GitHub repository in Trusted Publisher should (probably) be case insensitive

[woodruffw]

From pypa/gh-action-pypi-publish#217: some users configure their trusted publisher with a different casing than their actual GitHub repository (e.g. the repo might be Bar and they configure bar).

GitHub appears to treat these names as equivalent (repo names appear to be case insensitive generally), but PyPI performs a case sensitive comparison. As a result, some trusted publishing activities are erroneously rejected, as in the linked issue.

I think the fix here is just to switch to case insensitive comparisons on the repository claim, and (maybe?) on the repository_owner as well.

[miketheman]

GitHub appears to treat these names as equivalent

Is this common across all of our publishers, or unique to GitHub?

[woodruffw]

Is this common across all of our publishers, or unique to GitHub?

We'll have to check that as well 😅 -- CCing @facutuesca for GitLab.

[webknjaz]

Is this common across all of our publishers, or unique to GitHub?

I think yes, but I also have similar concerns and was thinking that maybe it's better to loudly tell the users to check the spelling on the UI..

[facutuesca]

For GitHub, we already do case-insensitive comparisons for the sub claim, which includes the repo name:

warehouse/warehouse/oidc/models/github.py

Line 99 in 01be76a

return f"{org}:{repo}".lower() == ground_truth.lower()

.

Extending that to the repository claim can be done by modifying

warehouse/warehouse/oidc/models/github.py

Lines 113 to 119 in 01be76a

	__required_verifiable_claims__: dict[str, CheckClaimCallable[Any]] = {
	"sub": _check_sub,
	"repository": check_claim_binary(str.__eq__),
	"repository_owner": check_claim_binary(str.__eq__),
	"repository_owner_id": check_claim_binary(str.__eq__),
	"job_workflow_ref": _check_job_workflow_ref,
	}

so that repository is checked by a new _check_repository() function that behaves similarly to _check_job_workflow_ref()

[facutuesca]

The GitLab behavior is the same (case-insensitive checking of sub, normal equality checks for the repo name claim). The only difference is that in GitLab we check the project_path claim, which includes both the repo owner and the repo name

[facutuesca]

and (maybe?) on the repository_owner as well.

@woodruffw When creating a GitHub trusted publisher, PyPI queries GitHub to see if the owner exists, and stores the name returned by GitHub as the "ground truth":

warehouse/warehouse/manage/views/__init__.py

Line 1273 in e50010a

GitHubPublisher.repository_owner == form.normalized_owner,

So for the repository_owner claim the normal (case-sensitive) string comparison should be fine, since the ground truth is whatever normalized name GitHub returned during that first check.

[woodruffw]

#15501 should fix this.