Authenticate Python downloads discovered from Simple API responses#139
Open
kbukum1 wants to merge 7 commits into
Conversation
Pull request overview
This PR enhances the Python index handler so it can reuse the same authentication for package file download URLs whose stable prefix is discovered from authenticated PEP 503/PEP 691 Simple API responses (instead of broadening credentials to the entire host).
Changes:
- Registers a Python index response hook in the proxy pipeline to learn download URL prefixes from Simple API responses.
- Refactors Python index auth application to reuse a shared auth representation (basic or OIDC) and persist it across request/response handling via context.
- Extends OIDC registry APIs to support “select credential” and “apply auth with known credential” flows.
Show a summary per file
| File | Description |
|---|---|
| proxy.go | Wires PythonIndexHandler.HandleResponse into the response chain. |
| internal/oidc/oidc_registry.go | Adds CredentialForRequest and TryAuthCredential to support external matching with centralized header behavior. |
| internal/handlers/python_index.go | Uses discovered download-prefix auth first; records request auth in context for response learning. |
| internal/handlers/python_index_auth.go | Introduces auth/context plumbing and an in-memory store for discovered download-prefix auth. |
| internal/handlers/python_index_download_prefixes.go | Parses Simple API HTML/JSON responses to discover and store stable download prefixes. |
| internal/handlers/python_index_test.go | Adds tests for discovered download-prefix authentication from HTML and JSON responses. |
| internal/handlers/oidc_handling_test.go | Adds an OIDC-based test to ensure discovered download prefixes reuse OIDC auth. |
Copilot's findings
- Files reviewed: 7/7 changed files
- Comments generated: 1
05e97ec to c996d16
JamieMagee reviewed Jun 12, 2026
JamieMagee previously approved these changes Jun 12, 2026
JamieMagee (Member) left a comment:
I'd like a little bit more test coverage, but it's not a blocker, and everything else looks fine.
…response handling
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
4a60b49 to 4d36705
JamieMagee approved these changes Jun 12, 2026
What are you trying to accomplish?
Allow the proxy to authenticate Python package file downloads when an authenticated Simple API response points to a different stable download path than the configured index URL.
This is needed for Azure Artifacts Python indexes. Dependabot authenticates requests to the configured Simple API path, such as /pypi/simple/..., but Azure can return package links under rewritten /pypi/download/... paths that include internal project/feed identifiers. Those download URLs no longer match the original credential path, so hosted Dependabot can reach the package listing but fail to download the package file. This affects dependabot/dependabot-core#15207.
Anything you want to highlight for special attention from reviewers?
The implementation intentionally keeps authentication scoped. It does not broaden Python index credentials to the whole host. Instead, the proxy only learns Azure Artifacts download prefixes from authenticated Python Simple API responses, then reuses the same basic or OIDC credential for later requests under those discovered prefixes.
Discovery is limited to successful Simple API HTML/JSON responses, bounded in memory, restricted to same-origin and same-organization download links, and capped so a long-running proxy cannot learn unbounded prefixes.
How will you know you've accomplished your goal?
The proxy test coverage exercises Python Simple API download-prefix discovery for both static and OIDC-backed credentials, including scoped matching, oversized responses, custom ports, IPv6 hosts, and negative cases where discovery must not broaden auth.
Validation run:
go test ./internal/handlers ./internal/oidc
Checklist
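The scoped prefix learning described in the PR body above, as an added Go example that is not the PR's own code (the project's PythonIndexHandler, CredentialForRequest and TryAuthCredential are not shown on this page). Auth, PrefixStore, Learn and CredentialFor are hypothetical names; the concrete rules (same scheme and host as the index, same first path segment taken as the organization, a /pypi/download/ segment as the cut point, a 4 MiB body limit and a fixed cap on learned prefixes) are assumptions modelled on the description; the Azure-style index URL and listing are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Auth stands in for the basic or OIDC credential used on the Simple API request.
type Auth struct{ Kind, Value string }

// PrefixStore maps learned "scheme://host/prefix-path/" strings to the credential
// that fetched the listing they were found in. Hypothetical, not the project's type.
type PrefixStore struct {
	max      int // assumed cap on learned prefixes
	prefixes map[string]Auth
}

const maxBody = 4 << 20 // assumption: listings above 4 MiB are not parsed
const marker = "/pypi/download/"
var hrefRe = regexp.MustCompile(`(?i)<a[^>]+href="([^"]+)"`)

func firstSeg(p string) string { return strings.SplitN(strings.TrimPrefix(p, "/"), "/", 2)[0] }

// stablePrefix returns the prefix worth remembering for one file link, or "" when it
// must not be learned: same scheme/host and first path segment (organization) as the
// index, plus a marker segment; everything after the marker is dropped (assumed rules).
func stablePrefix(index *url.URL, link string) string {
	u, err := index.Parse(link) // resolves relative links against the index URL
	if err != nil || u.Scheme != index.Scheme || u.Host != index.Host ||
		firstSeg(u.Path) != firstSeg(index.Path) {
		return ""
	}
	if i := strings.Index(u.Path, marker); i >= 0 {
		return u.Scheme + "://" + u.Host + u.Path[:i+len(marker)]
	}
	return ""
}

// Learn extracts file links from a PEP 503 HTML or PEP 691 JSON listing, stores their
// stable prefixes with cred, and returns how many prefixes were new.
func (s *PrefixStore) Learn(indexURL, contentType string, body []byte, cred Auth) int {
	index, err := url.Parse(indexURL)
	if err != nil || len(body) > maxBody {
		return 0
	}
	var links []string
	if strings.HasPrefix(contentType, "application/vnd.pypi.simple.v1+json") {
		var doc struct{ Files []struct{ URL string } } // json matches field names case-insensitively
		if json.Unmarshal(body, &doc) != nil {
			return 0
		}
		for _, f := range doc.Files {
			links = append(links, f.URL)
		}
	} else {
		for _, m := range hrefRe.FindAllSubmatch(body, -1) {
			links = append(links, string(m[1]))
		}
	}
	added := 0
	for _, l := range links {
		p := stablePrefix(index, l)
		if _, seen := s.prefixes[p]; p == "" || seen {
			continue
		}
		if len(s.prefixes) >= s.max {
			break // cap reached: stop learning rather than evict
		}
		s.prefixes[p] = cred
		added++
	}
	return added
}

// CredentialFor returns the credential to reuse for a later download whose cleaned URL
// falls under a learned prefix. path.Clean stops "../" segments from borrowing a
// prefix's credential for the sibling path the server would actually resolve to.
func (s *PrefixStore) CredentialFor(requestURL string) (Auth, bool) {
	u, err := url.Parse(requestURL)
	if err != nil {
		return Auth{}, false
	}
	norm := u.Scheme + "://" + u.Host + path.Clean(u.Path)
	for p, cred := range s.prefixes { // learned prefixes do not nest, so first match is enough
		if strings.HasPrefix(norm, p) {
			return cred, true
		}
	}
	return Auth{}, false
}

func main() {
	store := &PrefixStore{max: 8, prefixes: map[string]Auth{}} // constructed sample below
	listing := []byte(`<a href="https://pkgs.dev.azure.com/myorg/11111111-1111-1111-1111-111111111111/_packaging/22222222-2222-2222-2222-222222222222/pypi/download/requests/2.32.3/requests-2.32.3-py3-none-any.whl#sha256=abc">wheel</a>`)
	n := store.Learn("https://pkgs.dev.azure.com/myorg/_packaging/myfeed/pypi/simple/requests/", "text/html", listing, Auth{"basic", "user:token"})
	_, ok := store.CredentialFor("https://pkgs.dev.azure.com/myorg/11111111-1111-1111-1111-111111111111/_packaging/22222222-2222-2222-2222-222222222222/pypi/download/requests/2.32.3/requests-2.32.3-py3-none-any.whl")
	fmt.Println("learned prefixes:", n, "download gets auth:", ok)
}
```

The example omits locking for brevity; the store the PR describes lives in a long-running proxy and is touched from request and response handling, so a real implementation guards the map with a mutex. Links on another host, under another organization, or without the download marker are never learned, so the credential is not broadened beyond the discovered prefix.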