Models, routes and views for creating OIDC publishers by woodruffw · Pull Request #10753 · pypi/warehouse (original) (raw)

• warehouse/oidc: rough model skeleton

• warehouse/oidc: fix imports

• warehouse/migrations: add migration for OIDC models

• warehouse/migrations: reformat

• warehouse/oidc: add basic verification logic

• oidc/services: reduce clock skew leeway to 30s

• warehouse/oidc: refactor claim verification

• oidc/models: fill in missing properties

• warehouse/migrations: remove original OIDC migration

Add many-many project-provider association.

• warehouse: add OIDC migration, fix association

• warehouse: reformat

• warehouse: OIDC route/view skeleton work

• warehouse: form, view logic for adding OIDC providers

• manage/views: disable HTTP cache, add TODO

• warehouse: move oidc views to "publishing"

...and make it a sub-page for project management.

• warehouse: provider deletion routing

• warehouse: shore up constraints, better error flashes

• warehouse/migrations: rebase revision

• warehouse/templates: update OIDC language

Refer to OIDC providers as "OpenID Connect publishers"

• warehouse: OIDC rate limiting groundwork

• manage/views: clean up OIDC events

• warehouse: use GitHub token for API requests, when available

• oidc/forms: special casing for rate limiting

Record errors with Sentry.

• warehouse: split user/repo form inputs apart

• warehouse/templates: link to GitHub's OIDC docs

• oidc/models: remove actor from checked claims

• templates/email: add OIDC email templates

• warehouse: fix templates, add email sending logic

• warehouse: add an AdminFlag for OIDC control

• oidc/models: use set operators

• oidc/forms: exception driven handling for GitHub API errors

• warehouse: OIDC ratelimiting logic

Also some small HTML fixes.

• warehouse/locale: update translations

• warehouse: lintage

• templates/manage/settings: remove vestigial HTML

• warehouse: address feedback

• Simplify form handling

• Validate GitHub usernames against a regex

• Fix form error presentation

• manage/views: more feedback addressing

• Prevent an infoleak in a session flash

• Reword a confusing comment

• Update warehouse/manage/views.py

Co-authored-by: Dustin Ingram di@users.noreply.github.com

• manage/views: fixups

• warehouse: add "OIDC provider removed" emails

• oidc/forms: use GH org regex in callable validator body

• warehouse/locale: update translations

• tests, warehouse: begin writing unit tests

• More tests, restructure for testing

• tests: fill in GitHubProviderForm tests

• tests, warehouse: more tests, adaptations for testing

• tests: more manage/view tests

• tests, warehouse: ratelimit tests, fix bug

• tests: round out ratelimiting

• tests: more tests

• tests, warehouse: OIDC deletion tests

Also, gets some coverage for free by reusing a helper.

• tests, warehouse: fill in model checks

Accommodations for testing.

• oidc/models: type hints

• warehouse/locale: make translations

• tests, warehouse: site-wide OIDC feature flag

• warehouse: make translations

• treewide: route to 404 when OIDC is disabled

Enable OIDC by default for development environments; update tests.

• warehouse: make translations

• Update warehouse/templates/manage/publishing.html

Co-authored-by: Joachim Jablon ewjoachim@gmail.com

• oidc/{interfaces,services}: simplify API

• tests: update

• warehouse/migrations: rebase

• tests, warehouse: move ratelimit hit up

• warehouse: make translations

• warehouse: plug in more OIDC metrics

Adds additional metrics on:

• Publisher configuration (attempt + ok)

• Publisher removal (attempt + ok)

• JWT signature verification (attempt + ok)

• warehouse/oidc: add a verify_for_helper iface method

This encapsulates the entire JWT verification process. It isn't hooked up to anything yet, but just to get something down.

• manage/views: add provider names to metrics

• oidc/services: add project tag to metrics during JWT verification

• oidc/services: include provider name in metrics too

• tests/unit: plumb metrics through OIDC unit tests

• tests/unit: fill in coverage

• warehouse: make translations

• tests, warehouse: disable job_workflow_ref

For now.

• Apply suggestions from code review

Co-authored-by: Dustin Ingram di@users.noreply.github.com

• tests, warehouse: update tests for changes

Also use workflow_filename consistently.

• warehouse, tests: email all users on OIDC changes

Instead of just owners.

• warehouse, tests: include publisher info in OIDC emails

• warehouse: make translations

Co-authored-by: Dustin Ingram di@users.noreply.github.com Co-authored-by: Joachim Jablon ewjoachim@gmail.com