Enable system keyring integration via --keyring-provider native
#14559
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jtfmumm
commented
Jul 11, 2025
| /// Store credentials for the given [`Url`] to the keyring if the | ||
| /// keyring provider backend is `Native`. | ||
| #[instrument(skip_all, fields(url = % url.to_string(), username))] | ||
| pub fn store_if_native(&self, url: &DisplaySafeUrl, credentials: &Credentials) { |
There was a problem hiding this comment.
We could extend this to the Python keyring as well, but for this PR I've limited the scope to the new native backend.
| @@ -374,6 +397,9 @@ impl AuthMiddleware { | |||
| .as_ref() | |||
| .is_ok_and(|response| response.error_for_status_ref().is_ok()) | |||
| { | |||
| if let (Some(index_url), Some(keyring)) = (index_url, &self.keyring) { | |||
There was a problem hiding this comment.
This is currently only storing credentials on successful authentication if this is an index URL.
jtfmumm
force-pushed
the
jtfm/keyring-exploration
branch
from
371fe09 to
56755c7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proof of concept integration of system keyring for credentials, using the keyring-rs crate.
This PR adds a new keyring provider backend called
KeyringProviderBackend::Nativeand configured via--keyring-provider native. When this backend is enabled, uv auth middleware will attempt to retrieve missing credentials from the system keyring. It will also store index credentials in the system keyring upon successful authentication, enabling users to provide their credentials for an index once and successfully authenticate on future invocations.Credentials are stored in the system keyring for a "service"/username pair. For the service, this currently prefixes the index URL with
uv-credentials-. This prefix could help prevent collisions but would also be useful for determining which keyring credentials have been set by uv. Note that this is currently using the index URL instead of the index name for the service.Left to do:
libdbus, which is not currently installed in CI--previewflag, unless we think it's enough that you must explicitly configure anativekeyring provider (we've discussed making it the default, but that's not the behavior here)