Merge branch 'refs/heads/main' into dm/store-attestations

# Conflicts:
#	warehouse/forklift/legacy.py

Author: DarkaMaul

.github/workflows/ci.yml

@@ -93,3 +93,41 @@ jobs:
           key: ${{ runner.os }}-mypy-${{ env.pythonLocation }}-${{ hashFiles('requirements.txt', 'requirements/*.txt') }}
       - name: Run ${{ matrix.name }}
         run: ${{ matrix.command }}
+
+  check_db:
+    name: Check Database Consistency
+    needs: build
+    runs-on: depot-ubuntu-22.04-arm
+    continue-on-error: true
+    container:
+      image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }}
+      credentials:
+        username: x-token
+        password: ${{ needs.build.outputs.token }}
+    services:
+      postgres:
+        image: postgres:16.1
+        ports:
+        - 5432:5432
+        env:
+          POSTGRES_DB: warehouse
+          POSTGRES_HOST_AUTH_METHOD: trust  # never do this in production!
+          POSTGRES_INITDB_ARGS: '--no-sync --set fsync=off --set full_page_writes=off'
+        # Set health checks to wait until postgres has started
+        options: --health-cmd "pg_isready --username=postgres --dbname=postgres" --health-interval 10s --health-timeout 5s --health-retries 5
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Dotenv Action
+        # We need to load the environment variables to run the CLI
+        id: dotenv
+        uses: falti/dotenv-action@v1
+        with:
+          path: dev/environment
+          export-variables: true
+          keys-case: upper
+      - name: Check Database
+        run: bin/db-check
+        env:
+          # override the hostname set in `dev/environment`
+          DATABASE_URL: 'postgresql+psycopg://postgres@postgres/warehouse'

Makefile

@@ -145,6 +145,9 @@ inittuf: .state/db-migrated
 runmigrations: .state/docker-build-base
 	docker compose run --rm web python -m warehouse db upgrade head
 
+checkdb: .state/docker-build-base
+	docker compose run --rm web bin/db-check
+
 reindex: .state/docker-build-base
 	docker compose run --rm web python -m warehouse search reindex
 
@@ -168,4 +171,4 @@ purge: stop clean
 stop:
 	docker compose stop
 
-.PHONY: default build serve resetdb initdb shell dbshell tests dev-docs user-docs deps clean purge debug stop compile-pot runmigrations
+.PHONY: default build serve resetdb initdb shell dbshell tests dev-docs user-docs deps clean purge debug stop compile-pot runmigrations checkdb

bin/db-check

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+# When on GitHub Actions, if a label is present on the PR, skip the check.
+if [ -n "$GITHUB_ACTIONS" ]; then
+  if [ -n "$GITHUB_EVENT_PATH" ]; then
+    if jq -e '.pull_request.labels | map(.name) | index("skip-db-check")' < "$GITHUB_EVENT_PATH" > /dev/null; then
+      echo "Skipping database check due to 'skip-db-check' label"
+      exit 0
+    fi
+  fi
+fi
+
+# Check for outstanding database migrations
+python -m warehouse db upgrade head
+python -m warehouse db check

tests/unit/cli/test_db.py

@@ -24,6 +24,7 @@
 import warehouse.db
 
 from warehouse.cli.db.branches import branches
+from warehouse.cli.db.check import check
 from warehouse.cli.db.current import current
 from warehouse.cli.db.downgrade import downgrade
 from warehouse.cli.db.heads import heads
@@ -299,6 +300,18 @@ def test_upgrade_command(monkeypatch, cli, pyramid_config):
     assert alembic_upgrade.calls == [pretend.call(alembic_config, "foo")]
 
 
+def test_check_command(monkeypatch, cli, pyramid_config):
+    alembic_check = pretend.call_recorder(lambda config: None)
+    monkeypatch.setattr(alembic.command, "check", alembic_check)
+
+    alembic_config = pretend.stub(attributes={})
+    pyramid_config.alembic_config = lambda: alembic_config
+
+    result = cli.invoke(check, obj=pyramid_config)
+    assert result.exit_code == 0
+    assert alembic_check.calls == [pretend.call(alembic_config)]
+
+
 def test_dbml_command(monkeypatch, cli):
     generate_dbml_file = pretend.call_recorder(lambda tables, path: None)
     monkeypatch.setattr(warehouse.cli.db.dbml, "generate_dbml_file", generate_dbml_file)

tests/unit/forklift/test_legacy.py

@@ -1961,7 +1961,9 @@ def test_upload_fails_with_existing_filename_diff_content(
                 ),
             }
         )
-
+        blake2_256_digest = hashlib.blake2b(
+            file_content.getvalue(), digest_size=256 // 8
+        ).hexdigest()
         db_request.db.add(
             FileFactory.create(
                 release=release,
@@ -1985,7 +1987,9 @@ def test_upload_fails_with_existing_filename_diff_content(
         assert db_request.help_url.calls == [pretend.call(_anchor="file-name-reuse")]
         assert resp.status_code == 400
         assert resp.status == (
-            "400 File already exists. See /the/help/url/ for more information."
+            f"400 File already exists ({filename!r}, "
+            f"with blake2_256 hash {blake2_256_digest!r}). "
+            "See /the/help/url/ for more information."
         )
 
     def test_upload_fails_with_diff_filename_same_blake2(
@@ -2017,15 +2021,16 @@ def test_upload_fails_with_diff_filename_same_blake2(
             }
         )
 
+        blake2_256_digest = hashlib.blake2b(
+            file_content.getvalue(), digest_size=256 // 8
+        ).hexdigest()
         db_request.db.add(
             FileFactory.create(
                 release=release,
                 filename=filename,
                 md5_digest=hashlib.md5(file_content.getvalue()).hexdigest(),
                 sha256_digest=hashlib.sha256(file_content.getvalue()).hexdigest(),
-                blake2_256_digest=hashlib.blake2b(
-                    file_content.getvalue(), digest_size=256 // 8
-                ).hexdigest(),
+                blake2_256_digest=blake2_256_digest,
                 path="source/{name[0]}/{name}/{filename}".format(
                     name=project.name, filename=filename
                 ),
@@ -2041,7 +2046,9 @@ def test_upload_fails_with_diff_filename_same_blake2(
         assert db_request.help_url.calls == [pretend.call(_anchor="file-name-reuse")]
         assert resp.status_code == 400
         assert resp.status == (
-            "400 File already exists. See /the/help/url/ for more information."
+            f"400 File already exists ({db_request.POST['content'].filename!r}, "
+            f"with blake2_256 hash {blake2_256_digest!r}). "
+            "See /the/help/url/ for more information."
         )
 
     @pytest.mark.parametrize(
@@ -4536,12 +4543,145 @@ def test_missing_trailing_slash_redirect(pyramid_request):
             "https://github.com",
             False,
         ),
-        (  # Publisher URL is None
-            "https://github.com/owner/project",
-            None,
+    ],
+)
+def test_verify_url_with_trusted_publisher(url, publisher_url, expected):
+    assert legacy._verify_url_with_trusted_publisher(url, publisher_url) == expected
+
+
+@pytest.mark.parametrize(
+    ("url", "project_name", "project_normalized_name", "expected"),
+    [
+        (  # PyPI /project/ case
+            "https://pypi.org/project/myproject",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # PyPI /p/ case
+            "https://pypi.org/p/myproject",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # pypi.python.org /project/ case
+            "https://pypi.python.org/project/myproject",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # pypi.python.org /p/ case
+            "https://pypi.python.org/p/myproject",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # python.org/pypi/  case
+            "https://python.org/pypi/myproject",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # PyPI /project/ case
+            "https://pypi.org/project/myproject",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # Normalized name differs from URL
+            "https://pypi.org/project/my_project",
+            "my_project",
+            "my-project",
+            True,
+        ),
+        (  # Normalized name same as URL
+            "https://pypi.org/project/my-project",
+            "my_project",
+            "my-project",
+            True,
+        ),
+        (  # Trailing slash
+            "https://pypi.org/project/myproject/",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # Domains are case insensitive
+            "https://PyPI.org/project/myproject",
+            "myproject",
+            "myproject",
+            True,
+        ),
+        (  # Paths are case-sensitive
+            "https://pypi.org/Project/myproject",
+            "myproject",
+            "myproject",
+            False,
+        ),
+        (  # Wrong domain
+            "https://example.com/project/myproject",
+            "myproject",
+            "myproject",
+            False,
+        ),
+        (  # Wrong path
+            "https://pypi.org/something/myproject",
+            "myproject",
+            "myproject",
+            False,
+        ),
+        (  # Path has extra components
+            "https://pypi.org/something/myproject/something",
+            "myproject",
+            "myproject",
+            False,
+        ),
+        (  # Wrong package name
+            "https://pypi.org/project/otherproject",
+            "myproject",
+            "myproject",
+            False,
+        ),
+        (  # Similar package name
+            "https://pypi.org/project/myproject",
+            "myproject2",
+            "myproject2",
+            False,
+        ),
+        (  # Similar package name
+            "https://pypi.org/project/myproject2",
+            "myproject",
+            "myproject",
             False,
         ),
     ],
 )
-def test_verify_url(url, publisher_url, expected):
-    assert legacy._verify_url(url, publisher_url) == expected
+def test_verify_url_pypi(url, project_name, project_normalized_name, expected):
+    assert (
+        legacy._verify_url_pypi(url, project_name, project_normalized_name) == expected
+    )
+
+
+def test_verify_url():
+    # `_verify_url` is just a helper function that calls `_verify_url_pypi` and
+    # `_verify_url_with_trusted_publisher`, where the actual verification logic lives.
+    assert legacy._verify_url(
+        url="https://pypi.org/project/myproject/",
+        publisher_url=None,
+        project_name="myproject",
+        project_normalized_name="myproject",
+    )
+
+    assert legacy._verify_url(
+        url="https://github.com/org/myproject/issues",
+        publisher_url="https://github.com/org/myproject",
+        project_name="myproject",
+        project_normalized_name="myproject",
+    )
+
+    assert not legacy._verify_url(
+        url="example.com",
+        publisher_url="https://github.com/or/myproject",
+        project_name="myproject",
+        project_normalized_name="myproject",
+    )

warehouse/cli/db/check.py

@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import alembic.command
+import click
+
+from warehouse.cli.db import db
+
+
+@db.command()
+@click.pass_obj
+def check(config):
+    """
+    Check if autogenerate will create new operations.
+    """
+    alembic.command.check(config.alembic_config())