wip

Author: sj26

warehouse/accounts/views.py

@@ -77,9 +77,14 @@
 from warehouse.events.tags import EventTag
 from warehouse.metrics.interfaces import IMetricsService
 from warehouse.oidc.forms import DeletePublisherForm
+from warehouse.oidc.forms.buildkite import PendingBuildkitePublisherForm
 from warehouse.oidc.forms.github import PendingGitHubPublisherForm
 from warehouse.oidc.interfaces import TooManyOIDCRegistrations
-from warehouse.oidc.models import PendingGitHubPublisher, PendingOIDCPublisher
+from warehouse.oidc.models import (
+    PendingBuildkitePublisher,
+    PendingGitHubPublisher,
+    PendingOIDCPublisher,
+)
 from warehouse.organizations.interfaces import IOrganizationService
 from warehouse.organizations.models import OrganizationRole, OrganizationRoleType
 from warehouse.packaging.models import (
@@ -1488,6 +1493,13 @@ def _check_ratelimits(self):
                 )
             )
 
+    @property
+    def pending_buildkite_publisher_form(self):
+        return PendingBuildkitePublisherForm(
+            self.request.POST,
+            project_factory=self.project_factory
+        )
+
     @property
     def pending_github_publisher_form(self):
         return PendingGitHubPublisherForm(
@@ -1499,6 +1511,7 @@ def pending_github_publisher_form(self):
     @property
     def default_response(self):
         return {
+            "pending_buildkite_publisher_form": self.pending_buildkite_publisher_form,
             "pending_github_publisher_form": self.pending_github_publisher_form,
         }
 

warehouse/migrations/versions/8c83f0a1d70e_add_buildkite_oidc_models.py

@@ -0,0 +1,95 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+Add Buildkite OIDC models
+
+Revision ID: 8c83f0a1d70e
+Revises: 186f076eb60b
+Create Date: 2023-10-27 09:20:18.030874
+"""
+
+import sqlalchemy as sa
+
+from alembic import op
+
+revision = "8c83f0a1d70e"
+down_revision = "186f076eb60b"
+
+# Note: It is VERY important to ensure that a migration does not lock for a
+#       long period of time and to ensure that each individual migration does
+#       not break compatibility with the *previous* version of the code base.
+#       This is because the migrations will be ran automatically as part of the
+#       deployment process, but while the previous version of the code is still
+#       up and running. Thus backwards incompatible changes must be broken up
+#       over multiple migrations inside of multiple pull requests in order to
+#       phase them in over multiple deploys.
+#
+#       By default, migrations cannot wait more than 4s on acquiring a lock
+#       and each individual statement cannot take more than 5s. This helps
+#       prevent situations where a slow migration takes the entire site down.
+#
+#       If you need to increase this timeout for a migration, you can do so
+#       by adding:
+#
+#           op.execute("SET statement_timeout = 5000")
+#           op.execute("SET lock_timeout = 4000")
+#
+#       To whatever values are reasonable for this migration as part of your
+#       migration.
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "buildkite_oidc_publishers",
+        sa.Column("id", sa.UUID(), nullable=False),
+        sa.Column("organization_slug", sa.String(), nullable=False),
+        sa.Column("pipeline_slug", sa.String(), nullable=False),
+        sa.Column("build_branch", sa.String(), nullable=False),
+        sa.Column("build_tag", sa.String(), nullable=False),
+        sa.Column("step_key", sa.String(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["id"],
+            ["oidc_publishers.id"],
+        ),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint(
+            "organization_slug", "pipeline_slug", name="_buildkite_oidc_publisher_uc"
+        ),
+    )
+    op.create_table(
+        "pending_buildkite_oidc_publishers",
+        sa.Column("id", sa.UUID(), nullable=False),
+        sa.Column("organization_slug", sa.String(), nullable=False),
+        sa.Column("pipeline_slug", sa.String(), nullable=False),
+        sa.Column("build_branch", sa.String(), nullable=False),
+        sa.Column("build_tag", sa.String(), nullable=False),
+        sa.Column("step_key", sa.String(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["id"],
+            ["pending_oidc_publishers.id"],
+        ),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint(
+            "organization_slug",
+            "pipeline_slug",
+            name="_pending_buildkite_oidc_publisher_uc",
+        ),
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table("pending_buildkite_oidc_publishers")
+    op.drop_table("buildkite_oidc_publishers")
+    # ### end Alembic commands ###

warehouse/oidc/forms/buildkite.py

@@ -0,0 +1,88 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import re
+
+import requests
+import sentry_sdk
+import wtforms
+
+from warehouse import forms
+from warehouse.i18n import localize as _
+from warehouse.utils.project import PROJECT_NAME_RE
+
+_VALID_BUILDKITE_SLUG = re.compile(r"^[a-zA-Z0-9]+[a-zA-Z0-9\-]*$")
+
+
+class BuildkitePublisherBase(forms.Form):
+    __params__ = [
+        "organization_slug",
+        "pipeline_slug",
+        "build_branch",
+        "build_tag",
+        "step_key",
+    ]
+
+    organization_slug = wtforms.StringField(
+        validators=[
+            wtforms.validators.InputRequired(
+                message=_("Specify Buildkite organization slug"),
+            ),
+            wtforms.validators.Regexp(
+                _VALID_BUILDKITE_SLUG, message=_("Invalid pipeline slug")
+            ),
+        ]
+    )
+
+    repository = wtforms.StringField(
+        validators=[
+            wtforms.validators.InputRequired(
+                message=_("Specify Buildkite pipeline slug"),
+            ),
+            wtforms.validators.Regexp(
+                _VALID_BUILDKITE_SLUG, message=_("Invalid pipeline slug")
+            ),
+        ]
+    )
+
+    build_branch = wtforms.StringField(validators=[wtforms.validators.Optional()])
+    build_tag = wtforms.StringField(validators=[wtforms.validators.Optional()])
+    step_key = wtforms.StringField(validators=[wtforms.validators.Optional()])
+
+
+class PendingBuildkitePublisherForm(BuildkitePublisherBase):
+    __params__ = BuildkitePublisherBase.__params__ + ["project_name"]
+
+    project_name = wtforms.StringField(
+        validators=[
+            wtforms.validators.InputRequired(message=_("Specify project name")),
+            wtforms.validators.Regexp(
+                PROJECT_NAME_RE, message=_("Invalid project name")
+            ),
+        ]
+    )
+
+    def __init__(self, *args, project_factory, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._project_factory = project_factory
+
+    def validate_project_name(self, field):
+        project_name = field.data
+
+        if project_name in self._project_factory:
+            raise wtforms.validators.ValidationError(
+                _("This project name is already in use")
+            )
+
+
+class BuildkitePublisherForm(BuildkitePublisherBase):
+    pass

warehouse/oidc/models/__init__.py

@@ -11,14 +11,17 @@
 # limitations under the License.
 
 from warehouse.oidc.models._core import OIDCPublisher, PendingOIDCPublisher
+from warehouse.oidc.models.buildkite import BuildkitePublisher, PendingBuildkitePublisher
 from warehouse.oidc.models.github import GitHubPublisher, PendingGitHubPublisher
 from warehouse.oidc.models.google import GooglePublisher, PendingGooglePublisher
 
 __all__ = [
     "OIDCPublisher",
     "PendingOIDCPublisher",
+    "PendingBuildkitePublisher",
     "PendingGitHubPublisher",
     "PendingGooglePublisher",
+    "BuildkitePublisher",
     "GitHubPublisher",
     "GooglePublisher",
 ]