Add cli flag --force-keyring.

Currently, Pip is conservative and does not query keyring at all when `--no-input` is used because the keyring might require user interaction such as prompting the user on the console.

This commit adds a flag to force keyring usage if it is installed. It defaults to `False`, making this opt-in behaviour.

Tools such as Pipx and Pipenv use Pip and have their own progress indicator that hides output from the subprocess Pip runs in. They should pass `--no-input` in my opinion, but Pip should provide some mechanism to still query the keyring in that case. Just not by default. So here we are.

Author: Dos Moonen

src/pip/_internal/cli/cmdoptions.py

@@ -244,6 +244,19 @@ class PipOption(Option):
     help="Disable prompting for input.",
 )
 
+force_keyring: Callable[..., Option] = partial(
+    Option,
+    "--force-keyring",
+    dest="force_keyring",
+    action="store_true",
+    default=False,
+    help=(
+        "Always query the keyring, regardless of pip's --no-input option. Note"
+        " that this may cause problems if the keyring expects to be able to"
+        " prompt the user interactively and no interactive user is available."
+    ),
+)
+
 proxy: Callable[..., Option] = partial(
     Option,
     "--proxy",
@@ -1019,6 +1032,7 @@ def check_list_path_option(options: Values) -> None:
         quiet,
         log,
         no_input,
+        force_keyring,
         proxy,
         retries,
         timeout,

src/pip/_internal/cli/req_command.py

@@ -151,6 +151,10 @@ def _build_session(
 
         # Determine if we can prompt the user for authentication or not
         session.auth.prompting = not options.no_input
+        # We won't use keyring when --no-input is passed unless
+        # --force-keyring is passed as well because it might require
+        # user interaction
+        session.auth.use_keyring = session.auth.prompting or options.force_keyring
 
         return session
 

src/pip/_internal/network/auth.py

@@ -128,15 +128,15 @@ def _get_password(self, service_name: str, username: str) -> Optional[str]:
         )
         if res.returncode:
             return None
-        return res.stdout.decode("utf-8").strip("\n")
+        return res.stdout.decode("utf-8").strip(os.linesep)
 
     def _set_password(self, service_name: str, username: str, password: str) -> None:
         """Mirror the implementation of keyring.set_password using cli"""
         if self.keyring is None:
             return None
 
         cmd = [self.keyring, "set", service_name, username]
-        input_ = password.encode("utf-8") + b"\n"
+        input_ = (password + os.linesep).encode("utf-8")
         env = os.environ.copy()
         env["PYTHONIOENCODING"] = "utf-8"
         res = subprocess.run(cmd, input=input_, env=env)
@@ -190,10 +190,14 @@ def get_keyring_auth(url: Optional[str], username: Optional[str]) -> Optional[Au
 
 class MultiDomainBasicAuth(AuthBase):
     def __init__(
-        self, prompting: bool = True, index_urls: Optional[List[str]] = None
+        self,
+        prompting: bool = True,
+        index_urls: Optional[List[str]] = None,
+        use_keyring: bool = True,
     ) -> None:
         self.prompting = prompting
         self.index_urls = index_urls
+        self.use_keyring = use_keyring
         self.passwords: Dict[str, AuthInfo] = {}
         # When the user is prompted to enter credentials and keyring is
         # available, we will offer to save them. If the user accepts,
@@ -227,7 +231,8 @@ def _get_index_url(self, url: str) -> Optional[str]:
     def _get_new_credentials(
         self,
         original_url: str,
-        allow_netrc: bool = True,
+        *,
+        allow_netrc: bool = False,
         allow_keyring: bool = False,
     ) -> AuthInfo:
         """Find and return credentials for the specified URL."""
@@ -348,7 +353,7 @@ def __call__(self, req: Request) -> Request:
     def _prompt_for_password(
         self, netloc: str
     ) -> Tuple[Optional[str], Optional[str], bool]:
-        username = ask_input(f"User for {netloc}: ")
+        username = ask_input(f"User for {netloc}: ") if self.prompting else None
         if not username:
             return None, None, False
         auth = get_keyring_auth(netloc, username)
@@ -359,7 +364,7 @@ def _prompt_for_password(
 
     # Factored out to allow for easy patching in tests
     def _should_save_password_to_keyring(self) -> bool:
-        if get_keyring_provider() is None:
+        if not self.prompting or get_keyring_provider() is None:
             return False
         return ask("Save credentials to keyring [y/N]: ", ["y", "n"]) == "y"
 
@@ -369,19 +374,22 @@ def handle_401(self, resp: Response, **kwargs: Any) -> Response:
         if resp.status_code != 401:
             return resp
 
+        username, password = None, None
+
+        # Query the keyring for credentials:
+        if self.use_keyring:
+            username, password = self._get_new_credentials(
+                resp.url,
+                allow_netrc=False,
+                allow_keyring=True,
+            )
+
         # We are not able to prompt the user so simply return the response
-        if not self.prompting:
+        if not self.prompting and not username and not password:
             return resp
 
         parsed = urllib.parse.urlparse(resp.url)
 
-        # Query the keyring for credentials:
-        username, password = self._get_new_credentials(
-            resp.url,
-            allow_netrc=False,
-            allow_keyring=True,
-        )
-
         # Prompt the user for a new username and password
         save = False
         if not username and not password: