Exit early on auth failures to improve first-index security by default

Author: jtfmumm

Cargo.lock

@@ -60,6 +60,10 @@ pub struct Index {
     pub auth_policy: AuthPolicy,
 }
 
+// TODO(john): Multiple methods in this struct need to iterate over
+// all the indexes in the set. There are probably not many URLs to
+// iterate through, but we could use a trie instead of a HashSet here
+// for more efficient search.
 #[derive(Debug, Default, Clone, Eq, PartialEq)]
 pub struct Indexes(FxHashSet<Index>);
 
@@ -79,26 +83,20 @@ impl Indexes {
 
     /// Get the index URL prefix for a URL if one exists.
     pub fn index_url_for(&self, url: &Url) -> Option<&Url> {
-        // TODO(john): There are probably not many URLs to iterate through,
-        // but we could use a trie instead of a HashSet here for more
-        // efficient search.
-        self.0
-            .iter()
-            .find(|index| is_url_prefix(&index.url, url))
-            .map(|index| &index.url)
+        self.find_prefix_index(url).map(|index| &index.url)
     }
 
     /// Get the [`AuthPolicy`] for a URL.
-    pub fn policy_for(&self, url: &Url) -> AuthPolicy {
-        // TODO(john): There are probably not many URLs to iterate through,
-        // but we could use a trie instead of a HashMap here for more
-        // efficient search.
-        for index in &self.0 {
-            if is_url_prefix(&index.root_url, url) {
-                return index.auth_policy;
-            }
-        }
-        AuthPolicy::Auto
+    pub fn auth_policy_for(&self, url: &Url) -> AuthPolicy {
+        self.find_prefix_index(url)
+            .map(|index| index.auth_policy)
+            .unwrap_or(AuthPolicy::Auto)
+    }
+
+    fn find_prefix_index(&self, url: &Url) -> Option<&Index> {
+        self.0
+            .iter()
+            .find(|&index| is_url_prefix(&index.root_url, url))
     }
 }
 

crates/uv-auth/src/index.rs

@@ -182,7 +182,7 @@ impl Middleware for AuthMiddleware {
         // to the headers so for display purposes we restore some information
         let url = tracing_url(&request, request_credentials.as_ref());
         let maybe_index_url = self.indexes.index_url_for(request.url());
-        let auth_policy = self.indexes.policy_for(request.url());
+        let auth_policy = self.indexes.auth_policy_for(request.url());
         trace!("Handling request for {url} with authentication policy {auth_policy}");
 
         let credentials: Option<Arc<Credentials>> = if matches!(auth_policy, AuthPolicy::Never) {

crates/uv-auth/src/middleware.rs

@@ -9,7 +9,7 @@ use async_http_range_reader::AsyncHttpRangeReader;
 use futures::{FutureExt, StreamExt, TryStreamExt};
 use http::HeaderMap;
 use itertools::Either;
-use reqwest::{Proxy, Response, StatusCode};
+use reqwest::{Proxy, Response};
 use reqwest_middleware::ClientWithMiddleware;
 use rustc_hash::FxHashMap;
 use tokio::sync::{Mutex, Semaphore};
@@ -23,7 +23,7 @@ use uv_configuration::{IndexStrategy, TrustedHost};
 use uv_distribution_filename::{DistFilename, SourceDistFilename, WheelFilename};
 use uv_distribution_types::{
     BuiltDist, File, FileLocation, IndexCapabilities, IndexFormat, IndexLocations,
-    IndexMetadataRef, IndexUrl, IndexUrls, Name,
+    IndexMetadataRef, IndexStatusCodeDecision, IndexStatusCodeStrategy, IndexUrl, IndexUrls, Name,
 };
 use uv_metadata::{read_metadata_async_seek, read_metadata_async_stream};
 use uv_normalize::PackageName;
@@ -331,8 +331,15 @@ impl RegistryClient {
                     let _permit = download_concurrency.acquire().await;
                     match index.format {
                         IndexFormat::Simple => {
+                            let status_code_strategy =
+                                self.index_urls.status_code_strategy_for(index.url);
                             if let Some(metadata) = self
-                                .simple_single_index(package_name, index.url, capabilities)
+                                .simple_single_index(
+                                    package_name,
+                                    index.url,
+                                    capabilities,
+                                    &status_code_strategy,
+                                )
                                 .await?
                             {
                                 results.push((index.url, MetadataFormat::Simple(metadata)));
@@ -357,8 +364,15 @@ impl RegistryClient {
                         let _permit = download_concurrency.acquire().await;
                         match index.format {
                             IndexFormat::Simple => {
+                                let status_code_strategy =
+                                    self.index_urls.status_code_strategy_for(index.url);
                                 let metadata = self
-                                    .simple_single_index(package_name, index.url, capabilities)
+                                    .simple_single_index(
+                                        package_name,
+                                        index.url,
+                                        capabilities,
+                                        &status_code_strategy,
+                                    )
                                     .await?;
                                 Ok((index.url, metadata.map(MetadataFormat::Simple)))
                             }
@@ -445,6 +459,7 @@ impl RegistryClient {
         package_name: &PackageName,
         index: &IndexUrl,
         capabilities: &IndexCapabilities,
+        status_code_strategy: &IndexStatusCodeStrategy,
     ) -> Result<Option<OwnedArchive<SimpleMetadata>>, Error> {
         // Format the URL for PyPI.
         let mut url = index.url().clone();
@@ -490,18 +505,19 @@ impl RegistryClient {
             Ok(metadata) => Ok(Some(metadata)),
             Err(err) => match err.into_kind() {
                 // The package could not be found in the remote index.
-                ErrorKind::WrappedReqwestError(url, err) => match err.status() {
-                    Some(StatusCode::NOT_FOUND) => Ok(None),
-                    Some(StatusCode::UNAUTHORIZED) => {
-                        capabilities.set_unauthorized(index.clone());
-                        Ok(None)
-                    }
-                    Some(StatusCode::FORBIDDEN) => {
-                        capabilities.set_forbidden(index.clone());
-                        Ok(None)
+                ErrorKind::WrappedReqwestError(url, err) => {
+                    let decision = if let Some(status) = err.status() {
+                        status_code_strategy.handle_status_code(status, index, capabilities)
+                    } else {
+                        IndexStatusCodeDecision::Stop
+                    };
+                    match decision {
+                        IndexStatusCodeDecision::Continue => Ok(None),
+                        IndexStatusCodeDecision::Stop => {
+                            Err(ErrorKind::WrappedReqwestError(url, err).into())
+                        }
                     }
-                    _ => Err(ErrorKind::WrappedReqwestError(url, err).into()),
-                },
+                }
 
                 // The package is unavailable due to a lack of connectivity.
                 ErrorKind::Offline(_) => Ok(None),

crates/uv-client/src/registry_client.rs

@@ -30,8 +30,10 @@ uv-pypi-types = { workspace = true }
 uv-small-str = { workspace = true }
 
 arcstr = { workspace = true }
+anyhow = { workspace = true }
 bitflags = { workspace = true }
 fs-err = { workspace = true }
+http = { workspace = true }
 itertools = { workspace = true }
 jiff = { workspace = true }
 owo-colors = { workspace = true }

crates/uv-distribution-types/Cargo.toml

@@ -1,18 +1,18 @@
 use std::path::Path;
 use std::str::FromStr;
 
+use http::StatusCode;
+use serde::{Deserialize, Deserializer, Serialize};
 use thiserror::Error;
 use url::Url;
 
 use uv_auth::{AuthPolicy, Credentials};
 
 use crate::index_name::{IndexName, IndexNameError};
 use crate::origin::Origin;
-use crate::{IndexUrl, IndexUrlError};
+use crate::{IndexStatusCodeStrategy, IndexUrl, IndexUrlError};
 
-#[derive(
-    Debug, Clone, Hash, Eq, PartialEq, Ord, PartialOrd, serde::Serialize, serde::Deserialize,
-)]
+#[derive(Debug, Clone, Hash, Eq, PartialEq, Ord, PartialOrd, Serialize, Deserialize)]
 #[cfg_attr(feature = "schemars", derive(schemars::JsonSchema))]
 #[serde(rename_all = "kebab-case")]
 pub struct Index {
@@ -94,6 +94,17 @@ pub struct Index {
     /// ```
     #[serde(default)]
     pub authenticate: AuthPolicy,
+    /// Status codes that uv should ignore when deciding whether
+    /// to continue searching in the next index after a failure.
+    ///
+    /// ```toml
+    /// [[tool.uv.index]]
+    /// name = "my-index"
+    /// url = "https://<omitted>/simple"
+    /// ignore-error-codes = [401, 403]
+    /// ```
+    #[serde(deserialize_with = "validate_error_codes", default)]
+    pub ignore_error_codes: Vec<u16>,
 }
 
 #[derive(
@@ -131,6 +142,7 @@ impl Index {
             format: IndexFormat::Simple,
             publish_url: None,
             authenticate: AuthPolicy::default(),
+            ignore_error_codes: Vec::new(),
         }
     }
 
@@ -145,6 +157,7 @@ impl Index {
             format: IndexFormat::Simple,
             publish_url: None,
             authenticate: AuthPolicy::default(),
+            ignore_error_codes: Vec::new(),
         }
     }
 
@@ -159,6 +172,7 @@ impl Index {
             format: IndexFormat::Flat,
             publish_url: None,
             authenticate: AuthPolicy::default(),
+            ignore_error_codes: Vec::new(),
         }
     }
 
@@ -214,6 +228,15 @@ impl Index {
         }
         Ok(self)
     }
+
+    /// Return the [`IndexStatusCodeStrategy`] for this index.
+    pub fn status_code_strategy(&self) -> IndexStatusCodeStrategy {
+        if !self.ignore_error_codes.is_empty() {
+            IndexStatusCodeStrategy::from_ignored_error_codes(&self.ignore_error_codes)
+        } else {
+            IndexStatusCodeStrategy::from_index_url(self.url.url())
+        }
+    }
 }
 
 impl From<IndexUrl> for Index {
@@ -227,6 +250,7 @@ impl From<IndexUrl> for Index {
             format: IndexFormat::Simple,
             publish_url: None,
             authenticate: AuthPolicy::default(),
+            ignore_error_codes: Vec::new(),
         }
     }
 }
@@ -249,6 +273,7 @@ impl FromStr for Index {
                     format: IndexFormat::Simple,
                     publish_url: None,
                     authenticate: AuthPolicy::default(),
+                    ignore_error_codes: Vec::new(),
                 });
             }
         }
@@ -264,6 +289,7 @@ impl FromStr for Index {
             format: IndexFormat::Simple,
             publish_url: None,
             authenticate: AuthPolicy::default(),
+            ignore_error_codes: Vec::new(),
         })
     }
 }
@@ -349,6 +375,25 @@ impl<'a> From<&'a IndexUrl> for IndexMetadataRef<'a> {
     }
 }
 
+/// Validate the provided error codes.
+fn validate_error_codes<'de, D>(deserializer: D) -> Result<Vec<u16>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let status_codes = Option::<Vec<u16>>::deserialize(deserializer)?;
+    if let Some(codes) = status_codes {
+        for code in &codes {
+            if StatusCode::from_u16(*code).is_err() {
+                return Err(serde::de::Error::custom(format!(
+                    "{code} is not a valid HTTP status code"
+                )));
+            }
+        }
+        return Ok(codes);
+    }
+    Ok(Vec::new())
+}
+
 /// An error that can occur when parsing an [`Index`].
 #[derive(Error, Debug)]
 pub enum IndexSourceError {

crates/uv-distribution-types/src/index.rs

@@ -5,14 +5,15 @@ use std::path::Path;
 use std::str::FromStr;
 use std::sync::{Arc, LazyLock, RwLock};
 
+use http::StatusCode;
 use itertools::Either;
 use rustc_hash::{FxHashMap, FxHashSet};
 use thiserror::Error;
 use url::{ParseError, Url};
 
 use uv_pep508::{split_scheme, Scheme, VerbatimUrl, VerbatimUrlError};
 
-use crate::{Index, Verbatim};
+use crate::{Index, IndexStatusCodeStrategy, Verbatim};
 
 static PYPI_URL: LazyLock<Url> = LazyLock::new(|| Url::parse("https://pypi.org/simple").unwrap());
 
@@ -536,6 +537,16 @@ impl<'a> IndexUrls {
     pub fn no_index(&self) -> bool {
         self.no_index
     }
+
+    /// Return the [`IndexStatusCodeStrategy`] for an [`IndexUrl`].
+    pub fn status_code_strategy_for(&self, url: &IndexUrl) -> IndexStatusCodeStrategy {
+        for index in &self.indexes {
+            if index.url() == url {
+                return index.status_code_strategy();
+            }
+        }
+        IndexStatusCodeStrategy::Default
+    }
 }
 
 bitflags::bitflags! {
@@ -579,6 +590,18 @@ impl IndexCapabilities {
             .insert(Flags::NO_RANGE_REQUESTS);
     }
 
+    pub fn set_by_status_code(&self, status_code: StatusCode, index_url: &IndexUrl) {
+        match status_code {
+            StatusCode::UNAUTHORIZED => {
+                self.set_unauthorized(index_url.clone());
+            }
+            StatusCode::FORBIDDEN => {
+                self.set_forbidden(index_url.clone());
+            }
+            _ => {}
+        }
+    }
+
     /// Returns `true` if the given [`IndexUrl`] returns a `401 Unauthorized` status code.
     pub fn unauthorized(&self, index_url: &IndexUrl) -> bool {
         self.0

crates/uv-distribution-types/src/index_url.rs

@@ -75,6 +75,7 @@ pub use crate::requirement::*;
 pub use crate::resolution::*;
 pub use crate::resolved::*;
 pub use crate::specified_requirement::*;
+pub use crate::status_code_strategy::*;
 pub use crate::traits::*;
 
 mod annotation;
@@ -101,6 +102,7 @@ mod requirement;
 mod resolution;
 mod resolved;
 mod specified_requirement;
+mod status_code_strategy;
 mod traits;
 
 #[derive(Debug, Clone)]