Warn users when GitHub/GitLab environments are not checked during Tru…

…sted Publishing (pypi#17281) * Add magic link to constrain environment existing Trusted Publisher Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> * Warn when Trusted Publisher without environment is used with one Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> * Remove translation markers from email Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> * Use a modal confirm dialog to constrain the environment Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> * Update warehouse/templates/manage/project/publishing.html Co-authored-by: Dustin Ingram <di@users.noreply.github.com> * Update warehouse/templates/manage/project/publishing.html Co-authored-by: Dustin Ingram <di@users.noreply.github.com> * add callout about multiple envs Signed-off-by: William Woodruff <william@trailofbits.com> * language tweaks Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Dustin Ingram <di@users.noreply.github.com> Co-authored-by: William Woodruff <william@yossarian.net> Co-authored-by: William Woodruff <william@trailofbits.com>
miketheman · Jan 14, 2025 · ef8cc62 · ef8cc62
1 parent d583427
commit ef8cc62
Show file tree

Hide file tree

Showing 12 changed files with 1,151 additions and 57 deletions.
diff --git a/tests/unit/email/test_init.py b/tests/unit/email/test_init.py
@@ -6218,3 +6218,99 @@ def test_pep625_emails(
                 },
             )
         ]
+
+    def test_environment_ignored_in_trusted_publisher_emails(
+        self, pyramid_request, pyramid_config, monkeypatch
+    ):
+        template_name = "environment-ignored-in-trusted-publisher"
+        stub_user_owner = pretend.stub(
+            id="id_owner",
+            username="username_owner",
+            name="",
+            email="email@example.com",
+            primary_email=pretend.stub(email="email@example.com", verified=True),
+        )
+        subject_renderer = pyramid_config.testing_add_renderer(
+            f"email/{template_name}/subject.txt"
+        )
+        subject_renderer.string_response = "Email Subject"
+        body_renderer = pyramid_config.testing_add_renderer(
+            f"email/{template_name}/body.txt"
+        )
+        body_renderer.string_response = "Email Body"
+        html_renderer = pyramid_config.testing_add_renderer(
+            f"email/{template_name}/body.html"
+        )
+        html_renderer.string_response = "Email HTML Body"
+
+        send_email = pretend.stub(
+            delay=pretend.call_recorder(lambda *args, **kwargs: None)
+        )
+        pyramid_request.task = pretend.call_recorder(lambda *args, **kwargs: send_email)
+        monkeypatch.setattr(email, "send_email", send_email)
+
+        pyramid_request.db = pretend.stub(
+            query=lambda a: pretend.stub(
+                filter=lambda *a: pretend.stub(
+                    one=lambda: pretend.stub(user_id=stub_user_owner.id)
+                )
+            ),
+        )
+        fakepublisher = pretend.stub(
+            publisher_name="fakepublisher",
+            repository_owner="fakeowner",
+            repository_name="fakerepository",
+            environment="",
+        )
+        fakeenvironment = "fakeenvironment"
+        pyramid_request.user = stub_user_owner
+        pyramid_request.registry.settings = {"mail.sender": "noreply@example.com"}
+
+        project_name = "test_project"
+        result = email.send_environment_ignored_in_trusted_publisher_email(
+            pyramid_request,
+            [stub_user_owner],
+            project_name=project_name,
+            publisher=fakepublisher,
+            environment_name=fakeenvironment,
+        )
+
+        assert result == {
+            "project_name": project_name,
+            "publisher": fakepublisher,
+            "environment_name": fakeenvironment,
+        }
+        subject_renderer.assert_()
+        body_renderer.assert_()
+        html_renderer.assert_(
+            project_name=project_name,
+            publisher=fakepublisher,
+            environment_name=fakeenvironment,
+        )
+        assert pyramid_request.task.calls == [
+            pretend.call(send_email),
+        ]
+        assert send_email.delay.calls == [
+            pretend.call(
+                f"{stub_user_owner.username} <{stub_user_owner.email}>",
+                {
+                    "sender": None,
+                    "subject": "Email Subject",
+                    "body_text": "Email Body",
+                    "body_html": (
+                        "<html>\n<head></head>\n"
+                        "<body><p>Email HTML Body</p></body>\n</html>\n"
+                    ),
+                },
+                {
+                    "tag": "account:email:sent",
+                    "user_id": stub_user_owner.id,
+                    "additional": {
+                        "from_": "noreply@example.com",
+                        "to": stub_user_owner.email,
+                        "subject": "Email Subject",
+                        "redact_ip": False,
+                    },
+                },
+            ),
+        ]