Add a Google trusted publisher

Author: di

tests/unit/accounts/test_views.py

@@ -3340,11 +3340,19 @@ def test_manage_publishing(self, metrics, monkeypatch):
         monkeypatch.setattr(
             views, "PendingGitHubPublisherForm", pending_github_publisher_form_cls
         )
+        pending_google_publisher_form_obj = pretend.stub()
+        pending_google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: pending_google_publisher_form_obj
+        )
+        monkeypatch.setattr(
+            views, "PendingGooglePublisherForm", pending_google_publisher_form_cls
+        )
 
         view = views.ManageAccountPublishingViews(request)
 
         assert view.manage_publishing() == {
             "pending_github_publisher_form": pending_github_publisher_form_obj,
+            "pending_google_publisher_form": pending_google_publisher_form_obj,
         }
 
         assert request.flags.disallow_oidc.calls == [pretend.call()]
@@ -3382,11 +3390,19 @@ def test_manage_publishing_admin_disabled(self, monkeypatch, pyramid_request):
         monkeypatch.setattr(
             views, "PendingGitHubPublisherForm", pending_github_publisher_form_cls
         )
+        pending_google_publisher_form_obj = pretend.stub()
+        pending_google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: pending_google_publisher_form_obj
+        )
+        monkeypatch.setattr(
+            views, "PendingGooglePublisherForm", pending_google_publisher_form_cls
+        )
 
         view = views.ManageAccountPublishingViews(pyramid_request)
 
         assert view.manage_publishing() == {
             "pending_github_publisher_form": pending_github_publisher_form_obj,
+            "pending_google_publisher_form": pending_google_publisher_form_obj,
         }
 
         assert pyramid_request.flags.disallow_oidc.calls == [pretend.call()]
@@ -3434,11 +3450,19 @@ def test_add_pending_github_oidc_publisher_admin_disabled(
         monkeypatch.setattr(
             views, "PendingGitHubPublisherForm", pending_github_publisher_form_cls
         )
+        pending_google_publisher_form_obj = pretend.stub()
+        pending_google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: pending_google_publisher_form_obj
+        )
+        monkeypatch.setattr(
+            views, "PendingGooglePublisherForm", pending_google_publisher_form_cls
+        )
 
         view = views.ManageAccountPublishingViews(pyramid_request)
 
         assert view.add_pending_github_oidc_publisher() == {
             "pending_github_publisher_form": pending_github_publisher_form_obj,
+            "pending_google_publisher_form": pending_google_publisher_form_obj,
         }
 
         assert pyramid_request.flags.disallow_oidc.calls == [
@@ -3490,11 +3514,19 @@ def test_add_pending_github_oidc_publisher_user_cannot_register(
         monkeypatch.setattr(
             views, "PendingGitHubPublisherForm", pending_github_publisher_form_cls
         )
+        pending_google_publisher_form_obj = pretend.stub()
+        pending_google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: pending_google_publisher_form_obj
+        )
+        monkeypatch.setattr(
+            views, "PendingGooglePublisherForm", pending_google_publisher_form_cls
+        )
 
         view = views.ManageAccountPublishingViews(pyramid_request)
 
         assert view.add_pending_github_oidc_publisher() == {
             "pending_github_publisher_form": pending_github_publisher_form_obj,
+            "pending_google_publisher_form": pending_google_publisher_form_obj,
         }
 
         assert pyramid_request.flags.disallow_oidc.calls == [
@@ -3889,11 +3921,19 @@ def test_delete_pending_oidc_publisher_admin_disabled(
         monkeypatch.setattr(
             views, "PendingGitHubPublisherForm", pending_github_publisher_form_cls
         )
+        pending_google_publisher_form_obj = pretend.stub()
+        pending_google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: pending_google_publisher_form_obj
+        )
+        monkeypatch.setattr(
+            views, "PendingGooglePublisherForm", pending_google_publisher_form_cls
+        )
 
         view = views.ManageAccountPublishingViews(pyramid_request)
 
         assert view.delete_pending_oidc_publisher() == {
             "pending_github_publisher_form": pending_github_publisher_form_obj,
+            "pending_google_publisher_form": pending_google_publisher_form_obj,
         }
 
         assert pyramid_request.flags.disallow_oidc.calls == [pretend.call()]

tests/unit/manage/test_views.py

@@ -5837,6 +5837,7 @@ def test_manage_project_oidc_publishers(self, monkeypatch):
         assert view.manage_project_oidc_publishers() == {
             "project": project,
             "github_publisher_form": view.github_publisher_form,
+            "google_publisher_form": view.google_publisher_form,
         }
 
         assert request.flags.disallow_oidc.calls == [pretend.call()]
@@ -5865,6 +5866,7 @@ def test_manage_project_oidc_publishers_admin_disabled(
         assert view.manage_project_oidc_publishers() == {
             "project": project,
             "github_publisher_form": view.github_publisher_form,
+            "google_publisher_form": view.google_publisher_form,
         }
 
         assert pyramid_request.flags.disallow_oidc.calls == [pretend.call()]
@@ -5935,6 +5937,11 @@ def test_add_github_oidc_publisher_preexisting(self, metrics, monkeypatch):
             lambda *a, **kw: github_publisher_form_obj
         )
         monkeypatch.setattr(views, "GitHubPublisherForm", github_publisher_form_cls)
+        google_publisher_form_obj = pretend.stub()
+        google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: google_publisher_form_obj
+        )
+        monkeypatch.setattr(views, "GooglePublisherForm", google_publisher_form_cls)
 
         view = views.ManageOIDCPublisherViews(project, request)
         monkeypatch.setattr(
@@ -6025,6 +6032,11 @@ def test_add_github_oidc_publisher_created(self, metrics, monkeypatch):
             lambda *a, **kw: github_publisher_form_obj
         )
         monkeypatch.setattr(views, "GitHubPublisherForm", github_publisher_form_cls)
+        google_publisher_form_obj = pretend.stub()
+        google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: google_publisher_form_obj
+        )
+        monkeypatch.setattr(views, "GooglePublisherForm", google_publisher_form_cls)
         monkeypatch.setattr(
             views,
             "send_trusted_publisher_added_email",
@@ -6129,6 +6141,12 @@ def test_add_github_oidc_publisher_already_registered_with_project(
             "_lookup_owner",
             lambda *a: {"login": "some-owner", "id": "some-owner-id"},
         )
+        google_publisher_form_obj = pretend.stub()
+        google_publisher_form_cls = pretend.call_recorder(
+            lambda *a, **kw: google_publisher_form_obj
+        )
+        monkeypatch.setattr(views, "GooglePublisherForm", google_publisher_form_cls)
+
         monkeypatch.setattr(
             view, "_hit_ratelimits", pretend.call_recorder(lambda: None)
         )
@@ -6139,6 +6157,7 @@ def test_add_github_oidc_publisher_already_registered_with_project(
         assert view.add_github_oidc_publisher() == {
             "project": project,
             "github_publisher_form": view.github_publisher_form,
+            "google_publisher_form": view.google_publisher_form,
         }
         assert view.metrics.increment.calls == [
             pretend.call(

warehouse/accounts/views.py

@@ -77,10 +77,17 @@
 )
 from warehouse.events.tags import EventTag
 from warehouse.metrics.interfaces import IMetricsService
-from warehouse.oidc.forms import DeletePublisherForm
-from warehouse.oidc.forms.github import PendingGitHubPublisherForm
+from warehouse.oidc.forms import (
+    DeletePublisherForm,
+    PendingGitHubPublisherForm,
+    PendingGooglePublisherForm,
+)
 from warehouse.oidc.interfaces import TooManyOIDCRegistrations
-from warehouse.oidc.models import PendingGitHubPublisher, PendingOIDCPublisher
+from warehouse.oidc.models import (
+    PendingGitHubPublisher,
+    PendingGooglePublisher,
+    PendingOIDCPublisher,
+)
 from warehouse.organizations.interfaces import IOrganizationService
 from warehouse.organizations.models import OrganizationRole, OrganizationRoleType
 from warehouse.packaging.models import (
@@ -1467,6 +1474,10 @@ def __init__(self, request):
             api_token=self.request.registry.settings.get("github.token"),
             project_factory=self.project_factory,
         )
+        self.pending_google_publisher_form = PendingGooglePublisherForm(
+            self.request.POST,
+            project_factory=self.project_factory,
+        )
 
     @property
     def _ratelimiters(self):
@@ -1502,6 +1513,7 @@ def _check_ratelimits(self):
     def default_response(self):
         return {
             "pending_github_publisher_form": self.pending_github_publisher_form,
+            "pending_google_publisher_form": self.pending_google_publisher_form,
         }
 
     @view_config(request_method="GET")
@@ -1640,6 +1652,29 @@ def _add_pending_oidc_publisher(
 
         return HTTPSeeOther(self.request.path)
 
+    @view_config(
+        request_method="POST",
+        request_param=PendingGooglePublisherForm.__params__,
+    )
+    def add_pending_google_oidc_publisher(self):
+        form = self.default_response["pending_google_publisher_form"]
+        return self._add_pending_oidc_publisher(
+            publisher_name="Google",
+            publisher_class=PendingGooglePublisher,
+            admin_flag=AdminFlagValue.DISALLOW_GOOGLE_OIDC,
+            form=form,
+            make_pending_publisher=lambda request, form: PendingGooglePublisher(
+                project_name=form.project_name.data,
+                added_by=request.user,
+                email=form.email.data,
+                sub=form.sub.data,
+            ),
+            make_existence_filters=lambda form: dict(
+                email=form.email.data,
+                sub=form.sub.data,
+            ),
+        )
+
     @view_config(
         request_method="POST",
         request_param=PendingGitHubPublisherForm.__params__,

warehouse/manage/views/__init__.py

@@ -99,10 +99,13 @@
     user_projects,
 )
 from warehouse.metrics.interfaces import IMetricsService
-from warehouse.oidc.forms import DeletePublisherForm
-from warehouse.oidc.forms.github import GitHubPublisherForm
+from warehouse.oidc.forms import (
+    DeletePublisherForm,
+    GitHubPublisherForm,
+    GooglePublisherForm,
+)
 from warehouse.oidc.interfaces import TooManyOIDCRegistrations
-from warehouse.oidc.models import GitHubPublisher, OIDCPublisher
+from warehouse.oidc.models import GitHubPublisher, GooglePublisher, OIDCPublisher
 from warehouse.organizations.interfaces import IOrganizationService
 from warehouse.organizations.models import (
     OrganizationProject,
@@ -1135,6 +1138,7 @@ def __init__(self, project, request):
             self.request.POST,
             api_token=self.request.registry.settings.get("github.token"),
         )
+        self.google_publisher_form = GooglePublisherForm(self.request.POST)
 
     @property
     def _ratelimiters(self):
@@ -1171,6 +1175,7 @@ def default_response(self):
         return {
             "project": self.project,
             "github_publisher_form": self.github_publisher_form,
+            "google_publisher_form": self.google_publisher_form,
         }
 
     @view_config(request_method="GET")
@@ -1299,6 +1304,114 @@ def add_github_oidc_publisher(self):
 
         return HTTPSeeOther(self.request.path)
 
+    @view_config(
+        request_method="POST",
+        request_param=GooglePublisherForm.__params__,
+    )
+    def add_google_oidc_publisher(self):
+        if self.request.flags.disallow_oidc(AdminFlagValue.DISALLOW_GOOGLE_OIDC):
+            self.request.session.flash(
+                self.request._(
+                    "Google-based trusted publishing is temporarily disabled. "
+                    "See https://pypi.org/help#admin-intervention for details."
+                ),
+                queue="error",
+            )
+            return self.default_response
+
+        self.metrics.increment(
+            "warehouse.oidc.add_publisher.attempt", tags=["publisher:Google"]
+        )
+
+        try:
+            self._check_ratelimits()
+        except TooManyOIDCRegistrations as exc:
+            self.metrics.increment(
+                "warehouse.oidc.add_publisher.ratelimited", tags=["publisher:Google"]
+            )
+            return HTTPTooManyRequests(
+                self.request._(
+                    "There have been too many attempted trusted publisher "
+                    "registrations. Try again later."
+                ),
+                retry_after=exc.resets_in.total_seconds(),
+            )
+
+        self._hit_ratelimits()
+
+        response = self.default_response
+        form = response["google_publisher_form"]
+
+        if not form.validate():
+            self.request.session.flash(
+                self.request._("The trusted publisher could not be registered"),
+                queue="error",
+            )
+            return response
+
+        # Google OIDC publishers are unique on the tuple of (email, sub), so we
+        # check for an already registered one before creating.
+        publisher = (
+            self.request.db.query(GooglePublisher)
+            .filter(
+                GooglePublisher.email == form.email.data,
+                GooglePublisher.sub == form.sub.data,
+            )
+            .one_or_none()
+        )
+        if publisher is None:
+            publisher = GooglePublisher(
+                email=form.email.data,
+                sub=form.sub.data,
+            )
+
+            self.request.db.add(publisher)
+
+        # Each project has a unique set of OIDC publishers; the same
+        # publisher can't be registered to the project more than once.
+        if publisher in self.project.oidc_publishers:
+            self.request.session.flash(
+                self.request._(
+                    f"{publisher} is already registered with {self.project.name}"
+                ),
+                queue="error",
+            )
+            return response
+
+        for user in self.project.users:
+            send_trusted_publisher_added_email(
+                self.request,
+                user,
+                project_name=self.project.name,
+                publisher=publisher,
+            )
+
+        self.project.oidc_publishers.append(publisher)
+
+        self.project.record_event(
+            tag=EventTag.Project.OIDCPublisherAdded,
+            ip_address=self.request.remote_addr,
+            request=self.request,
+            additional={
+                "publisher": publisher.publisher_name,
+                "id": str(publisher.id),
+                "specifier": str(publisher),
+                "url": publisher.publisher_url(),
+                "submitted_by": self.request.user.username,
+            },
+        )
+
+        self.request.session.flash(
+            f"Added {publisher} in {publisher.publisher_url()} to {self.project.name}",
+            queue="success",
+        )
+
+        self.metrics.increment(
+            "warehouse.oidc.add_publisher.ok", tags=["publisher:GitHub"]
+        )
+
+        return HTTPSeeOther(self.request.path)
+
     @view_config(
         request_method="POST",
         request_param=DeletePublisherForm.__params__,

warehouse/oidc/forms/__init__.py

@@ -12,9 +12,12 @@
 
 from warehouse.oidc.forms._core import DeletePublisherForm
 from warehouse.oidc.forms.github import GitHubPublisherForm, PendingGitHubPublisherForm
+from warehouse.oidc.forms.google import GooglePublisherForm, PendingGooglePublisherForm
 
 __all__ = [
     "DeletePublisherForm",
     "GitHubPublisherForm",
     "PendingGitHubPublisherForm",
+    "GooglePublisherForm",
+    "PendingGooglePublisherForm",
 ]