Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC: Follow-up tasks #12915

Merged
merged 34 commits into from
Feb 22, 2023
Merged

OIDC: Follow-up tasks #12915

merged 34 commits into from
Feb 22, 2023

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Jan 31, 2023
edited
Loading

WIP; I'm going to use this PR to polish off all the remaining tasks listed in #11296.

Specific tasks:

  • Actually handling pending OIDC providers inside of mint-token
  • The provider pages should list existing providers first, followed by form(s) to add new providers
  • Both provider types should be listed under /manage/account/publishing
    - [ ] The admin app should provide a list of pending providers, and possibly some functionality for administering them

Closes #11296.

@woodruffw woodruffw self-assigned this Jan 31, 2023
@woodruffw
Copy link
Member Author

woodruffw commented Feb 1, 2023
edited
Loading

  • Both provider types should be listed under /manage/account/publishing

Hmm, this is going to be a little annoying: "normal" OIDC providers are conceptually untied to individual users and can be spread across multiple projects with disjoint maintainer sets, so removing a normal OIDC provider from the account view isn't well-defined: it isn't clear whether it means "remove the OIDC provider entirely" (probably not, since that might disable the provider for projects the user doesn't have permission to modify), or whether it means "remove the OIDC provider from some specific project" (probably, but then we need to duplicate the provider row N times for each project it occurs in).

The solution here might be to stop being overly clever with the OIDC provider data relations: rather than having a many-many relationship between [Project] <-> [OIDCProvider], we could ratchet things down to Project -> OIDCProvider and allow "duplicate" OIDC providers as duplicate DB entries. This would then mean that every project conceptually only has a single valid OIDC provider, although "equivalent" OIDC providers can be registered to multiple projects at once.

Edit: Actually, that doesn't work either: we need the provider -> [project] relationship to mint tokens with the right caveats.

Edit: Thinking about this more, maybe we can avoid the provider -> [project] relationship by bridging the gap at the claim and services level: rather than have each provider track the list of projects its registered to, each project has a single (non-unique) project registered to it. Then, the OIDCProviderService can do a claims -> [project] lookup that's completely transparent in terms of the underlying project/provider relationships.

The downside would then be that there'd be no OIDCProvider to directly record in events, which isn't great.

Edit: Or maybe all of this could be sidestepped by not trying to shoehorn the two different provider types into the exact same table -- I could just have them be two tables, one on top of the other (with the "normal" one not having delete buttons because it doesn't make sense in the account management view).

@woodruffw
Copy link
Member Author

9af0e13 has a rough sketch of the pending provider conversion -- we search for a pending provider matching the JWT, create a project for it if it doesn't exist, and then use that newly created project to register a "reified" copy of the provider so that we can subsequently issue a temporary API token.

woodruffw
woodruffw commented Feb 1, 2023
View reviewed changes
warehouse/oidc/views.py Outdated Show resolved Hide resolved
@woodruffw
Copy link
Member Author

woodruffw commented Feb 7, 2023
edited
Loading

Edit: Or maybe all of this could be sidestepped by not trying to shoehorn the two different provider types into the exact same table -- I could just have them be two tables, one on top of the other (with the "normal" one not having delete buttons because it doesn't make sense in the account management view).

Going with this one.

Edit: e161633

woodruffw
woodruffw commented Feb 8, 2023
View reviewed changes
warehouse/oidc/utils.py Outdated


def reify_pending_provider(
session, pending_provider: PendingOIDCProvider, remote_addr: str
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flagging for review: I plumbed the remote_addr through here since we need it for the various events we create, but it's a little out of place. The other option I could think of was plumbing the entire request in, but that felt a little strange as well (given that this util is called from the OIDCService).

@woodruffw woodruffw mentioned this pull request Feb 8, 2023
Closed
@woodruffw
Copy link
Member Author

This changeset is growing rapidly, so I'll do the admin app changes in another follow-up.

@woodruffw woodruffw marked this pull request as ready for review February 9, 2023 17:55
@woodruffw woodruffw requested a review from a team as a code owner February 9, 2023 17:55
@woodruffw
Copy link
Member Author

Lint is failing, for reasons that aren't immediately obvious to me:

+ python -m mypy -p warehouse
warehouse/oidc/models.py:328: error: Unexpected keyword argument "repository_name" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/models.py:328: error: Unexpected keyword argument "repository_owner" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/models.py:328: error: Unexpected keyword argument "repository_owner_id" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/models.py:328: error: Unexpected keyword argument "workflow_filename" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/models.py:328: error: Unexpected keyword argument "repository_name" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/models.py:328: error: Unexpected keyword argument "repository_owner" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/models.py:328: error: Unexpected keyword argument "repository_owner_id" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/models.py:328: error: Unexpected keyword argument "workflow_filename" for "GitHubProvider"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "GitHubProvider" defined here
warehouse/oidc/utils.py:69: error: "Type[Model]" has no attribute "workflow_filename"
warehouse/oidc/utils.py:93: error: Unexpected keyword argument "name" for "Project"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "Project" defined here
warehouse/oidc/utils.py:97: error: Unexpected keyword argument "name" for "JournalEntry"
warehouse/oidc/utils.py:100: error: "PendingOIDCProvider" has no attribute "added_by"; maybe "added_by_id"?
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:97: error: Unexpected keyword argument "action" for "JournalEntry"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:97: error: Unexpected keyword argument "submitted_by" for "JournalEntry"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:97: error: Unexpected keyword argument "submitted_from" for "JournalEntry"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:108: error: "PendingOIDCProvider" has no attribute "added_by"; maybe "added_by_id"?
warehouse/oidc/utils.py:112: error: Unexpected keyword argument "user" for "Role"
warehouse/oidc/utils.py:112: error: "PendingOIDCProvider" has no attribute "added_by"; maybe "added_by_id"?
/opt/hostedtoolcache/Python/3.11.1/x[64](https://github.com/pypi/warehouse/actions/runs/4137032670/jobs/7151688458#step:9:65)/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "Role" defined here
warehouse/oidc/utils.py:112: error: Unexpected keyword argument "project" for "Role"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "Role" defined here
warehouse/oidc/utils.py:112: error: Unexpected keyword argument "role_name" for "Role"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "Role" defined here
warehouse/oidc/utils.py:116: error: Unexpected keyword argument "name" for "JournalEntry"
warehouse/oidc/utils.py:118: error: "PendingOIDCProvider" has no attribute "added_by"; maybe "added_by_id"?
warehouse/oidc/utils.py:119: error: "PendingOIDCProvider" has no attribute "added_by"; maybe "added_by_id"?
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:116: error: Unexpected keyword argument "action" for "JournalEntry"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:116: error: Unexpected keyword argument "submitted_by" for "JournalEntry"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:116: error: Unexpected keyword argument "submitted_from" for "JournalEntry"
/opt/hostedtoolcache/Python/3.11.1/x64/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:127: error: "PendingOIDCProvider" has no attribute "added_by"; maybe "added_by_id"?
warehouse/oidc/utils.py:129: error: "PendingOIDCProvider" has no attribute "added_by"; maybe "added_by_id"?
warehouse/oidc/utils.py:134: error: "Project" has no attribute "oidc_providers"

@woodruffw woodruffw requested a review from di February 9, 2023 18:02
@woodruffw
Copy link
Member Author

In particular, this doesn't make sense to me:

warehouse/oidc/utils.py:116: error: Unexpected keyword argument "action" for "JournalEntry"
/opt/warehouse/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:116: error: Unexpected keyword argument "submitted_by" for "JournalEntry"
/opt/warehouse/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here
warehouse/oidc/utils.py:116: error: Unexpected keyword argument "submitted_from" for "JournalEntry"
/opt/warehouse/lib/python3.11/site-packages/mypy/typeshed/stdlib/builtins.pyi:90: note: "JournalEntry" defined here

That's from a JournalEntry(...) ctor call, but it's identical to other parts of the codebase (like forklift/legacy.py) where mypy doesn't complain. As far as I can tell, it isn't configured to ignore that file, either.

woodruffw
woodruffw commented Feb 14, 2023
View reviewed changes
warehouse/oidc/utils.py Outdated Show resolved Hide resolved
@woodruffw @di
tests, warehouse: simplify payload ValidationError
5e4e42d 
Have Pydantic do all the lifting.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
tests, warehouse: lintage
64f3dca 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
tests: lintage
36d1ab4 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
templates/*/publishing: invert
a719158 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
warehouse: make translations
d668195 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
warehouse/oidc: WIP pending conversion
865fb08 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
warehouse: TODO, NOTE
31198bd 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
templates: separate tables for providers
9725d2e 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
oidc: refactor token minting
4210ec6 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
warehouse/locale: make translations
355f1c8 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
tests, warehouse: reformat, fix tests
a28d790 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
warehouse: lintage
92c7904 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
tests, warehouse: lintage, coverage
1fb9fbd 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
tests: lintages
8e66aca 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
oidc/services: hints
c9391c6 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
oidc: hush mypy
2b204e0 
Signed-off-by: William Woodruff <[email protected]>
@di
Revert "oidc: hush mypy"
17fcaca 
This reverts commit e0cdd6a1336ec1f19e2180637c42253ea277f180.
@di
Remove type hints
1ccdccd
@di di force-pushed the tob-pending-oidc-followup branch from 00ac057 to 1ccdccd Compare February 16, 2023 22:45
di
di reviewed Feb 17, 2023
View reviewed changes
warehouse/forklift/legacy.py Outdated Show resolved Hide resolved
warehouse/oidc/models.py Outdated Show resolved Hide resolved
warehouse/oidc/utils.py Outdated Show resolved Hide resolved
warehouse/oidc/models.py Show resolved Hide resolved
warehouse/templates/manage/account/publishing.html Outdated Show resolved Hide resolved
@woodruffw
Copy link
Member Author

#13018 is merged, so I'll update here and resume.

@woodruffw
Merge branch 'main' into tob-pending-oidc-followup
f181d03
@woodruffw
oidc: simplify reification using ProjectService
49e1b97 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Merge branch 'main' into tob-pending-oidc-followup
415da6d
@woodruffw
oidc: use ProjectService correctly
faba872 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
oidc: lintage
096779c 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests, warehouse: pending OIDC invalidation email
baf47df 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Merge remote-tracking branch 'upstream/main' into tob-pending-oidc-fo…
f465364 
…llowup
@woodruffw
warehouse/locale: make translations
aeb8524 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests, warehouse: actually send emails
77b14a2 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests: lintage
89f8d5b 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests: coverage, fixage
378a184 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests: lintage
10f5b9c 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw requested a review from di February 22, 2023 16:26
woodruffw and others added 3 commits February 22, 2023 11:27
@woodruffw
legacy: remove old TODO
ce551cf 
Orphaned pending providers are now pruned during minting.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
warehouse: language, don't render empty table
1617165 
Signed-off-by: William Woodruff <[email protected]>
@di
Tweak email language
f2cc012
@di di merged commit 29e8063 into pypi:main Feb 22, 2023
@di di deleted the tob-pending-oidc-followup branch February 22, 2023 17:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@di di di approved these changes

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

"De novo" project creation via API tokens/OIDC
2 participants
@woodruffw @di