warehouse: PEP 740 models (#16625)

woodruffw · DarkaMaul · di · web-flow · commit cc0b96def5fd · 2024-09-11T10:24:50.000-04:00
* warehouse: PEP 740 models This is a breakout from #16624, to reduce the complexity/headache of zippered reverts. Signed-off-by: William Woodruff <william@trailofbits.com> * tests: AttestationFactory helper Signed-off-by: William Woodruff <william@trailofbits.com> * tests: attestation coverage Signed-off-by: William Woodruff <william@trailofbits.com> * switch to a Provenance model Signed-off-by: William Woodruff <william@trailofbits.com> * provenance model carries a digest Signed-off-by: William Woodruff <william@trailofbits.com> * remove unused factory Signed-off-by: William Woodruff <william@trailofbits.com> * use SHA-256 for provenance digest Signed-off-by: William Woodruff <william@trailofbits.com> * mark provenance column as deferred Signed-off-by: William Woodruff <william@trailofbits.com> * Add a ProvenanceFactory object and a simple test. * Revert "Add a ProvenanceFactory object and a simple test." This reverts commit 34ec661. * Update warehouse/packaging/models.py --------- Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Alexis <alexis.challande@trailofbits.com> Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
diff --git a/tests/unit/attestations/__init__.py b/tests/unit/attestations/__init__.py
@@ -0,0 +1,11 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/warehouse/attestations/__init__.py b/warehouse/attestations/__init__.py
@@ -0,0 +1,11 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/warehouse/attestations/models.py b/warehouse/attestations/models.py
@@ -0,0 +1,52 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from __future__ import annotations
+
+import typing
+
+from uuid import UUID
+
+from sqlalchemy import ForeignKey, orm
+from sqlalchemy.dialects.postgresql import CITEXT, JSONB
+from sqlalchemy.orm import Mapped, mapped_column
+
+from warehouse import db
+
+if typing.TYPE_CHECKING:
+    from warehouse.packaging.models import File
+
+
+class Provenance(db.Model):
+    """
+    A table for PEP 740 provenance objects.
+
+    Provenance objects contain one or more attestation objects.
+    These attestation objects are grouped into "bundles," each of which
+    contains one or more attestations along with the Trusted Publisher
+    identity that produced them.
+    """
+
+    __tablename__ = "provenance"
+
+    file_id: Mapped[UUID] = mapped_column(
+        ForeignKey("release_files.id", onupdate="CASCADE", ondelete="CASCADE"),
+    )
+    file: Mapped[File] = orm.relationship(back_populates="provenance")
+
+    # This JSONB has the structure of a PEP 740 provenance object.
+    provenance: Mapped[dict] = mapped_column(JSONB, nullable=False, deferred=True)
+
+    # The SHA-2/256 digest of the provenance object stored in this row.
+    # Postgres uses a compact binary representation under the hood and is
+    # unlikely to provide a permanently stable serialization, so this is the
+    # hash of the RFC 8785 serialization.
+    provenance_digest: Mapped[str] = mapped_column(CITEXT)
diff --git a/warehouse/migrations/versions/1b9ae6ec6ec0_add_provenance_table.py b/warehouse/migrations/versions/1b9ae6ec6ec0_add_provenance_table.py
@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+add provenance table
+
+Revision ID: 1b9ae6ec6ec0
+Revises: dcf1e3986782
+Create Date: 2024-09-03 23:39:30.853147
+"""
+
+import sqlalchemy as sa
+
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+revision = "1b9ae6ec6ec0"
+down_revision = "dcf1e3986782"
+
+
+def upgrade():
+    op.create_table(
+        "provenance",
+        sa.Column("file_id", sa.UUID(), nullable=False),
+        sa.Column(
+            "provenance", postgresql.JSONB(astext_type=sa.Text()), nullable=False
+        ),
+        sa.Column("provenance_digest", postgresql.CITEXT(), nullable=False),
+        sa.Column(
+            "id", sa.UUID(), server_default=sa.text("gen_random_uuid()"), nullable=False
+        ),
+        sa.ForeignKeyConstraint(
+            ["file_id"], ["release_files.id"], onupdate="CASCADE", ondelete="CASCADE"
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+
+
+def downgrade():
+    op.drop_table("provenance")
diff --git a/warehouse/packaging/models.py b/warehouse/packaging/models.py
@@ -62,6 +62,7 @@
 
 from warehouse import db
 from warehouse.accounts.models import User
+from warehouse.attestations.models import Provenance
 from warehouse.authnz import Permissions
 from warehouse.classifiers.models import Classifier
 from warehouse.events.models import HasEvents
@@ -839,6 +840,13 @@ def __table_args__(cls):  # noqa
         comment="If True, the metadata for the file cannot be backfilled.",
     )
 
+    # PEP 740
+    provenance: Mapped[Provenance] = orm.relationship(
+        cascade="all, delete-orphan",
+        lazy="joined",
+        passive_deletes=True,
+    )
+
     @property
     def uploaded_via_trusted_publisher(self) -> bool:
         """Return True if the file was uploaded via a trusted publisher."""
