Always remove pending publishers when project is created (#15020)

di · miketheman · web-flow · commit f37d932f52c2 · 2024-01-03T15:23:08.000-05:00
* Always remove pending publishers when project is created

* Fix failing organization test

* Update tests/unit/manage/views/test_organizations.py

Co-authored-by: Mike Fiedler &lt;miketheman@gmail.com&gt;

* Linting

---------

Co-authored-by: Mike Fiedler &lt;miketheman@gmail.com&gt;
diff --git a/tests/unit/manage/views/test_organizations.py b/tests/unit/manage/views/test_organizations.py
@@ -1590,11 +1590,13 @@ def test_add_organization_project_new_project(
         view = org_views.ManageOrganizationProjectsViews(organization, db_request)
         result = view.add_organization_project()
 
-        # The project was created, and belongs to the organization.
-        project = (
-            db_request.db.query(Project).filter_by(name="fakepackage").one_or_none()
-        )
-        assert project is not None
+        # The project was created
+        project = db_request.db.query(Project).filter_by(name="fakepackage").one()
+
+        # Refresh the project in the DB session to ensure it is not stale
+        db_request.db.refresh(project)
+
+        # The project belongs to the organization.
         assert project.organization == organization
 
         assert isinstance(result, HTTPSeeOther)
diff --git a/tests/unit/oidc/test_views.py b/tests/unit/oidc/test_views.py
@@ -25,6 +25,7 @@
 from warehouse.macaroons.interfaces import IMacaroonService
 from warehouse.oidc import errors, views
 from warehouse.oidc.interfaces import IOIDCPublisherService
+from warehouse.packaging import services
 from warehouse.rate_limiting.interfaces import IRateLimiter
 
 
@@ -322,7 +323,7 @@ def test_mint_token_from_pending_trusted_publisher_invalidates_others(
         lambda *a, **kw: None
     )
     monkeypatch.setattr(
-        views,
+        services,
         "send_pending_trusted_publisher_invalidated_email",
         send_pending_trusted_publisher_invalidated_email,
     )
diff --git a/warehouse/oidc/views.py b/warehouse/oidc/views.py
@@ -17,16 +17,13 @@
 from pydantic import BaseModel, StrictStr, ValidationError
 from pyramid.response import Response
 from pyramid.view import view_config
-from sqlalchemy import func
 
 from warehouse.admin.flags import AdminFlagValue
-from warehouse.email import send_pending_trusted_publisher_invalidated_email
 from warehouse.events.tags import EventTag
 from warehouse.macaroons import caveats
 from warehouse.macaroons.interfaces import IMacaroonService
 from warehouse.oidc.errors import InvalidPublisherError
 from warehouse.oidc.interfaces import IOIDCPublisherService
-from warehouse.oidc.models import PendingOIDCPublisher
 from warehouse.packaging.interfaces import IProjectService
 from warehouse.packaging.models import ProjectFactory
 from warehouse.rate_limiting.interfaces import IRateLimiter
@@ -126,14 +123,18 @@ def _invalid(errors):
                 ]
             )
 
-        # Create the new project, and reify the pending publisher against it.
+        # Create the new project
         project_service = request.find_service(IProjectService)
         new_project = project_service.create_project(
             pending_publisher.project_name,
             pending_publisher.added_by,
             request,
             ratelimited=False,
         )
+
+        # Creating the project will remove all pending publishers, EXCEPT the
+        # pending publisher created by the uploader. If such a pending
+        # publisher exists, reify it against the newly created project.
         oidc_service.reify_pending_publisher(pending_publisher, new_project)
 
         # Successfully converting a pending publisher into a normal publisher
@@ -142,25 +143,6 @@ def _invalid(errors):
         ratelimiters["user.oidc"].clear(pending_publisher.added_by.id)
         ratelimiters["ip.oidc"].clear(request.remote_addr)
 
-        # There might be other pending publishers for the same project name,
-        # which we've now invalidated by creating the project. These would
-        # be disposed of on use, but we explicitly dispose of them here while
-        # also sending emails to their owners.
-        stale_pending_publishers = (
-            request.db.query(PendingOIDCPublisher)
-            .filter(
-                func.normalize_pep426_name(PendingOIDCPublisher.project_name)
-                == func.normalize_pep426_name(pending_publisher.project_name)
-            )
-            .all()
-        )
-        for stale_publisher in stale_pending_publishers:
-            send_pending_trusted_publisher_invalidated_email(
-                request,
-                stale_publisher.added_by,
-                project_name=stale_publisher.project_name,
-            )
-            request.db.delete(stale_publisher)
     except InvalidPublisherError:
         # If the claim set isn't valid for a pending publisher, it's OK, we
         # will try finding a regular publisher
diff --git a/warehouse/packaging/services.py b/warehouse/packaging/services.py
@@ -25,10 +25,13 @@
 import google.api_core.retry
 import sentry_sdk
 
+from sqlalchemy import func
 from zope.interface import implementer
 
+from warehouse.email import send_pending_trusted_publisher_invalidated_email
 from warehouse.events.tags import EventTag
 from warehouse.metrics import IMetricsService
+from warehouse.oidc.models import PendingOIDCPublisher
 from warehouse.packaging.interfaces import (
     IDocsStorage,
     IFileStorage,
@@ -458,6 +461,28 @@ def create_project(
                 },
             )
 
+        # Remove all pending publishers not owned by the creator.
+        # There might be other pending publishers for the same project name,
+        # which we've now invalidated by creating the project. These would
+        # be disposed of on use, but we explicitly dispose of them here while
+        # also sending emails to their owners.
+        stale_pending_publishers = (
+            request.db.query(PendingOIDCPublisher)
+            .filter(
+                func.normalize_pep426_name(PendingOIDCPublisher.project_name)
+                == func.normalize_pep426_name(project.name),
+                PendingOIDCPublisher.added_by != creator,
+            )
+            .all()
+        )
+        for stale_publisher in stale_pending_publishers:
+            send_pending_trusted_publisher_invalidated_email(
+                request,
+                stale_publisher.added_by,
+                project_name=stale_publisher.project_name,
+            )
+            request.db.delete(stale_publisher)
+
         if ratelimited:
             self._hit_ratelimits(request, creator)
         return project

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@`
`25`	`25`	`from warehouse.macaroons.interfaces import IMacaroonService`
`26`	`26`	`from warehouse.oidc import errors, views`
`27`	`27`	`from warehouse.oidc.interfaces import IOIDCPublisherService`
	`28`	`+from warehouse.packaging import services`
`28`	`29`	`from warehouse.rate_limiting.interfaces import IRateLimiter`
`29`	`30`
`30`	`31`
`@@ -322,7 +323,7 @@ def test_mint_token_from_pending_trusted_publisher_invalidates_others(`
`322`	`323`	`lambda a, *kw: None`
`323`	`324`	`)`
`324`	`325`	`monkeypatch.setattr(`
`325`		`- views,`
	`326`	`+ services,`
`326`	`327`	`"send_pending_trusted_publisher_invalidated_email",`
`327`	`328`	`send_pending_trusted_publisher_invalidated_email,`
`328`	`329`	`)`