@kevinwojo
Use-Case

This change/enhancement handles a case where my primary repository (Artifactory) is the only machine on the network allowed to talk to pypi.org. All consumers of PyPI packages must pull from Artifactory exclusively.

For business reasons, I cannot have the internal CA certificate installed on all points of consumption. For this reason we pull packages over plain-text HTTP. The business has agreed to risks involved.

Current State

Today, I have a single default source in my pyproject.toml file that looks something like:

[[tool.poetry.source]]
name = "foo"
url = "http://foo.internal.bar/simple/"
default = true
secondary = false

Because it is the default repository, it skips the part of the code that is responsible for appending --trusted-host.

So I propose this change to allow me to add my default repository as a trusted host.

pip's options append each --trusted-host HOST; see: https://github.com/pypa/pip/blob/main/src/pip/_internal/cli/cmdoptions.py#L397
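The argument-building step the description refers to, written out as an added example. This is not Poetry's own code: the source-to-flag mapping (default source becomes --index-url, everything else --extra-index-url), the function names and the three sample [[tool.poetry.source]] entries are assumptions made for illustration. It contrasts the behaviour described above (the default source never gets a --trusted-host) with the proposed one (any source served over plain HTTP gets one), and strips userinfo from the URL so credentials never end up in a command line.

```python
"""Added example, not Poetry's code: derive pip's index and --trusted-host
arguments from [[tool.poetry.source]] entries."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: what the TOML tables look like once parsed (assumption,
# modelled on the pyproject.toml fragment in the PR description).
SOURCES: List[Dict[str, object]] = [
    {"name": "foo", "url": "http://foo.internal.bar/simple/", "default": True, "secondary": False},
    {"name": "mirror", "url": "http://mirror.internal.bar/simple/", "default": False, "secondary": True},
    {"name": "secure", "url": "https://secure.internal.bar/simple/", "default": False, "secondary": False},
]


def trusted_host(url: str) -> Optional[str]:
    """Return the host[:port] pip expects after --trusted-host, or None when
    the URL is HTTPS and therefore needs no trust override.

    pip's --trusted-host accepts "host" or "host:port"; userinfo (user:pass@)
    is deliberately dropped so credentials do not leak into argv.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return None
    host = parts.hostname
    if parts.port:
        host = f"{host}:{parts.port}"
    return host


def pip_args(sources: List[Dict[str, object]], trust_default: bool) -> List[str]:
    """Build the pip argument list.

    trust_default=False reproduces the behaviour the PR complains about: the
    default source is skipped when collecting --trusted-host entries.
    trust_default=True is the proposed behaviour: every plain-HTTP source,
    default included, is appended as --trusted-host HOST (pip allows the flag
    to repeat, one host per occurrence).
    """
    args: List[str] = []
    trusted: List[str] = []
    for src in sources:
        url = str(src["url"])
        if src.get("default"):
            args += ["--index-url", url]
            if trust_default:
                host = trusted_host(url)
                if host:
                    trusted.append(host)
        else:
            args += ["--extra-index-url", url]
            host = trusted_host(url)
            if host:
                trusted.append(host)
    for host in trusted:
        args += ["--trusted-host", host]
    return args


if __name__ == "__main__":
    print("current :", " ".join(pip_args(SOURCES, trust_default=False)))
    print("proposed:", " ".join(pip_args(SOURCES, trust_default=True)))
```

Two caveats worth keeping in mind when relying on this flag. pip's --trusted-host does more than permit plain HTTP: it also marks the host as trusted when its HTTPS certificate fails validation, so the flag should be emitted only for hosts that actually need it (the scheme check above does that). And plain HTTP gives no integrity protection at all, so pairing it with hash checking of the downloaded archives (pip's --require-hashes, or lock-file hashes) is what limits what an on-path attacker can substitute.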

@kevinwojo (Author)

  1. SonarCloud's analysis didn't really pick up on this nuance, did it?
  2. If anyone can help me figure out why this code isn't stable across versions & platforms ... I'll buy you a coffee 😄


sonarqubecloud bot commented Apr 9, 2023

SonarCloud Quality Gate failed.

  - Bugs: 0 (rating A)
  - Vulnerabilities: 0 (rating A)
  - Security Hotspots: 7 (rating E)
  - Code Smells: 3 (rating A)

No coverage information. 20.2% duplication.
