warehouse, tests: devolve oidc.models (#13553)

* warehouse, tests: devolve `oidc.models`

This turns `oidc.models` into a directory, with `models.base`
for the basic OIDC publisher classes and adjacent modules
for each specific OIDC implementation (currently just
GitHub).

This will make adding additional OIDC publishers easier
and cleaner, as each will live in its own dedicated submodule.

Signed-off-by: William Woodruff <[email protected]>

* tests: devolve OIDC model tests

Signed-off-by: William Woodruff <[email protected]>

* warehouse, tests: `models.base -> models._core`

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

tests/unit/oidc/models/test_core.py

@@ -0,0 +1,29 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pretend
+
+from warehouse.oidc.models import _core
+
+
+def test_check_claim_binary():
+    wrapped = _core._check_claim_binary(str.__eq__)
+
+    assert wrapped("foo", "bar", pretend.stub()) is False
+    assert wrapped("foo", "foo", pretend.stub()) is True
+
+
+class TestOIDCPublisher:
+    def test_oidc_publisher_not_default_verifiable(self):
+        publisher = _core.OIDCPublisher(projects=[])
+
+        assert not publisher.verify_claims(signed_claims={})

tests/unit/oidc/test_models.py renamed to tests/unit/oidc/models/test_github.py

@@ -14,31 +14,17 @@
 import pytest
 
 from tests.common.db.oidc import GitHubPublisherFactory, PendingGitHubPublisherFactory
-from warehouse.oidc import models
-
-
-def test_check_claim_binary():
-    wrapped = models._check_claim_binary(str.__eq__)
-
-    assert wrapped("foo", "bar", pretend.stub()) is False
-    assert wrapped("foo", "foo", pretend.stub()) is True
+from warehouse.oidc.models import _core, github
 
 
 @pytest.mark.parametrize("claim", ["", "repo", "repo:"])
 def test_check_sub(claim):
-    assert models._check_sub(pretend.stub(), claim, pretend.stub()) is False
-
-
-class TestOIDCPublisher:
-    def test_oidc_publisher_not_default_verifiable(self):
-        publisher = models.OIDCPublisher(projects=[])
-
-        assert not publisher.verify_claims(signed_claims={})
+    assert github._check_sub(pretend.stub(), claim, pretend.stub()) is False
 
 
 class TestGitHubPublisher:
     def test_github_publisher_all_known_claims(self):
-        assert models.GitHubPublisher.all_known_claims() == {
+        assert github.GitHubPublisher.all_known_claims() == {
             # verifiable claims
             "sub",
             "repository",
@@ -78,7 +64,7 @@ def test_github_publisher_all_known_claims(self):
         }
 
     def test_github_publisher_computed_properties(self):
-        publisher = models.GitHubPublisher(
+        publisher = github.GitHubPublisher(
             repository_name="fakerepo",
             repository_owner="fakeowner",
             repository_owner_id="fakeid",
@@ -93,7 +79,7 @@ def test_github_publisher_computed_properties(self):
         assert publisher.publisher_url == "https://github.com/fakeowner/fakerepo"
 
     def test_github_publisher_unaccounted_claims(self, monkeypatch):
-        publisher = models.GitHubPublisher(
+        publisher = github.GitHubPublisher(
             repository_name="fakerepo",
             repository_owner="fakeowner",
             repository_owner_id="fakeid",
@@ -109,12 +95,12 @@ def test_github_publisher_unaccounted_claims(self, monkeypatch):
                 )
             ),
         )
-        monkeypatch.setattr(models, "sentry_sdk", sentry_sdk)
+        monkeypatch.setattr(_core, "sentry_sdk", sentry_sdk)
 
         # We don't care if these actually verify, only that they're present.
         signed_claims = {
             claim_name: "fake"
-            for claim_name in models.GitHubPublisher.all_known_claims()
+            for claim_name in github.GitHubPublisher.all_known_claims()
         }
         signed_claims["fake-claim"] = "fake"
         signed_claims["another-fake-claim"] = "also-fake"
@@ -128,7 +114,7 @@ def test_github_publisher_unaccounted_claims(self, monkeypatch):
         assert scope.fingerprint == ["another-fake-claim", "fake-claim"]
 
     def test_github_publisher_missing_claims(self, monkeypatch):
-        publisher = models.GitHubPublisher(
+        publisher = github.GitHubPublisher(
             repository_name="fakerepo",
             repository_owner="fakeowner",
             repository_owner_id="fakeid",
@@ -144,11 +130,11 @@ def test_github_publisher_missing_claims(self, monkeypatch):
                 )
             ),
         )
-        monkeypatch.setattr(models, "sentry_sdk", sentry_sdk)
+        monkeypatch.setattr(_core, "sentry_sdk", sentry_sdk)
 
         signed_claims = {
             claim_name: "fake"
-            for claim_name in models.GitHubPublisher.all_known_claims()
+            for claim_name in github.GitHubPublisher.all_known_claims()
         }
         # Pop the first signed claim, so that it's the first one to fail.
         signed_claims.pop("sub")
@@ -161,7 +147,7 @@ def test_github_publisher_missing_claims(self, monkeypatch):
         assert scope.fingerprint == ["sub"]
 
     def test_github_publisher_missing_optional_claims(self, monkeypatch):
-        publisher = models.GitHubPublisher(
+        publisher = github.GitHubPublisher(
             repository_name="fakerepo",
             repository_owner="fakeowner",
             repository_owner_id="fakeid",
@@ -170,11 +156,11 @@ def test_github_publisher_missing_optional_claims(self, monkeypatch):
         )
 
         sentry_sdk = pretend.stub(capture_message=pretend.call_recorder(lambda s: None))
-        monkeypatch.setattr(models, "sentry_sdk", sentry_sdk)
+        monkeypatch.setattr(_core, "sentry_sdk", sentry_sdk)
 
         signed_claims = {
             claim_name: getattr(publisher, claim_name)
-            for claim_name in models.GitHubPublisher.__required_verifiable_claims__
+            for claim_name in github.GitHubPublisher.__required_verifiable_claims__
         }
         signed_claims["ref"] = "ref"
         signed_claims["job_workflow_ref"] = publisher.job_workflow_ref + "@ref"
@@ -185,10 +171,10 @@ def test_github_publisher_missing_optional_claims(self, monkeypatch):
     @pytest.mark.parametrize("environment", [None, "some-environment"])
     @pytest.mark.parametrize(
         "missing_claims",
-        [set(), models.GitHubPublisher.__optional_verifiable_claims__.keys()],
+        [set(), github.GitHubPublisher.__optional_verifiable_claims__.keys()],
     )
     def test_github_publisher_verifies(self, monkeypatch, environment, missing_claims):
-        publisher = models.GitHubPublisher(
+        publisher = github.GitHubPublisher(
             repository_name="fakerepo",
             repository_owner="fakeowner",
             repository_owner_id="fakeid",
@@ -214,7 +200,7 @@ def test_github_publisher_verifies(self, monkeypatch, environment, missing_claim
 
         signed_claims = {
             claim_name: "fake"
-            for claim_name in models.GitHubPublisher.all_known_claims()
+            for claim_name in github.GitHubPublisher.all_known_claims()
             if claim_name not in missing_claims
         }
         assert publisher.verify_claims(signed_claims=signed_claims)
@@ -271,14 +257,14 @@ def test_github_publisher_verifies(self, monkeypatch, environment, missing_claim
         ],
     )
     def test_github_publisher_job_workflow_ref(self, claim, ref, valid):
-        publisher = models.GitHubPublisher(
+        publisher = github.GitHubPublisher(
             repository_name="bar",
             repository_owner="foo",
             repository_owner_id=pretend.stub(),
             workflow_filename="baz.yml",
         )
 
-        check = models.GitHubPublisher.__required_verifiable_claims__[
+        check = github.GitHubPublisher.__required_verifiable_claims__[
             "job_workflow_ref"
         ]
         assert check(publisher.job_workflow_ref, claim, {"ref": ref}) is valid
@@ -294,7 +280,7 @@ def test_github_publisher_job_workflow_ref(self, claim, ref, valid):
         ],
     )
     def test_github_publisher_sub_claim(self, truth, claim, valid):
-        check = models.GitHubPublisher.__required_verifiable_claims__["sub"]
+        check = github.GitHubPublisher.__required_verifiable_claims__["sub"]
         assert check(truth, claim, pretend.stub()) is valid
 
     @pytest.mark.parametrize(
@@ -309,15 +295,15 @@ def test_github_publisher_sub_claim(self, truth, claim, valid):
         ],
     )
     def test_github_publisher_environment_claim(self, truth, claim, valid):
-        check = models.GitHubPublisher.__optional_verifiable_claims__["environment"]
+        check = github.GitHubPublisher.__optional_verifiable_claims__["environment"]
         assert check(truth, claim, pretend.stub()) is valid
 
 
 class TestPendingGitHubPublisher:
     def test_reify_does_not_exist_yet(self, db_request):
         pending_publisher = PendingGitHubPublisherFactory.create()
         assert (
-            db_request.db.query(models.GitHubPublisher)
+            db_request.db.query(github.GitHubPublisher)
             .filter_by(
                 repository_name=pending_publisher.repository_name,
                 repository_owner=pending_publisher.repository_owner,
@@ -332,7 +318,7 @@ def test_reify_does_not_exist_yet(self, db_request):
 
         # If an OIDC publisher for this pending publisher does not already exist,
         # a new one is created and the pending publisher is marked for deletion.
-        assert isinstance(publisher, models.GitHubPublisher)
+        assert isinstance(publisher, github.GitHubPublisher)
         assert pending_publisher in db_request.db.deleted
         assert publisher.repository_name == pending_publisher.repository_name
         assert publisher.repository_owner == pending_publisher.repository_owner

warehouse/oidc/models/__init__.py

@@ -0,0 +1,21 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from warehouse.oidc.models._core import OIDCPublisher, PendingOIDCPublisher
+from warehouse.oidc.models.github import GitHubPublisher, PendingGitHubPublisher
+
+__all__ = [
+    "OIDCPublisher",
+    "PendingOIDCPublisher",
+    "PendingGitHubPublisher",
+    "GitHubPublisher",
+]