Enable user-level management of index credentials via uv (& keyring)

[stoney95]

Summary

Currently reading credentials from keyring is only supported when a username is provided in the URL of the index. This prohibits to define indexes - in pyproject.toml - that are shared within a team. See these two issues for further details:

• Secure authentication method needed #8810
• [FEATURE REQUEST] User-level management of index credentials via uv #9165

In general this PR provides two things:

Setting credentials for an index via CLI

With this MR you can run uv index credentials add --name <name-of-the-index> [--username <username>]
This will ask for the password of the user. A keyring entry will be made with the url of the index, the username and the password. The username and the index will be appended to "<uv_cache_dir>/auth.toml". "auth.toml" has the following structure

[indexes.index1]
username = "my_user1"

[indexes.index2]
username = "my_other_user"

Using credentials

When reading the credentials in uv_distribution_types::index::Index.credentials it's now additionally checked if credentials have been configured via "<uv_cache_dir>/auth.toml" and keyring. The current implementation of reading the credentials from the environment variables UV_INDEX_XXX has priority over keyring authentication.

Test Plan

I have added unit tests to the newly defined uv_auth::keyring_config which takes care of loading, storing and modifying the auth configuration.

I also want to add a test for uv_auth::credentials::Credentials.from_keyring. But am currently struggling with mocking keyring and config file.

I manually tested the new command uv index credentials add --name <name-of-the-index> as I could not find examples for testing commands.

Further remarks

I am a noobie in this context

• I am new to rust
• I am new to uv

=> I am curious about your opinion and suggestions for improvements

Not completely ready

The current version of the PR is a draft. Especially in regards of error handling and logging. Also testing can be improved.
I open this PR to discuss the direction in which the implementation is heading. As I am new to rust & uv I would also like to receive your guideance upfront 🙂

[bschoenmaeckers]

It would be nice to add a --password <password> option and store/retrieve it using the keyring crate. It should still fall back to the subprocess method for dynamic passwords.

[stoney95]

@bschoenmaeckers, I think adding --password <password> can be seen independently of the keyring crate (https://docs.rs/keyring/latest/keyring/?).

One part is implementing an import keyring-provider. This would rely on the keyring crate. Also, it should be implemented independently of this topic, if it is required.

The other part is providing a --password option. Which could be processed with any implemented keyring-provider - currently only subprocess. I can add this part to this PR.

[farndt]

@stoney95 Thx for starting integration of kering-rs into uv!

How to use credentials already defined in credential store?

[stoney95]

@zanieb, clippy is configured to not allow the usage of fs::File, fs::read_to_string & fs::remove_file (see this check). Should the async version provided by tokio be used instead? Or is there another reason why the usage is not allowed?

[lejmr]

I was super curious whether it would be difficult to interact with keyring-rs directly, so I quickly implemented alternative Credential constructor (tests are necessary!), but it works with locally configured auth.toml and hand-crafted secret in keychain already..

I like what you tried to achieve, but I think it would be good to implement the configuration to be similar to poetry, so users don't have to think and be surprised.

Have a look here: https://github.com/astral-sh/uv/compare/main...lejmr:uv:simple-poetry-like-version?expand=1