · Oct 10, 2024 · Oct 10, 2024
diff --git a/crates/uv-configuration/src/trusted_host.rs b/crates/uv-configuration/src/trusted_host.rs
@@ -2,34 +2,39 @@ use serde::{Deserialize, Deserializer};
 use std::str::FromStr;
 use url::Url;
 
-/// A trusted host, which could be a host or a host-port pair.
+/// A host specification (wildcard, or host, with optional scheme and/or port) for which
+/// certificates are not verified when making HTTPS requests.
 #[derive(Debug, Clone, PartialEq, Eq)]
-pub struct TrustedHost {
-    scheme: Option<String>,
-    host: String,
-    port: Option<u16>,
+pub enum TrustedHost {
+    Wildcard,
+    Host {
+        scheme: Option<String>,
+        host: String,
+        port: Option<u16>,
+    },
 }
 
 impl TrustedHost {
     /// Returns `true` if the [`Url`] matches this trusted host.
     pub fn matches(&self, url: &Url) -> bool {
-        if self
-            .scheme
-            .as_ref()
-            .is_some_and(|scheme| scheme != url.scheme())
-        {
-            return false;
+        match self {
+            TrustedHost::Wildcard => true,
+            TrustedHost::Host { scheme, host, port } => {
+                if scheme.as_ref().is_some_and(|scheme| scheme != url.scheme()) {
+                    return false;
+                }
+
+                if port.is_some_and(|port| url.port() != Some(port)) {
+                    return false;
+                }
+
+                if Some(host.as_str()) != url.host_str() {
+                    return false;
+                }
+
+                true
+            }
         }
-
-        if self.port.is_some_and(|port| url.port() != Some(port)) {
-            return false;
-        }
-
-        if Some(self.host.as_ref()) != url.host_str() {
-            return false;
-        }
-
-        true
     }
 }
 
@@ -48,7 +53,7 @@ impl<'de> Deserialize<'de> for TrustedHost {
         serde_untagged::UntaggedEnumVisitor::new()
             .string(|string| TrustedHost::from_str(string).map_err(serde::de::Error::custom))
             .map(|map| {
-                map.deserialize::<Inner>().map(|inner| TrustedHost {
+                map.deserialize::<Inner>().map(|inner| TrustedHost::Host {
                     scheme: inner.scheme,
                     host: inner.host,
                     port: inner.port,
@@ -80,6 +85,10 @@ impl std::str::FromStr for TrustedHost {
     type Err = TrustedHostError;
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
+        if s == "*" {
+            return Ok(Self::Wildcard);
+        }
+
         // Detect scheme.
         let (scheme, s) = if let Some(s) = s.strip_prefix("https://") {
             (Some("https".to_string()), s)
@@ -105,20 +114,27 @@ impl std::str::FromStr for TrustedHost {
             .transpose()
             .map_err(|_| TrustedHostError::InvalidPort(s.to_string()))?;
 
-        Ok(Self { scheme, host, port })
+        Ok(Self::Host { scheme, host, port })
     }
 }
 
 impl std::fmt::Display for TrustedHost {
     fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
-        if let Some(scheme) = &self.scheme {
-            write!(f, "{}://{}", scheme, self.host)?;
-        } else {
-            write!(f, "{}", self.host)?;
-        }
-
-        if let Some(port) = self.port {
-            write!(f, ":{port}")?;
+        match self {
+            TrustedHost::Wildcard => {
+                write!(f, "*")?;
+            }
+            TrustedHost::Host { scheme, host, port } => {
+                if let Some(scheme) = &scheme {
+                    write!(f, "{scheme}://{host}")?;
+                } else {
+                    write!(f, "{host}")?;
+                }
+
+                if let Some(port) = port {
+                    write!(f, ":{port}")?;
+                }
+            }
         }
 
         Ok(())

diff --git a/crates/uv-configuration/src/trusted_host/tests.rs b/crates/uv-configuration/src/trusted_host/tests.rs
@@ -1,8 +1,13 @@
 #[test]
 fn parse() {
+    assert_eq!(
+        "*".parse::<super::TrustedHost>().unwrap(),
+        super::TrustedHost::Wildcard
+    );
+
     assert_eq!(
         "example.com".parse::<super::TrustedHost>().unwrap(),
-        super::TrustedHost {
+        super::TrustedHost::Host {
             scheme: None,
             host: "example.com".to_string(),
             port: None
@@ -11,7 +16,7 @@ fn parse() {
 
     assert_eq!(
         "example.com:8080".parse::<super::TrustedHost>().unwrap(),
-        super::TrustedHost {
+        super::TrustedHost::Host {
             scheme: None,
             host: "example.com".to_string(),
             port: Some(8080)
@@ -20,7 +25,7 @@ fn parse() {
 
     assert_eq!(
         "https://example.com".parse::<super::TrustedHost>().unwrap(),
-        super::TrustedHost {
+        super::TrustedHost::Host {
             scheme: Some("https".to_string()),
             host: "example.com".to_string(),
             port: None
@@ -31,7 +36,7 @@ fn parse() {
         "https://example.com/hello/world"
             .parse::<super::TrustedHost>()
             .unwrap(),
-        super::TrustedHost {
+        super::TrustedHost::Host {
             scheme: Some("https".to_string()),
             host: "example.com".to_string(),
             port: None

diff --git a/crates/uv/tests/it/common/mod.rs b/crates/uv/tests/it/common/mod.rs
@@ -14,11 +14,13 @@ use assert_fs::assert::PathAssert;
 use assert_fs::fixture::{ChildPath, PathChild, PathCopy, PathCreateDir, SymlinkToFile};
 use base64::{prelude::BASE64_STANDARD as base64, Engine};
 use etcetera::BaseStrategy;
+use futures::StreamExt;
 use indoc::formatdoc;
 use itertools::Itertools;
 use predicates::prelude::predicate;
 use regex::Regex;
 
+use tokio::io::AsyncWriteExt;
 use uv_cache::Cache;
 use uv_fs::Simplified;
 use uv_python::managed::ManagedPythonInstallations;
@@ -1279,6 +1281,31 @@ pub fn decode_token(content: &[&str]) -> String {
     token
 }
 
+/// Simulates `reqwest::blocking::get` but returns bytes directly, and disables
+/// certificate verification, passing through the `BaseClient`
+#[tokio::main(flavor = "current_thread")]
+pub async fn download_to_disk(url: &str, path: &Path) {
+    let trusted_hosts: Vec<_> = std::env::var("UV_INSECURE_HOST")
+        .unwrap_or_default()
+        .split(' ')
+        .map(|h| uv_configuration::TrustedHost::from_str(h).unwrap())
+        .collect();
+
+    let client = uv_client::BaseClientBuilder::new()
+        .allow_insecure_host(trusted_hosts)
+        .build();
+    let url: reqwest::Url = url.parse().unwrap();
+    let client = client.for_host(&url);
+    let response = client.request(http::Method::GET, url).send().await.unwrap();
+
+    let mut file = tokio::fs::File::create(path).await.unwrap();
+    let mut stream = response.bytes_stream();
+    while let Some(chunk) = stream.next().await {
+        file.write_all(&chunk.unwrap()).await.unwrap();
+    }
+    file.sync_all().await.unwrap();
+}
+
 /// Utility macro to return the name of the current function.
 ///
 /// https://stackoverflow.com/a/40234666/3549270

diff --git a/crates/uv/tests/it/lock.rs b/crates/uv/tests/it/lock.rs
@@ -7,7 +7,8 @@ use std::io::BufReader;
 use url::Url;
 
 use crate::common::{
-    self, build_vendor_links_url, decode_token, packse_index_url, uv_snapshot, TestContext,
+    self, build_vendor_links_url, decode_token, download_to_disk, packse_index_url, uv_snapshot,
+    TestContext,
 };
 use uv_fs::Simplified;
 
@@ -7876,11 +7877,11 @@ fn lock_sources_archive() -> Result<()> {
     let context = TestContext::new("3.12");
 
     // Download the source.
-    let response =
-        reqwest::blocking::get("https://github.com/user-attachments/files/16592193/workspace.zip")?;
     let workspace_archive = context.temp_dir.child("workspace.zip");
-    let mut workspace_archive_file = fs_err::File::create(&*workspace_archive)?;
-    std::io::copy(&mut response.bytes()?.as_ref(), &mut workspace_archive_file)?;
+    download_to_disk(
+        "https://github.com/user-attachments/files/16592193/workspace.zip",
+        &workspace_archive,
+    );
 
     let pyproject_toml = context.temp_dir.child("pyproject.toml");
     pyproject_toml.write_str(&formatdoc! {
@@ -8015,11 +8016,11 @@ fn lock_sources_source_tree() -> Result<()> {
     let context = TestContext::new("3.12");
 
     // Download the source.
-    let response =
-        reqwest::blocking::get("https://github.com/user-attachments/files/16592193/workspace.zip")?;
     let workspace_archive = context.temp_dir.child("workspace.zip");
-    let mut workspace_archive_file = fs_err::File::create(&*workspace_archive)?;
-    std::io::copy(&mut response.bytes()?.as_ref(), &mut workspace_archive_file)?;
+    download_to_disk(
+        "https://github.com/user-attachments/files/16592193/workspace.zip",
+        &workspace_archive,
+    );
 
     // Unzip the file.
     let file = fs_err::File::open(&*workspace_archive)?;

diff --git a/crates/uv/tests/it/pip_compile.rs b/crates/uv/tests/it/pip_compile.rs
@@ -8,9 +8,9 @@ use anyhow::{bail, Context, Result};
 use assert_fs::prelude::*;
 use indoc::indoc;
 use url::Url;
-use uv_fs::Simplified;
 
-use crate::common::{uv_snapshot, TestContext};
+use crate::common::{download_to_disk, uv_snapshot, TestContext};
+use uv_fs::Simplified;
 
 #[test]
 fn compile_requirements_in() -> Result<()> {
@@ -2592,10 +2592,11 @@ fn compile_wheel_path_dependency() -> Result<()> {
     let context = TestContext::new("3.12");
 
     // Download a wheel.
-    let response = reqwest::blocking::get("https://files.pythonhosted.org/packages/36/42/015c23096649b908c809c69388a805a571a3bea44362fe87e33fc3afa01f/flask-3.0.0-py3-none-any.whl")?;
     let flask_wheel = context.temp_dir.child("flask-3.0.0-py3-none-any.whl");
-    let mut flask_wheel_file = fs::File::create(&flask_wheel)?;
-    std::io::copy(&mut response.bytes()?.as_ref(), &mut flask_wheel_file)?;
+    download_to_disk(
+        "https://files.pythonhosted.org/packages/36/42/015c23096649b908c809c69388a805a571a3bea44362fe87e33fc3afa01f/flask-3.0.0-py3-none-any.whl",
+        &flask_wheel,
+    );
 
     let requirements_in = context.temp_dir.child("requirements.in");
     requirements_in.write_str(&format!(
@@ -2842,10 +2843,11 @@ fn compile_wheel_path_dependency() -> Result<()> {
 fn compile_source_distribution_path_dependency() -> Result<()> {
     let context = TestContext::new("3.12");
     // Download a source distribution.
-    let response = reqwest::blocking::get("https://files.pythonhosted.org/packages/d8/09/c1a7354d3925a3c6c8cfdebf4245bae67d633ffda1ba415add06ffc839c5/flask-3.0.0.tar.gz")?;
     let flask_wheel = context.temp_dir.child("flask-3.0.0.tar.gz");
-    let mut flask_wheel_file = std::fs::File::create(&flask_wheel)?;
-    std::io::copy(&mut response.bytes()?.as_ref(), &mut flask_wheel_file)?;
+    download_to_disk(
+        "https://files.pythonhosted.org/packages/d8/09/c1a7354d3925a3c6c8cfdebf4245bae67d633ffda1ba415add06ffc839c5/flask-3.0.0.tar.gz",
+        &flask_wheel,
+    );
 
     let requirements_in = context.temp_dir.child("requirements.in");
     requirements_in.write_str(&format!(
@@ -3517,10 +3519,11 @@ fn preserve_url() -> Result<()> {
 fn preserve_project_root() -> Result<()> {
     let context = TestContext::new("3.12");
     // Download a wheel.
-    let response = reqwest::blocking::get("https://files.pythonhosted.org/packages/36/42/015c23096649b908c809c69388a805a571a3bea44362fe87e33fc3afa01f/flask-3.0.0-py3-none-any.whl")?;
     let flask_wheel = context.temp_dir.child("flask-3.0.0-py3-none-any.whl");
-    let mut flask_wheel_file = std::fs::File::create(flask_wheel)?;
-    std::io::copy(&mut response.bytes()?.as_ref(), &mut flask_wheel_file)?;
+    download_to_disk(
+        "https://files.pythonhosted.org/packages/36/42/015c23096649b908c809c69388a805a571a3bea44362fe87e33fc3afa01f/flask-3.0.0-py3-none-any.whl",
+        &flask_wheel,
+    );
 
     let requirements_in = context.temp_dir.child("requirements.in");
     requirements_in.write_str("flask @ file://${PROJECT_ROOT}/flask-3.0.0-py3-none-any.whl")?;
@@ -3670,10 +3673,11 @@ fn error_missing_unnamed_env_var() -> Result<()> {
 fn respect_file_env_var() -> Result<()> {
     let context = TestContext::new("3.12");
     // Download a wheel.
-    let response = reqwest::blocking::get("https://files.pythonhosted.org/packages/36/42/015c23096649b908c809c69388a805a571a3bea44362fe87e33fc3afa01f/flask-3.0.0-py3-none-any.whl")?;
     let flask_wheel = context.temp_dir.child("flask-3.0.0-py3-none-any.whl");
-    let mut flask_wheel_file = std::fs::File::create(flask_wheel)?;
-    std::io::copy(&mut response.bytes()?.as_ref(), &mut flask_wheel_file)?;
+    download_to_disk(
+        "https://files.pythonhosted.org/packages/36/42/015c23096649b908c809c69388a805a571a3bea44362fe87e33fc3afa01f/flask-3.0.0-py3-none-any.whl",
+        &flask_wheel,
+    );
 
     let requirements_in = context.temp_dir.child("requirements.in");
     requirements_in.write_str("flask @ ${FILE_PATH}")?;