chore: remove remaining Basic Authentication stuff (#15196)

Co-authored-by: Dustin Ingram <[email protected]>

Author: miketheman

tests/unit/email/test_init.py

@@ -1384,88 +1384,6 @@ def test_password_compromised_email(
         ]
 
 
-class TestBasicAuthWith2FAEmail:
-    @pytest.mark.parametrize("verified", [True, False])
-    def test_basic_auth_with_2fa_email(
-        self, pyramid_request, pyramid_config, monkeypatch, verified, metrics
-    ):
-        stub_user = pretend.stub(
-            id="id",
-            username="username",
-            name="",
-            email="[email protected]",
-            primary_email=pretend.stub(email="[email protected]", verified=verified),
-        )
-        subject_renderer = pyramid_config.testing_add_renderer(
-            "email/basic-auth-with-2fa/subject.txt"
-        )
-        subject_renderer.string_response = "Email Subject"
-        body_renderer = pyramid_config.testing_add_renderer(
-            "email/basic-auth-with-2fa/body.txt"
-        )
-        body_renderer.string_response = "Email Body"
-        html_renderer = pyramid_config.testing_add_renderer(
-            "email/basic-auth-with-2fa/body.html"
-        )
-        html_renderer.string_response = "Email HTML Body"
-
-        send_email = pretend.stub(
-            delay=pretend.call_recorder(lambda *args, **kwargs: None)
-        )
-        pyramid_request.task = pretend.call_recorder(lambda *args, **kwargs: send_email)
-        monkeypatch.setattr(email, "send_email", send_email)
-
-        pyramid_request.db = pretend.stub(
-            query=lambda a: pretend.stub(
-                filter=lambda *a: pretend.stub(
-                    one=lambda: pretend.stub(user_id=stub_user.id)
-                )
-            ),
-        )
-        pyramid_request.user = stub_user
-        pyramid_request.registry.settings = {"mail.sender": "[email protected]"}
-        project_name = "exampleproject"
-        result = email.send_basic_auth_with_two_factor_email(
-            pyramid_request, stub_user, project_name=project_name
-        )
-
-        assert result == {"project_name": project_name}
-        assert pyramid_request.task.calls == [pretend.call(send_email)]
-        assert send_email.delay.calls == [
-            pretend.call(
-                f"{stub_user.username} <{stub_user.email}>",
-                {
-                    "subject": "Email Subject",
-                    "body_text": "Email Body",
-                    "body_html": (
-                        "<html>\n<head></head>\n"
-                        "<body><p>Email HTML Body</p></body>\n</html>\n"
-                    ),
-                },
-                {
-                    "tag": "account:email:sent",
-                    "user_id": stub_user.id,
-                    "additional": {
-                        "from_": "[email protected]",
-                        "to": stub_user.email,
-                        "subject": "Email Subject",
-                        "redact_ip": False,
-                    },
-                },
-            )
-        ]
-        assert metrics.increment.calls == [
-            pretend.call(
-                "warehouse.emails.scheduled",
-                tags=[
-                    "template_name:basic-auth-with-2fa",
-                    "allow_unverified:True",
-                    "repeat_window:86400.0",
-                ],
-            )
-        ]
-
-
 class TestGPGSignatureUploadedEmail:
     def test_gpg_signature_uploaded_email(
         self, pyramid_request, pyramid_config, monkeypatch

tests/unit/forklift/test_legacy.py

@@ -33,7 +33,6 @@
 
 from warehouse.admin.flags import AdminFlag, AdminFlagValue
 from warehouse.classifiers.models import Classifier
-from warehouse.errors import BasicAuthTwoFactorEnabled
 from warehouse.forklift import legacy
 from warehouse.metrics import IMetricsService
 from warehouse.oidc.interfaces import SignedClaims
@@ -50,7 +49,6 @@
     Role,
 )
 from warehouse.packaging.tasks import sync_file_to_cache, update_bigquery_release_files
-from warehouse.utils.security_policy import AuthenticationMethod
 
 from ...common.db.accounts import EmailFactory, UserFactory
 from ...common.db.classifiers import ClassifierFactory
@@ -2591,58 +2589,6 @@ def test_upload_fails_without_oidc_publisher_permission(
             "See /the/help/url/ for more information."
         ).format(project.name)
 
-    def test_basic_auth_upload_fails_with_2fa_enabled(
-        self, pyramid_config, db_request, metrics, monkeypatch
-    ):
-        user = UserFactory.create(totp_secret=b"secret")
-        EmailFactory.create(user=user)
-        project = ProjectFactory.create()
-        RoleFactory.create(user=user, project=project)
-
-        pyramid_config.testing_securitypolicy(identity=user)
-        db_request.user = user
-        db_request.user_agent = "warehouse-tests/6.6.6"
-        db_request.POST = MultiDict(
-            {
-                "metadata_version": "1.2",
-                "name": project.name,
-                "version": "1.0.0",
-                "summary": "This is my summary!",
-                "filetype": "sdist",
-                "md5_digest": _TAR_GZ_PKG_MD5,
-                "content": pretend.stub(
-                    filename="{}-{}.tar.gz".format(project.name, "1.0.0"),
-                    file=io.BytesIO(_TAR_GZ_PKG_TESTDATA),
-                    type="application/tar",
-                ),
-            }
-        )
-        db_request.authentication_method = AuthenticationMethod.BASIC_AUTH
-
-        send_email = pretend.call_recorder(lambda *a, **kw: None)
-        monkeypatch.setattr(legacy, "send_basic_auth_with_two_factor_email", send_email)
-
-        storage_service = pretend.stub(store=lambda path, filepath, meta: None)
-        db_request.find_service = lambda svc, name=None, context=None: {
-            IFileStorage: storage_service,
-            IMetricsService: metrics,
-        }.get(svc)
-
-        with pytest.raises(BasicAuthTwoFactorEnabled) as excinfo:
-            legacy.file_upload(db_request)
-
-        resp = excinfo.value
-
-        assert resp.status_code == 401
-        assert resp.status == (
-            f"401 User { user.username } has two factor auth enabled, "
-            "an API Token or Trusted Publisher must be used to upload "
-            "in place of password."
-        )
-        assert send_email.calls == [
-            pretend.call(db_request, user, project_name=project.name)
-        ]
-
     @pytest.mark.parametrize(
         "plat",
         [

tests/unit/test_config.py

@@ -21,11 +21,9 @@
 
 from pyramid import renderers
 from pyramid.authorization import Allow, Authenticated
-from pyramid.httpexceptions import HTTPForbidden, HTTPUnauthorized
 from pyramid.tweens import EXCVIEW
 
 from warehouse import config
-from warehouse.errors import BasicAuthBreachedPassword, BasicAuthFailedPassword
 from warehouse.utils.wsgi import ProxyFixer, VhmRootRemover
 
 
@@ -78,24 +76,6 @@ def test_activate_hook(path, expected):
     assert config.activate_hook(request) == expected
 
 
-@pytest.mark.parametrize(
-    ("exc_info", "expected"),
-    [
-        (None, False),
-        ((ValueError, ValueError(), None), True),
-        ((HTTPForbidden, HTTPForbidden(), None), True),
-        ((HTTPUnauthorized, HTTPUnauthorized(), None), True),
-        ((BasicAuthBreachedPassword, BasicAuthBreachedPassword(), None), False),
-        ((BasicAuthFailedPassword, BasicAuthFailedPassword(), None), False),
-    ],
-)
-def test_commit_veto(exc_info, expected):
-    request = pretend.stub(exc_info=exc_info)
-    response = pretend.stub()
-
-    assert bool(config.commit_veto(request, response)) == expected
-
-
 @pytest.mark.parametrize("route_kw", [None, {}, {"foo": "bar"}])
 def test_template_view(route_kw):
     configobj = pretend.stub(
@@ -405,7 +385,6 @@ def __init__(self):
             {
                 "tm.manager_hook": mock.ANY,
                 "tm.activate_hook": config.activate_hook,
-                "tm.commit_veto": config.commit_veto,
                 "tm.annotate_user": False,
             }
         ),

warehouse/config.py

@@ -29,7 +29,6 @@
 from pyramid.tweens import EXCVIEW
 from pyramid_rpc.xmlrpc import XMLRPCRenderer
 
-from warehouse.errors import BasicAuthBreachedPassword, BasicAuthFailedPassword
 from warehouse.utils.static import ManifestCacheBuster
 from warehouse.utils.wsgi import ProxyFixer, VhmRootRemover
 
@@ -98,19 +97,6 @@ def activate_hook(request):
     return True
 
 
-def commit_veto(request, response):
-    # By default pyramid_tm will veto the commit anytime request.exc_info is not None,
-    # we are going to copy that logic with one difference, we are still going to commit
-    # if the exception was for a BasicAuthFailedPassword or BreachedPassword.
-    # TODO: We should probably use a registry or something instead of hardcoded.
-    allowed_types = (BasicAuthBreachedPassword, BasicAuthFailedPassword)
-
-    try:
-        return not isinstance(request.exc_info[1], allowed_types)
-    except (AttributeError, TypeError):
-        return False
-
-
 def template_view(config, name, route, template, route_kw=None, view_kw=None):
     if route_kw is None:
         route_kw = {}
@@ -553,7 +539,6 @@ def configure(settings=None):
         {
             "tm.manager_hook": lambda request: transaction.TransactionManager(),
             "tm.activate_hook": activate_hook,
-            "tm.commit_veto": commit_veto,
             "tm.annotate_user": False,
         }
     )

warehouse/email/__init__.py

@@ -333,15 +333,6 @@ def send_token_compromised_email_leak(request, user, *, public_url, origin):
     return {"username": user.username, "public_url": public_url, "origin": origin}
 
 
-@_email(
-    "basic-auth-with-2fa",
-    allow_unverified=True,
-    repeat_window=datetime.timedelta(days=1),
-)
-def send_basic_auth_with_two_factor_email(request, user, *, project_name):
-    return {"project_name": project_name}
-
-
 @_email(
     "two-factor-not-yet-enabled",
     allow_unverified=True,

warehouse/errors.py

@@ -10,22 +10,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from pyramid.httpexceptions import HTTPForbidden, HTTPUnauthorized
 from pyramid.security import Denied
 
 
-class BasicAuthFailedPassword(HTTPForbidden):
-    pass
-
-
-class BasicAuthBreachedPassword(HTTPUnauthorized):
-    pass
-
-
-class BasicAuthTwoFactorEnabled(HTTPUnauthorized):
-    pass
-
-
 class WarehouseDenied(Denied):
     def __new__(cls, s, *args, reason=None, **kwargs):
         inner = super().__new__(cls, s, *args, **kwargs)

warehouse/forklift/legacy.py

@@ -48,11 +48,9 @@
 from warehouse.admin.flags import AdminFlagValue
 from warehouse.classifiers.models import Classifier
 from warehouse.email import (
-    send_basic_auth_with_two_factor_email,
     send_gpg_signature_uploaded_email,
     send_two_factor_not_yet_enabled_email,
 )
-from warehouse.errors import BasicAuthTwoFactorEnabled
 from warehouse.events.tags import EventTag
 from warehouse.metrics import IMetricsService
 from warehouse.packaging.interfaces import IFileStorage, IProjectService
@@ -70,7 +68,6 @@
 from warehouse.rate_limiting.interfaces import RateLimiterException
 from warehouse.utils import http, readme
 from warehouse.utils.project import PROJECT_NAME_RE, validate_project_name
-from warehouse.utils.security_policy import AuthenticationMethod
 
 ONE_MB = 1 * 1024 * 1024
 ONE_GB = 1 * 1024 * 1024 * 1024
@@ -993,25 +990,6 @@ def file_upload(request):
             )
         raise _exc_with_message(HTTPForbidden, msg)
 
-    # Check if the user has 2FA and used basic auth
-    # NOTE: We don't need to guard request.user here because basic auth
-    # can only be used with user identities.
-    if (
-        request.authentication_method == AuthenticationMethod.BASIC_AUTH
-        and request.user.has_two_factor
-    ):
-        send_basic_auth_with_two_factor_email(
-            request, request.user, project_name=project.name
-        )
-        raise _exc_with_message(
-            BasicAuthTwoFactorEnabled,
-            (
-                f"User { request.user.username } has two factor auth enabled, "
-                "an API Token or Trusted Publisher must be used to upload "
-                "in place of password."
-            ),
-        )
-
     # Update name if it differs but is still equivalent. We don't need to check if
     # they are equivalent when normalized because that's already been done when we
     # queried for the project.