Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-20705

pypi proxy remote simple indexes with absolute URLs are not rewritten correctly causing the pip client to bypass nxrm

    XMLWordPrintable

    Details

    • Story Points:
      1
    • Notability:
      2

      Description

      1. Create a PyPi proxy repository to https://pypi.rasa.com
      2. Execute an install:

      > pip install --index-url http://localhost:8081/repository/rasa/simple rasa-x==0.19.5
      DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
      Looking in indexes: http://localhost:8081/repository/rasa/simple
      Collecting rasa-x==0.19.5
      User for localhost:8081: admin
      Password: 
      Downloading https://pypi.rasa.com/api/package/rasa-x/rasa-x-0.19.5.tar.gz (1.8MB)
      100% |████████████████████████████████| 1.8MB 1.4MB/s 
      Installing build dependencies ... error
      Complete output from command /usr/local/opt/python@2/bin/python2.7 /usr/local/lib/python2.7/site-packages/pip install --ignore-installed --no-user --prefix /private/var/folders/w6/y8296l093llf7sl1pm50fr540000gn/T/pip-build-env-HqkGa6/overlay --no-warn-script-location --no-binary :none: --only-binary :none: -i http://localhost:8081/repository/rasa/simple -- setuptools>=30.3.0 wheel setuptools_scm==3.2.0:
      DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
      Looking in indexes: http://localhost:8081/repository/rasa/simple
      Collecting setuptools>=30.3.0
      ....
      

      The problem is the pip client tries to access other hosts ( "Downloading https://pypi.rasa.com/api/package/rasa-x/rasa-x-0.19.5.tar.gz" ) to install packages.

      Loading this page: http://localhost:8081/repository/rasa/simple/rasa-x

      Will return HTML with absolute URLs to other hosts:

      <html lang="en">
      <head><title>Links for rasa-x</title>
        <meta name="api-version" value="2"/>
      </head>
      <body><h1>Links for rasa-x</h1>
          <a href="https://pypi.rasa.com/api/package/rasa-x/rasa-x-0.19.0.tar.gz" rel="internal">rasa-x-0.19.0.tar.gz</a><br/>
          <a href="https://pypi.rasa.com/api/package/rasa-x/rasa-x-0.19.0a8.dev31+g18fd4db.tar.gz" rel="internal">rasa-x-0.19.0a8.dev31+g18fd4db.tar.gz</a><br/>
          <a href="https://pypi.rasa.com/api/package/rasa-x/rasa-x-0.19.0a8.dev41+g1abdee3.tar.gz" rel="internal">rasa-x-0.19.0a8.dev41+g1abdee3.tar.gz</a><br/>
          <a href="https://pypi.rasa.com/api/package/rasa-x/rasa-x-0.19.0a8.dev42+g7e791dc.tar.gz" rel="internal">rasa-x-0.19.0a8.dev42+g7e791dc.tar.gz</a><br/>
       ...
      

      Expected

      A pip client properly configured to access NXRM PyPi repos should always send requests for packages to the configured index/indexUrl repository.

      The simple index that NXRM returns to the client should contain URLs mapped to repository from which it is served.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              mjohnson Matt Johnson
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Michael Prescott Michael Prescott
              Team:
              NXRM - Neo
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title