Models, routes and views for creating OIDC publishers

warehouse/migrations/versions/f345394c444f_add_initial_oidc_provider_models.py

@@ -0,0 +1,92 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+Add initial OIDC provider models
+
+Revision ID: f345394c444f
+Revises: 29a8901a4635
+Create Date: 2022-02-15 21:11:41.693791
+"""
+
+import sqlalchemy as sa
+
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+revision = "f345394c444f"
+down_revision = "29a8901a4635"
+
+# Note: It is VERY important to ensure that a migration does not lock for a
+#       long period of time and to ensure that each individual migration does
+#       not break compatibility with the *previous* version of the code base.
+#       This is because the migrations will be ran automatically as part of the
+#       deployment process, but while the previous version of the code is still
+#       up and running. Thus backwards incompatible changes must be broken up
+#       over multiple migrations inside of multiple pull requests in order to
+#       phase them in over multiple deploys.
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "oidc_providers",
+        sa.Column(
+            "id",
+            postgresql.UUID(as_uuid=True),
+            server_default=sa.text("gen_random_uuid()"),
+            nullable=False,
+        ),
+        sa.Column("discriminator", sa.String(), nullable=True),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_table(
+        "github_oidc_providers",
+        sa.Column("id", postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column("repository_name", sa.String(), nullable=True),
+        sa.Column("owner", sa.String(), nullable=True),
+        sa.Column("owner_id", sa.String(), nullable=True),
+        sa.Column("workflow_name", sa.String(), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["id"],
+            ["oidc_providers.id"],
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_table(
+        "oidc_provider_project_association",
+        sa.Column(
+            "id",
+            postgresql.UUID(as_uuid=True),
+            server_default=sa.text("gen_random_uuid()"),
+            nullable=False,
+        ),
+        sa.Column("oidc_provider_id", postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column("project_id", postgresql.UUID(as_uuid=True), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["oidc_provider_id"],
+            ["oidc_providers.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["project_id"],
+            ["projects.id"],
+        ),
+        sa.PrimaryKeyConstraint("id", "oidc_provider_id", "project_id"),
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table("oidc_provider_project_association")
+    op.drop_table("github_oidc_providers")
+    op.drop_table("oidc_providers")
+    # ### end Alembic commands ###

warehouse/oidc/interfaces.py

@@ -26,7 +26,14 @@ def get_key(key_id):
         """
         pass
 
-    def verify(token):
+    def verify_signature_only(token):
         """
-        Verify the given JWT.
+        Verify the given JWT's signature and basic claims, returning
+        a tuple of (valid, decoded) where `valid` indicates
+        the validity of the JWT and `decoded` is the decoded JWT,
+        or `None` if invalid.
+
+        This function **does not** verify the token's suitability
+        for a particular action; subsequent checks on the decoded token's
+        third party claims must be done to ensure that.
         """

warehouse/oidc/models.py

@@ -0,0 +1,144 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sentry_sdk
+
+from sqlalchemy import Column, ForeignKey, String, orm
+from sqlalchemy.dialects.postgresql import UUID
+
+from warehouse import db
+from warehouse.packaging.models import Project
+
+
+class OIDCProviderProjectAssociation(db.Model):
+    __tablename__ = "oidc_provider_project_association"
+
+    oidc_provider_id = Column(
+        UUID(as_uuid=True),
+        ForeignKey("oidc_providers.id"),
+        nullable=False,
+        primary_key=True,
+    )
+    project_id = Column(
+        UUID(as_uuid=True), ForeignKey("projects.id"), nullable=False, primary_key=True
+    )
+
+
+class OIDCProvider(db.Model):
+    __tablename__ = "oidc_providers"
+
+    discriminator = Column(String)
+    projects = orm.relationship(
+        Project,
+        secondary=OIDCProviderProjectAssociation.__table__,
+        backref="oidc_providers",
+    )
+
+    __mapper_args__ = {"polymorphic_on": discriminator}
+
+    # A map of claim names to "check" functions, each of which
+    # has the signature `check(ground-truth, signed-claim) -> bool`.
+    __verifiable_claims__ = dict()
+
+    # Claims that have already been verified during the JWT signature
+    # verification phase.
+    __preverified_claims__ = {
+        "iss",
+        "iat",
+        "nbf",
+        "exp",
+        "aud",
+    }
+
+    # Individual providers should explicitly override this set,
+    # indicating any custom claims that are known to be present but are
+    # not checked as part of verifying the JWT.
+    __unchecked_claims__ = set()
+
+    def verify_claims(self, signed_claims):
+        """
+        Given a JWT that has been successfully decoded (checked for a valid
+        signature and basic claims), verify it against the more specific
+        claims of this provider.
+        """
+
+        # Defensive programming: treat the absence of any claims to verify
+        # as a failure rather than trivially valid.
+        if not self.__verifiable_claims__:
+            return False
+
+        # All claims should be accounted for.
+        # The presence of an unaccounted claim is not an error, only a warning
+        # that the JWT payload has changed.
+        known_claims = self.__verifiable_claims__.keys().union(
+            self.__preverified_claims__, self.__unchecked_claims__
+        )
+        unaccounted_claims = known_claims.difference(signed_claims.keys())
+        if unaccounted_claims:
+            sentry_sdk.capture_message(
+                f"JWT for {self.__class__.__name__} has unaccounted claims: {unaccounted_claims}"
+            )
+
+        # Finally, perform the actual claim verification.
+        for claim_name, check in self.__verifiable_claims__.items():
+            if not check(self.getattr(claim_name), signed_claims[claim_name]):
+                return False
+
+        return True
+
+
+class GitHubProvider(OIDCProvider):
+    __tablename__ = "github_oidc_providers"
+    __mapper_args__ = {"polymorphic_identity": "GitHubProvider"}
+
+    id = Column(UUID(as_uuid=True), ForeignKey(OIDCProvider.id), primary_key=True)
+    repository_name = Column(String)
+    owner = Column(String)
+    owner_id = Column(String)
+    workflow_name = Column(String)
+
+    __verifiable_claims__ = {
+        "repository": str.__eq__,
+        "job_workflow_ref": str.startswith,
+        "actor": str.__eq__,
+        "workflow": str.__eq__,
+    }
+
+    __unchecked_claims__ = {
+        "jti",
+        "sub",
+        "ref",
+        "sha",
+        "run_id",
+        "run_number",
+        "run_attempt",
+        "head_ref",
+        "base_ref",
+        "event_name",
+        "ref_type",
+    }
+
+    @property
+    def repository(self):
+        return f"{self.owner}/{self.repository_name}"
+
+    @property
+    def job_workflow_ref(self):
+        return f"{self.repository}/.github/workflows/{self.workflow_name}.yml"
+
+    @property
+    def actor(self):
+        return self.owner
+
+    @property
+    def workflow(self):
+        return self.workflow_name

warehouse/oidc/services.py

@@ -12,11 +12,11 @@
 
 import json
 
+import jwt
 import redis
 import requests
 import sentry_sdk
 
-from jwt import PyJWK
 from zope.interface import implementer
 
 from warehouse.metrics.interfaces import IMetricsService
@@ -148,10 +148,51 @@ def get_key(self, key_id):
                 tags=[f"provider:{self.provider}", f"key_id:{key_id}"],
             )
             return None
-        return PyJWK(keyset[key_id])
+        return jwt.PyJWK(keyset[key_id])
 
-    def verify(self, token):
-        return NotImplemented
+    def _get_key_for_token(self, token):
+        """
+        Return a JWK suitable for verifying the given JWT.
+
+        The JWT is not verified at this point, and this step happens
+        prior to any verification.
+        """
+        unverified_header = jwt.get_unverified_header(token)
+        return self.get_key(unverified_header["kid"])
+
+    def verify_signature_only(self, token):
+        key = self._get_key_for_token(token)
+
+        try:
+            # NOTE: Many of the keyword arguments here are defaults, but we
+            # set them explicitly to assert the intended verification behavior.
+            valid_token = jwt.decode(
+                token,
+                key=key,
+                algorithms=["RS256"],
+                verify_signature=True,
+                # "require" only checks for the presence of these claims, not
+                # their validity. Each has a corresponding "verify_" kwarg
+                # that enforces their actual validity.
+                require=["iss", "iat", "nbf", "exp", "aud"],
+                verify_iss=True,
+                verify_iat=True,
+                verify_nbf=True,
+                verify_exp=True,
+                verify_aud=True,
+                issuer=self.issuer_url,
+                audience="pypi",
+                leeway=30,
+            )
+            return True, valid_token
+        except jwt.PyJWTError:
+            return False, None
+        except Exception as e:
+            # We expect pyjwt to only raise subclasses of PyJWTError, but
+            # we can't enforce this. Other exceptions indicate an abstraction
+            # leak, so we log them for upstream reporting.
+            sentry_sdk.capture_message(f"JWT verify raised generic error: {e}")
+            return False, None
 
 
 class OIDCProviderServiceFactory: