disable keyring per default

python-poetry · Nov 22, 2024 · a09fed1 · a09fed1
1 parent c70cbf4
commit a09fed1
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 20 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -249,7 +249,7 @@ across all your projects if incorrectly set.
 
 **Environment Variable**: `POETRY_INSTALLER_ONLY_BINARY`
 
-*Introduced in 1.9.0*
+*Introduced in 2.0.0*
 
 When set, this configuration allows users to enforce the use of binary distribution format for all, none or
 specific packages.
@@ -495,7 +495,7 @@ Set repository credentials (`username` and `password`) for `<name>`.
 See [Repositories - Configuring credentials]({{< relref "repositories#configuring-credentials" >}})
 for more information.
 
-### `pypi-token.<name>`:
+### `pypi-token.<name>`
 
 **Type**: `string`
 
@@ -505,7 +505,7 @@ Set repository credentials (using an API token) for `<name>`.
 See [Repositories - Configuring credentials]({{< relref "repositories#configuring-credentials" >}})
 for more information.
 
-### `certificates.<name>.cert`:
+### `certificates.<name>.cert`
 
 **Type**: `string | boolean`
 
@@ -518,7 +518,7 @@ for more information.
 This configuration can be set to `false`, if TLS certificate verification should be skipped for this
 repository.
 
-### `certificates.<name>.client-cert`:
+### `certificates.<name>.client-cert`
 
 **Type**: `string`
 
@@ -528,14 +528,16 @@ Set client certificate for repository `<name>`.
 See [Repositories - Configuring credentials - Custom certificate authority]({{< relref "repositories#custom-certificate-authority-and-mutual-tls-authentication" >}})
 for more information.
 
-### `keyring.enabled`:
+### `keyring.enabled`
 
 **Type**: `boolean`
 
-**Default**: `true`
+**Default**: `false`
 
 **Environment Variable**: `POETRY_KEYRING_ENABLED`
 
+*Changed default to `false` in 2.0.0*
+
 Enable the system keyring for storing credentials.
 See [Repositories - Configuring credentials]({{< relref "repositories#configuring-credentials" >}})
 for more information.
diff --git a/docs/repositories.md b/docs/repositories.md
@@ -472,16 +472,19 @@ poetry config http-basic.pypi <username> <password>
 You can also specify the username and password when using the `publish` command
 with the `--username` and `--password` options.
 
-If a system keyring is available and supported, the password is stored to and retrieved from the keyring. In the above example, the credential will be stored using the name `poetry-repository-pypi`. If access to keyring fails or is unsupported, this will fall back to writing the password to the `auth.toml` file along with the username.
-
-Keyring support is enabled using the [keyring library](https://pypi.org/project/keyring/). For more information on supported backends refer to the [library documentation](https://keyring.readthedocs.io/en/latest/?badge=latest).
-
-If you do not want to use the keyring, you can tell Poetry to disable it and store the credentials in plaintext config files:
+If a system keyring is available and supported, the password is stored to and retrieved from the keyring.
+Otherwise, credentials are stored in plaintext config files.
+In order to use keyring, you have to enable keyring support:
 
 ```bash
-poetry config keyring.enabled false
+poetry config keyring.enabled true
 ```
 
+In the above example, the credential will be stored using the name `poetry-repository-pypi`.
+If access to keyring is disabled, fails or is unsupported, this will fall back to writing the password to the `auth.toml` file along with the username.
+
+Keyring support is enabled using the [keyring library](https://pypi.org/project/keyring/). For more information on supported backends refer to the [library documentation](https://keyring.readthedocs.io/en/latest/?badge=latest).
+
 {{% note %}}
 
 Poetry will fall back to Pip style use of keyring so that backends like

diff --git a/src/poetry/config/config.py b/src/poetry/config/config.py
@@ -134,7 +134,7 @@ class Config:
         },
         "system-git-client": False,
         "keyring": {
-            "enabled": True,
+            "enabled": False,
         },
     }
 

diff --git a/src/poetry/utils/password_manager.py b/src/poetry/utils/password_manager.py
@@ -154,7 +154,11 @@ def keyring(self) -> PoetryKeyring:
 
     @staticmethod
     def warn_plaintext_credentials_stored() -> None:
-        logger.warning("Using a plaintext file to store credentials")
+        logger.warning(
+            "Using a plaintext file to store credentials.\n"
+            "Enable keyring support (`poetry config keyring.enabled true`)"
+            " to store credentials securely."
+        )
 
     def set_pypi_token(self, repo_name: str, token: str) -> None:
         if not self.use_keyring:

diff --git a/tests/config/test_config.py b/tests/config/test_config.py
@@ -111,6 +111,10 @@ def test_config_expands_tilde_for_virtualenvs_path(
 def test_disabled_keyring_is_unavailable(
     config: Config, with_simple_keyring: None, dummy_keyring: DummyBackend
 ) -> None:
+    manager = PasswordManager(config)
+    assert not manager.use_keyring
+
+    config.config["keyring"]["enabled"] = True
     manager = PasswordManager(config)
     assert manager.use_keyring
 

diff --git a/tests/console/commands/test_config.py b/tests/console/commands/test_config.py
@@ -60,7 +60,7 @@ def test_list_displays_default_value_if_not_set(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -92,7 +92,7 @@ def test_list_displays_set_get_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -145,7 +145,7 @@ def test_unset_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -176,7 +176,7 @@ def test_unset_repo_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -305,7 +305,7 @@ def test_list_displays_set_get_local_setting(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
@@ -344,7 +344,7 @@ def test_list_must_not_display_sources_from_pyproject_toml(
 installer.only-binary = null
 installer.parallel = true
 installer.re-resolve = true
-keyring.enabled = true
+keyring.enabled = false
 repositories.foo.url = "https://foo.bar/simple/"
 requests.max-retries = 0
 solver.lazy-wheel = true

diff --git a/tests/utils/test_authenticator.py b/tests/utils/test_authenticator.py
@@ -42,6 +42,12 @@ def repo() -> dict[str, dict[str, str]]:
     return {"foo": {"url": "https://foo.bar/simple/"}}
 
 
+@pytest.fixture
+def config(config: Config) -> Config:
+    config.config["keyring"]["enabled"] = True
+    return config
+
+
 @pytest.fixture
 def mock_config(config: Config, repo: dict[str, dict[str, str]]) -> Config:
     config.merge(

diff --git a/tests/utils/test_password_manager.py b/tests/utils/test_password_manager.py
@@ -22,6 +22,12 @@
     from tests.conftest import DummyBackend
 
 
+@pytest.fixture
+def config(config: Config) -> Config:
+    config.config["keyring"]["enabled"] = True
+    return config
+
+
 def test_set_http_password(
     config: Config, with_simple_keyring: None, dummy_keyring: DummyBackend
 ) -> None: