luftfartsverket / reqstool-client

Reqstool is a tool for managing requirements with related software verification cases (aka tests) and verification results (test results)
https://luftfartsverket.github.io/reqstool-client/
MIT License

Support pypi sdist artifacts with reqstool files #119

Closed lfvjimisola closed 4 weeks ago

lfvjimisola commented 1 month ago
  1. Add pypi as a location source for implementations (in addition to local, git, maven) in schema
  2. Add handling of the pypi location source in the same manner as maven (i.e. download, extract and parse)
  3. more to be added

NOTE: https://pip.pypa.io/en/latest/user_guide/#using-pip-from-your-program

https://distlib.readthedocs.io/en/latest/

Beware of: https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall

Warning: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". Set filter='data' to prevent the most dangerous security issues, and read the Extraction filters section for details.
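An added example (not code from this issue or from the reqstool project) of the extract stage in step 2 with the tarfile warning applied: members with absolute names or ".." components are rejected before extraction and, where the interpreter supports it, filter='data' is passed as well. The archive contents, the reqstool file path and the digest check (which assumes the index advertises a sha256 for the sdist) are constructed for the demonstration.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def build_sample_sdist(members):
    """Constructed test data: a .tar.gz holding the given (name, text) members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members:
            data = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256_matches(archive_bytes, expected_hex):
    """Compare the downloaded sdist against the digest the index advertised."""
    return hashlib.sha256(archive_bytes).hexdigest() == expected_hex.lower()

def safe_extract_sdist(archive_bytes, dest):
    """Extract regular files that resolve inside dest; return their relative paths."""
    dest = os.path.realpath(dest)
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():  # skip symlinks, hard links, devices, dirs
                continue
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:  # '/' or '..' escape
                continue
            # filter='data' exists on 3.12+ and the 3.8.17/3.9.17/3.10.12/3.11.4 backports
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extract(member, path=dest, **kwargs)
            extracted.append(os.path.relpath(target, dest))
    return sorted(extracted)

def demo():
    """Build a hostile sdist (constructed) and show only the safe members land in dest."""
    archive = build_sample_sdist([
        ("pkg-1.0/PKG-INFO", "Name: pkg\nVersion: 1.0\n"),
        ("pkg-1.0/reqstool/requirements.yml", "requirements: []\n"),  # assumed reqstool file
        ("../escape.txt", "outside dest"),         # traversal via '..'
        ("/tmp/absolute.txt", "absolute member"),  # absolute name
    ])
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract_sdist(archive, dest)
```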

lfvjimisola commented 1 month ago

distlib does not support .netrc auth

https://github.com/pypa/distlib/issues/237

lfvjimisola commented 1 month ago

distlib does not seem to have support for downloading packages.

Otherwise, something like this would have been useful:

```python
import requests
# PackageIndex is a real distlib class; get_distribution(), sdist_url and session
# below belong to this sketch, not to distlib's actual API (see the comment above)
from distlib.index import PackageIndex


def download_package(package_name, version=None, pypi_url=None, token=None):
    # Use the provided pypi_url or default to public PyPI
    index = PackageIndex(url=pypi_url) if pypi_url else PackageIndex()

    # Set the Authorization header if an OAuth Bearer token is provided
    if token:
        index.session.headers.update({"Authorization": f"Bearer {token}"})

    # Search for the package and get distribution info
    dist = index.get_distribution(package_name, version)

    if not dist:
        raise ValueError(f"Package {package_name} not found.")

    # Ensure that we are downloading an `sdist` file (source distribution)
    if not dist.sdist_url:
        raise ValueError(f"No sdist distribution found for package {package_name} version {version or 'latest'}.")

    download_url = dist.sdist_url

    # Download the package (timeout so a stalled index cannot hang the client)
    response = requests.get(download_url, timeout=60)
    response.raise_for_status()  # Raise an error for bad responses

    # Save the package to a file
    filename = f"{package_name}-{version or 'latest'}.tar.gz"
    with open(filename, "wb") as f:
        f.write(response.content)

    print(f"Downloaded {filename}")
```

jimisola commented 1 month ago

https://docs.gitlab.com/ee/user/packages/pypi_repository/#install-a-pypi-package