fix: allow mixed case GitLab Trusted Publishers (#18824)

In the event a user has configured a Publisher with non-lowercase
characters, lowercase them at query time, as the provided JWT claims
will have lowercased them.

Resolves #18797
Closes #18805

Signed-off-by: Mike Fiedler <[email protected]>

Author: miketheman

tests/unit/oidc/models/test_gitlab.py

@@ -73,6 +73,29 @@ def test_lookup_fails_invalid_ci_config_ref_uri(self, environment):
         ):
             gitlab.GitLabPublisher.lookup_by_claims(pretend.stub(), signed_claims)
 
+    def test_lookup_succeeds_with_mixed_case_project_path(self, db_request):
+        # Test that we find a matching publisher when the project_path claims match
+        # even if the case is different.
+        stored_publisher = GitLabPublisherFactory(
+            namespace="Foo",
+            project="Bar",
+            workflow_filepath=".gitlab-ci.yml",
+            environment="",
+        )
+
+        signed_claims = {
+            "project_path": "foo/bar",  # different case than stored publisher
+            "ci_config_ref_uri": ("gitlab.com/foo/bar//.gitlab-ci.yml@refs/heads/main"),
+            "environment": "some_environment",
+        }
+
+        publisher = gitlab.GitLabPublisher.lookup_by_claims(
+            db_request.db, signed_claims
+        )
+
+        assert publisher.id == stored_publisher.id
+        assert publisher.environment == stored_publisher.environment
+
     @pytest.mark.parametrize("environment", ["SomeEnvironment", "SOME_ENVIRONMENT"])
     def test_lookup_succeeds_with_non_lowercase_environment(
         self, db_request, environment

warehouse/oidc/models/gitlab.py

@@ -10,7 +10,7 @@
 
 from more_itertools import first_true
 from pypi_attestations import GitLabPublisher as GitLabIdentity, Publisher
-from sqlalchemy import ForeignKey, String, UniqueConstraint, and_, exists
+from sqlalchemy import ForeignKey, String, UniqueConstraint, and_, exists, func
 from sqlalchemy.dialects.postgresql import UUID as PG_UUID
 from sqlalchemy.orm import Mapped, Query, mapped_column
 
@@ -244,10 +244,11 @@ def lookup_by_claims(cls, session: Session, signed_claims: SignedClaims) -> Self
                 "Could not extract workflow filename from OIDC claims"
             )
 
-        query: Query = Query(cls).filter_by(
-            namespace=namespace,
-            project=project,
-            workflow_filepath=workflow_filepath,
+        query: Query = Query(cls).filter(
+            # claims `project_path` is case-insensitive
+            func.lower(cls.namespace) == namespace,
+            func.lower(cls.project) == project,
+            cls.workflow_filepath == workflow_filepath,
         )
         publishers = query.with_session(session).all()
         if publisher := cls._get_publisher_for_environment(publishers, environment):