

Use new pypi-attestations verification API
facutuesca committed Oct 22, 2024
1 parent 3f52f08 commit 549107f
Showing 2 changed files with 7 additions and 47 deletions.
38 changes: 6 additions & 32 deletions src/pip_plugin_pep740/_impl.py
@@ -9,15 +9,11 @@
from packaging.utils import parse_sdist_filename, parse_wheel_filename
from pydantic import ValidationError
from pypi_attestations import (
AttestationBundle,
AttestationError,
Distribution,
GitHubPublisher,
GitLabPublisher,
Provenance,
)
from rfc3986 import builder
from sigstore.verify import Verifier, policy

if TYPE_CHECKING:
from pathlib import Path # pragma: no cover
@@ -68,24 +64,6 @@ def _get_provenance(filename: str) -> Provenance | None:
raise ValueError(msg) from e


def _get_verification_policy(bundle: AttestationBundle) -> policy.VerificationPolicy:
"""Construct a verification policy from the Trusted Publisher in the bundle."""
publisher = bundle.publisher
if isinstance(publisher, GitHubPublisher):
issuer = "https://token.actions.githubusercontent.com"
repository = f"https://github.com/{publisher.repository}"
elif isinstance(publisher, GitLabPublisher):
issuer = "https://gitlab.com"
repository = f"https://gitlab.com/{publisher.repository}"

return policy.AllOf(
[
policy.OIDCIssuerV2(issuer),
policy.OIDCSourceRepositoryURI(repository),
]
)


def plugin_type() -> PluginType:
"""Return the plugin type."""
return "dist-inspector"
@@ -102,17 +80,13 @@ def pre_download(url: str, filename: str, digest: str) -> None: # noqa: ARG001
if not provenance:
return
distribution = Distribution(name=filename, digest=digest)
verifier = Verifier.production()
for bundle in provenance.attestation_bundles:
# Each bundle has their own trusted publisher information, so each
# needs its own verification policy.
policy = _get_verification_policy(bundle)
try:
try:
for bundle in provenance.attestation_bundles:
for a in bundle.attestations:
a.verify(verifier=verifier, policy=policy, dist=distribution)
except AttestationError as e:
msg = f"Provenance failed verification: {e}"
raise ValueError(msg) from e
a.verify(bundle.publisher, dist=distribution)
except AttestationError as e:
msg = f"Provenance failed verification: {e}"
raise ValueError(msg) from e
return
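Review bot: The new `try`/`for` loop that ends at the final `return` fails open when `provenance.attestation_bundles` is empty or a bundle carries zero attestations — nothing is verified, no `AttestationError` is raised, and `pre_download` returns as if the distribution were attested. Unless the pypi-attestations models already reject empty lists (I cannot confirm that from here), the loop should count successful verifications and reject the download when the count is zero. It is also worth a comment that `bundle.publisher` comes from the provenance document the index served, so `a.verify(bundle.publisher, dist=distribution)` binds the signature to the publisher claimed in that same document rather than to an identity the plugin knows independently; what is trusted is the index's association of that publisher with the project, which a reader of this loop cannot see. The enclosing `pre_download` starts before this hunk.
```python
    distribution = Distribution(name=filename, digest=digest)
    verified = 0
    try:
        for bundle in provenance.attestation_bundles:
            for a in bundle.attestations:
                # bundle.publisher is the identity the provenance itself claims;
                # the index's publisher-to-project binding is what is trusted here.
                a.verify(bundle.publisher, dist=distribution)
                verified += 1
    except AttestationError as e:
        msg = f"Provenance failed verification: {e}"
        raise ValueError(msg) from e
    if not verified:
        # Do not fail open on provenance that lists no attestations.
        msg = "Provenance contains no attestations to verify"
        raise ValueError(msg)
```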


16 changes: 1 addition & 15 deletions test/test_impl.py
@@ -6,8 +6,7 @@
import pytest
import requests
import requests_mock
from pypi_attestations import AttestationBundle, Distribution, GitLabPublisher
from sigstore.verify.policy import AllOf, OIDCIssuerV2, OIDCSourceRepositoryURI
from pypi_attestations import Distribution

import pip_plugin_pep740

@@ -166,18 +165,5 @@ def test_pre_download_malformed_provenance_valid_json(self) -> None:
digest=DIST_DIGEST_1,
)

def test_get_verification_policy_gitlab(self) -> None:
bundle = AttestationBundle(
publisher=GitLabPublisher(repository="namespace/pkg"), attestations=[]
)
policy = pip_plugin_pep740._impl._get_verification_policy(bundle) # noqa: SLF001
assert isinstance(policy, AllOf)
issuer_policy = policy._children[0] # noqa: SLF001
assert isinstance(issuer_policy, OIDCIssuerV2)
assert issuer_policy._value == "https://gitlab.com" # noqa: SLF001
repository_policy = policy._children[1] # noqa: SLF001
assert isinstance(repository_policy, OIDCSourceRepositoryURI)
assert repository_policy._value == "https://gitlab.com/namespace/pkg" # noqa: SLF001

def test_pre_extract(self) -> None:
assert pip_plugin_pep740.pre_extract(dist=Path("filename")) is None
