-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warn users when GitHub/GitLab environments are not checked during Trusted Publishing #17281
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
# First we add the new trusted publisher | ||
if isinstance(publisher, GitHubPublisher): | ||
constrained_publisher = GitHubPublisher( | ||
repository_name=publisher.repository_name, | ||
repository_owner=publisher.repository_owner, | ||
repository_owner_id=publisher.repository_owner_id, | ||
workflow_filename=publisher.workflow_filename, | ||
environment=form.constrain_environment.data, | ||
) | ||
elif isinstance(publisher, GitLabPublisher): | ||
constrained_publisher = GitLabPublisher( | ||
namespace=publisher.namespace, | ||
project=publisher.project, | ||
workflow_filepath=publisher.workflow_filepath, | ||
environment=form.constrain_environment.data, | ||
) | ||
|
||
else: | ||
self.request.session.flash( | ||
"Can only constrain the environment for GitHub and GitLab publishers", | ||
queue="error", | ||
) | ||
return self.default_response | ||
|
||
if publisher.environment != "": | ||
self.request.session.flash( | ||
"Can only constrain the environment for publishers without an " | ||
"environment configured", | ||
queue="error", | ||
) | ||
return self.default_response | ||
|
||
self.request.db.add(constrained_publisher) | ||
self.request.db.flush() # ensure constrained_publisher.id is available | ||
self.project.oidc_publishers.append(constrained_publisher) | ||
|
||
self.project.record_event( | ||
tag=EventTag.Project.OIDCPublisherAdded, | ||
request=self.request, | ||
additional={ | ||
"publisher": constrained_publisher.publisher_name, | ||
"id": str(constrained_publisher.id), | ||
"specifier": str(constrained_publisher), | ||
"url": constrained_publisher.publisher_url(), | ||
"submitted_by": self.request.user.username, | ||
}, | ||
) | ||
|
||
# Then, we remove the old trusted publisher from the project | ||
# and, if there are no projects left associated with the publisher, | ||
# we delete it entirely. | ||
self.project.oidc_publishers.remove(publisher) | ||
if len(publisher.projects) == 0: | ||
self.request.db.delete(publisher) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might be missing something, but can we simplify this by modifying the publisher rather than creating a new one and deleting the old one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It wouldn't cover the case where the publisher is associated to more than one project: since the magic link is associated to a single project, it should only affect that project. And modifying a publisher would modify it for all associated projects.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah right, completely forgot about that case! It might be good to leave a comment to that effect (the current comment explains it indirectly, but an explicit one might stop an over-eager refactor 🙂)
What is this?
This PR adds two things:
This means changing a publisher that allows any environment so that it only accepts one.
The email suggests constraining the Trusted Publisher so that it only accepts the environment which was just used. The email also contains the magic link from (1), so that project owners can change the TP with only one click.
This fixes #17241
Details
Magic link
$MY_PROJECT
$PUBLISHER_ID
is a valid GitHub/GitLab publisher with no configured environment$MY_PROJECT
Email
** This is done in order to avoid confusion and edge cases: if a single Trusted Publisher is configured for multiple projects, to send an email during the token exchange we would need to send it to the owners of all the projects, which might be confusing if the token exchange was for the upload of a single project's release.
Screenshots
Email
Following the magic link
cc @woodruffw @sethmlarson @di