Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

warehouse: OIDC beta flag/controls #13073

Merged
merged 33 commits into from
Mar 6, 2023
Merged

warehouse: OIDC beta flag/controls #13073

merged 33 commits into from
Mar 6, 2023

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Feb 23, 2023
edited
Loading

WIP.

See #12965.

@woodruffw
warehouse: initial OIDC ACLs
e6825b4 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw self-assigned this Feb 23, 2023
@woodruffw
config: OIDC permissions in RootFactory
ab74ac7 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
warehouse: centralize OIDC beta perms
65a9580 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
packaging/models: add group:oidc_beta perms
989f5d5 
We need to do this explicitly, since traversing `Project`
means that `RootFactory` is not traversed.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
config: drop unused permissions
a8c0ec5 
These need to be handled separately in `Project.__acl__`.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
warehouse: User.has_oidc_beta_access + TODOs
1ad6ec4 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
migrations: User.has_oidc_beta_access
9bb1bc2 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw changed the title warehouse: initial OIDC ACLs warehouse: OIDC beta ACLs Feb 23, 2023
@woodruffw

This comment was marked as outdated.

Sign in to view
@woodruffw
Copy link
Member Author

Just remembered another thing I need to do here: the admin panel should allow Warehouse's admins to enable/disable OIDC beta status for a user.

@woodruffw
admin: checkbox for OIDC beta
468d079 
Signed-off-by: William Woodruff <[email protected]>
woodruffw
woodruffw commented Feb 23, 2023
View reviewed changes
@woodruffw
tests, warehouse: fix coverage
ce7536a 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
warehouse/locale: make translations
10ceb40 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Merge remote-tracking branch 'upstream/main' into tob-oidc-acls
fac89ad
@woodruffw
Merge branch 'main' into tob-oidc-acls
4d042f6
@woodruffw
tests, warehouse: drop ACL hackery
50929d4 
Use the feature flag directly.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests: begin fixing tests
9fe5f1c 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
warehouse/locale: make translations
f440196 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests, warehouse: more test fixage
5780f58 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests, warehouse: fix condition
9e54ff8 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests: more coverage
b580129 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
tests: more coverage
6b4f096 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw marked this pull request as ready for review February 26, 2023 15:03
@woodruffw woodruffw requested a review from a team as a code owner February 26, 2023 15:03
@woodruffw
Copy link
Member Author

This should be good to go -- I've added the User feature flag plus an admin control for it, along with checks to each OIDC view (+ menu renderers).

@woodruffw woodruffw changed the title warehouse: OIDC beta ACLs warehouse: OIDC beta flag/controls Feb 26, 2023
@woodruffw woodruffw mentioned this pull request Feb 26, 2023
Closed
di
di reviewed Feb 28, 2023
View reviewed changes
ewdurbin
ewdurbin reviewed Mar 1, 2023
View reviewed changes
warehouse/accounts/models.py
@@ -96,6 +96,9 @@ class User(SitemapMixin, HasEvents, db.Model):
totp_secret = Column(LargeBinary(length=20), nullable=True)
last_totp_value = Column(String, nullable=True)

# XXX: Can be removed once OIDC is removed from beta.
has_oidc_beta_access = Column(Boolean, nullable=False, server_default=sql.false())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bleh, I'm -1 on a column directly on the User model, but won't block the PR on this.

The aspiration was a more extensible AdminFlags or similar to manage this kind of thing, but obviously that hasn't come to fruition yet.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AdminFlags are just global flags that can be set by admins -- they don't allow us to set per-user flags (unless we want to overhaul them, which is probably out of scope here).

We tried to do this with ACLs but given how this currently works with the User model, it was a bit more janky than this, which will be temporary.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'm not super happy with this approach either, but I think it's the shortest + lowest friction path here.

woodruffw and others added 7 commits March 6, 2023 11:57
@woodruffw
Merge remote-tracking branch 'upstream/main' into tob-oidc-acls
f3ddcba 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw @di
Apply suggestions from code review
6b3d22a 
Co-authored-by: Dustin Ingram <[email protected]>
@woodruffw
templates: disable form button w/o beta
8329310 
If the user can see OIDC publishers because a beta user has added them
but is not themselves in the OIDC beta, we disable the OIDC form's
button.

The form would 403 anyways; this just prevents obvious misuse.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
templates: disable OIDC deletion as well
301cfa4 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Merge remote-tracking branch 'upstream/main' into tob-oidc-acls
bba4d26
@woodruffw
templates: disable the whole "add" form
ca2cee5 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
locale: make translations
6bd0095 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw requested review from di and ewdurbin March 6, 2023 18:31
di
di reviewed Mar 6, 2023
View reviewed changes
Copy link
Member

@di di left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside from two tweaks

@woodruffw woodruffw requested a review from di March 6, 2023 23:24
@di di merged commit 28badc7 into pypi:main Mar 6, 2023
@di di deleted the tob-oidc-acls branch March 6, 2023 23:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@di di di approved these changes

@ewdurbin ewdurbin Awaiting requested review from ewdurbin

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woodruffw @di @ewdurbin