Skip to content

Commit 683ff3d

Browse files
author
Jake Sanders
committed
Add package vulnerability API
Signed-off-by: Jake Sanders <[email protected]>
1 parent 7506154 commit 683ff3d

File tree

15 files changed

+855
-194
lines changed

15 files changed

+855
-194
lines changed

tests/unit/integration/github/test_utils.py

Lines changed: 57 additions & 82 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919
import pytest
2020
import requests
2121

22+
from warehouse.integrations import verifier
2223
from warehouse.integrations.github import tasks, utils
2324

2425

@@ -81,55 +82,27 @@ def test_token_leak_disclosure_request_from_api_record():
8182
assert request.public_url == "http://example.com"
8283

8384

84-
class TestCache:
85-
def test_set(self):
86-
cache = utils.PublicKeysCache(cache_time=10)
87-
cache.set(now=1, value="foo")
88-
89-
assert cache.cached_at == 1
90-
assert cache.cache == "foo"
91-
92-
def test_get_no_cache(self):
93-
cache = utils.PublicKeysCache(cache_time=10)
94-
95-
with pytest.raises(utils.CacheMiss):
96-
cache.get(now=1)
97-
98-
def test_get_old_cache(self):
99-
cache = utils.PublicKeysCache(cache_time=10)
100-
cache.set(now=5, value="foo")
101-
102-
with pytest.raises(utils.CacheMiss):
103-
cache.get(now=20)
104-
105-
def test_get_valid(self):
106-
cache = utils.PublicKeysCache(cache_time=10)
107-
cache.set(now=5, value="foo")
108-
109-
assert cache.get(now=10) == "foo"
110-
111-
11285
class TestGitHubTokenScanningPayloadVerifier:
11386
def test_init(self):
11487
metrics = pretend.stub()
11588
session = pretend.stub()
11689
token = "api_token"
11790
url = "http://foo"
118-
cache = utils.PublicKeysCache(cache_time=12)
91+
cache = verifier.PublicKeysCache(cache_time=12)
11992

120-
verifier = utils.GitHubTokenScanningPayloadVerifier(
121-
api_url=url,
93+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
94+
api_url="http://foo",
12295
session=session,
12396
metrics=metrics,
12497
api_token=token,
12598
public_keys_cache=cache,
12699
)
127100

128-
assert verifier._session is session
129-
assert verifier._metrics is metrics
130-
assert verifier._api_token == token
131-
assert verifier._api_url == url
132-
assert verifier._public_keys_cache is cache
101+
assert github_verifier._session is session
102+
assert github_verifier._metrics is metrics
103+
assert github_verifier._api_token == token
104+
assert github_verifier._api_url == url
105+
assert github_verifier._public_keys_cache is cache
133106

134107
def test_verify_cache_miss(self):
135108
# Example taken from
@@ -152,8 +125,8 @@ def test_verify_cache_miss(self):
152125
)
153126
session = pretend.stub(get=lambda *a, **k: response)
154127
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
155-
cache = utils.PublicKeysCache(cache_time=12)
156-
verifier = utils.GitHubTokenScanningPayloadVerifier(
128+
cache = verifier.PublicKeysCache(cache_time=12)
129+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
157130
api_url="http://foo",
158131
session=session,
159132
metrics=metrics,
@@ -172,7 +145,8 @@ def test_verify_cache_miss(self):
172145
b'b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]'
173146
)
174147
assert (
175-
verifier.verify(payload=payload, key_id=key_id, signature=signature) is True
148+
github_verifier.verify(payload=payload, key_id=key_id, signature=signature)
149+
is True
176150
)
177151

178152
assert metrics.increment.calls == [
@@ -183,7 +157,7 @@ def test_verify_cache_miss(self):
183157
def test_verify_cache_hit(self):
184158
session = pretend.stub()
185159
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
186-
cache = utils.PublicKeysCache(cache_time=12)
160+
cache = verifier.PublicKeysCache(cache_time=12)
187161
cache.cached_at = time.time()
188162
cache.cache = [
189163
{
@@ -195,7 +169,7 @@ def test_verify_cache_hit(self):
195169
"-----END PUBLIC KEY-----",
196170
}
197171
]
198-
verifier = utils.GitHubTokenScanningPayloadVerifier(
172+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
199173
api_url="http://foo",
200174
session=session,
201175
metrics=metrics,
@@ -215,7 +189,8 @@ def test_verify_cache_hit(self):
215189
b'b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]'
216190
)
217191
assert (
218-
verifier.verify(payload=payload, key_id=key_id, signature=signature) is True
192+
github_verifier.verify(payload=payload, key_id=key_id, signature=signature)
193+
is True
219194
)
220195

221196
assert metrics.increment.calls == [
@@ -225,19 +200,19 @@ def test_verify_cache_hit(self):
225200

226201
def test_verify_error(self):
227202
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
228-
cache = utils.PublicKeysCache(cache_time=12)
229-
verifier = utils.GitHubTokenScanningPayloadVerifier(
203+
cache = verifier.PublicKeysCache(cache_time=12)
204+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
230205
api_url="http://foo",
231206
session=pretend.stub(),
232207
metrics=metrics,
233208
api_token="api-token",
234209
public_keys_cache=cache,
235210
)
236-
verifier._retrieve_public_key_payload = pretend.raiser(
237-
utils.InvalidTokenLeakRequest("Bla", "bla")
211+
github_verifier.retrieve_public_key_payload = pretend.raiser(
212+
verifier.InvalidPayloadSignature("Bla", "bla")
238213
)
239214

240-
assert verifier.verify(payload={}, key_id="a", signature="a") is False
215+
assert github_verifier.verify(payload={}, key_id="a", signature="a") is False
241216

242217
assert metrics.increment.calls == [
243218
pretend.call("warehouse.token_leak.github.auth.cache.miss"),
@@ -284,14 +259,14 @@ def test_retrieve_public_key_payload(self):
284259
session = pretend.stub(get=pretend.call_recorder(lambda *a, **k: response))
285260
metrics = pretend.stub(increment=pretend.call_recorder(lambda str: None))
286261

287-
verifier = utils.GitHubTokenScanningPayloadVerifier(
262+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
288263
api_url="http://foo",
289264
session=session,
290265
metrics=metrics,
291266
api_token="api-token",
292267
public_keys_cache=pretend.stub(),
293268
)
294-
assert verifier._retrieve_public_key_payload() == meta_payload
269+
assert github_verifier.retrieve_public_key_payload() == meta_payload
295270
assert session.get.calls == [
296271
pretend.call(
297272
"http://foo",
@@ -302,33 +277,33 @@ def test_retrieve_public_key_payload(self):
302277
def test_get_cached_public_key_cache_hit(self):
303278
metrics = pretend.stub()
304279
session = pretend.stub()
305-
cache = utils.PublicKeysCache(cache_time=12)
280+
cache = verifier.PublicKeysCache(cache_time=12)
306281
cache_value = pretend.stub()
307282
cache.set(now=time.time(), value=cache_value)
308283

309-
verifier = utils.GitHubTokenScanningPayloadVerifier(
284+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
310285
api_url="http://foo",
311286
session=session,
312287
metrics=metrics,
313288
public_keys_cache=cache,
314289
)
315290

316-
assert verifier._get_cached_public_keys() is cache_value
291+
assert github_verifier._get_cached_public_keys() is cache_value
317292

318293
def test_get_cached_public_key_cache_miss_no_cache(self):
319294
metrics = pretend.stub()
320295
session = pretend.stub()
321-
cache = utils.PublicKeysCache(cache_time=12)
296+
cache = verifier.PublicKeysCache(cache_time=12)
322297

323-
verifier = utils.GitHubTokenScanningPayloadVerifier(
298+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
324299
api_url="http://foo",
325300
session=session,
326301
metrics=metrics,
327302
public_keys_cache=cache,
328303
)
329304

330-
with pytest.raises(utils.CacheMiss):
331-
verifier._get_cached_public_keys()
305+
with pytest.raises(verifier.CacheMiss):
306+
github_verifier._get_cached_public_keys()
332307

333308
def test_retrieve_public_key_payload_http_error(self):
334309
response = pretend.stub(
@@ -339,14 +314,14 @@ def test_retrieve_public_key_payload_http_error(self):
339314
session = pretend.stub(
340315
get=lambda *a, **k: response,
341316
)
342-
verifier = utils.GitHubTokenScanningPayloadVerifier(
317+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
343318
api_url="http://foo",
344319
session=session,
345320
metrics=pretend.stub(),
346321
public_keys_cache=pretend.stub(),
347322
)
348323
with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
349-
verifier._retrieve_public_key_payload()
324+
github_verifier.retrieve_public_key_payload()
350325

351326
assert str(exc.value) == "Invalid response code 418: I'm a teapot"
352327
assert exc.value.reason == "public_key_api.status.418"
@@ -358,30 +333,30 @@ def test_retrieve_public_key_payload_json_error(self):
358333
raise_for_status=lambda: None,
359334
)
360335
session = pretend.stub(get=lambda *a, **k: response)
361-
verifier = utils.GitHubTokenScanningPayloadVerifier(
336+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
362337
api_url="http://foo",
363338
session=session,
364339
metrics=pretend.stub(),
365340
public_keys_cache=pretend.stub(),
366341
)
367342
with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
368-
verifier._retrieve_public_key_payload()
343+
github_verifier.retrieve_public_key_payload()
369344

370345
assert str(exc.value) == "Non-JSON response received: Still a non-json teapot"
371346
assert exc.value.reason == "public_key_api.invalid_json"
372347

373348
def test_retrieve_public_key_payload_connection_error(self):
374349
session = pretend.stub(get=pretend.raiser(requests.ConnectionError))
375350

376-
verifier = utils.GitHubTokenScanningPayloadVerifier(
351+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
377352
api_url="http://foo",
378353
session=session,
379354
metrics=pretend.stub(),
380355
public_keys_cache=pretend.stub(),
381356
)
382357

383358
with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
384-
verifier._retrieve_public_key_payload()
359+
github_verifier.retrieve_public_key_payload()
385360

386361
assert str(exc.value) == "Could not connect to GitHub"
387362
assert exc.value.reason == "public_key_api.network_error"
@@ -400,15 +375,15 @@ def test_extract_public_keys(self):
400375
}
401376
]
402377
}
403-
cache = utils.PublicKeysCache(cache_time=12)
404-
verifier = utils.GitHubTokenScanningPayloadVerifier(
378+
cache = verifier.PublicKeysCache(cache_time=12)
379+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
405380
api_url="http://foo",
406381
session=pretend.stub(),
407382
metrics=pretend.stub(),
408383
public_keys_cache=cache,
409384
)
410385

411-
keys = verifier._extract_public_keys(pubkey_api_data=meta_payload)
386+
keys = github_verifier.extract_public_keys(pubkey_api_data=meta_payload)
412387

413388
assert keys == [
414389
{
@@ -443,23 +418,23 @@ def test_extract_public_keys(self):
443418
],
444419
)
445420
def test_extract_public_keys_error(self, payload, expected):
446-
cache = utils.PublicKeysCache(cache_time=12)
447-
verifier = utils.GitHubTokenScanningPayloadVerifier(
421+
cache = verifier.PublicKeysCache(cache_time=12)
422+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
448423
api_url="http://foo",
449424
session=pretend.stub(),
450425
metrics=pretend.stub(),
451426
public_keys_cache=cache,
452427
)
453428

454429
with pytest.raises(utils.GitHubPublicKeyMetaAPIError) as exc:
455-
list(verifier._extract_public_keys(pubkey_api_data=payload))
430+
list(github_verifier.extract_public_keys(pubkey_api_data=payload))
456431

457432
assert exc.value.reason == "public_key_api.format_error"
458433
assert str(exc.value) == expected
459434
assert cache.cache is None
460435

461436
def test_check_public_key(self):
462-
verifier = utils.GitHubTokenScanningPayloadVerifier(
437+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
463438
api_url="http://foo",
464439
session=pretend.stub(),
465440
metrics=pretend.stub(),
@@ -470,24 +445,24 @@ def test_check_public_key(self):
470445
{"key_id": "a", "key": "b"},
471446
{"key_id": "c", "key": "d"},
472447
]
473-
assert verifier._check_public_key(github_public_keys=keys, key_id="c") == "d"
448+
assert github_verifier._check_public_key(public_keys=keys, key_id="c") == "d"
474449

475450
def test_check_public_key_error(self):
476-
verifier = utils.GitHubTokenScanningPayloadVerifier(
451+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
477452
api_url="http://foo",
478453
session=pretend.stub(),
479454
metrics=pretend.stub(),
480455
public_keys_cache=pretend.stub(),
481456
)
482457

483-
with pytest.raises(utils.InvalidTokenLeakRequest) as exc:
484-
verifier._check_public_key(github_public_keys=[], key_id="c")
458+
with pytest.raises(verifier.InvalidPayloadSignature) as exc:
459+
github_verifier._check_public_key(public_keys=[], key_id="c")
485460

486-
assert str(exc.value) == "Key c not found in github public keys"
461+
assert str(exc.value) == "Key c not found in public keys"
487462
assert exc.value.reason == "wrong_key_id"
488463

489464
def test_check_signature(self):
490-
verifier = utils.GitHubTokenScanningPayloadVerifier(
465+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
491466
api_url="http://foo",
492467
session=pretend.stub(),
493468
metrics=pretend.stub(),
@@ -510,14 +485,14 @@ def test_check_signature(self):
510485
b'b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]'
511486
)
512487
assert (
513-
verifier._check_signature(
488+
github_verifier._check_signature(
514489
payload=payload, public_key=public_key, signature=signature
515490
)
516491
is None
517492
)
518493

519494
def test_check_signature_invalid_signature(self):
520-
verifier = utils.GitHubTokenScanningPayloadVerifier(
495+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
521496
api_url="http://foo",
522497
session=pretend.stub(),
523498
metrics=pretend.stub(),
@@ -540,16 +515,16 @@ def test_check_signature_invalid_signature(self):
540515
b'f43808034d7f5","url":" https://github.com/github/faketestrepo/blob/'
541516
b'b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]'
542517
)
543-
with pytest.raises(utils.InvalidTokenLeakRequest) as exc:
544-
verifier._check_signature(
518+
with pytest.raises(verifier.InvalidPayloadSignature) as exc:
519+
github_verifier._check_signature(
545520
payload=payload, public_key=public_key, signature=signature
546521
)
547522

548523
assert str(exc.value) == "Invalid signature"
549524
assert exc.value.reason == "invalid_signature"
550525

551526
def test_check_signature_invalid_crypto(self):
552-
verifier = utils.GitHubTokenScanningPayloadVerifier(
527+
github_verifier = utils.GitHubTokenScanningPayloadVerifier(
553528
api_url="http://foo",
554529
session=pretend.stub(),
555530
metrics=pretend.stub(),
@@ -560,8 +535,8 @@ def test_check_signature_invalid_crypto(self):
560535

561536
payload = "yeah, nope, that won't pass"
562537

563-
with pytest.raises(utils.InvalidTokenLeakRequest) as exc:
564-
verifier._check_signature(
538+
with pytest.raises(verifier.InvalidPayloadSignature) as exc:
539+
github_verifier._check_signature(
565540
payload=payload, public_key=public_key, signature=signature
566541
)
567542

0 commit comments

Comments
 (0)