Add SemaphoreCI OIDC trusted provider support

tests/common/constants.py

@@ -1,5 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
+import jwt
+
 # Pytest Fixture Constants
 
 REMOTE_ADDR = "1.2.3.4"
@@ -182,3 +184,44 @@
     "CJraWQiOiJmMTMzOGNhMjY4MzU4NjNmNjcxNDAzOTQxNzM4YTdiNDllNzQwZmMwIiwidH"
     "lwIjoiSldUIn0.wlPNSE6eTFvznJawgpa6cHC3a8sU5_VBH8si9h-sgi0"
 )
+
+"""
+    {
+    "iss": "https://example-org.semaphoreci.com",
+    "aud": "pypi",
+    "jti": "test-jti",
+    "org": "example-org",
+    "org_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+    "prj": "example-project",
+    "prj_id": "b2c3d4e5-f6a7-8901-bcde-f01234567891",
+    "repo": "myrepo",
+    "repo_slug": "owner/myrepo",
+    "sub": "org:example-org:project:uuid:repo:myrepo:ref_type:branch:ref:main",
+    "ref": "main",
+    "ref_type": "branch",
+    "iat": 1650663865,
+    "nbf": 1650663265,
+    "exp": 1650664165
+    }
+"""
+DUMMY_SEMAPHORE_OIDC_JWT = jwt.encode(
+    {
+        "iss": "https://example-org.semaphoreci.com",
+        "aud": "pypi",
+        "jti": "test-jti",
+        "org": "example-org",
+        "org_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+        "prj": "example-project",
+        "prj_id": "b2c3d4e5-f6a7-8901-bcde-f01234567891",
+        "repo": "myrepo",
+        "repo_slug": "owner/myrepo",
+        "sub": "org:example-org:project:uuid:repo:myrepo:ref_type:branch:ref:main",
+        "ref": "main",
+        "ref_type": "branch",
+        "iat": 1650663865,
+        "nbf": 1650663265,
+        "exp": 1650664165,
+    },
+    "secret",
+    algorithm="HS256",
+)

tests/common/db/oidc.py

@@ -12,6 +12,8 @@
     PendingGitHubPublisher,
     PendingGitLabPublisher,
     PendingGooglePublisher,
+    PendingSemaphorePublisher,
+    SemaphorePublisher,
 )
 
 from .accounts import UserFactory
@@ -122,3 +124,33 @@ class Meta:
     actor = factory.Faker("pystr", max_chars=12)
     actor_id = factory.Faker("uuid4")
     added_by = factory.SubFactory(UserFactory)
+
+
+class SemaphorePublisherFactory(WarehouseFactory):
+    class Meta:
+        model = SemaphorePublisher
+
+    id = factory.Faker("uuid4", cast_to=None)
+    organization = factory.Faker("pystr", max_chars=12)
+    semaphore_organization_id = factory.Faker("uuid4")
+    project = factory.Faker("pystr", max_chars=12)
+    semaphore_project_id = factory.Faker("uuid4")
+    repo_slug = factory.LazyAttribute(
+        lambda obj: f"{obj.organization}/{obj.project}-repo"
+    )
+
+
+class PendingSemaphorePublisherFactory(WarehouseFactory):
+    class Meta:
+        model = PendingSemaphorePublisher
+
+    id = factory.Faker("uuid4", cast_to=None)
+    project_name = factory.Faker("pystr", max_chars=12)
+    organization = factory.Faker("pystr", max_chars=12)
+    semaphore_organization_id = factory.Faker("uuid4")
+    project = factory.Faker("pystr", max_chars=12)
+    semaphore_project_id = factory.Faker("uuid4")
+    repo_slug = factory.LazyAttribute(
+        lambda obj: f"{obj.organization}/{obj.project}-repo"
+    )
+    added_by = factory.SubFactory(UserFactory)

tests/unit/oidc/forms/test_semaphore.py

@@ -0,0 +1,262 @@
+# SPDX-License-Identifier: Apache-2.0
+
+import pretend
+
+from webob.multidict import MultiDict
+
+from warehouse.oidc import forms
+
+
+class TestPendingSemaphorePublisherForm:
+    def test_validate(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "semaphore_organization_id": "org-id-1234",
+                    "project": "example-project",
+                    "semaphore_project_id": "proj-id-5678",
+                    "repo_slug": "owner/repo",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert form.validate()
+
+    def test_validate_organization_required(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "project": "example-project",
+                    "repo_slug": "owner/repo",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert not form.validate()
+        assert "organization" in form.errors
+
+    def test_validate_project_required(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "repo_slug": "owner/repo",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert not form.validate()
+        assert "project" in form.errors
+
+    def test_validate_repo_slug_required(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "project": "example-project",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert not form.validate()
+        assert "repo_slug" in form.errors
+
+    def test_validate_repo_slug_format(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "project": "example-project",
+                    "repo_slug": "invalid-format",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert not form.validate()
+        assert "repo_slug" in form.errors
+
+    def test_validate_organization_format(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "invalid org!",
+                    "project": "example-project",
+                    "repo_slug": "owner/repo",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert not form.validate()
+        assert "organization" in form.errors
+
+    def test_validate_organization_id_required(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "project": "example-project",
+                    "semaphore_project_id": "proj-id-5678",
+                    "repo_slug": "owner/repo",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert not form.validate()
+        assert "semaphore_organization_id" in form.errors
+
+    def test_validate_project_id_required(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "semaphore_organization_id": "org-id-1234",
+                    "project": "example-project",
+                    "repo_slug": "owner/repo",
+                    "project_name": "example-pypi-project",
+                }
+            ),
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert not form.validate()
+        assert "semaphore_project_id" in form.errors
+
+    def test_provider_property(self, pyramid_request):
+        form = forms.PendingSemaphorePublisherForm(
+            data={
+                "organization": "example-org",
+                "organization_id": "org-id-1234",
+                "project": "example-project",
+                "project_id": "proj-id-5678",
+                "repo_slug": "owner/repo",
+                "project_name": "example-pypi-project",
+            },
+            route_url=pyramid_request.route_url,
+            check_project_name=lambda name: True,
+            user=pretend.stub(),
+        )
+
+        assert form.provider == "semaphore"
+
+
+class TestSemaphorePublisherForm:
+    def test_validate(self):
+        form = forms.SemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "semaphore_organization_id": "org-id-1234",
+                    "project": "example-project",
+                    "semaphore_project_id": "proj-id-5678",
+                    "repo_slug": "owner/repo",
+                }
+            )
+        )
+
+        assert form.validate()
+
+    def test_validate_organization_required(self):
+        form = forms.SemaphorePublisherForm(
+            MultiDict(
+                {
+                    "semaphore_organization_id": "org-id-1234",
+                    "project": "example-project",
+                    "semaphore_project_id": "proj-id-5678",
+                    "repo_slug": "owner/repo",
+                }
+            )
+        )
+
+        assert not form.validate()
+        assert "organization" in form.errors
+
+    def test_validate_project_required(self):
+        form = forms.SemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "semaphore_organization_id": "org-id-1234",
+                    "semaphore_project_id": "proj-id-5678",
+                    "repo_slug": "owner/repo",
+                }
+            )
+        )
+
+        assert not form.validate()
+        assert "project" in form.errors
+
+    def test_validate_repo_slug_required(self):
+        form = forms.SemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "semaphore_organization_id": "org-id-1234",
+                    "project": "example-project",
+                    "semaphore_project_id": "proj-id-5678",
+                }
+            )
+        )
+
+        assert not form.validate()
+        assert "repo_slug" in form.errors
+
+    def test_validate_organization_id_required(self):
+        form = forms.SemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "project": "example-project",
+                    "semaphore_project_id": "proj-id-5678",
+                    "repo_slug": "owner/repo",
+                }
+            )
+        )
+
+        assert not form.validate()
+        assert "semaphore_organization_id" in form.errors
+
+    def test_validate_project_id_required(self):
+        form = forms.SemaphorePublisherForm(
+            MultiDict(
+                {
+                    "organization": "example-org",
+                    "semaphore_organization_id": "org-id-1234",
+                    "project": "example-project",
+                    "repo_slug": "owner/repo",
+                }
+            )
+        )
+
+        assert not form.validate()
+        assert "semaphore_project_id" in form.errors