Check for existing Trusted Publishers before constraining existing one (#17576)

* Add check before creating constrained Trusted Publisher

Signed-off-by: Facundo Tuesca <[email protected]>

* Add extra information to OIDCPublisherAdded event

Signed-off-by: Facundo Tuesca <[email protected]>

* Move exists() check to Trusted Publisher classes

Signed-off-by: Facundo Tuesca <[email protected]>

---------

Signed-off-by: Facundo Tuesca <[email protected]>
Co-authored-by: Dustin Ingram <[email protected]>

Author: facutuesca

tests/unit/manage/test_views.py

@@ -6573,6 +6573,8 @@ def test_manage_project_oidc_publishers_constrain_environment(
                     "specifier": str(constrained_publisher),
                     "url": publisher.publisher_url(),
                     "submitted_by": db_request.user.username,
+                    "reified_from_pending_publisher": False,
+                    "constrained_from_existing_publisher": True,
                 },
             ),
             pretend.call(
@@ -6672,6 +6674,8 @@ def test_manage_project_oidc_publishers_constrain_environment_shared_publisher(
                     "specifier": str(constrained_publisher),
                     "url": publisher.publisher_url(),
                     "submitted_by": db_request.user.username,
+                    "reified_from_pending_publisher": False,
+                    "constrained_from_existing_publisher": True,
                 },
             ),
             pretend.call(
@@ -6923,7 +6927,7 @@ def test_constrain_unsupported_publisher(
             )
         ]
 
-    def test_constrain_publisher_already_constrained(
+    def test_constrain_publisher_with_nonempty_environment(
         self, monkeypatch, metrics, db_request
     ):
         owner = UserFactory.create()
@@ -6978,6 +6982,81 @@ def test_constrain_publisher_already_constrained(
             )
         ]
 
+    @pytest.mark.parametrize(
+        ("publisher_class", "publisher_kwargs"),
+        [
+            (
+                GitHubPublisher,
+                {
+                    "repository_name": "some-repository",
+                    "repository_owner": "some-owner",
+                    "repository_owner_id": "666",
+                    "workflow_filename": "some-workflow-filename.yml",
+                },
+            ),
+            (
+                GitLabPublisher,
+                {
+                    "namespace": "some-namespace",
+                    "project": "some-project",
+                    "workflow_filepath": "some-workflow-filename.yml",
+                },
+            ),
+        ],
+    )
+    def test_constrain_environment_publisher_already_exists(
+        self, monkeypatch, metrics, db_request, publisher_class, publisher_kwargs
+    ):
+        owner = UserFactory.create()
+        db_request.user = owner
+
+        # Create unconstrained and constrained versions of the publisher
+        unconstrained = publisher_class(environment="", **publisher_kwargs)
+        constrained = publisher_class(environment="fakeenv", **publisher_kwargs)
+
+        project = ProjectFactory.create(oidc_publishers=[unconstrained, constrained])
+        project.record_event = pretend.call_recorder(lambda *a, **kw: None)
+        RoleFactory.create(user=owner, project=project, role_name="Owner")
+
+        db_request.db.add_all([unconstrained, constrained])
+        db_request.db.flush()  # To get the ids
+
+        db_request.method = "POST"
+        db_request.POST = MultiDict(
+            {
+                "constrained_publisher_id": str(unconstrained.id),
+                "constrained_environment_name": "fakeenv",
+            }
+        )
+        db_request.find_service = lambda *a, **kw: metrics
+        db_request.session = pretend.stub(
+            flash=pretend.call_recorder(lambda *a, **kw: None)
+        )
+        db_request.flags = pretend.stub(
+            disallow_oidc=pretend.call_recorder(lambda f=None: False)
+        )
+        db_request._ = lambda s: s
+
+        view = views.ManageOIDCPublisherViews(project, db_request)
+        default_response = {"_": pretend.stub()}
+        monkeypatch.setattr(
+            views.ManageOIDCPublisherViews, "default_response", default_response
+        )
+
+        assert view.constrain_environment() == default_response
+        assert view.metrics.increment.calls == [
+            pretend.call(
+                "warehouse.oidc.constrain_publisher_environment.attempt",
+            ),
+        ]
+        assert project.record_event.calls == []
+        assert db_request.session.flash.calls == [
+            pretend.call(
+                f"{unconstrained} is already registered with {project.name}",
+                queue="error",
+            )
+        ]
+
     @pytest.mark.parametrize(
         ("view_name", "publisher", "make_form"),
         [
@@ -7135,6 +7214,8 @@ def test_add_oidc_publisher_preexisting(
                     "specifier": "fakespecifier",
                     "url": publisher.publisher_url(),
                     "submitted_by": "some-user",
+                    "reified_from_pending_publisher": False,
+                    "constrained_from_existing_publisher": False,
                 },
             )
         ]
@@ -7286,6 +7367,8 @@ def test_add_oidc_publisher_created(
                     "specifier": str(publisher),
                     "url": publisher.publisher_url(),
                     "submitted_by": "some-user",
+                    "reified_from_pending_publisher": False,
+                    "constrained_from_existing_publisher": False,
                 },
             )
         ]

tests/unit/oidc/models/test_activestate.py

@@ -366,6 +366,21 @@ def test_activestate_publisher_verify_url(self, url, expected):
         )
         assert publisher.verify_url(url) == expected
 
+    @pytest.mark.parametrize("exists_in_db", [True, False])
+    def test_exists(self, db_request, exists_in_db):
+        publisher = ActiveStatePublisher(
+            organization="repository_name",
+            activestate_project_name="project_name",
+            actor_id=ACTOR_ID,
+            actor=ACTOR,
+        )
+
+        if exists_in_db:
+            db_request.db.add(publisher)
+            db_request.db.flush()
+
+        assert publisher.exists(db_request.db) == exists_in_db
+
 
 class TestPendingActiveStatePublisher:
     def test_reify_does_not_exist_yet(self, db_request):

tests/unit/oidc/models/test_github.py

@@ -685,6 +685,22 @@ def test_github_publisher_attestation_identity(self, environment):
         else:
             assert identity.environment == publisher.environment
 
+    @pytest.mark.parametrize("exists_in_db", [True, False])
+    def test_exists(self, db_request, exists_in_db):
+        publisher = github.GitHubPublisher(
+            repository_name="repository_name",
+            repository_owner="repository_owner",
+            repository_owner_id="666",
+            workflow_filename="workflow_filename.yml",
+            environment="",
+        )
+
+        if exists_in_db:
+            db_request.db.add(publisher)
+            db_request.db.flush()
+
+        assert publisher.exists(db_request.db) == exists_in_db
+
 
 class TestPendingGitHubPublisher:
     def test_reify_does_not_exist_yet(self, db_request):

tests/unit/oidc/models/test_gitlab.py

@@ -741,6 +741,21 @@ def test_gitlab_publisher_attestation_identity(self, environment):
         else:
             assert identity.environment == publisher.environment
 
+    @pytest.mark.parametrize("exists_in_db", [True, False])
+    def test_exists(self, db_request, exists_in_db):
+        publisher = gitlab.GitLabPublisher(
+            project="repository_name",
+            namespace="repository_owner",
+            workflow_filepath="subfolder/worflow_filename.yml",
+            environment="",
+        )
+
+        if exists_in_db:
+            db_request.db.add(publisher)
+            db_request.db.flush()
+
+        assert publisher.exists(db_request.db) == exists_in_db
+
 
 class TestPendingGitLabPublisher:
     def test_reify_does_not_exist_yet(self, db_request):

tests/unit/oidc/models/test_google.py

@@ -196,6 +196,19 @@ def test_google_publisher_sub_is_optional(self, expected_sub, actual_sub, valid)
                 )
             assert str(e.value) == "Check failed for optional claim 'sub'"
 
+    @pytest.mark.parametrize("exists_in_db", [True, False])
+    def test_exists(self, db_request, exists_in_db):
+        publisher = google.GooglePublisher(
+            email="[email protected]",
+            sub="fakesubject",
+        )
+
+        if exists_in_db:
+            db_request.db.add(publisher)
+            db_request.db.flush()
+
+        assert publisher.exists(db_request.db) == exists_in_db
+
 
 class TestPendingGooglePublisher:
     @pytest.mark.parametrize("sub", ["fakesubject", None])

tests/unit/oidc/test_views.py

@@ -32,11 +32,13 @@
 from warehouse.metrics import IMetricsService
 from warehouse.oidc import errors, views
 from warehouse.oidc.interfaces import IOIDCPublisherService, SignedClaims
+from warehouse.oidc.models import GitHubPublisher
 from warehouse.oidc.views import (
     is_from_reusable_workflow,
     should_send_environment_warning_email,
 )
 from warehouse.packaging import services
+from warehouse.packaging.models import Project
 from warehouse.rate_limiting.interfaces import IRateLimiter
 
 
@@ -446,6 +448,7 @@ def test_mint_token_from_oidc_pending_publisher_ok(
     dummy_github_oidc_jwt,
 ):
     user = UserFactory.create()
+
     pending_publisher = PendingGitHubPublisherFactory.create(
         project_name="does-not-exist",
         added_by=user,
@@ -476,6 +479,25 @@ def test_mint_token_from_oidc_pending_publisher_ok(
         pretend.call(db_request.remote_addr),
     ]
 
+    project = (
+        db_request.db.query(Project)
+        .filter(Project.name == pending_publisher.project_name)
+        .one()
+    )
+    publisher = db_request.db.query(GitHubPublisher).one()
+    event = project.events.where(
+        Project.Event.tag == EventTag.Project.OIDCPublisherAdded
+    ).one()
+    assert event.additional == {
+        "publisher": publisher.publisher_name,
+        "id": str(publisher.id),
+        "specifier": str(publisher),
+        "url": publisher.publisher_url(),
+        "submitted_by": "OpenID created token",
+        "reified_from_pending_publisher": True,
+        "constrained_from_existing_publisher": False,
+    }
+
 
 def test_mint_token_from_pending_trusted_publisher_invalidates_others(
     monkeypatch, db_request, dummy_github_oidc_jwt
@@ -543,6 +565,25 @@ def test_mint_token_from_pending_trusted_publisher_invalidates_others(
         pretend.call(db_request.remote_addr),
     ]
 
+    project = (
+        db_request.db.query(Project)
+        .filter(Project.name == pending_publisher.project_name)
+        .one()
+    )
+    publisher = db_request.db.query(GitHubPublisher).one()
+    event = project.events.where(
+        Project.Event.tag == EventTag.Project.OIDCPublisherAdded
+    ).one()
+    assert event.additional == {
+        "publisher": publisher.publisher_name,
+        "id": str(publisher.id),
+        "specifier": str(publisher),
+        "url": publisher.publisher_url(),
+        "submitted_by": "OpenID created token",
+        "reified_from_pending_publisher": True,
+        "constrained_from_existing_publisher": False,
+    }
+
 
 @pytest.mark.parametrize(
     ("claims_in_token", "claims_input"),