Add support for Google trusted publishing (pypi#15144)

* Add a Google trusted publisher * Make PendingPublisher tests more generic * Add Google PendingPublisher tests * Remove old ip_address param * This is why we write tests * Make Publisher tests more generic * Add Google Publisher tests * Update translations * Update warehouse/templates/manage/account/publishing.html Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> * Update translations * Add missing help text * Have the AdminFlag disable the creation form as well * Add links to Google docs in form * Fixup tests * Update email address validators * Linting --------- Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
miketheman · Jan 10, 2024 · 4023254 · 4023254
1 parent 6a5a612
commit 4023254
Show file tree

Hide file tree

Showing 11 changed files with 1,279 additions and 398 deletions.
diff --git a/tests/unit/accounts/test_views.py b/tests/unit/accounts/test_views.py
diff --git a/tests/unit/manage/test_views.py b/tests/unit/manage/test_views.py
diff --git a/warehouse/accounts/forms.py b/warehouse/accounts/forms.py
@@ -259,9 +259,7 @@ class NewEmailMixin:
         validators=[
             wtforms.validators.InputRequired(),
             PreventNullBytesValidator(),
-            wtforms.validators.Regexp(
-                r".+@.+\..+", message=_("The email address isn't valid. Try again.")
-            ),
+            wtforms.validators.Email(),
             wtforms.validators.Length(
                 max=254, message=_("The email address is too long. Try again.")
             ),

diff --git a/warehouse/accounts/views.py b/warehouse/accounts/views.py
@@ -77,10 +77,17 @@
 )
 from warehouse.events.tags import EventTag
 from warehouse.metrics.interfaces import IMetricsService
-from warehouse.oidc.forms import DeletePublisherForm
-from warehouse.oidc.forms.github import PendingGitHubPublisherForm
+from warehouse.oidc.forms import (
+    DeletePublisherForm,
+    PendingGitHubPublisherForm,
+    PendingGooglePublisherForm,
+)
 from warehouse.oidc.interfaces import TooManyOIDCRegistrations
-from warehouse.oidc.models import PendingGitHubPublisher, PendingOIDCPublisher
+from warehouse.oidc.models import (
+    PendingGitHubPublisher,
+    PendingGooglePublisher,
+    PendingOIDCPublisher,
+)
 from warehouse.organizations.interfaces import IOrganizationService
 from warehouse.organizations.models import OrganizationRole, OrganizationRoleType
 from warehouse.packaging.models import (
@@ -1467,6 +1474,10 @@ def __init__(self, request):
             api_token=self.request.registry.settings.get("github.token"),
             project_factory=self.project_factory,
         )
+        self.pending_google_publisher_form = PendingGooglePublisherForm(
+            self.request.POST,
+            project_factory=self.project_factory,
+        )
 
     @property
     def _ratelimiters(self):
@@ -1502,6 +1513,15 @@ def _check_ratelimits(self):
     def default_response(self):
         return {
             "pending_github_publisher_form": self.pending_github_publisher_form,
+            "pending_google_publisher_form": self.pending_google_publisher_form,
+            "disabled": {
+                "GitHub": self.request.flags.disallow_oidc(
+                    AdminFlagValue.DISALLOW_GITHUB_OIDC
+                ),
+                "Google": self.request.flags.disallow_oidc(
+                    AdminFlagValue.DISALLOW_GOOGLE_OIDC
+                ),
+            },
         }
 
     @view_config(request_method="GET")
@@ -1640,6 +1660,29 @@ def _add_pending_oidc_publisher(
 
         return HTTPSeeOther(self.request.path)
 
+    @view_config(
+        request_method="POST",
+        request_param=PendingGooglePublisherForm.__params__,
+    )
+    def add_pending_google_oidc_publisher(self):
+        form = self.default_response["pending_google_publisher_form"]
+        return self._add_pending_oidc_publisher(
+            publisher_name="Google",
+            publisher_class=PendingGooglePublisher,
+            admin_flag=AdminFlagValue.DISALLOW_GOOGLE_OIDC,
+            form=form,
+            make_pending_publisher=lambda request, form: PendingGooglePublisher(
+                project_name=form.project_name.data,
+                added_by=request.user,
+                email=form.email.data,
+                sub=form.sub.data,
+            ),
+            make_existence_filters=lambda form: dict(
+                email=form.email.data,
+                sub=form.sub.data,
+            ),
+        )
+
     @view_config(
         request_method="POST",
         request_param=PendingGitHubPublisherForm.__params__,