Check for existing Trusted Publishers before constraining existing one #17576
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
di
reviewed
Feb 7, 2025
warehouse/manage/views/__init__.py
Outdated
| else: | ||
| self.request.session.flash( | ||
| "Can only constrain the environment for GitHub and GitLab publishers", | ||
| queue="error", | ||
| ) | ||
| return self.default_response | ||
|
|
||
| # The user might have already manually created the new constrained publisher | ||
| # before clicking the magic link to constrain the existing publisher. | ||
| if self._check_publisher_exists_in_db(constrained_publisher): |
There was a problem hiding this comment.
Feels like this can be constrained_publisher.exists() instead or something similar, so a) the logic is per-publisher and b) this is easy to re-use elsewhere.
There was a problem hiding this comment.
Done! See the last commit
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR makes the following changes:
OIDCPublisherAddedevent, to make debugging easierMissing check
When a user uses a Trusted Publisher with no environment configured, from a CI running in a specific environment, we send them an email suggesting they constrain the TP to only accept the specific environment they just used (see #17281).
The email contains a magic link to constrain the existing TP. However, if the user manually creates a constrained TP after the warning email was sent, but before the magic link is clicked, we get an uncaught exception due to not checking for existing TPs.
Concretely, here's the sequence of events that would trigger the issue:
(owner, repo, workflow), but no environmentmy_env(owner, repo, workflow, my_env)(owner, repo, workflow, my_env)We add a check in
constrain_environment()that checks if the constrained publisher already exists before trying to add itExtra metadata in
OIDCPublisherAddedWe add two new additional fields to the
OIDCPublisherAddedevent:These should be self-explanatory. Additionally, we now add an event when reifying a pending trusted publisher, since before there were no events for it.
cc @di @woodruffw