Merge

Author: sigurdm

.gitignore

@@ -12,6 +12,8 @@ build/
 *.sum
 
 # Ignore files built when the server is started
+/static/css/dartdoc.css
+/static/css/dartdoc.css.map
 /static/css/style.css
 /static/css/style.css.map
 /static/js/script.dart.js

CHANGELOG.md

@@ -3,6 +3,9 @@ AppEngine version, listed here to ease deployment and troubleshooting.
 
 ## Next Release (replace with git tag when deployed)
  * Upgraded runtime Dart SDK to `3.5.0-196.0.dev`.
+ * Upgraded runtimeVersion to `2024.06.11`
+
+## `20240606t114600-all`
  * Bumped runtimeVersion to `2024.05.30`.
  * Upgraded pana to `0.22.5`.
 
@@ -110,7 +113,7 @@ AppEngine version, listed here to ease deployment and troubleshooting.
  * Upgraded stable Flutter analysis SDK to `3.16.9`.
  * Upgraded preview Dart analysis SDK to `3.3.0-279.3.beta`.
  * Upgraded preview Flutter analysis SDK to `3.19.0-0.4.pre`.
- * Note: started to populare audit log records with extended `agentId` for service accounts.
+ * Note: started to populate audit log records with extended `agentId` for service accounts.
 
 ## `20240201t145300-all`
  * Note: temporarily disabled email notification on package published events.
@@ -197,7 +200,7 @@ AppEngine version, listed here to ease deployment and troubleshooting.
  * Upgraded pana to `0.21.40`.
 
 ## `20231019t115400-all`
- * Moved search index building and seach GC jobs into `analyzer` instance.
+ * Moved search index building and search GC jobs into `analyzer` instance.
  * Increased memory on `analyzer` instances to 16G, running two of them.
 
 ## `20231018t131100-all`
@@ -252,7 +255,7 @@ AppEngine version, listed here to ease deployment and troubleshooting.
  * Upgraded runtime Dart SDK to `3.1.0`.
  * Upgraded dependencies.
  * Note: `DartdocRun`, `Job` and `ScoreCard` entities will be deleted in Datastore.
- * Note: `dartdoc` backend no longer deletes entries from `Configuraiton.dartdocStorageBucketName`.
+ * Note: `dartdoc` backend no longer deletes entries from `Configuration.dartdocStorageBucketName`.
          TODO: delete the bucket after this release becomes obsolete.
 
 ## `20230822t112400-all`
@@ -325,7 +328,7 @@ AppEngine version, listed here to ease deployment and troubleshooting.
 
 ## `20230606t110900-all`
  * Bumped runtimeVersion to `2023.05.31`.
- * Note: Dart 3 compatiblity check uses the same SDK as the analysis.
+ * Note: Dart 3 compatibility check uses the same SDK as the analysis.
 
 ## `20230531t083600-all`
  * Bumped runtimeVersion to `2023.05.30`.
@@ -1039,7 +1042,7 @@ AppEngine version, listed here to ease deployment and troubleshooting.
  * NOTE: Expected reduction in Job-related API calls.
 
 ## `20210325t074600-all`
- * Tempoarily disabled youtube integration.
+ * Temporarily disabled youtube integration.
 
 ## `20210324t155000-all`
 
@@ -1098,7 +1101,7 @@ AppEngine version, listed here to ease deployment and troubleshooting.
          `delete-expired-consents`, `delete-expired-sessions`,
          `delete-old-jobs`, `delete-old-scorecards`.
  * Removed all usage of `app/static/js/gtag.js` it can be removed after a few
-   runtimeVerions when we are no-longer serving old generated dartdoc files.
+   runtimeVersions when we are no-longer serving old generated dartdoc files.
 
 ## `20210203t120700-all`
 
@@ -1608,5 +1611,5 @@ AppEngine version, listed here to ease deployment and troubleshooting.
 ## `20190306t115839-all`
 
  * Run `app/bin/tools/backfill_packageversions.dart` to backfill `PubSpec`
-   entities in datastore (these entitites are not in use yet).
+   entities in datastore (these entities are not in use yet).
  * Bumped runtimeVersion to `2019.03.05`.

app/lib/account/agent.dart

@@ -106,7 +106,7 @@ void checkAgentParam(String value) {
 ///  * A user using the `pub` client.
 ///  * A user using the `pub.dev` UI.
 ///  * A GCP service account may authenticate using an OIDC `id_token`,
-///  * A Github Action may authenticate using an OIDC `id_token`.
+///  * A GitHub Action may authenticate using an OIDC `id_token`.
 abstract class AuthenticatedAgent {
   /// The unique identifier of the agent.
   /// Must pass the [looksLikeUserIdOrServiceAgent] check.
@@ -116,7 +116,7 @@ abstract class AuthenticatedAgent {
   ///  * For automated publishing we use [KnownAgents] identifiers.
   String get agentId;
 
-  /// The formatted identfier of the agent, which may be publicly visible
+  /// The formatted identifier of the agent, which may be publicly visible
   /// in logs and audit records.
   ///
   /// Examples:
@@ -129,7 +129,7 @@ abstract class AuthenticatedAgent {
   String? get email;
 }
 
-/// Holds the authenticated Github Action information.
+/// Holds the authenticated GitHub Action information.
 ///
 /// The [agentId] has the following format: `service:github-actions:<repositoryOwnerId>/<repositoryId>`
 class AuthenticatedGithubAction implements AuthenticatedAgent {

app/lib/account/backend.dart

@@ -162,7 +162,7 @@ Future<AuthenticatedAgent?> _tryAuthenticateServiceAgent(String token) async {
       idToken.payload.aud.single !=
           activeConfiguration.externalServiceAudience) {
     throw AssertionError(
-        'authProvider.tryAuthenticateAsServiceToken should not return a parsed token with audience missmatch.');
+        'authProvider.tryAuthenticateAsServiceToken should not return a parsed token with audience mismatch.');
   }
 
   if (idToken.payload.iss == GitHubJwtPayload.issuerUrl) {

app/lib/account/consent_backend.dart

@@ -60,8 +60,13 @@ class ConsentBackend {
     InvalidInputException.checkUlid(consentId, 'consentId');
     final c = await _lookupAndCheck(consentId, user);
     final action = _actions[c.kind]!;
-    final invitingUserEmail =
-        (await accountBackend.getEmailOfUserId(c.fromUserId!))!;
+    final fromAgent = c.fromAgent!;
+    late String invitingUserEmail;
+    if (looksLikeUserId(fromAgent)) {
+      invitingUserEmail = (await accountBackend.getEmailOfUserId(fromAgent))!;
+    } else {
+      invitingUserEmail = fromAgent;
+    }
     return api.Consent(
       titleText: action.renderInviteTitleText(invitingUserEmail, c.args!),
       descriptionHtml: action.renderInviteHtml(
@@ -106,7 +111,6 @@ class ConsentBackend {
     required String kind,
     required List<String> args,
     required AuditLogRecord auditLogRecord,
-    required bool createdBySiteAdmin,
   }) async {
     return retry(() async {
       // First check for existing consents with identical dedupId.
@@ -138,7 +142,7 @@ class ConsentBackend {
         email: email,
         kind: kind,
         args: args,
-        createdBySiteAdmin: createdBySiteAdmin,
+        createdBySiteAdmin: activeAgent is SupportAgent,
       );
       await _db.commit(inserts: [
         consent,
@@ -154,7 +158,6 @@ class ConsentBackend {
     required User activeUser,
     required String packageName,
     required String uploaderEmail,
-    bool createdBySiteAdmin = false,
   }) async {
     return await _invite(
       activeAgent: agent,
@@ -167,7 +170,6 @@ class ConsentBackend {
         package: packageName,
         uploaderEmail: uploaderEmail,
       ),
-      createdBySiteAdmin: createdBySiteAdmin,
     );
   }
 
@@ -186,7 +188,6 @@ class ConsentBackend {
       args: [publisherId, contactEmail],
       auditLogRecord: await AuditLogRecord.publisherContactInvited(
           user: user, publisherId: publisherId, contactEmail: contactEmail),
-      createdBySiteAdmin: false,
     );
   }
 
@@ -196,7 +197,6 @@ class ConsentBackend {
     required User activeUser,
     required String publisherId,
     required String invitedUserEmail,
-    bool createdBySiteAdmin = false,
   }) async {
     return await _invite(
       activeAgent: authenticatedAgent,
@@ -209,7 +209,6 @@ class ConsentBackend {
         publisherId: publisherId,
         memberEmail: invitedUserEmail,
       ),
-      createdBySiteAdmin: createdBySiteAdmin,
     );
   }
 
@@ -330,19 +329,16 @@ class _PackageUploaderAction extends ConsentAction {
   Future<void> onAccept(Consent consent) async {
     final packageName = consent.args![0];
     final createdBySiteAdmin = consent.createdBySiteAdmin ?? false;
-    final fromUserId = consent.fromUserId!;
-    final fromUserEmail = (await accountBackend.getEmailOfUserId(fromUserId))!;
     final currentUser = await requireAuthenticatedWebUser();
     if (currentUser.email?.toLowerCase() != consent.email?.toLowerCase()) {
       throw NotAcceptableException(
           'Current user and consent user does not match.');
     }
 
     await packageBackend.confirmUploader(
-      fromUserId,
-      fromUserEmail,
       packageName,
       currentUser.user,
+      consentRequestFromAgent: consent.fromAgent!,
       consentRequestCreatedBySiteAdmin: createdBySiteAdmin,
     );
   }
@@ -352,7 +348,7 @@ class _PackageUploaderAction extends ConsentAction {
     final packageName = consent.args![0];
     await withRetryTransaction(dbService, (tx) async {
       tx.insert(await AuditLogRecord.uploaderInviteRejected(
-        fromUserId: consent.fromUserId,
+        fromAgent: consent.fromAgent,
         package: packageName,
         uploaderEmail: user?.email ?? consent.email!,
         userId: user?.userId,
@@ -365,7 +361,7 @@ class _PackageUploaderAction extends ConsentAction {
     final packageName = consent.args![0];
     await withRetryTransaction(dbService, (tx) async {
       tx.insert(await AuditLogRecord.uploaderInviteExpired(
-        fromUserId: consent.fromUserId,
+        fromAgent: consent.fromAgent,
         package: packageName,
         uploaderEmail: consent.email!,
       ));
@@ -408,7 +404,7 @@ class _PublisherContactAction extends ConsentAction {
     await publisherBackend.updateContactWithVerifiedEmail(
       publisherId,
       contactEmail,
-      consentRequestFromUserId: consent.fromUserId!,
+      consentRequestFromAgent: consent.fromAgent!,
       consentRequestCreatedBySiteAdmin: consent.createdBySiteAdmin ?? false,
     );
   }
@@ -418,7 +414,7 @@ class _PublisherContactAction extends ConsentAction {
     final publisherId = consent.args![0];
     await withRetryTransaction(dbService, (tx) async {
       tx.insert(await AuditLogRecord.publisherContactInviteRejected(
-        fromUserId: consent.fromUserId,
+        fromAgent: consent.fromAgent,
         publisherId: publisherId,
         contactEmail: consent.email!,
         userEmail: user?.email,
@@ -432,7 +428,7 @@ class _PublisherContactAction extends ConsentAction {
     final publisherId = consent.args![0];
     await withRetryTransaction(dbService, (tx) async {
       tx.insert(await AuditLogRecord.publisherContactInviteExpired(
-        fromUserId: consent.fromUserId,
+        fromAgent: consent.fromAgent,
         publisherId: publisherId,
         contactEmail: consent.email!,
       ));
@@ -488,7 +484,7 @@ class _PublisherMemberAction extends ConsentAction {
     await publisherBackend.inviteConsentGranted(
       publisherId,
       currentUser.userId,
-      consentRequestFromUserId: consent.fromUserId!,
+      consentRequestFromAgent: consent.fromAgent!,
       consentRequestCreatedBySiteAdmin: consent.createdBySiteAdmin ?? false,
     );
   }
@@ -498,7 +494,7 @@ class _PublisherMemberAction extends ConsentAction {
     final publisherId = consent.args![0];
     await withRetryTransaction(dbService, (tx) async {
       tx.insert(await AuditLogRecord.publisherMemberInviteRejected(
-        fromUserId: consent.fromUserId,
+        fromAgent: consent.fromAgent,
         publisherId: publisherId,
         memberEmail: user?.email ?? consent.email!,
         userId: user?.userId,
@@ -511,7 +507,7 @@ class _PublisherMemberAction extends ConsentAction {
     final publisherId = consent.args![0];
     await withRetryTransaction(dbService, (tx) async {
       tx.insert(await AuditLogRecord.publisherMemberInviteExpired(
-        fromUserId: consent.fromUserId,
+        fromAgent: consent.fromAgent,
         publisherId: publisherId,
         memberEmail: consent.email!,
       ));

app/lib/account/default_auth_provider.dart

@@ -462,7 +462,7 @@ abstract class BaseAuthProvider extends AuthProvider {
 /// do is to attempt authentication as both kinds of tokens. However, in
 /// practice Google oauth2 `access_token`s starts with `'ya29.'` and do not
 /// match the regular expression for JWTs. Thus, we can avoid significant
-/// overhead by trying the most likley approach first.
+/// overhead by trying the most likely approach first.
 bool _isLikelyAccessToken(String token) {
   // access_tokens starts with 'ya29.'
   if (token.startsWith('ya29.')) {

app/lib/account/session_cookie.dart

@@ -68,7 +68,7 @@ ClientSessionCookieStatus parseClientSessionCookies(
 /// Create a set of HTTP headers that clears a session cookie.
 ///
 /// If clearing the session cookie, remember that the most important part is to
-/// invalidate the serverside session. The user might be logging out because
+/// invalidate the server side session. The user might be logging out because
 /// the local session store was compromised.
 Map<String, Object> clearSessionCookies() {
   return {

app/lib/admin/actions/actions.dart

@@ -3,7 +3,9 @@
 // BSD-style license that can be found in the LICENSE file.
 
 import '../../shared/exceptions.dart';
+import 'create_moderation_case.dart';
 import 'create_publisher.dart';
+import 'delete_moderation_case.dart';
 import 'delete_publisher.dart';
 import 'merge_moderated_package_into_existing.dart';
 import 'moderate_package.dart';
@@ -15,10 +17,12 @@ import 'package_version_retraction.dart';
 import 'publisher_block.dart';
 import 'publisher_members_list.dart';
 import 'remove_package_from_publisher.dart';
+import 'resolve_moderation_case.dart';
 import 'send_email.dart';
 import 'task_bump_priority.dart';
 import 'tool_execute.dart';
 import 'tool_list.dart';
+import 'update_moderation_case.dart';
 import 'uploader_count_report.dart';
 import 'user_info.dart';
 
@@ -73,7 +77,9 @@ final class AdminAction {
   }
 
   static List<AdminAction> actions = [
+    createModerationCase,
     createPublisher,
+    deleteModerationCase,
     deletePublisher,
     mergeModeratedPackageIntoExisting,
     moderatePackage,
@@ -85,10 +91,12 @@ final class AdminAction {
     publisherBlock,
     publisherMembersList,
     removePackageFromPublisher,
+    resolveModerationCase,
     sendEmail,
     taskBumpPriority,
     toolExecute,
     toolList,
+    updateModerationCase,
     uploaderCountReport,
     userInfo,
   ];