Add warning, tests for when password is stored

poetry/core/vcs/git.py

@@ -1,6 +1,8 @@
 # -*- coding: utf-8 -*-
+import logging
 import re
 import subprocess
+import warnings
 
 from collections import namedtuple
 from typing import Optional
@@ -95,6 +97,9 @@
 ]
 
 
+logger = logging.getLogger(__name__)
+
+
 class ParsedUrl:
     def __init__(
         self,
@@ -116,6 +121,14 @@ def __init__(
         self.name = name
         self.rev = rev
 
+        # Warn if password is stored when adding the dependency.
+        if self.is_unsafe:
+            message = "Password being stored in plain text for dependency '{name}' to pyproject.toml and poetry.lock.".format(
+                name=self.name
+            )
+            warnings.warn(message, Warning)
+            logger.warning(message)
+
     @classmethod
     def parse(cls, url):  # type: (str) -> ParsedUrl
         for pattern in PATTERNS:
@@ -132,7 +145,6 @@ def parse(cls, url):  # type: (str) -> ParsedUrl
                     groups.get("name"),
                     groups.get("rev"),
                 )
-
         raise ValueError('Invalid git url "{}"'.format(url))
 
     @property

tests/vcs/test_vcs.py

@@ -353,3 +353,18 @@ def test_parse_url_should_fail():
 )
 def test_is_unsafe(url, is_unsafe):
     assert url.is_unsafe == is_unsafe
+
+
+@pytest.mark.parametrize(
+    "url",
+    [
+        "git+https://user:fafb334-cb038533f851c23d0b63254223Abf72ce4f02987e7064b0c95566699a@hostname/project/blah.git",
+        "git+https://fafb334-cb038533f851c23d0b63254223Abf72ce4f02987e7064b0c95566699a:x-oauth-basic@hostname/project/blah.git",
+    ],
+)
+def test_is_unsafe_warning(url):
+    with pytest.warns(Warning) as records:
+        parsed_url = ParsedUrl.parse(url)
+        assert parsed_url.password is not None
+        assert parsed_url.is_unsafe
+        assert len(records) == 1