pex-tool · jsirois · Jan 15, 2025 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
diff --git a/pex/cli/commands/lock.py b/pex/cli/commands/lock.py
@@ -1703,6 +1703,7 @@ def _sync(self):
                 pip_version=pip_configuration.version,
                 use_pip_config=pip_configuration.use_pip_config,
                 extra_pip_requirements=pip_configuration.extra_requirements,
+                keyring_provider=pip_configuration.keyring_provider,
                 result_type=InstallableType.INSTALLED_WHEEL_CHROOT,
             )
         )

diff --git a/pex/pip/tool.py b/pex/pip/tool.py
@@ -151,6 +151,7 @@ def create(
         password_entries=(),  # type: Iterable[PasswordEntry]
         use_pip_config=False,  # type: bool
         extra_pip_requirements=(),  # type: Tuple[Requirement, ...]
+        keyring_provider=None,  # type: Optional[str]
     ):
         # type: (...) -> PackageIndexConfiguration
         resolver_version = resolver_version or ResolverVersion.default(pip_version)
@@ -174,6 +175,7 @@ def create(
             use_pip_config=use_pip_config,
             extra_pip_requirements=extra_pip_requirements,
             password_entries=password_entries,
+            keyring_provider=keyring_provider,
         )
 
     def __init__(
@@ -186,6 +188,7 @@ def __init__(
         password_entries=(),  # type: Iterable[PasswordEntry]
         pip_version=None,  # type: Optional[PipVersionValue]
         extra_pip_requirements=(),  # type: Tuple[Requirement, ...]
+        keyring_provider=None,  # type: Optional[str]
     ):
         # type: (...) -> None
         self.resolver_version = resolver_version  # type: ResolverVersion.Value
@@ -196,6 +199,7 @@ def __init__(
         self.password_entries = password_entries  # type: Iterable[PasswordEntry]
         self.pip_version = pip_version  # type: Optional[PipVersionValue]
         self.extra_pip_requirements = extra_pip_requirements  # type: Tuple[Requirement, ...]
+        self.keyring_provider = keyring_provider  # type: Optional[str]
 
 
 if TYPE_CHECKING:
@@ -393,6 +397,11 @@ def _spawn_pip_isolated(
             # `~/.config/pip/pip.conf`.
             pip_args.append("--isolated")
 
+        # Configure a keychain provider if so configured.
+        if package_index_configuration and package_index_configuration.keyring_provider:
+            pip_args.append("--keyring-provider")
+            pip_args.append(package_index_configuration.keyring_provider)
+
         if log:
             pip_args.append("--log")
             pip_args.append(log)

diff --git a/pex/resolve/configured_resolve.py b/pex/resolve/configured_resolve.py
@@ -64,6 +64,7 @@ def resolve(
                     pip_version=lock.pip_version,
                     use_pip_config=pip_configuration.use_pip_config,
                     extra_pip_requirements=pip_configuration.extra_requirements,
+                    keyring_provider=pip_configuration.keyring_provider,
                     result_type=result_type,
                     dependency_configuration=dependency_configuration,
                 )
@@ -130,6 +131,7 @@ def resolve(
                 resolver=ConfiguredResolver(pip_configuration=resolver_configuration),
                 use_pip_config=resolver_configuration.use_pip_config,
                 extra_pip_requirements=resolver_configuration.extra_requirements,
+                keyring_provider=resolver_configuration.keyring_provider,
                 result_type=result_type,
                 dependency_configuration=dependency_configuration,
             )
diff --git a/pex/resolve/configured_resolver.py b/pex/resolve/configured_resolver.py
@@ -77,6 +77,7 @@ def resolve_lock(
                 pip_version=pip_version or self.pip_configuration.version,
                 use_pip_config=self.pip_configuration.use_pip_config,
                 extra_pip_requirements=self.pip_configuration.extra_requirements,
+                keyring_provider=self.pip_configuration.keyring_provider,
                 result_type=result_type,
             )
         )
@@ -113,5 +114,6 @@ def resolve_requirements(
                 if extra_resolver_requirements is not None
                 else self.pip_configuration.extra_requirements
             ),
+            keyring_provider=self.pip_configuration.keyring_provider,
             result_type=result_type,
         )
diff --git a/pex/resolve/lock_resolver.py b/pex/resolve/lock_resolver.py
@@ -95,6 +95,7 @@ def __init__(
         resolver=None,  # type: Optional[Resolver]
         use_pip_config=False,  # type: bool
         extra_pip_requirements=(),  # type: Tuple[Requirement, ...]
+        keyring_provider=None,  # type: Optional[str]
     ):
         super(VCSArtifactDownloadManager, self).__init__(
             pex_root=pex_root, file_lock_style=file_lock_style
@@ -117,6 +118,7 @@ def __init__(
         self._resolver = resolver
         self._use_pip_config = use_pip_config
         self._extra_pip_requirements = extra_pip_requirements
+        self._keyring_provider = keyring_provider
 
     def save(
         self,
@@ -143,6 +145,7 @@ def save(
             resolver=self._resolver,
             use_pip_config=self._use_pip_config,
             extra_pip_requirements=self._extra_pip_requirements,
+            keyring_provider=self._keyring_provider,
         )
         if len(downloaded_vcs.local_distributions) != 1:
             return Error(
@@ -257,6 +260,7 @@ def resolve_from_lock(
     pip_version=None,  # type: Optional[PipVersionValue]
     use_pip_config=False,  # type: bool
     extra_pip_requirements=(),  # type: Tuple[Requirement, ...]
+    keyring_provider=None,  # type: Optional[str]
     result_type=InstallableType.INSTALLED_WHEEL_CHROOT,  # type: InstallableType.Value
     dependency_configuration=DependencyConfiguration(),  # type: DependencyConfiguration
 ):
@@ -311,6 +315,7 @@ def resolve_from_lock(
                     password_entries=PasswordDatabase.from_netrc().append(password_entries).entries,
                     use_pip_config=use_pip_config,
                     extra_pip_requirements=extra_pip_requirements,
+                    keyring_provider=keyring_provider,
                 ),
                 max_parallel_jobs=max_parallel_jobs,
             ),
@@ -332,6 +337,7 @@ def resolve_from_lock(
             resolver=resolver,
             use_pip_config=use_pip_config,
             extra_pip_requirements=extra_pip_requirements,
+            keyring_provider=keyring_provider,
         )
         for resolved_subset in subset_result.subsets
     }
@@ -450,6 +456,7 @@ def resolve_from_lock(
                 password_entries=PasswordDatabase.from_netrc().append(password_entries).entries,
                 use_pip_config=use_pip_config,
                 extra_pip_requirements=extra_pip_requirements,
+                keyring_provider=keyring_provider,
             ),
             compile=compile,
             build_configuration=build_configuration,

diff --git a/pex/resolve/lockfile/create.py b/pex/resolve/lockfile/create.py
@@ -379,6 +379,7 @@ def create(
         ),
         use_pip_config=pip_configuration.use_pip_config,
         extra_pip_requirements=pip_configuration.extra_requirements,
+        keyring_provider=pip_configuration.keyring_provider,
     )
 
     configured_resolver = ConfiguredResolver(pip_configuration=pip_configuration)
@@ -427,6 +428,7 @@ def create(
             resolver=configured_resolver,
             use_pip_config=pip_configuration.use_pip_config,
             extra_pip_requirements=pip_configuration.extra_requirements,
+            keyring_provider=pip_configuration.keyring_provider,
             dependency_configuration=dependency_configuration,
         )
     except resolvers.ResolveError as e:

diff --git a/pex/resolve/pre_resolved_resolver.py b/pex/resolve/pre_resolved_resolver.py
@@ -102,6 +102,7 @@ def resolve_from_dists(
                 password_entries=pip_configuration.repos_configuration.password_entries,
                 use_pip_config=pip_configuration.use_pip_config,
                 extra_pip_requirements=pip_configuration.extra_requirements,
+                keyring_provider=pip_configuration.keyring_provider,
             )
             build_and_install = BuildAndInstallRequest(
                 build_requests=[

diff --git a/pex/resolve/resolver_configuration.py b/pex/resolve/resolver_configuration.py
@@ -200,6 +200,7 @@ class PipConfiguration(object):
     allow_version_fallback = attr.ib(default=True)  # type: bool
     use_pip_config = attr.ib(default=False)  # type: bool
     extra_requirements = attr.ib(default=())  # type Tuple[Requirement, ...]
+    keyring_provider = attr.ib(default=None)  # type: Optional[str]
 
 
 @attr.s(frozen=True)

diff --git a/pex/resolve/resolver_options.py b/pex/resolve/resolver_options.py
@@ -135,8 +135,18 @@ def register(
             "See: https://pip.pypa.io/en/stable/topics/authentication/#keyring-support"
         ),
     )
+
     register_use_pip_config(parser)
 
+    parser.add_argument(
+        "--keyring-provider",
+        metavar="PROVIDER",
+        dest="keyring_provider",
+        type=str,
+        default=None,
+        help="`keyring` provider to configure `pip` to use.",
+    )
+
     register_repos_options(parser)
     register_network_options(parser)
 
@@ -681,6 +691,7 @@ def create_pip_configuration(
         allow_version_fallback=options.allow_pip_version_fallback,
         use_pip_config=get_use_pip_config_value(options),
         extra_requirements=tuple(options.extra_pip_requirements),
+        keyring_provider=options.keyring_provider,
     )
 
 

diff --git a/pex/resolver.py b/pex/resolver.py
@@ -1023,6 +1023,7 @@ def resolve(
     resolver=None,  # type: Optional[Resolver]
     use_pip_config=False,  # type: bool
     extra_pip_requirements=(),  # type: Tuple[Requirement, ...]
+    keyring_provider=None,  # type: Optional[str]
     result_type=InstallableType.INSTALLED_WHEEL_CHROOT,  # type: InstallableType.Value
     dependency_configuration=DependencyConfiguration(),  # type: DependencyConfiguration
 ):
@@ -1108,6 +1109,7 @@ def resolve(
         password_entries=password_entries,
         use_pip_config=use_pip_config,
         extra_pip_requirements=extra_pip_requirements,
+        keyring_provider=keyring_provider,
     )
 
     if not build_configuration.allow_wheels:
@@ -1276,6 +1278,7 @@ def download(
     resolver=None,  # type: Optional[Resolver]
     use_pip_config=False,  # type: bool
     extra_pip_requirements=(),  # type: Tuple[Requirement, ...]
+    keyring_provider=None,  # type: Optional[str]
     dependency_configuration=DependencyConfiguration(),  # type: DependencyConfiguration
 ):
     # type: (...) -> Downloaded
@@ -1322,6 +1325,7 @@ def download(
         password_entries=password_entries,
         use_pip_config=use_pip_config,
         extra_pip_requirements=extra_pip_requirements,
+        keyring_provider=keyring_provider,
     )
     build_requests, download_results = _download_internal(
         targets=targets,

diff --git a/tests/test_pip.py b/tests/test_pip.py
@@ -115,15 +115,21 @@ def test_no_duplicate_constraints_pex_warnings(
 def package_index_configuration(
     pip_version,  # type: PipVersionValue
     use_pip_config=False,  # type: bool
+    keyring_provider=None,  # type: Optional[str]
 ):
     # type: (...) -> PackageIndexConfiguration
     if pip_version is PipVersion.v23_2:
         # N.B.: Pip 23.2 has a bug handling PEP-658 metadata with the legacy resolver; so we use the
         # 2020 resolver to work around. See: https://github.com/pypa/pip/issues/12156
         return PackageIndexConfiguration.create(
-            pip_version, resolver_version=ResolverVersion.PIP_2020, use_pip_config=use_pip_config
+            pip_version,
+            resolver_version=ResolverVersion.PIP_2020,
+            use_pip_config=use_pip_config,
+            keyring_provider=keyring_provider,
         )
-    return PackageIndexConfiguration.create(use_pip_config=use_pip_config)
+    return PackageIndexConfiguration.create(
+        use_pip_config=use_pip_config, keyring_provider=keyring_provider
+    )
 
 
 @pytest.mark.skipif(
@@ -395,6 +401,39 @@ def test_use_pip_config(
         assert "invalid --python-version value: 'invalid'" in str(exc.value.stderr)
 
 
+@applicable_pip_versions
+def test_keyring_provider(
+    create_pip,  # type: CreatePip
+    version,  # type: PipVersionValue
+    current_interpreter,  # type: PythonInterpreter
+    tmpdir,  # type: Any
+):
+    # type: (...) -> None
+
+    pip = create_pip(current_interpreter, version=version)
+
+    download_dir = os.path.join(str(tmpdir), "downloads")
+    assert not os.path.exists(download_dir)
+
+    with ENV.patch(PIP_KEYRING_PROVIDER="invalid") as env, environment_as(**env):
 bootstrap_pip_version = try_( 
     compatible_version( 
         targets, 
         PipVersion.VENDORED, 
         context="Bootstrapping Pip {version}".format(version=version), 
         warn=False, 
     ) 
 ) 
 if bootstrap_pip_version is not PipVersion.VENDORED and not extra_requirements: 
     return _pip_installation( 
         version=version, 
         iter_distribution_locations=_bootstrap_pip(version, interpreter=interpreter), 
         interpreter=interpreter, 
         fingerprint=_fingerprint(extra_requirements), 
         use_system_time=use_system_time, 
     ) 
 bootstrap_pip_version = try_( 
     compatible_version( 
         targets, 
         PipVersion.VENDORED, 
         context="Bootstrapping Pip {version}".format(version=version), 
         warn=False, 
     ) 
 ) 
 if bootstrap_pip_version is not PipVersion.VENDORED and not extra_requirements: 
     return _pip_installation( 
         version=version, 
         iter_distribution_locations=_bootstrap_pip(version, interpreter=interpreter), 
         interpreter=interpreter, 
         fingerprint=_fingerprint(extra_requirements), 
         use_system_time=use_system_time, 
     ) 
+        assert "invalid" == os.environ["PIP_KEYRING_PROVIDER"]
+        job = pip.spawn_download_distributions(
+            download_dir=download_dir,
+            requirements=["ansicolors==1.1.8"],
+            package_index_configuration=package_index_configuration(
+                pip_version=version, keyring_provider="auto"
+            ),
+        )
+        keyring_arg = job._command.index("--keyring-provider")
+        if keyring_arg != -1:
+            assert job._command[keyring_arg : keyring_arg + 2] == ("--keyring-provider", "auto")
+        else:
+            pytest.fail("--keyring-provider was not present in the invoked pip command")
+
+        with pytest.raises(Job.Error) as exc:
+            job.wait()
+
+
 @applicable_pip_versions
 def test_extra_pip_requirements_pip_not_allowed(
     create_pip,  # type: CreatePip