Verify also URLs of existing releases

facutuesca · facutuesca · commit 19d4e219c583 · 2024-07-19T17:58:00.000+02:00
diff --git a/tests/unit/forklift/test_legacy.py b/tests/unit/forklift/test_legacy.py
@@ -3815,11 +3815,11 @@ def failing_verify(_self, _verifier, _policy, _dist):
             ("https://google.com", False),  # Totally different
             ("https://github.com/foo", False),  # Missing parts
             ("https://github.com/foo/bar/", True),  # Exactly the same
-            ("https://github.com/foo/bar/readme.md", True),  # Additonal parts
+            ("https://github.com/foo/bar/readme.md", True),  # Additional parts
             ("https://github.com/foo/bar", True),  # Missing trailing slash
         ],
     )
-    def test_release_url_verified(
+    def test_new_release_url_verified(
         self, monkeypatch, pyramid_config, db_request, metrics, url, expected
     ):
         project = ProjectFactory.create()
@@ -3878,6 +3878,86 @@ def test_release_url_verified(
         assert release_url is not None
         assert release_url.verified == expected
 
+    def test_new_publisher_verifies_existing_release_url(
+        self,
+        monkeypatch,
+        pyramid_config,
+        db_request,
+        metrics,
+    ):
+        repo_name = "my_new_repo"
+        verified_url = "https://github.com/foo/bar"
+        unverified_url = f"https://github.com/foo/{repo_name}"
+
+        project = ProjectFactory.create()
+        release = ReleaseFactory.create(project=project, version="1.0")
+        # We start with an existing release, with one verified URL and one unverified
+        # URL. Uploading a new file with a Trusted Publisher that matches the unverified
+        # URL should mark it as verified.
+        release.project_urls = {
+            "verified_url": {"url": verified_url, "verified": True},
+            "unverified_url": {"url": unverified_url, "verified": False},
+        }
+        publisher = GitHubPublisherFactory.create(projects=[project])
+        publisher.repository_owner = "foo"
+        publisher.repository_name = repo_name
+        claims = {"sha": "somesha"}
+        identity = PublisherTokenContext(publisher, SignedClaims(claims))
+        db_request.oidc_publisher = identity.publisher
+        db_request.oidc_claims = identity.claims
+
+        db_request.db.add(Classifier(classifier="Environment :: Other Environment"))
+        db_request.db.add(Classifier(classifier="Programming Language :: Python"))
+
+        filename = "{}-{}.tar.gz".format(project.name, "1.0")
+
+        pyramid_config.testing_securitypolicy(identity=identity)
+        db_request.user_agent = "warehouse-tests/6.6.6"
+        db_request.POST = MultiDict(
+            {
+                "metadata_version": "1.2",
+                "name": project.name,
+                "version": "1.0",
+                "summary": "This is my summary!",
+                "filetype": "sdist",
+                "md5_digest": _TAR_GZ_PKG_MD5,
+                "content": pretend.stub(
+                    filename=filename,
+                    file=io.BytesIO(_TAR_GZ_PKG_TESTDATA),
+                    type="application/tar",
+                ),
+            }
+        )
+        db_request.POST.extend(
+            [
+                ("classifiers", "Environment :: Other Environment"),
+                ("classifiers", "Programming Language :: Python"),
+                ("requires_dist", "foo"),
+                ("requires_dist", "bar (>1.0)"),
+                ("requires_external", "Cheese (>1.0)"),
+                ("provides", "testing"),
+            ]
+        )
+        db_request.POST.add("project_urls", f"verified_url, {verified_url}")
+        db_request.POST.add("project_urls", f"unverified_url, {unverified_url}")
+
+        storage_service = pretend.stub(store=lambda path, filepath, meta: None)
+        db_request.find_service = lambda svc, name=None, context=None: {
+            IFileStorage: storage_service,
+            IMetricsService: metrics,
+        }.get(svc)
+
+        legacy.file_upload(db_request)
+
+        # After successful upload, the Release should have now both URLs verified
+        release_urls = (
+            db_request.db.query(ReleaseURL).filter(Release.project == project).all()
+        )
+        release_urls = {r.name: r.verified for r in release_urls}
+        assert "verified_url" in release_urls and "unverified_url" in release_urls
+        assert release_urls["verified_url"]
+        assert release_urls["unverified_url"]
+
     @pytest.mark.parametrize(
         "version, expected_version",
         [
diff --git a/warehouse/forklift/legacy.py b/warehouse/forklift/legacy.py
@@ -817,6 +817,7 @@ def file_upload(request):
         }
     )
     try:
+        is_new_release = False
         canonical_version = packaging.utils.canonicalize_version(meta.version)
         release = (
             request.db.query(Release)
@@ -908,6 +909,7 @@ def file_upload(request):
             uploaded_via=request.user_agent,
         )
         request.db.add(release)
+        is_new_release = True
 
         # TODO: This should be handled by some sort of database trigger or
         #       a SQLAlchemy hook or the like instead of doing it inline in
@@ -1307,6 +1309,19 @@ def file_upload(request):
                 },
             )
 
+    # For existing releases, we check if any of the existing project URLs are unverified
+    # and have been verified in the current upload. In that case, we mark them as
+    # verified.
+    if not is_new_release and project_urls:
+        for name, release_url in release._project_urls.items():
+            if (
+                not release_url.verified
+                and name in project_urls
+                and project_urls[name]["url"] == release_url.url
+                and project_urls[name]["verified"]
+            ):
+                release_url.verified = True
+
     # Check if the user has any 2FA methods enabled, and if not, email them.
     if request.user and not request.user.has_two_factor:
         warnings.append("Two factor authentication is not enabled for your account.")
diff --git a/warehouse/migrations/versions/26455e3712a2_create_verified_field_for_releaseurl.py b/warehouse/migrations/versions/26455e3712a2_create_verified_field_for_releaseurl.py
@@ -13,7 +13,7 @@
 create verified field for ReleaseUrl
 
 Revision ID: 26455e3712a2
-Revises: b14df478c48f
+Revises: bb6943882aa9
 Create Date: 2024-04-30 18:40:17.149050
 """
 
@@ -22,7 +22,7 @@
 from alembic import op
 
 revision = "26455e3712a2"
-down_revision = "b14df478c48f"
+down_revision = "bb6943882aa9"
 
 
 def upgrade():
