Merge branch 'main' into upload-attestations

docker-compose.yml

@@ -153,7 +153,7 @@ services:
   worker:
     image: warehouse:docker-compose
     pull_policy: never
-    command: hupper -m celery -A warehouse worker --beat --scheduler redbeat.RedBeatScheduler -l info
+    command: hupper --shutdown-interval 10 --reload-interval 10 -m celery -A warehouse worker --beat --scheduler redbeat.RedBeatScheduler -l info
     volumes:
       - ./warehouse:/opt/warehouse/src/warehouse:z
       - packages:/var/opt/warehouse/packages

requirements/main.txt

@@ -1541,12 +1541,12 @@ protobuf==4.25.3 \
     #   googleapis-common-protos
     #   grpcio-status
     #   proto-plus
-psycopg[c]==3.1.19 \
-    --hash=sha256:92d7b78ad82426cdcf1a0440678209faa890c6e1721361c2f8901f0dccd62961 \
-    --hash=sha256:dca5e5521c859f6606686432ae1c94e8766d29cc91f2ee595378c510cc5b0731
+psycopg[c]==3.2.1 \
+    --hash=sha256:dc8da6dc8729dacacda3cc2f17d2c9397a70a66cf0d2b69c91065d60d5f00cb7 \
+    --hash=sha256:ece385fb413a37db332f97c49208b36cf030ff02b199d7635ed2fbd378724175
     # via -r requirements/main.in
-psycopg-c==3.1.19 \
-    --hash=sha256:8e90f53c430e7d661cb3a9298e2761847212ead1b24c5fb058fc9d0fd9616017
+psycopg-c==3.2.1 \
+    --hash=sha256:2d09943cc8a855c42c1e23b4298957b7ce8f27bf3683258c52fd139f601f7cda
     # via psycopg
 pyasn1==0.6.0 \
     --hash=sha256:3a35ab2c4b5ef98e17dfdec8ab074046fbda76e281c5a706ccd82328cfc8f64c \

requirements/tests.txt

@@ -225,9 +225,9 @@ psutil==6.0.0 \
     --hash=sha256:fc8c9510cde0146432bbdb433322861ee8c3efbf8589865c8bf8d21cb30c4d14 \
     --hash=sha256:ffe7fc9b6b36beadc8c322f84e1caff51e8703b88eee1da46d1e3a6ae11b4fd0
     # via mirakuru
-psycopg==3.1.19 \
-    --hash=sha256:92d7b78ad82426cdcf1a0440678209faa890c6e1721361c2f8901f0dccd62961 \
-    --hash=sha256:dca5e5521c859f6606686432ae1c94e8766d29cc91f2ee595378c510cc5b0731
+psycopg==3.2.1 \
+    --hash=sha256:dc8da6dc8729dacacda3cc2f17d2c9397a70a66cf0d2b69c91065d60d5f00cb7 \
+    --hash=sha256:ece385fb413a37db332f97c49208b36cf030ff02b199d7635ed2fbd378724175
     # via pytest-postgresql
 pytest==8.2.2 \
     --hash=sha256:c434598117762e2bd304e526244f67bf66bbd7b5d6cf22138be51ff661980343 \

tests/unit/accounts/test_core.py

@@ -29,7 +29,7 @@
     database_login_factory,
 )
 from warehouse.accounts.tasks import compute_user_metrics
-from warehouse.accounts.utils import UserTokenContext
+from warehouse.accounts.utils import UserContext
 from warehouse.oidc.interfaces import SignedClaims
 from warehouse.oidc.models import OIDCPublisher
 from warehouse.oidc.utils import PublisherTokenContext
@@ -40,15 +40,16 @@
 
 
 class TestUser:
-    def test_with_user(self, db_request):
+    def test_with_user_context_no_macaroon(self, db_request):
         user = UserFactory.create()
-        request = pretend.stub(identity=user)
+        user_ctx = UserContext(user, None)
+        request = pretend.stub(identity=user_ctx)
 
         assert accounts._user(request) is user
 
-    def test_with_user_token_context(self, db_request):
+    def test_with_user_token_context_macaroon(self, db_request):
         user = UserFactory.create()
-        user_ctx = UserTokenContext(user, pretend.stub())
+        user_ctx = UserContext(user, pretend.stub())
         request = pretend.stub(identity=user_ctx)
 
         assert accounts._user(request) is user
@@ -107,7 +108,7 @@ class TestOrganizationAccess:
     def test_organization_access(self, db_session, identity, flag, orgs, expected):
         user = None if not identity else UserFactory()
         request = pretend.stub(
-            identity=user,
+            identity=UserContext(user, None),
             find_service=lambda interface, context=None: pretend.stub(
                 get_organizations_by_user=lambda x: orgs
             ),

tests/unit/accounts/test_security_policy.py

@@ -18,7 +18,7 @@
 from pyramid.interfaces import ISecurityPolicy
 from zope.interface.verify import verifyClass
 
-from warehouse.accounts import security_policy
+from warehouse.accounts import UserContext, security_policy
 from warehouse.accounts.interfaces import IUserService
 from warehouse.utils.security_policy import AuthenticationMethod
 
@@ -451,7 +451,7 @@ def test_identity(self, monkeypatch):
             remote_addr="1.2.3.4",
         )
 
-        assert policy.identity(request) is user
+        assert policy.identity(request).user is user
         assert request.authentication_method == AuthenticationMethod.SESSION
         assert session_helper_obj.authenticated_userid.calls == [pretend.call(request)]
         assert session_helper_cls.calls == [pretend.call()]
@@ -518,14 +518,15 @@ class TestPermits:
         "principals,expected", [("user:5", True), ("user:1", False)]
     )
     def test_acl(self, monkeypatch, policy_class, principals, expected):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-
         request = pretend.stub(
             flags=pretend.stub(enabled=lambda flag: False),
-            identity=pretend.stub(
-                __principals__=lambda: principals,
-                has_primary_verified_email=True,
-                has_two_factor=True,
+            identity=UserContext(
+                user=pretend.stub(
+                    __principals__=lambda: principals,
+                    has_primary_verified_email=True,
+                    has_two_factor=True,
+                ),
+                macaroon=None,
             ),
             matched_route=pretend.stub(name="random.route"),
         )
@@ -535,13 +536,14 @@ def test_acl(self, monkeypatch, policy_class, principals, expected):
         assert bool(policy.permits(request, context, "myperm")) == expected
 
     def test_permits_with_unverified_email(self, monkeypatch, policy_class):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-
         request = pretend.stub(
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=False,
-                has_two_factor=False,
+            identity=UserContext(
+                user=pretend.stub(
+                    __principals__=lambda: ["user:5"],
+                    has_primary_verified_email=False,
+                    has_two_factor=False,
+                ),
+                macaroon=None,
             ),
             matched_route=pretend.stub(name="manage.projects"),
         )
@@ -551,13 +553,14 @@ def test_permits_with_unverified_email(self, monkeypatch, policy_class):
         assert not policy.permits(request, context, "myperm")
 
     def test_permits_manage_projects_with_2fa(self, monkeypatch, policy_class):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-
         request = pretend.stub(
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=True,
-                has_two_factor=True,
+            identity=UserContext(
+                user=pretend.stub(
+                    __principals__=lambda: ["user:5"],
+                    has_primary_verified_email=True,
+                    has_two_factor=True,
+                ),
+                macaroon=None,
             ),
             matched_route=pretend.stub(name="manage.projects"),
         )
@@ -567,14 +570,15 @@ def test_permits_manage_projects_with_2fa(self, monkeypatch, policy_class):
         assert policy.permits(request, context, "myperm")
 
     def test_deny_manage_projects_without_2fa(self, monkeypatch, policy_class):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-
         request = pretend.stub(
             flags=pretend.stub(enabled=lambda flag: False),
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=True,
-                has_two_factor=False,
+            identity=UserContext(
+                user=pretend.stub(
+                    __principals__=lambda: ["user:5"],
+                    has_primary_verified_email=True,
+                    has_two_factor=False,
+                ),
+                macaroon=None,
             ),
             matched_route=pretend.stub(name="manage.projects"),
         )
@@ -584,14 +588,15 @@ def test_deny_manage_projects_without_2fa(self, monkeypatch, policy_class):
         assert not policy.permits(request, context, "myperm")
 
     def test_deny_forklift_file_upload_without_2fa(self, monkeypatch, policy_class):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-
         request = pretend.stub(
             flags=pretend.stub(enabled=lambda flag: False),
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=True,
-                has_two_factor=False,
+            identity=UserContext(
+                user=pretend.stub(
+                    __principals__=lambda: ["user:5"],
+                    has_primary_verified_email=True,
+                    has_two_factor=False,
+                ),
+                macaroon=None,
             ),
             matched_route=pretend.stub(name="forklift.legacy.file_upload"),
         )
@@ -614,13 +619,14 @@ def test_deny_forklift_file_upload_without_2fa(self, monkeypatch, policy_class):
     def test_permits_2fa_routes_without_2fa(
         self, monkeypatch, policy_class, matched_route
     ):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-
         request = pretend.stub(
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=True,
-                has_two_factor=False,
+            identity=UserContext(
+                user=pretend.stub(
+                    __principals__=lambda: ["user:5"],
+                    has_primary_verified_email=True,
+                    has_two_factor=False,
+                ),
+                macaroon=None,
             ),
             matched_route=pretend.stub(name=matched_route),
         )

tests/unit/forklift/test_legacy.py

@@ -37,7 +37,7 @@
 from trove_classifiers import classifiers
 from webob.multidict import MultiDict
 
-from warehouse.accounts.utils import UserTokenContext
+from warehouse.accounts.utils import UserContext
 from warehouse.admin.flags import AdminFlag, AdminFlagValue
 from warehouse.classifiers.models import Classifier
 from warehouse.forklift import legacy, metadata
@@ -975,7 +975,7 @@ def test_upload_escapes_nul_characters(self, pyramid_config, db_request):
 
         assert "\x00" not in db_request.POST["summary"]
 
-    @pytest.mark.parametrize("token_context", [True, False])
+    @pytest.mark.parametrize("macaroon_in_user_context", [True, False])
     @pytest.mark.parametrize(
         ("digests",),
         [
@@ -1004,7 +1004,7 @@ def test_successful_upload(
         pyramid_config,
         db_request,
         digests,
-        token_context,
+        macaroon_in_user_context,
         metrics,
     ):
         monkeypatch.setattr(tempfile, "tempdir", str(tmpdir))
@@ -1020,11 +1020,10 @@ def test_successful_upload(
         filename = f"{project.name}-{release.version}.tar.gz"
 
         db_request.user = user
-        if token_context:
-            user_context = UserTokenContext(user, pretend.stub())
-            pyramid_config.testing_securitypolicy(identity=user_context)
-        else:
-            pyramid_config.testing_securitypolicy(identity=user)
+        user_context = UserContext(
+            user, pretend.stub() if macaroon_in_user_context else None
+        )
+        pyramid_config.testing_securitypolicy(identity=user_context)
 
         db_request.user_agent = "warehouse-tests/6.6.6"
 
@@ -4480,7 +4479,7 @@ def test_upload_with_token_api_warns_if_trusted_publisher_configured(
                 [caveats.RequestUser(user_id=str(maintainer.id))],
                 user_id=maintainer.id,
             )
-            identity = UserTokenContext(maintainer, macaroon)
+            identity = UserContext(maintainer, macaroon)
         else:
             claims = {"sha": "somesha"}
             identity = PublisherTokenContext(publisher, SignedClaims(claims))

tests/unit/macaroons/test_caveats.py

@@ -20,7 +20,7 @@
 from pymacaroons import Macaroon
 
 from warehouse.accounts import _oidc_publisher
-from warehouse.accounts.utils import UserTokenContext
+from warehouse.accounts.utils import UserContext
 from warehouse.macaroons import caveats
 from warehouse.macaroons.caveats import (
     Caveat,
@@ -271,21 +271,32 @@ def test_verify_no_identity(self):
 
         assert result == Failure("token with user restriction without a user")
 
-    def test_verify_invalid_identity(self):
+    def test_verify_invalid_identity_no_user(self):
         caveat = RequestUser(user_id="invalid")
         result = caveat.verify(
             pretend.stub(identity=pretend.stub()), pretend.stub(), pretend.stub()
         )
 
         assert result == Failure("token with user restriction without a user")
 
+    def test_verify_invalid_identity_no_macaroon(self, db_request):
+        user = UserFactory.create()
+        user_context = UserContext(user, None)
+
+        caveat = RequestUser(user_id=str(user.id))
+        result = caveat.verify(
+            pretend.stub(identity=user_context), pretend.stub(), pretend.stub()
+        )
+
+        assert result == Failure("token with user restriction without a macaroon")
+
     def test_verify_invalid_user_id(self, db_request):
         user = UserFactory.create()
-        user_token_context = UserTokenContext(user, pretend.stub())
+        user_context = UserContext(user, pretend.stub())
 
         caveat = RequestUser(user_id="invalid")
         result = caveat.verify(
-            pretend.stub(identity=user_token_context), pretend.stub(), pretend.stub()
+            pretend.stub(identity=user_context), pretend.stub(), pretend.stub()
         )
 
         assert result == Failure(
@@ -294,11 +305,11 @@ def test_verify_invalid_user_id(self, db_request):
 
     def test_verify_ok(self, db_request):
         user = UserFactory.create()
-        user_token_context = UserTokenContext(user, pretend.stub())
+        user_context = UserContext(user, pretend.stub())
 
         caveat = RequestUser(user_id=str(user.id))
         result = caveat.verify(
-            pretend.stub(identity=user_token_context), pretend.stub(), pretend.stub()
+            pretend.stub(identity=user_context), pretend.stub(), pretend.stub()
         )
 
         assert result == Success()

tests/unit/macaroons/test_security_policy.py

@@ -20,7 +20,7 @@
 from zope.interface.verify import verifyClass
 
 from warehouse.accounts.interfaces import IUserService
-from warehouse.accounts.utils import UserTokenContext
+from warehouse.accounts.utils import UserContext
 from warehouse.authnz import Permissions
 from warehouse.macaroons import security_policy
 from warehouse.macaroons.interfaces import IMacaroonService
@@ -215,7 +215,7 @@ def test_identity_user(self, monkeypatch):
             ),
         )
 
-        assert policy.identity(request) == UserTokenContext(user, macaroon)
+        assert policy.identity(request) == UserContext(user, macaroon)
         assert extract_http_macaroon.calls == [pretend.call(request)]
         assert request.find_service.calls == [
             pretend.call(IMacaroonService, context=None),

tests/unit/macaroons/test_utils.py

@@ -13,12 +13,12 @@
 import pretend
 
 from tests.common.db.accounts import UserFactory
-from warehouse.accounts.utils import UserTokenContext
+from warehouse.accounts.utils import UserContext
 from warehouse.utils.security_policy import principals_for
 
 
-def test_usertoken_context_principals(db_request):
+def test_user_context_principals(db_request):
     user = UserFactory.create()
     assert principals_for(
-        UserTokenContext(user=user, macaroon=pretend.stub())
+        UserContext(user=user, macaroon=pretend.stub())
     ) == principals_for(user)