oidc: Refactor lookup strategies into single functions (#18169)

Co-authored-by: Mike Fiedler <[email protected]>

Author: facutuesca

tests/common/constants.py

@@ -97,3 +97,88 @@
     "YzMjY1LCJleHAiOjE2NTA2NjQxNjUsImlhdCI6MTY1MDY2Mzg2NX0.R4q-vWAFXHrBSBK"
     "AZuHHIsGOkqlirPxEtLfjLIDiLr0"
 )
+
+"""
+    {
+    "namespace_id": "123",
+    "namespace_path": "foo",
+    "project_id": "55235664",
+    "project_path": "foo/bar",
+    "user_id": "123",
+    "user_login": "user",
+    "user_email": "[email protected]",
+    "user_access_level": "owner",
+    "pipeline_id": "123",
+    "pipeline_source": "push",
+    "job_id": "123",
+    "ref": "main",
+    "ref_type": "branch",
+    "ref_path": "refs/heads/main",
+    "ref_protected": "true",
+    "runner_id": 123,
+    "runner_environment": "gitlab-hosted",
+    "sha": "93969f556a29853b507bdcd9dec6b4217a4ea2e7",
+    "project_visibility": "private",
+    "ci_config_ref_uri": "gitlab.com/foo/bar//.gitlab-ci.yml@refs/heads/main",
+    "ci_config_sha": "93969f556a29853b507bdcd9dec6b4217a4ea2e7",
+    "jti": "2a5381a8-baf5-43c5-823d-544a08a067fb",
+    "iat": 1750405794,
+    "nbf": 1750405789,
+    "exp": 1750409394,
+    "iss": "https://gitlab.com",
+    "sub": "project_path:foo/bar:ref_type:branch:ref:main",
+    "aud": "pypi"
+    }
+"""
+DUMMY_GITLAB_OIDC_JWT = (
+    "eyJraWQiOiI0aTNzRkU3c3hxTlBPVDdGZHZjR0ExWlZHR0lfci10c0RYbkV1WVQ0WnFFI"
+    "iwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJuYW1lc3BhY2VfaWQiOiIxMjMiLCJ"
+    "uYW1lc3BhY2VfcGF0aCI6ImZvbyIsInByb2plY3RfaWQiOiI1NTIzNTY2NCIsInByb2pl"
+    "Y3RfcGF0aCI6ImZvby9iYXIiLCJ1c2VyX2lkIjoiMTIzIiwidXNlcl9sb2dpbiI6InVzZ"
+    "XIiLCJ1c2VyX2VtYWlsIjoidXNlckBleGFtcGxlLmNvbSIsInVzZXJfYWNjZXNzX2xldm"
+    "VsIjoib3duZXIiLCJwaXBlbGluZV9pZCI6IjEyMyIsInBpcGVsaW5lX3NvdXJjZSI6InB"
+    "1c2giLCJqb2JfaWQiOiIxMjMiLCJyZWYiOiJtYWluIiwicmVmX3R5cGUiOiJicmFuY2gi"
+    "LCJyZWZfcGF0aCI6InJlZnMvaGVhZHMvbWFpbiIsInJlZl9wcm90ZWN0ZWQiOiJ0cnVlI"
+    "iwicnVubmVyX2lkIjoxMjMsInJ1bm5lcl9lbnZpcm9ubWVudCI6ImdpdGxhYi1ob3N0ZW"
+    "QiLCJzaGEiOiI5Mzk2OWY1NTZhMjk4NTNiNTA3YmRjZDlkZWM2YjQyMTdhNGVhMmU3Iiw"
+    "icHJvamVjdF92aXNpYmlsaXR5IjoicHJpdmF0ZSIsImNpX2NvbmZpZ19yZWZfdXJpIjoi"
+    "Z2l0bGFiLmNvbS9mb28vYmFyLy8uZ2l0bGFiLWNpLnltbEByZWZzL2hlYWRzL21haW4iL"
+    "CJjaV9jb25maWdfc2hhIjoiOTM5NjlmNTU2YTI5ODUzYjUwN2JkY2Q5ZGVjNmI0MjE3YT"
+    "RlYTJlNyIsImp0aSI6IjJhNTM4MWE4LWJhZjUtNDNjNS04MjNkLTU0NGEwOGEwNjdmYiI"
+    "sImlhdCI6MTc1MDQwNTc5NCwibmJmIjoxNzUwNDA1Nzg5LCJleHAiOjE3NTA0MDkzOTQs"
+    "ImlzcyI6Imh0dHBzOi8vZ2l0bGFiLmNvbSIsInN1YiI6InByb2plY3RfcGF0aDpmb28vY"
+    "mFyOnJlZl90eXBlOmJyYW5jaDpyZWY6bWFpbiIsImF1ZCI6InB5cGkifQ.g3ceS-5KkGC"
+    "28nIKI-9HNf6lOPmBNyUAcQI-IjwZKpwcrWTcIM0lb6qKn1DyIqz2nE2W-SW3-hfZOIq9"
+    "6xJhGuZfl2bAV7uj_WwUnEoh2hSqW99T2_2bqkrLqkwcJ2w5yvEE2WtzUsxpRqEmuhxHH"
+    "uTOMLJPgydTqnJ2qe2oQxxWtpv_P0VjpZ_QXOk_KP6dBOHNdj7Iu7myCgybU5BTSyT33N"
+    "kbWMiZHHBL6Andl3dU9eQD17-BYkuoQCzLxepoAzNKgiIRL3OULljfWP8wXcLymDXaj1Q"
+    "A0sI9uulFYYx3ZgEmziSjv_e297kkrW3E_kbGyyGkTFxiOX6zSsKfUg"
+)
+
+"""
+    {
+    "iss": "https://accounts.google.com",
+    "azp": "32555350559.apps.googleusercontent.com",
+    "aud": "pypi",
+    "sub": "111260650121185072906",
+    "hd": "google.com",
+    "email": "[email protected]",
+    "email_verified": "true",
+    "at_hash": "_LLKKivfvfme9eoQ3WcMIg",
+    "iat": "1650053185",
+    "exp": "1650056785",
+    "alg": "RS256",
+    "kid": "f1338ca26835863f671403941738a7b49e740fc0",
+    "typ": "JWT"
+}
+"""
+DUMMY_GOOGLE_OIDC_JWT = (
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FjY291bnRz"
+    "Lmdvb2dsZS5jb20iLCJhenAiOiIzMjU1NTM1MDU1OS5hcHBzLmdvb2dsZXVzZXJjb250Z"
+    "W50LmNvbSIsImF1ZCI6InB5cGkiLCJzdWIiOiIxMTEyNjA2NTAxMjExODUwNzI5MDYiLC"
+    "JoZCI6Imdvb2dsZS5jb20iLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJlbWFpbF9"
+    "2ZXJpZmllZCI6InRydWUiLCJhdF9oYXNoIjoiX0xMS0tpdmZ2Zm1lOWVvUTNXY01JZyIs"
+    "ImlhdCI6IjE2NTAwNTMxODUiLCJleHAiOiIxNjUwMDU2Nzg1IiwiYWxnIjoiUlMyNTYiL"
+    "CJraWQiOiJmMTMzOGNhMjY4MzU4NjNmNjcxNDAzOTQxNzM4YTdiNDllNzQwZmMwIiwidH"
+    "lwIjoiSldUIn0.wlPNSE6eTFvznJawgpa6cHC3a8sU5_VBH8si9h-sgi0"
+)

tests/conftest.py

@@ -339,6 +339,9 @@ def get_app_config(database, nondefaults=None):
         "statuspage.url": "https://2p66nmmycsj3.statuspage.io",
         "warehouse.xmlrpc.cache.url": "redis://localhost:0/",
         "terms.revision": "initial",
+        "oidc.jwk_cache_url": "redis://localhost:0/",
+        "warehouse.oidc.audience": "pypi",
+        "oidc.backend": "warehouse.oidc.services.NullOIDCPublisherService",
     }
 
     if nondefaults:
@@ -599,6 +602,28 @@ def db_request(pyramid_request, db_session, tm):
     return pyramid_request
 
 
+@pytest.fixture
+def _enable_all_oidc_providers(webtest):
+    flags = (
+        AdminFlagValue.DISALLOW_ACTIVESTATE_OIDC,
+        AdminFlagValue.DISALLOW_GITLAB_OIDC,
+        AdminFlagValue.DISALLOW_GITHUB_OIDC,
+        AdminFlagValue.DISALLOW_GOOGLE_OIDC,
+    )
+    original_flag_values = {}
+    db_sess = webtest.extra_environ["warehouse.db_session"]
+
+    for flag in flags:
+        flag_db = db_sess.get(AdminFlag, flag.value)
+        original_flag_values[flag] = flag_db.enabled
+        flag_db.enabled = False
+    yield
+
+    for flag in flags:
+        flag_db = db_sess.get(AdminFlag, flag.value)
+        flag_db.enabled = original_flag_values[flag]
+
+
 @pytest.fixture
 def _enable_organizations(db_request):
     flag = db_request.db.get(AdminFlag, AdminFlagValue.DISABLE_ORGANIZATIONS.value)

tests/functional/forklift/test_legacy.py

@@ -11,10 +11,21 @@
 
 from webob.multidict import MultiDict
 
-from tests.common.db.oidc import GitHubPublisherFactory
+from tests.common.db.oidc import (
+    ActiveStatePublisherFactory,
+    GitHubPublisherFactory,
+    GitLabPublisherFactory,
+    GooglePublisherFactory,
+)
 from tests.common.db.packaging import ProjectFactory, RoleFactory
 from warehouse.macaroons import caveats
 
+from ...common.constants import (
+    DUMMY_ACTIVESTATE_OIDC_JWT,
+    DUMMY_GITHUB_OIDC_JWT,
+    DUMMY_GITLAB_OIDC_JWT,
+    DUMMY_GOOGLE_OIDC_JWT,
+)
 from ...common.db.accounts import UserFactory
 from ...common.db.macaroons import MacaroonFactory
 
@@ -397,3 +408,173 @@ def test_provenance_upload(webtest):
         status=HTTPStatus.OK,
     )
     assert response.json == project.releases[0].files[0].provenance.provenance
+
+
+@pytest.mark.parametrize(
+    ("publisher_factory", "publisher_data", "oidc_jwt"),
+    [
+        (
+            GitHubPublisherFactory,
+            {
+                "repository_name": "bar",
+                "repository_owner": "foo",
+                "repository_owner_id": "123",
+                "workflow_filename": "example.yml",
+                "environment": "fake",
+            },
+            DUMMY_GITHUB_OIDC_JWT,
+        ),
+        (
+            ActiveStatePublisherFactory,
+            {
+                "organization": "fakeorg",
+                "activestate_project_name": "fakeproject",
+                "actor": "foo",
+                "actor_id": "fake",
+            },
+            DUMMY_ACTIVESTATE_OIDC_JWT,
+        ),
+        (
+            GitLabPublisherFactory,
+            {
+                "namespace": "foo",
+                "project": "bar",
+                "workflow_filepath": ".gitlab-ci.yml",
+                "environment": "",
+            },
+            DUMMY_GITLAB_OIDC_JWT,
+        ),
+        (
+            GooglePublisherFactory,
+            {
+                "email": "[email protected]",
+                "sub": "111260650121185072906",
+            },
+            DUMMY_GOOGLE_OIDC_JWT,
+        ),
+    ],
+)
+@pytest.mark.usefixtures("_enable_all_oidc_providers")
+def test_trusted_publisher_upload_ok(
+    webtest, publisher_factory, publisher_data, oidc_jwt
+):
+    user = UserFactory.create(with_verified_primary_email=True, clear_pwd="password")
+    project = ProjectFactory.create(name="sampleproject")
+    RoleFactory.create(user=user, project=project, role_name="Owner")
+    publisher_factory.create(
+        projects=[project],
+        **publisher_data,
+    )
+
+    response = webtest.post_json(
+        "/_/oidc/mint-token",
+        params={
+            "token": oidc_jwt,
+        },
+        status=HTTPStatus.OK,
+    )
+
+    assert "success" in response.json
+    assert response.json["success"]
+    assert "token" in response.json
+    pypi_token = response.json["token"]
+    assert pypi_token.startswith("pypi-")
+
+    with open(_ASSETS / "sampleproject-3.0.0.tar.gz", "rb") as f:
+        content = f.read()
+
+    webtest.set_authorization(("Basic", ("__token__", pypi_token)))
+    webtest.post(
+        "/legacy/?:action=file_upload",
+        params={
+            "name": "sampleproject",
+            "sha256_digest": (
+                "117ed88e5db073bb92969a7545745fd977ee85b7019706dd256a64058f70963d"
+            ),
+            "filetype": "sdist",
+            "metadata_version": "2.1",
+            "version": "3.0.0",
+        },
+        upload_files=[("content", "sampleproject-3.0.0.tar.gz", content)],
+        status=HTTPStatus.OK,
+    )
+
+    assert len(project.releases) == 1
+    release = project.releases[0]
+    assert release.files.count() == 1
+
+
+@pytest.mark.parametrize(
+    ("publisher_factory", "publisher_data", "oidc_jwt"),
+    [
+        (
+            GitHubPublisherFactory,
+            {
+                "repository_name": "wrong",
+                "repository_owner": "foo",
+                "repository_owner_id": "123",
+                "workflow_filename": "example.yml",
+                "environment": "fake",
+            },
+            DUMMY_GITHUB_OIDC_JWT,
+        ),
+        (
+            ActiveStatePublisherFactory,
+            {
+                "organization": "wrong",
+                "activestate_project_name": "fakeproject",
+                "actor": "foo",
+                "actor_id": "fake",
+            },
+            DUMMY_ACTIVESTATE_OIDC_JWT,
+        ),
+        (
+            GitLabPublisherFactory,
+            {
+                "namespace": "wrong",
+                "project": "bar",
+                "workflow_filepath": ".gitlab-ci.yml",
+                "environment": "fake",
+            },
+            DUMMY_GITLAB_OIDC_JWT,
+        ),
+        (
+            GooglePublisherFactory,
+            {
+                "email": "[email protected]",
+                "sub": "111260650121185072906",
+            },
+            DUMMY_GOOGLE_OIDC_JWT,
+        ),
+    ],
+)
+@pytest.mark.usefixtures("_enable_all_oidc_providers")
+def test_trusted_publisher_upload_fails_wrong_publisher(
+    webtest, publisher_factory, publisher_data, oidc_jwt
+):
+    user = UserFactory.create(with_verified_primary_email=True, clear_pwd="password")
+    project = ProjectFactory.create(name="sampleproject")
+    RoleFactory.create(user=user, project=project, role_name="Owner")
+    publisher_factory.create(
+        projects=[project],
+        **publisher_data,
+    )
+    response = webtest.post_json(
+        "/_/oidc/mint-token",
+        params={
+            "token": oidc_jwt,
+        },
+        status=HTTPStatus.UNPROCESSABLE_CONTENT,
+    )
+
+    assert "token" not in response.json
+    assert "message" in response.json
+    assert response.json["message"] == "Token request failed"
+    assert "errors" in response.json
+    assert response.json["errors"] == [
+        {
+            "code": "invalid-publisher",
+            "description": "valid token, but no corresponding publisher "
+            "(Publisher with matching claims was not found)",
+        }
+    ]