Remove per-project 2FA requirements (#15131)

* Remove per-project 2FA requirements

* Add back manage_2fa_required redirect

* Add migration

* Update translations

* Add back missing test case

Author: di

requirements/dev.txt

@@ -2,3 +2,4 @@ asyncudp>=0.7
 hupper>=1.9
 pip-tools>=1.0
 pyramid_debugtoolbar>=2.5
+pip-api

requirements/main.in

@@ -38,7 +38,6 @@ packaging_legacy
 paginate>=0.5.2
 paginate_sqlalchemy
 passlib>=1.6.4
-pip-api
 premailer
 psycopg[c]
 pycurl

requirements/main.txt

@@ -1158,10 +1158,6 @@ pastedeploy==3.1.0 \
     --hash=sha256:76388ad53a661448d436df28c798063108f70e994ddc749540d733cdbd1b38cf \
     --hash=sha256:9ddbaf152f8095438a9fe81f82c78a6714b92ae8e066bed418b6a7ff6a095a95
     # via plaster-pastedeploy
-pip-api==0.0.30 \
-    --hash=sha256:2a0314bd31522eb9ffe8a99668b0d07fee34ebc537931e7b6483001dbedcbdc9 \
-    --hash=sha256:a05df2c7aa9b7157374bcf4273544201a0c7bae60a9c65bcf84f3959ef3896f3
-    # via -r requirements/main.in
 plaster==1.1.2 \
     --hash=sha256:42992ab1f4865f1278e2ad740e8ad145683bb4022e03534265528f0c23c0df2d \
     --hash=sha256:f8befc54bf8c1147c10ab40297ec84c2676fa2d4ea5d6f524d9436a80074ef98
@@ -1789,10 +1785,6 @@ zxcvbn==4.4.28 \
     # via -r requirements/main.in
 
 # The following packages are considered to be unsafe in a requirements file:
-pip==23.3.2 \
-    --hash=sha256:5052d7889c1f9d05224cd41741acb7c5d6fa735ab34e339624a614eaaa7e7d76 \
-    --hash=sha256:7fd9972f96db22c8077a1ee2691b172c8089b17a5652a44494a9ecb0d78f9149
-    # via pip-api
 setuptools==69.0.3 \
     --hash=sha256:385eb4edd9c9d5c17540511303e39a147ce2fc04bc55289c322b9e5904fe2c05 \
     --hash=sha256:be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78

tests/unit/accounts/test_security_policy.py

@@ -586,136 +586,6 @@ def test_acl(self, monkeypatch, policy_class, principals, expected):
         policy = policy_class()
         assert bool(policy.permits(request, context, "myperm")) == expected
 
-    @pytest.mark.parametrize(
-        "mfa_required,has_mfa,expected",
-        [
-            (True, True, True),
-            (False, True, True),
-            (True, False, False),
-            (False, False, True),
-        ],
-    )
-    def test_2fa_owner_requires(
-        self, monkeypatch, policy_class, mfa_required, has_mfa, expected
-    ):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-        monkeypatch.setattr(security_policy, "TwoFactorRequireable", pretend.stub)
-
-        request = pretend.stub(
-            flags=pretend.stub(enabled=lambda flag: False),
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=True,
-                has_two_factor=has_mfa,
-                date_joined=datetime(2022, 8, 1),
-            ),
-            matched_route=pretend.stub(name="random.route"),
-            registry=pretend.stub(
-                settings={
-                    "warehouse.two_factor_requirement.enabled": True,
-                    "warehouse.two_factor_mandate.enabled": False,
-                    "warehouse.two_factor_mandate.available": False,
-                }
-            ),
-        )
-        context = pretend.stub(
-            __acl__=[(Allow, "user:5", "myperm")], owners_require_2fa=mfa_required
-        )
-
-        policy = policy_class()
-        assert bool(policy.permits(request, context, "myperm")) == expected
-
-    @pytest.mark.parametrize(
-        "mfa_required,has_mfa,expected",
-        [
-            (True, True, True),
-            (False, True, True),
-            (True, False, False),
-            (False, False, True),
-        ],
-    )
-    def test_2fa_pypi_mandates_2fa(
-        self, monkeypatch, policy_class, mfa_required, has_mfa, expected
-    ):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-        monkeypatch.setattr(security_policy, "TwoFactorRequireable", pretend.stub)
-
-        request = pretend.stub(
-            flags=pretend.stub(enabled=lambda flag: False),
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=True,
-                has_two_factor=has_mfa,
-                date_joined=datetime(2022, 8, 1),
-            ),
-            matched_route=pretend.stub(name="random.route"),
-            registry=pretend.stub(
-                settings={
-                    "warehouse.two_factor_requirement.enabled": False,
-                    "warehouse.two_factor_mandate.enabled": True,
-                    "warehouse.two_factor_mandate.available": False,
-                }
-            ),
-        )
-        context = pretend.stub(
-            __acl__=[(Allow, "user:5", "myperm")], pypi_mandates_2fa=mfa_required
-        )
-
-        policy = policy_class()
-        assert bool(policy.permits(request, context, "myperm")) == expected
-
-    @pytest.mark.parametrize(
-        "mfa_required,has_mfa,expected",
-        [
-            (True, True, True),
-            (False, True, True),
-            (True, False, False),
-            (False, False, True),
-        ],
-    )
-    def test_2fa_pypi_mandates_2fa_with_warning(
-        self, monkeypatch, policy_class, mfa_required, has_mfa, expected
-    ):
-        monkeypatch.setattr(security_policy, "User", pretend.stub)
-        monkeypatch.setattr(security_policy, "TwoFactorRequireable", pretend.stub)
-
-        request = pretend.stub(
-            flags=pretend.stub(enabled=lambda flag: False),
-            identity=pretend.stub(
-                __principals__=lambda: ["user:5"],
-                has_primary_verified_email=True,
-                has_two_factor=has_mfa,
-                date_joined=datetime(2022, 8, 1),
-            ),
-            matched_route=pretend.stub(name="random.route"),
-            registry=pretend.stub(
-                settings={
-                    "warehouse.two_factor_requirement.enabled": False,
-                    "warehouse.two_factor_mandate.enabled": False,
-                    "warehouse.two_factor_mandate.available": True,
-                }
-            ),
-            session=pretend.stub(flash=pretend.call_recorder(lambda msg, queue: None)),
-        )
-        context = pretend.stub(
-            __acl__=[(Allow, "user:5", "myperm")], pypi_mandates_2fa=mfa_required
-        )
-
-        policy = policy_class()
-        assert bool(policy.permits(request, context, "myperm"))
-
-        if not expected:
-            assert request.session.flash.calls == [
-                pretend.call(
-                    "This project is included in PyPI's two-factor mandate "
-                    "for critical projects. In the future, you will be unable to "
-                    "perform this action without enabling 2FA for your account",
-                    queue="warning",
-                )
-            ]
-        else:
-            assert request.session.flash.calls == []
-
     def test_permits_with_unverified_email(self, monkeypatch, policy_class):
         monkeypatch.setattr(security_policy, "User", pretend.stub)
 

tests/unit/cli/test_two_factor.py

@@ -807,16 +807,6 @@ def test_validate_name_with_organization(self):
         ]
 
 
-class TestToggle2FARequirementForm:
-    def test_creation(self):
-        # TODO
-        pass
-
-    def test_validate(self):
-        # TODO
-        pass
-
-
 class TestSaveOrganizationNameForm:
     def test_save(self, pyramid_request):
         pyramid_request.POST = MultiDict({"name": "my_org_name"})