-
Notifications
You must be signed in to change notification settings - Fork 984
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warn users when GitHub/GitLab environments are not checked during Trusted Publishing #17281
Conversation
warehouse/manage/views/__init__.py
Outdated
# First we add the new trusted publisher | ||
if isinstance(publisher, GitHubPublisher): | ||
constrained_publisher = GitHubPublisher( | ||
repository_name=publisher.repository_name, | ||
repository_owner=publisher.repository_owner, | ||
repository_owner_id=publisher.repository_owner_id, | ||
workflow_filename=publisher.workflow_filename, | ||
environment=form.constrain_environment.data, | ||
) | ||
elif isinstance(publisher, GitLabPublisher): | ||
constrained_publisher = GitLabPublisher( | ||
namespace=publisher.namespace, | ||
project=publisher.project, | ||
workflow_filepath=publisher.workflow_filepath, | ||
environment=form.constrain_environment.data, | ||
) | ||
|
||
else: | ||
self.request.session.flash( | ||
"Can only constrain the environment for GitHub and GitLab publishers", | ||
queue="error", | ||
) | ||
return self.default_response | ||
|
||
if publisher.environment != "": | ||
self.request.session.flash( | ||
"Can only constrain the environment for publishers without an " | ||
"environment configured", | ||
queue="error", | ||
) | ||
return self.default_response | ||
|
||
self.request.db.add(constrained_publisher) | ||
self.request.db.flush() # ensure constrained_publisher.id is available | ||
self.project.oidc_publishers.append(constrained_publisher) | ||
|
||
self.project.record_event( | ||
tag=EventTag.Project.OIDCPublisherAdded, | ||
request=self.request, | ||
additional={ | ||
"publisher": constrained_publisher.publisher_name, | ||
"id": str(constrained_publisher.id), | ||
"specifier": str(constrained_publisher), | ||
"url": constrained_publisher.publisher_url(), | ||
"submitted_by": self.request.user.username, | ||
}, | ||
) | ||
|
||
# Then, we remove the old trusted publisher from the project | ||
# and, if there are no projects left associated with the publisher, | ||
# we delete it entirely. | ||
self.project.oidc_publishers.remove(publisher) | ||
if len(publisher.projects) == 0: | ||
self.request.db.delete(publisher) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might be missing something, but can we simplify this by modifying the publisher rather than creating a new one and deleting the old one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It wouldn't cover the case where the publisher is associated to more than one project: since the magic link is associated to a single project, it should only affect that project. And modifying a publisher would modify it for all associated projects.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah right, completely forgot about that case! It might be good to leave a comment to that effect (the current comment explains it indirectly, but an explicit one might stop an over-eager refactor 🙂)
warehouse/templates/email/environment-ignored-in-trusted-publisher/body.html
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM otherwise
Signed-off-by: Facundo Tuesca <[email protected]>
Signed-off-by: Facundo Tuesca <[email protected]>
Signed-off-by: Facundo Tuesca <[email protected]>
Signed-off-by: Facundo Tuesca <[email protected]>
5b0a592
to
81716d2
Compare
Co-authored-by: Dustin Ingram <[email protected]>
81716d2
to
3f3f993
Compare
Looking good. My only additional thought is that this doesn't really handle the edge case where a user might be publishing from multiple environments: we would guide them to constrain it to one, and their publishing from the other(s) would then start failing. I think that might be fine, but we might want to add a note to the modal advising the user to add additional publishers if they plan to use multiple environments. |
Co-authored-by: Dustin Ingram <[email protected]>
Yeah, good point! I'll add some language to the modal explaining this. |
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
What is this?
This PR adds two things:
This means changing a publisher that allows any environment so that it only accepts one.
The email suggests constraining the Trusted Publisher so that it only accepts the environment which was just used. The email also contains a link to the PyPI page to constrain the environment to the one used, so that project owners can just follow this link and confirm the change.
This fixes #17241
Details
UI/UX
$MY_PROJECT
$PUBLISHER_ID
is a valid GitHub/GitLab publisher with no configured environment$MY_PROJECT
Email
** This is done in order to avoid confusion and edge cases: if a single Trusted Publisher is configured for multiple projects, to send an email during the token exchange we would need to send it to the owners of all the projects, which might be confusing if the token exchange was for the upload of a single project's release.
Screenshots
Email
Confirmation modal
Action successful
cc @woodruffw @sethmlarson @di