Warn users when GitHub/GitLab environments are not checked during Trusted Publishing #17281
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
facutuesca
changed the title
facutuesca
changed the title
woodruffw
reviewed
Dec 14, 2024
warehouse/manage/views/__init__.py
Outdated
Comment on lines
1473
to
1526
| # First we add the new trusted publisher | ||
| if isinstance(publisher, GitHubPublisher): | ||
| constrained_publisher = GitHubPublisher( | ||
| repository_name=publisher.repository_name, | ||
| repository_owner=publisher.repository_owner, | ||
| repository_owner_id=publisher.repository_owner_id, | ||
| workflow_filename=publisher.workflow_filename, | ||
| environment=form.constrain_environment.data, | ||
| ) | ||
| elif isinstance(publisher, GitLabPublisher): | ||
| constrained_publisher = GitLabPublisher( | ||
| namespace=publisher.namespace, | ||
| project=publisher.project, | ||
| workflow_filepath=publisher.workflow_filepath, | ||
| environment=form.constrain_environment.data, | ||
| ) | ||
|
|
||
| else: | ||
| self.request.session.flash( | ||
| "Can only constrain the environment for GitHub and GitLab publishers", | ||
| queue="error", | ||
| ) | ||
| return self.default_response | ||
|
|
||
| if publisher.environment != "": | ||
| self.request.session.flash( | ||
| "Can only constrain the environment for publishers without an " | ||
| "environment configured", | ||
| queue="error", | ||
| ) | ||
| return self.default_response | ||
|
|
||
| self.request.db.add(constrained_publisher) | ||
| self.request.db.flush() # ensure constrained_publisher.id is available | ||
| self.project.oidc_publishers.append(constrained_publisher) | ||
|
|
||
| self.project.record_event( | ||
| tag=EventTag.Project.OIDCPublisherAdded, | ||
| request=self.request, | ||
| additional={ | ||
| "publisher": constrained_publisher.publisher_name, | ||
| "id": str(constrained_publisher.id), | ||
| "specifier": str(constrained_publisher), | ||
| "url": constrained_publisher.publisher_url(), | ||
| "submitted_by": self.request.user.username, | ||
| }, | ||
| ) | ||
|
|
||
| # Then, we remove the old trusted publisher from the project | ||
| # and, if there are no projects left associated with the publisher, | ||
| # we delete it entirely. | ||
| self.project.oidc_publishers.remove(publisher) | ||
| if len(publisher.projects) == 0: | ||
| self.request.db.delete(publisher) |
There was a problem hiding this comment.
I might be missing something, but can we simplify this by modifying the publisher rather than creating a new one and deleting the old one?
There was a problem hiding this comment.
It wouldn't cover the case where the publisher is associated to more than one project: since the magic link is associated to a single project, it should only affect that project. And modifying a publisher would modify it for all associated projects.
There was a problem hiding this comment.
Ah right, completely forgot about that case! It might be good to leave a comment to that effect (the current comment explains it indirectly, but an explicit one might stop an over-eager refactor 🙂)
di
reviewed
Jan 2, 2025
warehouse/templates/email/environment-ignored-in-trusted-publisher/body.html
Outdated
Show resolved
Hide resolved
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
facutuesca
force-pushed
the
ft/constrain-tp-environment
branch
from
5b0a592 to
81716d2
Compare
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
facutuesca
force-pushed
the
ft/constrain-tp-environment
branch
from
81716d2 to
3f3f993
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is this?
This PR adds two things:
This means changing a publisher that allows any environment so that it only accepts one.
The email suggests constraining the Trusted Publisher so that it only accepts the environment which was just used. The email also contains a link to the PyPI page to constrain the environment to the one used, so that project owners can just follow this link and confirm the change.
This fixes #17241
Details
UI/UX
$MY_PROJECT$PUBLISHER_IDis a valid GitHub/GitLab publisher with no configured environment$MY_PROJECTEmail
** This is done in order to avoid confusion and edge cases: if a single Trusted Publisher is configured for multiple projects, to send an email during the token exchange we would need to send it to the owners of all the projects, which might be confusing if the token exchange was for the upload of a single project's release.
Screenshots
Email
Confirmation modal
Action successful
cc @woodruffw @sethmlarson @di