WIP

Author: Turbo87

Cargo.lock

@@ -110,6 +110,7 @@ paste = "=1.0.15"
 postgres-native-tls = "=0.5.1"
 prometheus = { version = "=0.14.0", default-features = false }
 rand = "=0.9.1"
+regex = "=1.11.1"
 reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
 rss = { version = "=2.0.12", default-features = false, features = ["atom"] }
 secrecy = "=0.10.3"
@@ -143,11 +144,12 @@ crates_io_index = { path = "crates/crates_io_index", features = ["testing"] }
 crates_io_tarball = { path = "crates/crates_io_tarball", features = ["builder"] }
 crates_io_team_repo = { path = "crates/crates_io_team_repo", features = ["mock"] }
 crates_io_test_db = { path = "crates/crates_io_test_db" }
+crates_io_trustpub = { path = "crates/crates_io_trustpub", features = ["mock"] }
 claims = "=0.8.0"
 diesel = { version = "=2.2.10", features = ["r2d2"] }
 googletest = "=0.14.0"
 insta = { version = "=1.43.1", features = ["glob", "json", "redactions"] }
-regex = "=1.11.1"
+jsonwebtoken = "=9.3.1"
 sentry = { version = "=0.37.0", features = ["test"] }
 tokio = "=1.45.0"
 zip = { version = "=2.6.1", default-features = false, features = ["deflate"] }

Cargo.toml

@@ -8,7 +8,7 @@ edition = "2024"
 workspace = true
 
 [features]
-mock = ["dep:mockall"]
+mock = ["dep:mockall", "dep:serde_json"]
 
 [dependencies]
 anyhow = "=1.0.98"
@@ -19,6 +19,7 @@ mockall = { version = "=0.13.1", optional = true }
 reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
 regex = "=1.11.1"
 serde = { version = "=1.0.219", features = ["derive"] }
+serde_json = { version = "=1.0.140", optional = true }
 thiserror = "=2.0.12"
 tokio = { version = "=1.45.0", features = ["sync"] }
 

crates/crates_io_trustpub/Cargo.toml

@@ -18,3 +18,21 @@ pub trait OidcKeyStore: Send + Sync {
     /// is an error while fetching the key, it will return an error.
     async fn get_oidc_key(&self, key_id: &str) -> anyhow::Result<Option<DecodingKey>>;
 }
+
+#[cfg(feature = "mock")]
+impl MockOidcKeyStore {
+    /// Creates a new instance of [`MockOidcKeyStore`] based on the RSA keys
+    /// provided in the [`crate::test_keys`] module.
+    pub fn with_test_key() -> Self {
+        use crate::test_keys::{DECODING_KEY, KEY_ID};
+        use mockall::predicate::*;
+
+        let mut mock = Self::new();
+
+        mock.expect_get_oidc_key()
+            .with(eq(KEY_ID))
+            .returning(|_| Ok(Some(DECODING_KEY.clone())));
+
+        mock
+    }
+}

crates/crates_io_trustpub/src/keystore/mod.rs

@@ -2,7 +2,7 @@
 
 pub mod github;
 pub mod keystore;
-#[cfg(test)]
+#[cfg(any(test, feature = "mock"))]
 pub mod test_keys;
 pub mod unverified;
 

crates/crates_io_trustpub/src/lib.rs

@@ -1,16 +1,18 @@
 #[macro_use]
 extern crate tracing;
 
+use axum::ServiceExt;
 use crates_io::middleware::normalize_path::normalize_path;
 use crates_io::{App, Emails, metrics::LogEncoder};
-use std::{sync::Arc, time::Duration};
-
-use axum::ServiceExt;
 use crates_io_github::RealGitHubClient;
+use crates_io_trustpub::github::GITHUB_ISSUER_URL;
+use crates_io_trustpub::keystore::{OidcKeyStore, RealOidcKeyStore};
 use prometheus::Encoder;
 use reqwest::Client;
+use std::collections::HashMap;
 use std::io::Write;
 use std::net::SocketAddr;
+use std::{sync::Arc, time::Duration};
 use tokio::net::TcpListener;
 use tokio::signal::unix::{SignalKind, signal};
 use tower::Layer;
@@ -33,10 +35,15 @@ fn main() -> anyhow::Result<()> {
     let github = RealGitHubClient::new(client);
     let github = Box::new(github);
 
+    let github_key_store: Box<dyn OidcKeyStore> = Box::new(RealOidcKeyStore::github());
+    let oidc_key_stores: HashMap<String, Box<dyn OidcKeyStore>> =
+        HashMap::from([(GITHUB_ISSUER_URL.into(), github_key_store)]);
+
     let app = App::builder()
         .databases_from_config(&config.db)
         .github(github)
         .github_oauth_from_config(&config)
+        .oidc_key_stores(oidc_key_stores)
         .emails(emails)
         .storage_from_config(&config.storage)
         .rate_limiter_from_config(config.rate_limiter.clone())

src/bin/server.rs

@@ -1,7 +1,11 @@
 //! Functionality related to publishing a new crate or version of a crate.
 
 use crate::app::AppState;
-use crate::auth::AuthCheck;
+use crate::auth::{AuthCheck, Authentication};
+use crate::models::{
+    Category, Crate, DependencyKind, Keyword, NewCrate, NewVersion, NewVersionOwnerAction,
+    VersionAction, default_versions::Version as DefaultVersion,
+};
 use crate::worker::jobs::{
     self, CheckTyposquat, SendPublishNotificationsJob, UpdateDefaultVersion,
 };
@@ -11,27 +15,22 @@ use cargo_manifest::{Dependency, DepsSet, TargetDepsSet};
 use chrono::{DateTime, SecondsFormat, Utc};
 use crates_io_tarball::{TarballError, process_tarball};
 use crates_io_worker::{BackgroundJob, EnqueueError};
-use diesel::dsl::{exists, select};
+use diesel::dsl::{exists, now, select};
 use diesel::prelude::*;
 use diesel::sql_types::Timestamptz;
 use diesel_async::scoped_futures::ScopedFutureExt;
 use diesel_async::{AsyncConnection, AsyncPgConnection, RunQueryDsl};
 use futures_util::TryFutureExt;
 use futures_util::TryStreamExt;
 use hex::ToHex;
-use http::StatusCode;
 use http::request::Parts;
+use http::{StatusCode, header};
 use sha2::{Digest, Sha256};
 use std::collections::HashMap;
 use tokio::io::{AsyncRead, AsyncReadExt};
 use tokio_util::io::StreamReader;
 use url::Url;
 
-use crate::models::{
-    Category, Crate, DependencyKind, Keyword, NewCrate, NewVersion, NewVersionOwnerAction,
-    VersionAction, default_versions::Version as DefaultVersion,
-};
-
 use crate::controllers::helpers::authorization::Rights;
 use crate::licenses::parse_license_expr;
 use crate::middleware::log_request::RequestLogExt;
@@ -51,6 +50,11 @@ const MISSING_RIGHTS_ERROR_MESSAGE: &str = "this crate exists but you don't seem
 
 const MAX_DESCRIPTION_LENGTH: usize = 1000;
 
+enum AuthType {
+    Regular(Box<Authentication>),
+    Oidc(),
+}
+
 /// Publish a new crate/version.
 ///
 /// Used by `cargo publish` to publish a new crate or to publish a new version of an
@@ -130,30 +134,62 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
         None => EndpointScope::PublishNew,
     };
 
-    let auth = AuthCheck::default()
-        .with_endpoint_scope(endpoint_scope)
-        .for_crate(&metadata.name)
-        .check(&req, &mut conn)
-        .await?;
+    let bearer = req
+        .headers
+        .get(header::AUTHORIZATION)
+        .and_then(|h| h.as_bytes().strip_prefix(b"Bearer "));
 
-    let verified_email_address = auth.user().verified_email(&mut conn).await?;
-    let verified_email_address = verified_email_address.ok_or_else(|| {
-        bad_request(format!(
-            "A verified email address is required to publish crates to crates.io. \
-             Visit https://{}/settings/profile to set and verify your email address.",
-            app.config.domain_name,
-        ))
-    })?;
+    let auth = match (bearer, &existing_crate) {
+        (Some(bearer), Some(existing_crate)) if bearer.starts_with(b"crates.io/oidc/") => {
+            let hashed_token = Sha256::digest(bearer);
+
+            trustpub_tokens::table
+                .filter(trustpub_tokens::crate_ids.contains(vec![existing_crate.id]))
+                .filter(trustpub_tokens::hashed_token.eq(hashed_token.as_slice()))
+                .filter(trustpub_tokens::expires_at.gt(now))
+                .select(trustpub_tokens::id)
+                .get_result::<i64>(&mut conn)
+                .await?;
 
-    // Use a different rate limit whether this is a new or an existing crate.
-    let rate_limit_action = match existing_crate {
-        Some(_) => LimitedAction::PublishUpdate,
-        None => LimitedAction::PublishNew,
+            AuthType::Oidc()
+        }
+        _ => {
+            let auth = AuthCheck::default()
+                .with_endpoint_scope(endpoint_scope)
+                .for_crate(&metadata.name)
+                .check(&req, &mut conn)
+                .await?;
+
+            AuthType::Regular(Box::new(auth))
+        }
     };
 
-    app.rate_limiter
-        .check_rate_limit(auth.user().id, rate_limit_action, &mut conn)
-        .await?;
+    let verified_email_address = match &auth {
+        AuthType::Regular(auth) => {
+            let verified_email_address = auth.user().verified_email(&mut conn).await?;
+            let verified_email_address = verified_email_address.ok_or_else(|| {
+                bad_request(format!(
+                    "A verified email address is required to publish crates to crates.io. \
+             Visit https://{}/settings/profile to set and verify your email address.",
+                    app.config.domain_name,
+                ))
+            })?;
+            Some(verified_email_address)
+        }
+        AuthType::Oidc() => None,
+    };
+
+    if let AuthType::Regular(auth) = &auth {
+        // Use a different rate limit whether this is a new or an existing crate.
+        let rate_limit_action = match existing_crate {
+            Some(_) => LimitedAction::PublishUpdate,
+            None => LimitedAction::PublishNew,
+        };
+
+        app.rate_limiter
+            .check_rate_limit(auth.user().id, rate_limit_action, &mut conn)
+            .await?;
+    }
 
     let max_upload_size = existing_crate
         .as_ref()
@@ -342,9 +378,6 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
         validate_dependency(dep)?;
     }
 
-    let api_token_id = auth.api_token_id();
-    let user = auth.user();
-
     // Create a transaction on the database, if there are no errors,
     // commit the transactions to record a new or updated crate.
     conn.transaction(|conn| async move {
@@ -368,17 +401,29 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
             return Err(bad_request("cannot upload a crate with a reserved name"));
         }
 
-        // To avoid race conditions, we try to insert
-        // first so we know whether to add an owner
-        let krate = match persist.create(conn, user.id).await.optional()? {
-            Some(krate) => krate,
-            None => persist.update(conn).await?,
-        };
+        let krate = match &auth {
+            AuthType::Regular(auth) => {
+                let user = auth.user();
 
-        let owners = krate.owners(conn).await?;
-        if Rights::get(user, &*app.github, &owners).await? < Rights::Publish {
-            return Err(custom(StatusCode::FORBIDDEN, MISSING_RIGHTS_ERROR_MESSAGE));
-        }
+                // To avoid race conditions, we try to insert
+                // first so we know whether to add an owner
+                let krate = match persist.create(conn, user.id).await.optional()? {
+                    Some(krate) => krate,
+                    None => persist.update(conn).await?,
+                };
+
+                let owners = krate.owners(conn).await?;
+                if Rights::get(user, &*app.github, &owners).await? < Rights::Publish {
+                    return Err(custom(StatusCode::FORBIDDEN, MISSING_RIGHTS_ERROR_MESSAGE));
+                }
+
+                krate
+            }
+            AuthType::Oidc() => {
+                // OIDC does not support creating new crates
+                persist.update(conn).await?
+            }
+        };
 
         if krate.name != *name {
             return Err(bad_request(format_args!(
@@ -407,6 +452,11 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
 
         let edition = edition.map(|edition| edition.as_str());
 
+        let published_by = match &auth {
+            AuthType::Regular(auth) => Some(auth.user().id),
+            AuthType::Oidc() => None,
+        };
+
         // Read tarball from request
         let hex_cksum: String = Sha256::digest(&tarball_bytes).encode_hex();
 
@@ -417,7 +467,7 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
             // Downcast is okay because the file length must be less than the max upload size
             // to get here, and max upload sizes are way less than i32 max
             .size(content_length as i32)
-            .published_by(user.id)
+            .maybe_published_by(published_by)
             .checksum(&hex_cksum)
             .maybe_links(package.links.as_deref())
             .maybe_rust_version(rust_version.as_deref())
@@ -432,7 +482,7 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
             .keywords(&keywords)
             .build();
 
-        let version = new_version.save(conn, &verified_email_address).await.map_err(|error| {
+        let version = new_version.save(conn, verified_email_address.as_deref()).await.map_err(|error| {
             use diesel::result::{Error, DatabaseErrorKind};
             match error {
                 Error::DatabaseError(DatabaseErrorKind::UniqueViolation, _) =>
@@ -441,14 +491,16 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
             }
         })?;
 
-        NewVersionOwnerAction::builder()
-            .version_id(version.id)
-            .user_id(user.id)
-            .maybe_api_token_id(api_token_id)
-            .action(VersionAction::Publish)
-            .build()
-            .insert(conn)
-            .await?;
+        if let AuthType::Regular(auth) = &auth {
+            NewVersionOwnerAction::builder()
+                .version_id(version.id)
+                .user_id(auth.user().id)
+                .maybe_api_token_id(auth.api_token_id())
+                .action(VersionAction::Publish)
+                .build()
+                .insert(conn)
+                .await?;
+        }
 
         // Link this new version to all dependencies
         add_dependencies(conn, &deps, version.id).await?;

src/controllers/krate/publish.rs

@@ -1 +1,2 @@
 pub mod github_configs;
+pub mod tokens;