woodruffw (Member)

This removes some usage of stubs in favor of real models (via factories) where possible, and eliminates some potential sources of double-state/divergence in the original services.

In particular:

  • OIDCPublisherMixin.supports_attestations is now attestation_identity, and returns a Publisher | None that can be used directly for verification
  • OIDCPublisherMixin.publisher_verification_policy is removed, since the Publisher now encodes the verification policy
  • _publisher_from_oidc_publisher is removed, since attestation_identity serves the same purpose

Signed-off-by: William Woodruff <william@trailofbits.com>
Handled latently via the Publisher identity.

Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw self-assigned this Nov 18, 2024
@woodruffw woodruffw marked this pull request as ready for review November 18, 2024 20:30
@woodruffw woodruffw requested a review from a team as a code owner November 18, 2024 20:30
@woodruffw (Member Author)

To summarize: this makes it easier to enable attestations from other TP providers, since they no longer need to update multiple independent sites: each new attestation source only needs to add attestation_identity to its base mixin.

Signed-off-by: William Woodruff <william@trailofbits.com>
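The single-source-of-truth design described in the PR summary and in the comment above, as an added illustration (not Warehouse's code and not the real pypi_attestations API): one attestation_identity() method per publisher mixin both answers "are attestations supported?" (None means no) and carries the verification policy, so no separate flag or policy method can drift out of sync. Class names, fields and claim keys are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed illustration of the design this PR describes: attestation_identity()
# is the single source of truth for both "does this publisher support
# attestations?" and "which identity must they verify against?". Names are
# hypothetical, not Warehouse's or pypi_attestations' real API.


@dataclass(frozen=True)
class GitHubIdentity:
    """Publisher identity; its fields are the verification policy."""
    repository: str
    workflow: str

    def matches(self, claims: dict) -> bool:
        # Signing-certificate claims must name exactly this repo and workflow file.
        expected_prefix = f"{self.repository}/.github/workflows/{self.workflow}@"
        return (
            claims.get("repository") == self.repository
            and str(claims.get("workflow_ref", "")).startswith(expected_prefix)
        )


class OIDCPublisherMixin:
    def attestation_identity(self) -> GitHubIdentity | None:
        # Default: this publisher kind does not support attestations yet.
        return None


class GitHubPublisher(OIDCPublisherMixin):
    def __init__(self, owner: str, name: str, workflow_filename: str):
        self.owner, self.name, self.workflow_filename = owner, name, workflow_filename

    def attestation_identity(self) -> GitHubIdentity | None:
        # Derived from the model's own fields, so it cannot drift from them.
        return GitHubIdentity(f"{self.owner}/{self.name}", self.workflow_filename)


class OtherPublisher(OIDCPublisherMixin):
    """Provider that has not opted in: inherits the None default, nothing else."""


def verify_attestation(publisher: OIDCPublisherMixin, claims: dict) -> bool:
    identity = publisher.attestation_identity()
    if identity is None:
        return False  # no identity, no attestations; no second flag to disagree
    return identity.matches(claims)
```

A provider opting in later only overrides attestation_identity(); the verification path needs no change.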
woodruffw (Member Author) commented Nov 18, 2024

NB: This also removes our top-level dependency on sigstore, since all ops go through pypi_attestations (which still uses sigstore itself, of course). I can remove that in this PR or a follow-on.

di (Member) commented Nov 18, 2024

> NB: This also removes our top-level dependency on sigstore, since all ops go through pypi_attestations (which still uses sigstore itself, of course). I can remove that in this PR or a follow-on.

Let's go ahead and do it here, thanks!

Signed-off-by: William Woodruff <william@trailofbits.com>
@di di (Member) left a comment

LGTM aside from 1 nit.

Signed-off-by: William Woodruff <william@trailofbits.com>
@di di merged commit a2b945e into pypi:main Nov 18, 2024
20 checks passed
@woodruffw woodruffw deleted the ww/simplify-integrity-services branch November 18, 2024 21:15
@woodruffw woodruffw mentioned this pull request Nov 18, 2024