Having a new check to avoid redirects from PyPI

[dukecat0]

Fixes #310

We should also update the redirect test as it is using https://test.pypi.org/legacy for the test, which is replaced by the exception InvalidPyPIUploadURLinstead of RedirectDetected currently. Any suggestions? (I think we need a new URL to test.)

twine/tests/test_upload.py

Lines 251 to 278 in f543114

	def test_exception_for_redirect(make_settings):
	# Not using fixtures because this setup is significantly different
	upload_settings = make_settings(
	"""
	[pypi]
	repository: https://test.pypi.org/legacy
	username:foo
	password:bar
	"""
	)
	stub_response = pretend.stub(
	is_redirect=True,
	status_code=301,
	headers={"location": "https://test.pypi.org/legacy/"},
	)
	stub_repository = pretend.stub(
	upload=lambda package: stub_response, close=lambda: None
	)
	upload_settings.create_repository = lambda: stub_repository
	with pytest.raises(exceptions.RedirectDetected) as err:
	upload.upload(upload_settings, [helpers.WHEEL_FIXTURE])
	assert "https://test.pypi.org/legacy/" in err.value.args[0]

Old:

$ twine upload -r pypitest dist/*
[...]
RedirectDetected: https://test.pypi.org/legacy attempted to redirect to https://test.pypi.org/legacy/.
If you trust these URLs, set https://test.pypi.org/legacy/ as your repository URL.
Aborting.

New:

$ twine upload -r pypitest dist/*
InvalidPyPIUploadURL: The configured repository https://test.pypi.org/legacy is not a known PyPI repository.
Did you mean https://upload.pypi.org/legacy/ or https://test.pypi.org/legacy/ ?
Check your --repository-url value or modify the url in ~/.pypirc (if you are using -r or --repository),
so twine can upload your distributions properly.
See https://packaging.python.org/specifications/pypirc/ for more details.

[sigmavirus24]

I don't think the parenthetical is necessary or helpful as written

[dukecat0]

Using --repository-url https://test.pypi.org/legacy will also raise InvalidPyPIUploadURL. Probably folks who use --repository-url won't know what is ~/.pypirc and makes confusion to them?

[bhrutledge]

I haven't looked at the failing test yet, but that should be fixed, and probably a new one added for this behavior.

[bhrutledge]

Following up on #809 (comment), I generalized the logic to catch more cases, and tweaked the message. Here's what it looks like:

% twine upload --repository-url https://upload.pypi.org/legacy dist/*
InvalidPyPIUploadURL: The configured repository https://upload.pypi.org/legacy is not a known PyPI repository.
You probably want https://upload.pypi.org/legacy/ or https://test.pypi.org/legacy/.
Check your --repository-url value or the repository configuration in ~/.pypirc.
See https://packaging.python.org/specifications/pypirc/ for more details.

In the process, I noted that the logic and messages is very similar to twine.utils.check_status_code. I'd really like to refactor that, maybe by moving the messages into the exception definitions. But I'm guessing that should be a follow-up PR, related to #586.

[dukecat0]

I haven't looked at the failing test yet, but that should be fixed, and probably a new one added for this behavior.

Yes, and the failing test is about the redirecting test. Probably we need a new link to pass the test.

#809 (comment)

[bhrutledge]

I fixed the failing test and adding coverage for the new behavior in 414625b, but looking at the drop in coverage via Codecov emphasized my point in #809 (comment), i.e. that this is similar to utils.check_status_code.

Taking a closer look at that, plus the comments in #310, plus my initial attempt in #460 to offer a better error message, I'm now wondering if it's needlessly redundant, with the primary difference being that this executes before an upload, while check_status_code executes afterwards. Instead, maybe we could improve the post-upload RedirectDetected message by tweaking the language, possibly with a special message for a trailing slash, regardless of whether or not it's a pypi.org hostname.

In other words, this feels like a case of "Look Before You Leap" vs "It's Easter to Ask Forgiveness than Permission", and with this PR, I think we're doing both. I'm going to mull this over a bit, and maybe put up another PR that improves the EAFP approach.

@meowmeowmeowcat Apologies for the confusion here; I should have taken a closer look at the existing behavior.

[dukecat0]

@bhrutledge I think the improved message in #812 would be also helpful:

RedirectDetected: https://upload.pypi.org/legacy attempted to redirect to https://upload.pypi.org/legacy/.
Your repository URL is missing a trailing slash. Please add it and try again.

But I also think that having this check will save folks' time. They will know there is an error in the config or --repository-url before twine tries to upload their distributions, although this check is similar to utils.check_status_code.

[bhrutledge]

It's true that it will save a little bit of time, but I'm not sure it's worth the added complexity and technical debt of duplicated logic. It's also not as robust as the repository-independent implementation in #812. Furthermore, if PyPI ever supports a different URL, then this implementation will block people from uploading to it at all.

[dukecat0]

I see. Probably this PR can be closed? The improved message in #812 is enough.

[bhrutledge]

I'd like to get @sigmavirus24's feedback on #812 first.

[bhrutledge]

Closing in favor of #812 (which I'll merge once I've added a changelog entry). Thanks again for the effort, @meowmeowmeowcat.