feat: associate gitlab accounts to pypi accounts (#19298)

Author: miketheman

dev/environment

@@ -56,6 +56,11 @@ GITHUB_OAUTH_BACKEND=warehouse.accounts.oauth.NullGitHubOAuthClient
 # For real GitHub App integration, uncomment and configure:
 # GITHUB_OAUTH_BACKEND=warehouse.accounts.oauth.GitHubAppClient client_id=Iv2.your_client_id client_secret=your_client_secret
 
+# Use NullGitLabOAuthClient for local development (no GitLab OAuth needed)
+GITLAB_OAUTH_BACKEND=warehouse.accounts.oauth.NullGitLabOAuthClient
+# For real GitLab OAuth integration, uncomment and configure:
+# GITLAB_OAUTH_BACKEND=warehouse.accounts.oauth.GitLabOAuthClient client_id=your_app_id client_secret=your_app_secret
+
 METRICS_BACKEND=warehouse.metrics.DataDogMetrics host=notdatadog
 
 STATUSPAGE_URL=https://2p66nmmycsj3.statuspage.io

tests/conftest.py

@@ -354,6 +354,7 @@ def get_app_config(database, nondefaults=None):
         "warehouse.oidc.audience": "pypi",
         "oidc.backend": "warehouse.oidc.services.NullOIDCPublisherService",
         "github.oauth.backend": "warehouse.accounts.oauth.NullGitHubOAuthClient",
+        "gitlab.oauth.backend": "warehouse.accounts.oauth.NullGitLabOAuthClient",
         "captcha.backend": "warehouse.captcha.hcaptcha.Service",
     }
 

tests/functional/manage/test_account_associations.py

@@ -338,3 +338,157 @@ def test_github_oauth_missing_code(self, webtest):
         )
         assert error_message is not None
         assert "No authorization code received from GitHub" in error_message.text
+
+    def test_connect_gitlab_account(self, webtest):
+        """A user can connect a GitLab account via OAuth."""
+        user = UserFactory.create(
+            with_verified_primary_email=True,
+            with_terms_of_service_agreement=True,
+            clear_pwd="password",
+        )
+
+        self._login_user(webtest, user)
+
+        # Click "Connect GitLab" button (initiates OAuth flow)
+        connect_response = webtest.get(
+            "/manage/account/associations/gitlab/connect",
+            status=HTTPStatus.SEE_OTHER,
+        )
+
+        # Follow the redirect to the callback URL
+        parsed_url = parse_url(connect_response.location)
+        callback_response = webtest.get(
+            parsed_url.path,
+            params=parsed_url.query,
+            status=HTTPStatus.SEE_OTHER,
+        )
+
+        # Follow redirect back to account page
+        account_page = callback_response.follow(status=HTTPStatus.OK)
+
+        # Verify association was created
+        assert "Account associations" in account_page.text
+        assert "mockuser_" in account_page.text
+
+    def test_connect_gitlab_account_invalid_state(self, webtest):
+        """GitLab OAuth flow rejects requests with invalid state tokens."""
+        user = UserFactory.create(
+            with_verified_primary_email=True,
+            with_terms_of_service_agreement=True,
+            clear_pwd="password",
+        )
+
+        self._login_user(webtest, user)
+
+        # Try to access callback directly with invalid state
+        callback_response = webtest.get(
+            "/manage/account/associations/gitlab/callback",
+            params={"code": "test", "state": "invalid"},
+            status=HTTPStatus.SEE_OTHER,
+        )
+
+        # Should redirect to account page with error
+        account_page = callback_response.follow(status=HTTPStatus.OK)
+        # Verify no association was created
+        assert "You have not connected" in account_page.text
+
+    def test_gitlab_oauth_error_response(self, webtest):
+        """GitLab OAuth flow handles error responses from GitLab."""
+        user = UserFactory.create(
+            with_verified_primary_email=True,
+            with_terms_of_service_agreement=True,
+            clear_pwd="password",
+        )
+
+        self._login_user(webtest, user)
+
+        # Start OAuth flow to get a valid state token
+        connect_response = webtest.get(
+            "/manage/account/associations/gitlab/connect",
+            status=HTTPStatus.SEE_OTHER,
+        )
+        parsed_url = parse_url(connect_response.location)
+        state = parsed_url.query.split("state=")[1].split("&")[0]
+
+        # Simulate OAuth error response with valid state
+        callback_response = webtest.get(
+            "/manage/account/associations/gitlab/callback",
+            params={
+                "state": state,
+                "error": "access_denied",
+                "error_description": "User declined",
+            },
+            status=HTTPStatus.SEE_OTHER,
+        )
+        callback_response.follow(status=HTTPStatus.OK)
+
+        # Check flash messages for the error
+        flash_messages = webtest.get(
+            "/_includes/unauthed/flash-messages/", status=HTTPStatus.OK
+        )
+        error_message = flash_messages.html.find(
+            "span", {"class": "notification-bar__message"}
+        )
+        assert error_message is not None
+        assert "GitLab OAuth failed" in error_message.text
+        assert "User declined" in error_message.text
+
+    def test_gitlab_oauth_missing_code(self, webtest):
+        """GitLab OAuth flow handles missing authorization code."""
+        user = UserFactory.create(
+            with_verified_primary_email=True,
+            with_terms_of_service_agreement=True,
+            clear_pwd="password",
+        )
+
+        self._login_user(webtest, user)
+
+        # Start OAuth flow to get a valid state token
+        connect_response = webtest.get(
+            "/manage/account/associations/gitlab/connect",
+            status=HTTPStatus.SEE_OTHER,
+        )
+        parsed_url = parse_url(connect_response.location)
+        state = parsed_url.query.split("state=")[1].split("&")[0]
+
+        # Call callback with valid state but no code
+        callback_response = webtest.get(
+            "/manage/account/associations/gitlab/callback",
+            params={"state": state},
+            status=HTTPStatus.SEE_OTHER,
+        )
+        callback_response.follow(status=HTTPStatus.OK)
+
+        # Check flash messages for the error
+        flash_messages = webtest.get(
+            "/_includes/unauthed/flash-messages/",
+            status=HTTPStatus.OK,
+        )
+        error_message = flash_messages.html.find(
+            "span", {"class": "notification-bar__message"}
+        )
+        assert error_message is not None
+        assert "No authorization code received from GitLab" in error_message.text
+
+    def test_view_account_with_gitlab_association(self, webtest):
+        """A user can view a GitLab association on the account page."""
+        user = UserFactory.create(
+            with_verified_primary_email=True,
+            with_terms_of_service_agreement=True,
+            clear_pwd="password",
+        )
+        OAuthAccountAssociationFactory.create(
+            user=user,
+            service="gitlab",
+            external_username="gitlabuser",
+        )
+
+        self._login_user(webtest, user)
+
+        # Visit account settings page
+        account_page = webtest.get("/manage/account/", status=HTTPStatus.OK)
+
+        # Verify GitLab association is present
+        assert "Account associations" in account_page.text
+        assert "gitlabuser" in account_page.text
+        assert "gitlab" in account_page.text.lower()

tests/unit/accounts/test_core.py

@@ -227,3 +227,55 @@ def test_includeme(monkeypatch):
         pretend.call(crontab(minute="*/20"), compute_user_metrics)
         in config.add_periodic_task.calls
     )
+
+    # Verify GitLab OAuth is NOT registered when setting is absent
+    assert (
+        pretend.call(
+            accounts.NullGitLabOAuthClient.create_service,
+            accounts.IOAuthProviderService,
+            name="gitlab",
+        )
+        not in config.register_service_factory.calls
+    )
+
+
+def test_includeme_with_gitlab_oauth():
+    """Verify GitLab OAuth service is registered when configured."""
+    register_service_factory = pretend.call_recorder(
+        lambda factory, iface, name=None: None
+    )
+    config = pretend.stub(
+        registry=pretend.stub(
+            settings={
+                "warehouse.account.user_login_ratelimit_string": "10 per 5 minutes",
+                "warehouse.account.ip_login_ratelimit_string": "10 per 5 minutes",
+                "warehouse.account.global_login_ratelimit_string": "1000 per 5 minutes",
+                "warehouse.account.2fa_user_ratelimit_string": "5 per 5 minutes, 20 per hour, 50 per day",  # noqa: E501
+                "warehouse.account.2fa_ip_ratelimit_string": "10 per 5 minutes, 50 per hour",  # noqa: E501
+                "warehouse.account.email_add_ratelimit_string": "2 per day",
+                "warehouse.account.verify_email_ratelimit_string": "3 per 6 hours",
+                "warehouse.account.password_reset_ratelimit_string": "5 per day",
+                "warehouse.account.accounts_search_ratelimit_string": "100 per hour",
+                "github.oauth.backend": accounts.NullGitHubOAuthClient,
+                "gitlab.oauth.backend": accounts.NullGitLabOAuthClient,
+            }
+        ),
+        register_service_factory=register_service_factory,
+        register_rate_limiter=pretend.call_recorder(lambda limit_string, name: None),
+        add_request_method=pretend.call_recorder(lambda f, name, reify=False: None),
+        set_security_policy=pretend.call_recorder(lambda p: None),
+        maybe_dotted=pretend.call_recorder(lambda path: path),
+        add_route_predicate=pretend.call_recorder(lambda name, cls: None),
+        add_periodic_task=pretend.call_recorder(lambda *a, **kw: None),
+    )
+
+    accounts.includeme(config)
+
+    assert (
+        pretend.call(
+            accounts.NullGitLabOAuthClient.create_service,
+            accounts.IOAuthProviderService,
+            name="gitlab",
+        )
+        in register_service_factory.calls
+    )