oidc/gitlab: make project path comparison case insensitive (#15512)

facutuesca · web-flow · commit 09d53438a162 · 2024-02-29T16:59:06.000-05:00
diff --git a/tests/unit/oidc/models/test_gitlab.py b/tests/unit/oidc/models/test_gitlab.py
@@ -238,6 +238,32 @@ def test_gitlab_publisher_verifies(self, monkeypatch, environment, missing_claim
             optional_verifiable_claims
         )
 
+    @pytest.mark.parametrize(
+        ("truth", "claim", "valid"),
+        [
+            # invalid: claim should never be empty or missing
+            ("", None, False),
+            ("foo/bar", None, False),
+            ("", "", False),
+            ("foo/bar", "", False),
+            # valid: exact and case-insensitive matches
+            ("foo/bar", "foo/bar", True),
+            ("Foo/bar", "foo/bar", True),
+            ("Foo/bar", "Foo/bar", True),
+            ("foo/bar", "Foo/bar", True),
+            ("FOO/bar", "foo/bar", True),
+            ("foo/bar", "FOO/bar", True),
+            ("foo/Bar", "foo/bar", True),
+            ("foo/Bar", "Foo/Bar", True),
+            ("foo/bar", "foo/Bar", True),
+            ("foo/BAR", "foo/bar", True),
+            ("foo/bar", "foo/BAR", True),
+        ],
+    )
+    def test_check_project_path(self, truth, claim, valid):
+        check = gitlab.GitLabPublisher.__required_verifiable_claims__["project_path"]
+        assert check(truth, claim, pretend.stub()) == valid
+
     @pytest.mark.parametrize(
         ("claim", "ref_path", "sha", "valid", "expected"),
         [
diff --git a/warehouse/oidc/models/gitlab.py b/warehouse/oidc/models/gitlab.py
@@ -23,10 +23,18 @@
     CheckClaimCallable,
     OIDCPublisher,
     PendingOIDCPublisher,
-    check_claim_binary,
 )
 
 
+def _check_project_path(ground_truth, signed_claim, all_signed_claims):
+    # Defensive: GitLab should never give us an empty project_path claim.
+    if not signed_claim:
+        return False
+
+    # GitLab project paths are case-insensitive.
+    return signed_claim.lower() == ground_truth.lower()
+
+
 def _check_ci_config_ref_uri(ground_truth, signed_claim, all_signed_claims):
     # We expect a string formatted as follows:
     #   gitlab.com/OWNER/REPO//WORKFLOW_PATH/WORKFLOW_FILE.yml@REF
@@ -108,7 +116,7 @@ class GitLabPublisherMixin:
 
     __required_verifiable_claims__: dict[str, CheckClaimCallable[Any]] = {
         "sub": _check_sub,
-        "project_path": check_claim_binary(str.__eq__),
+        "project_path": _check_project_path,
         "ci_config_ref_uri": _check_ci_config_ref_uri,
     }
 
