feat: allow user to choose custom issuer for project (#18916)

* feat: allow user to choose custom issuer for project

If the project is owned by an organization and there is a custom issuer
configured, populate the form with the choices available.

---------

Signed-off-by: Mike Fiedler <miketheman@gmail.com>

Author: miketheman

tests/unit/accounts/test_views.py

@@ -4448,6 +4448,7 @@ def test_add_pending_oidc_publisher_invalid_form(
                         "workflow_filepath": "subfolder/some-workflow-filename.yml",
                         "environment": "some-environment",
                         "project_name": "some-project-name",
+                        "issuer_url": "https://gitlab.com",
                     }
                 ),
             ),
@@ -4638,6 +4639,7 @@ def test_add_pending_oidc_publisher_uniqueviolation(self, monkeypatch, db_reques
                         "workflow_filepath": "subfolder/some-workflow-filename.yml",
                         "environment": "some-environment",
                         "project_name": "some-project-name",
+                        "issuer_url": "https://gitlab.com",
                     }
                 ),
                 PendingGitLabPublisher,

tests/unit/manage/views/test_oidc_publishers.py

@@ -27,7 +27,7 @@
 
 class TestManageOIDCPublisherViews:
     def test_initializes(self, metrics):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         request = pretend.stub(
             find_service=pretend.call_recorder(lambda *a, **kw: metrics),
             registry=pretend.stub(
@@ -56,7 +56,7 @@ def test_initializes(self, metrics):
         ],
     )
     def test_ratelimiting(self, metrics, ip_exceeded, user_exceeded):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         user_rate_limiter = pretend.stub(
             hit=pretend.call_recorder(lambda *a, **kw: None),
             test=pretend.call_recorder(lambda uid: not user_exceeded),
@@ -115,7 +115,7 @@ def find_service(iface, name=None, context=None):
             view._check_ratelimits()
 
     def test_manage_project_oidc_publishers(self, monkeypatch):
-        project = pretend.stub(oidc_publishers=[])
+        project = pretend.stub(oidc_publishers=[], organization=None)
         request = pretend.stub(
             user=pretend.stub(),
             registry=pretend.stub(
@@ -157,7 +157,7 @@ def test_manage_project_oidc_publishers(self, monkeypatch):
     def test_manage_project_oidc_publishers_admin_disabled(
         self, monkeypatch, pyramid_request
     ):
-        project = pretend.stub(oidc_publishers=[])
+        project = pretend.stub(oidc_publishers=[], organization=None)
         pyramid_request.user = pretend.stub()
         pyramid_request.registry = pretend.stub(
             settings={
@@ -230,6 +230,7 @@ def test_manage_project_oidc_publishers_admin_disabled(
                     "project": "repo",
                     "workflow_filepath": "file.yml",
                     "environment": "my_env",
+                    "issuer_url": "https://gitlab.com",
                 },
             ),
             # All fields of Google provider
@@ -267,7 +268,7 @@ def test_manage_project_oidc_publishers_admin_disabled(
     def test_manage_project_oidc_publishers_prefill(
         self, monkeypatch, form_name, prefilled_data
     ):
-        project = pretend.stub(oidc_publishers=[])
+        project = pretend.stub(oidc_publishers=[], organization=None)
         request = pretend.stub(
             user=pretend.stub(),
             registry=pretend.stub(
@@ -350,7 +351,7 @@ def test_manage_project_oidc_publishers_prefill(
     def test_manage_project_oidc_publishers_prefill_partial(
         self, monkeypatch, missing_fields, prefilled_data, extra_fields
     ):
-        project = pretend.stub(oidc_publishers=[])
+        project = pretend.stub(oidc_publishers=[], organization=None)
         request = pretend.stub(
             user=pretend.stub(),
             registry=pretend.stub(
@@ -396,7 +397,7 @@ def test_manage_project_oidc_publishers_prefill_partial(
         assert view.github_publisher_form.data == expected_data
 
     def test_manage_project_oidc_publishers_prefill_unknown_provider(self, monkeypatch):
-        project = pretend.stub(oidc_publishers=[])
+        project = pretend.stub(oidc_publishers=[], organization=None)
         prefilled_data = {
             "provider": "github2",
             "owner": "owner",
@@ -649,7 +650,7 @@ def test_manage_project_oidc_publishers_constrain_environment_shared_publisher(
         ]
 
     def test_constrain_oidc_publisher_admin_disabled(self, monkeypatch):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         request = pretend.stub(
             method="POST",
             params=MultiDict(),
@@ -687,7 +688,7 @@ def test_constrain_oidc_publisher_admin_disabled(self, monkeypatch):
         ]
 
     def test_constrain_oidc_publisher_invalid_params(self, monkeypatch, metrics):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         request = pretend.stub(
             method="POST",
             params=MultiDict(),
@@ -727,7 +728,7 @@ def test_constrain_oidc_publisher_invalid_params(self, monkeypatch, metrics):
     def test_constrain_non_extant_oidc_publisher(
         self, monkeypatch, metrics, db_request
     ):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         db_request.method = "POST"
         db_request.POST = MultiDict(
             {
@@ -1051,6 +1052,7 @@ def test_constrain_environment_publisher_already_exists(
                     namespace=pretend.stub(data=publisher.namespace),
                     workflow_filepath=pretend.stub(data=publisher.workflow_filepath),
                     normalized_environment=publisher.environment,
+                    issuer_url=pretend.stub(data="https://gitlab.com"),
                 ),
             ),
             (
@@ -1100,6 +1102,7 @@ def test_add_oidc_publisher_preexisting(
         project = pretend.stub(
             name="fakeproject",
             oidc_publishers=[],
+            organization=None,
             record_event=pretend.call_recorder(lambda *a, **kw: None),
             users=[],
         )
@@ -1210,6 +1213,7 @@ def test_add_oidc_publisher_preexisting(
                     namespace=pretend.stub(data="fakeowner"),
                     workflow_filepath=pretend.stub(data="subfolder/fakeworkflow.yml"),
                     normalized_environment="some-environment",
+                    issuer_url=pretend.stub(data="https://gitlab.com"),
                 ),
                 pretend.stub(publisher_name="GitLab"),
             ),
@@ -1245,6 +1249,7 @@ def test_add_oidc_publisher_created(
         project = pretend.stub(
             name="fakeproject",
             oidc_publishers=[],
+            organization=None,
             record_event=pretend.call_recorder(lambda *a, **kw: None),
             users=[fakeuser],
         )
@@ -1385,6 +1390,7 @@ def test_add_oidc_publisher_created(
                         "project": "some-repository",
                         "workflow_filepath": "subfolder/some-workflow-filename.yml",
                         "environment": "some-environment",
+                        "issuer_url": "https://gitlab.com",
                     }
                 ),
             ),
@@ -1432,6 +1438,7 @@ def test_add_oidc_publisher_already_registered_with_project(
         project = pretend.stub(
             name="fakeproject",
             oidc_publishers=[publisher],
+            organization=None,
             record_event=pretend.call_recorder(lambda *a, **kw: None),
         )
 
@@ -1528,6 +1535,7 @@ def test_add_oidc_publisher_already_registered_after_normalization(
         project = pretend.stub(
             name="fakeproject",
             oidc_publishers=[publisher],
+            organization=None,
             record_event=pretend.call_recorder(lambda *a, **kw: None),
         )
 
@@ -1598,7 +1606,7 @@ def test_add_oidc_publisher_already_registered_after_normalization(
     def test_add_oidc_publisher_ratelimited(
         self, metrics, monkeypatch, view_name, publisher_name
     ):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
 
         request = pretend.stub(
             user=pretend.stub(),
@@ -1648,7 +1656,7 @@ def test_add_oidc_publisher_ratelimited(
     def test_add_oidc_publisher_admin_disabled(
         self, monkeypatch, view_name, publisher_name
     ):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         request = pretend.stub(
             user=pretend.stub(),
             find_service=lambda *a, **kw: None,
@@ -1691,7 +1699,7 @@ def test_add_oidc_publisher_admin_disabled(
     def test_add_oidc_publisher_invalid_form(
         self, metrics, monkeypatch, view_name, publisher_name
     ):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         request = pretend.stub(
             user=pretend.stub(),
             find_service=lambda *a, **kw: metrics,
@@ -1966,7 +1974,7 @@ def test_delete_oidc_publisher_entirely(self, monkeypatch, db_request, publisher
 
     def test_delete_oidc_publisher_invalid_form(self, metrics, monkeypatch):
         publisher = pretend.stub()
-        project = pretend.stub(oidc_publishers=[publisher])
+        project = pretend.stub(oidc_publishers=[publisher], organization=None)
         request = pretend.stub(
             user=pretend.stub(),
             find_service=lambda *a, **kw: metrics,
@@ -2020,6 +2028,7 @@ def test_delete_oidc_publisher_not_found(
 
         project = pretend.stub(
             oidc_publishers=[publisher],
+            organization=None,
             name="fakeproject",
             record_event=pretend.call_recorder(lambda *a, **kw: None),
         )
@@ -2074,7 +2083,7 @@ def test_delete_oidc_publisher_not_found(
         assert delete_publisher_form_obj.validate.calls == [pretend.call()]
 
     def test_delete_oidc_publisher_admin_disabled(self, monkeypatch):
-        project = pretend.stub()
+        project = pretend.stub(organization=None)
         request = pretend.stub(
             user=pretend.stub(),
             find_service=lambda *a, **kw: None,

tests/unit/oidc/forms/test_gitlab.py

@@ -26,13 +26,15 @@ def test_validate(self, project_service):
                 "project": "some-repo",
                 "workflow_filepath": "subfolder/some-workflow.yml",
                 "project_name": "some-project",
+                "issuer_url": "https://gitlab.com",
             }
         )
         form = gitlab.PendingGitLabPublisherForm(
             MultiDict(data),
             route_url=route_url,
             check_project_name=project_service.check_project_name,
             user=user,
+            issuer_url_choices=["https://gitlab.com"],
         )
 
         assert form._route_url == route_url
@@ -54,6 +56,7 @@ def test_validate_project_name_already_in_use_owner(
             route_url=route_url,
             check_project_name=project_service.check_project_name,
             user=user,
+            issuer_url_choices=["https://gitlab.com"],
         )
 
         field = pretend.stub(data="some-project")
@@ -66,7 +69,7 @@ def test_validate_project_name_already_in_use_owner(
             pretend.call(
                 "manage.project.settings.publishing",
                 project_name="some-project",
-                _query={"provider": {"gitlab"}},
+                _query={"issuer_url": "https://gitlab.com", "provider": {"gitlab"}},
             )
         ]
 
@@ -99,22 +102,27 @@ class TestGitLabPublisherForm:
                 "namespace": "some-owner",
                 "project": "some-repo",
                 "workflow_filepath": "subfolder/some-workflow.yml",
+                "issuer_url": "https://gitlab.com",
             },
             {
                 "namespace": "some-group/some-subgroup",
                 "project": "some-repo",
                 "workflow_filepath": "subfolder/some-workflow.yml",
+                "issuer_url": "https://gitlab.com",
             },
             # Leading/trailing whitespace is stripped from filepath
             {
                 "namespace": "some-group/some-subgroup",
                 "project": "some-repo",
                 "workflow_filepath": "  subfolder/some-workflow.yml  ",
+                "issuer_url": "https://gitlab.com",
             },
         ],
     )
     def test_validate(self, data):
-        form = gitlab.GitLabPublisherForm(MultiDict(data))
+        form = gitlab.GitLabPublisherForm(
+            MultiDict(data), issuer_url_choices=["https://gitlab.com"]
+        )
 
         # We're testing only the basic validation here.
         assert form.validate(), str(form.errors)

tests/unit/oidc/models/test_gitlab.py

@@ -5,6 +5,7 @@
 import pytest
 
 from tests.common.db.oidc import GitLabPublisherFactory, PendingGitLabPublisherFactory
+from tests.common.db.organizations import OrganizationOIDCIssuerFactory
 from warehouse.oidc import errors
 from warehouse.oidc.models import _core, gitlab
 
@@ -897,6 +898,58 @@ def test_exists(self, db_request, exists_in_db):
 
         assert publisher.exists(db_request.db) == exists_in_db
 
+    def test_get_available_issuer_urls_default(self):
+        """By default, there's a single known GitLab issuer URL."""
+        issuer_urls = gitlab.GitLabPublisher.get_available_issuer_urls()
+        assert issuer_urls == ["https://gitlab.com"]
+
+    def test_get_available_issuer_urls_custom(self, db_session):
+        """If a custom GitLab issuer URL is configured for the org, it is included."""
+        org_oidc_issuer = OrganizationOIDCIssuerFactory(issuer_type="gitlab")
+
+        issuer_urls = gitlab.GitLabPublisher.get_available_issuer_urls(
+            org_oidc_issuer.organization
+        )
+
+        assert issuer_urls == ["https://gitlab.com", org_oidc_issuer.issuer_url]
+
+    def test_get_available_issuer_urls_multiple_custom(self, db_session):
+        """
+        If multiple custom GitLab issuer URLs are configured for the org,
+        they are all included, and sorted alphabetically after the default.
+        """
+        org_oidc_issuer1 = OrganizationOIDCIssuerFactory(
+            issuer_type="gitlab", issuer_url="https://zzz.example.com"
+        )
+        org_oidc_issuer2 = OrganizationOIDCIssuerFactory(
+            organization=org_oidc_issuer1.organization,
+            issuer_type="gitlab",
+            issuer_url="https://aaa.example.com",
+        )
+
+        issuer_urls = gitlab.GitLabPublisher.get_available_issuer_urls(
+            org_oidc_issuer1.organization
+        )
+
+        assert issuer_urls == [
+            "https://gitlab.com",
+            org_oidc_issuer2.issuer_url,
+            org_oidc_issuer1.issuer_url,
+        ]
+
+    def test_get_available_issuer_urls_custom_non_gitlab(self, db_session):
+        """
+        If a custom OIDC issuer URL of a different type is configured for the org,
+        it is not included.
+        """
+        org_oidc_issuer = OrganizationOIDCIssuerFactory(issuer_type="github")
+
+        issuer_urls = gitlab.GitLabPublisher.get_available_issuer_urls(
+            org_oidc_issuer.organization
+        )
+
+        assert issuer_urls == ["https://gitlab.com"]
+
 
 class TestPendingGitLabPublisher:
     def test_reify_does_not_exist_yet(self, db_request):