https://pantsbuild.org/ logo
#general
Title
# general
r

rhythmic-battery-45198

09/24/2022, 1:40 AM
Here is a fun possible bug relating to using version controlled direct references hosted on private repositories with SSH access:
I was scratching my head trying to figure out why ssh authentication for direct reference to private git repo was failing in CI environment. I added
SSH_AUTH_SOCK
to
subprocess-environment.env_vars
. I was able to
git clone
and
pip install
using ssh authentication. But, pants was failing to authenticate. After running commands in the sandbox manually to reproduce, I noticed that removing the
--lock
argument to one of the pex commands fixed the issue. So, I checked if there was anything interesting in the lockfile and found
Copy code
"artifacts": [
            {
              "algorithm": "sha256",
              "hash": "429f5dd381fb70e5e899ff8dcaf9f1cef1a16e03034466d86d711dd06adaaa5d",
              "url": "git+ssh://****@github.com:/<my-company>/<my-repo>.git@<my-sha>"
            }
          ],
The url has literal
****
instead of
git
for the username. I had noticed this in the logs but thought that it was sensitive data being filtered from the logs. My dependency is
Copy code
<my-package>@ <git+ssh://git@github.com>:/<my-company>/<my-repo>.git@<my-sha>
h

happy-kitchen-89482

09/24/2022, 3:17 AM
Interesting. I believe this is pip filtering sensitive data from its output: https://github.com/pypa/pip/blob/main/src/pip/_internal/utils/misc.py#L456
And we are grabbing that output post-filtering, looks like
In this case it thinks git@ might be an access token
Which pants version are you using?
This reproduces at HEAD in the pex repo:
Copy code
$ python -m pex.cli lock create "ansicolors@ <git+ssh://git@github.com/jonathaneunice/colors.git@c965f5b9103c5bd32a1572adb8024ebe83278fb0>" | jq -r .locked_resolves[0].locked_requirements[0].artifacts[0].url
git+ssh://****@github.com/jonathaneunice/colors.git@c965f5b9103c5bd32a1572adb8024ebe83278fb0
I guess the hacky workaround for now is to manually rewrite those ** strings in the lockfile after you generate it, until we figure it out
r

rhythmic-battery-45198

09/24/2022, 3:36 PM
2.13.0 - and yeah I ended up manually editing the lock file and everything downstream worked as expected
h

happy-kitchen-89482

09/24/2022, 3:43 PM
Would you mind opening an issue at https://github.com/pantsbuild/pex/issues ?
r

rhythmic-battery-45198

09/24/2022, 3:48 PM
Will do.. thanks !
e

enough-analyst-54434

09/30/2022, 6:51 PM
Thanks for filing this @rhythmic-battery-45198 and researching @happy-kitchen-89482. Fix here: https://github.com/pantsbuild/pex/pull/1923
🙌 1
3 Views