repository credential resolution from config is ambiguous
See original GitHub issue
- I am on the latest Poetry version.
- I have searched the issues of this repo and believe that this is not a duplicate.
- If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
- Poetry 1.1.4
Issue
As a practical example, gitlab provides public/private package registries on projects which follow the general URL form: https://gitlab.com/api/v4/projects/<project id>/packages/pypi/simple.
Let’s say a user is part of two separate (private) projects on gitlab, foo and bar, and they configure poetry on their system as follows:
poetry config repositories.foo-pypi "https://gitlab.com/api/v4/projects/foo/packages/pypi/simple"
poetry config http-basic.foo-pypi "foo-username" "foo-password"
poetry config repositories.bar-pypi "https://gitlab.com/api/v4/projects/bar/packages/pypi/simple"
poetry config http-basic.bar-pypi "bar-username" "bar-password"
In project baz they have the following dependency:
[tool.poetry.dependencies]
bar-library = {version = "^1.0.0", source = "bar-pypi"}
When poetry goes to look up bar-library, it will try to use the foo-username and foo-password credentials, which will fail as these are the wrong credentials (this is somewhat heinous in gitlab’s case, as it just replies with a 404 on bad credentials, I believe to avoid leaking information about private resources. The 404 just looks like a missing package to poetry rather than a credential error, so it ends up erroring in the solver).
The reason the wrong credentials are used is in poetry/installation/authenticator.py, specifically in Authenticator._get_credentials_for_netloc_from_config. The problem is that poetry does a credential lookup based on the netloc component of the parsed repository URL (in this case, gitlab.com) and it compares it to the netloc component of each repository URL in the config until it finds a match. Because both of the configured repositories have the same netloc in their URL, the credentials for the first one stored in the configuration file will always be used.
I suspect an appropriate fix would involve passing the repository name through to the authenticator (when available) rather than performing the potentially lossy process of name -> url -> name that is currently used.
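The lookup failure described above, as an added illustration that is not Poetry's own code: a netloc-only match against a constructed config with two repositories on the same host returns the first entry's credentials for both, while resolving by the declared source name (falling back to an exact URL match before netloc) returns the right pair. The function and config names here are assumptions for the example, not Poetry's real config format or API. The last function is a small check a user can run over their own repository list to spot configurations where the netloc-based lookup is ambiguous.

```python
from urllib.parse import urlparse

# Constructed config mirroring the `poetry config` commands from the issue
# (illustrative dictionaries, not Poetry's real config store).
REPOSITORIES = {
    "foo-pypi": "https://gitlab.com/api/v4/projects/foo/packages/pypi/simple",
    "bar-pypi": "https://gitlab.com/api/v4/projects/bar/packages/pypi/simple",
}
HTTP_BASIC = {
    "foo-pypi": ("foo-username", "foo-password"),
    "bar-pypi": ("bar-username", "bar-password"),
}


def credentials_by_netloc(url, repositories=REPOSITORIES, http_basic=HTTP_BASIC):
    """Lossy lookup: compare only the host part of the URL; first match wins.

    With two repositories on gitlab.com this always yields the credentials
    of whichever repository appears first in the config.
    """
    netloc = urlparse(url).netloc
    for name, repo_url in repositories.items():
        if urlparse(repo_url).netloc == netloc:
            return http_basic.get(name)
    return None


def credentials_by_source(url, source=None, repositories=REPOSITORIES, http_basic=HTTP_BASIC):
    """Resolve credentials by the repository name the dependency declares.

    Order of preference: the declared `source` name, then an exact URL match
    against the configured repositories, and only then the netloc fallback.
    """
    if source is not None and source in http_basic:
        return http_basic[source]
    for name, repo_url in repositories.items():
        if repo_url.rstrip("/") == url.rstrip("/"):
            return http_basic.get(name)
    return credentials_by_netloc(url, repositories, http_basic)


def ambiguous_netlocs(repositories=REPOSITORIES):
    """Return {netloc: [repo names]} for every host shared by two or more
    configured repositories, i.e. the cases where a netloc-only lookup
    cannot tell the credentials apart."""
    by_host = {}
    for name, repo_url in repositories.items():
        by_host.setdefault(urlparse(repo_url).netloc, []).append(name)
    return {host: names for host, names in by_host.items() if len(names) > 1}


if __name__ == "__main__":
    bar_url = REPOSITORIES["bar-pypi"]
    print("netloc lookup for bar-pypi:", credentials_by_netloc(bar_url))
    print("source lookup for bar-pypi:", credentials_by_source(bar_url, "bar-pypi"))
    print("ambiguous hosts:", ambiguous_netlocs())
```

Running the block shows the netloc lookup handing back foo's credentials for the bar URL, which is exactly the mismatch that surfaces as a 404 from GitLab, while the source-name lookup returns bar's pair; the ambiguity check lists gitlab.com with both repository names.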
Issue Analytics
- Created 3 years ago
- Reactions: 3
- Comments: 7 (2 by maintainers)
I couldn’t find anything in the documentation about the source field. I think that’s a neat feature that should definitely be captured in the docs. I’ll write a quick PR.

Version 1.1.4 advertises the --source option for the poetry add command. I think it’s safe to say this is a supported feature.