attestations: remove double states, simplify tests

pypi / warehouse

The Python Package Index

https://pypi.org

Apache License 2.0

3.6k stars 964 forks source link

attestations: remove double states, simplify tests #17108

Closed woodruffw closed 3 days ago

woodruffw commented 3 days ago

This removes some usage of stubs in favor of real models (via factories) where possible, and eliminates some potential sources of double-state/divergence in the original services.

In particular:

OIDCPublisherMixin.supports_attestations is now attestation_identity, and returns a Publisher | None that can be used directly for verification
OIDCPublisherMixin.publisher_verification_policy is removed, since the Publisher now encodes the verification policy
_publisher_from_oidc_publisher is removed, since attestation_identity serves the same purpose

woodruffw commented 3 days ago

To summarize: this makes it easier to enable attestations from other TP providers, since they no longer need to update multiple independent sites: each new attestation source only needs to add attestation_identity to its base mixin.

woodruffw commented 3 days ago

NB: This also removes our top-level dependency on sigstore, since all ops go through pypi_attestations (which still uses sigstore itself, of course). I can remove that in this PR or a follow-on.

di commented 3 days ago

NB: This also removes our top-level dependency on sigstore, since all ops go through pypi_attestations (which still uses sigstore itself, of course). I can remove that in this PR or a follow-on.

Let's go ahead and do it here, thanks!