pip-audit doesn't allow authenticating into an extra index #706

Closed
nickanna42 opened this issue Dec 13, 2023 · 8 comments · Fixed by #707
Labels: bug (Something isn't working), component:dep-sources (Dependency sources)

nickanna42 commented Dec 13, 2023

Bug description

When running pip-audit -r requirements.txt, where requirements.txt contains an --extra-index-url flag that points to an index which requires authentication, pip-audit hangs on the "Installing package in isolated environment" step.

Reproduction steps

requirements.txt contents:

protobuf == 4.21.12
pyproj
--extra-index-url https://my_internal_index_site

run pip-audit -r requirements.txt

Expected behavior

A prompt asking for username and password pops up when pip-audit encounters an index which requires authentication

Screenshots and logs

If applicable, add screenshots to help explain your problem.

Similarly, if applicable and possible, re-run the command with --verbose,
and paste the logs in the code block below:

Paste logs here, or remove me if not applicable!

Platform information

  • OS name and version: Ubuntu in WSL2 container
  • pip-audit version (pip-audit -V): 2.6.1
  • Python version (python -V or python3 -V): 3.11.7
  • pip version (pip -V or pip3 -V): 23.2.1
nickanna42 added the bug-candidate (Might be a bug.) label Dec 13, 2023
woodruffw (Member) commented:

Thanks for the report!

Could you say a bit more about your use case, and how (if) you have pip configured?

pip has a few authentication mechanisms that don't require interactivity; do any of these work for you?

nickanna42 (Author) commented:

> Thanks for the report!
>
> Could you say a bit more about your use case, and how (if) you have pip configured?
>
> pip has a few authentication mechanisms that don't require interactivity; do any of these work for you?

If I do the static url authentication everything does go through. However, the behaviour (the hangup) was unexpected. I'm assuming this is happening at the point in the workflow where the underlying pip is asking for user input of username and password. The ability to input the data or, alternately, it erroring out, would be, I humbly suggest, better behaviour. Or perhaps a documentation update saying interactive auth isn't supported.

woodruffw (Member) commented:

> If I do the static url authentication everything does go through.

Got it, thank you for confirming -- that makes sense; I just wanted to establish that pip-audit hadn't somehow broken authentication more profoundly 🙂

> However, the behaviour (the hangup) was unexpected. I'm assuming this is happening at the point in the workflow where the underlying pip is asking for user input of username and password.

Yep, that's unexpected and a bug on our end -- I'll be opening a PR for that. I think we'll probably start with erroring out, since plumbing input into the pip subprocess will require some architectural changes that we'll need to evaluate the benefit of.
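The hang described above, and the effect of the fix woodruffw outlines (run pip so it cannot prompt), as an added example that is not pip-audit's own code. A real private index is not reachable offline, so a tiny Python program that calls input() stands in for pip asking for a username; build_pip_args, run_noninteractive, run_with_open_stdin and PROMPTING_CHILD are hypothetical names for this illustration, while --no-input is a real pip option.

```python
"""Added example, not pip-audit's own code: why a pip subprocess that asks for
index credentials can block a tool forever, and how `--no-input` plus a closed
stdin turns that hang into an error the caller can surface.

Assumptions (constructed for this example): a real private index is not
reachable offline, so a tiny Python program that calls input() stands in for
pip prompting for a username.  build_pip_args, run_noninteractive and
run_with_open_stdin are hypothetical helper names, not pip-audit APIs.
"""
import subprocess
import sys
from typing import List, Optional

# Stand-in for pip prompting for credentials (constructed; touches no network).
PROMPTING_CHILD: List[str] = [
    sys.executable,
    "-c",
    "input('User for https://my_internal_index_site: ')",
]


def build_pip_args(requirements_file: str, extra_index_url: Optional[str] = None) -> List[str]:
    """Build a pip install argv that must never wait on a terminal.

    `--no-input` is a real pip option that disables prompting, so a
    credential request fails fast instead of blocking the parent process.
    """
    args = [sys.executable, "-m", "pip", "install", "--no-input", "-r", requirements_file]
    if extra_index_url:
        args += ["--extra-index-url", extra_index_url]
    return args


def run_noninteractive(argv: List[str], timeout: float = 10.0) -> dict:
    """Run argv with stdin attached to the null device.

    Any attempt to read a prompt answer hits EOF immediately, so an
    unexpected authentication prompt becomes a non-zero exit with a
    readable stderr rather than an indefinite hang.
    """
    try:
        proc = subprocess.run(
            argv,
            stdin=subprocess.DEVNULL,  # nothing to read credentials from
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return {"status": "hung", "returncode": None, "stderr": ""}
    status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "returncode": proc.returncode, "stderr": proc.stderr}


def run_with_open_stdin(argv: List[str], timeout: float = 2.0) -> dict:
    """The 'before' behaviour: stdin is an open pipe nobody writes to.

    The child blocks on its prompt until the caller gives up, which is what
    the issue describes as pip-audit hanging on the install step.
    """
    proc = subprocess.Popen(
        argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    try:
        proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
        proc.stdin.close()
        return {"status": "hung", "returncode": None}
    proc.stdin.close()
    return {"status": "ok" if proc.returncode == 0 else "error", "returncode": proc.returncode}


if __name__ == "__main__":
    print("argv with prompting disabled:", build_pip_args("requirements.txt", "https://my_internal_index_site"))
    print("open stdin   ->", run_with_open_stdin(PROMPTING_CHILD)["status"])
    print("closed stdin ->", run_noninteractive(PROMPTING_CHILD)["status"])
```

Both measures matter together: --no-input tells pip itself not to prompt, and a closed stdin guarantees that anything pip shells out to (a keyring backend, for instance) cannot block on a read either. The stderr captured by run_noninteractive is what a wrapper like pip-audit can relay to the user in place of a silent hang.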

woodruffw added a commit that referenced this issue Dec 14, 2023
Closes #706.

Signed-off-by: William Woodruff <william@trailofbits.com>
woodruffw added the bug (Something isn't working) and component:dep-sources (Dependency sources) labels and removed the bug-candidate (Might be a bug.) label Dec 14, 2023
woodruffw (Member) commented:

@nickanna42 would you be able to try out the changes in #707 and see if they produce an error for you, rather than blocking indefinitely?

woodruffw added a commit that referenced this issue Dec 19, 2023
* _virtual_env: add --no-input to all invocations

Closes #706.

Signed-off-by: William Woodruff <william@trailofbits.com>

* CHANGELOG: record changes

Signed-off-by: William Woodruff <william@trailofbits.com>

* pyproject: filter coverage==7.3.2

See nedbat/coveragepy#1713.

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
woodruffw self-assigned this Dec 19, 2023
fgsalomon commented:

Hi @woodruffw,

Sorry for hijacking this issue but I'm facing a problem that I think is related.

The authentication mechanism that I'm using is through the keyring with the Google Artifact Registry backend.
I can install my private package without issue by providing the extra index url but when I run pip-audit with --extra-index-url MY_INDEX_URL it can't find the package:

ERROR: Could not find a version that satisfies the requirement MY_PRIVATE_PACKAGE==X.Y.Z (from versions: none)
ERROR: No matching distribution found for MY_PRIVATE_PACKAGE==X.Y.Z

The pip-audit version is 2.7.1.

Do you know what I'm doing wrong?

Thank you!

woodruffw (Member) commented:

@fgsalomon Sorry, there isn't enough information there for me to know for certain 🙂. Depending on how you're invoking pip-audit, that could either be known behavior (e.g. for pyproject.toml) or another bug with how we're handling requirements files/wrapping pip internally.

I apologize for the extra bit of work, but could you file a new issue for your behavior? The bug report form contains a bunch of steps that make triage way simpler and faster on our side.

fgsalomon commented:

I'm sorry, I should have done it in the first place. I hope I've done it right now.

woodruffw (Member) commented:

Much appreciated!
