Refactor: Migrate to 2.0-style security policies

pyproject.toml

@@ -38,7 +38,6 @@ module = [
     "pyramid.*", # https://github.com/Pylons/pyramid/issues/2638
     "pyramid_jinja2.*",
     "pyramid_mailer.*",
-    "pyramid_multiauth.*",
     "pyramid_retry.*",
     "pyramid_rpc.*",
     "pyqrcode.*",

requirements/main.in

@@ -35,7 +35,6 @@ pycurl
 pyqrcode
 pyramid>=2.0
 pymacaroons
-pyramid-multiauth
 pyramid_jinja2>=2.5
 pyramid_mailer>=0.14.1
 pyramid_retry>=0.3

requirements/main.txt

@@ -987,7 +987,6 @@ pyramid==2.0 \
     #   -r requirements/main.in
     #   pyramid-jinja2
     #   pyramid-mailer
-    #   pyramid-multiauth
     #   pyramid-retry
     #   pyramid-rpc
     #   pyramid-services
@@ -1000,10 +999,6 @@ pyramid-mailer==0.15.1 \
     --hash=sha256:28d4a7829ebc19dd40e712d8cb1998cec03c296ba675b2c112a503539738bdc1 \
     --hash=sha256:ec0aff54d9179b2aa2922ff82c2016a4dc8d1da5dc3408d6594f0e2096446f9b
     # via -r requirements/main.in
-pyramid-multiauth==1.0.1 \
-    --hash=sha256:6d8785558e1d0bbe0d0da43e296efc0fbe0de5071d1f9b1091e891f0e4ec9682 \
-    --hash=sha256:c265258af8021094e5b98602e8bfe094eec1350eebb56473f36cd0e076910822
-    # via -r requirements/main.in
 pyramid-retry==2.1.1 \
     --hash=sha256:b5129a60eb9d7409234ea52839006426d2ae887b4a1f0530c75ec336cabf2476 \
     --hash=sha256:baa8276ae68babad09e5f2f94efc4f7421f3b8fb526151df522052f8cd3ec0c9

tests/unit/accounts/test_auth_policy.py → tests/unit/accounts/test_security_policy.py

@@ -20,7 +20,7 @@
 from pyramid.security import Allowed, Denied
 from zope.interface.verify import verifyClass
 
-from warehouse.accounts import auth_policy
+from warehouse.accounts import security_policy
 from warehouse.accounts.interfaces import IUserService
 from warehouse.errors import WarehouseDenied
 
@@ -30,7 +30,7 @@
 class TestBasicAuthAuthenticationPolicy:
     def test_verify(self):
         assert verifyClass(
-            IAuthenticationPolicy, auth_policy.BasicAuthAuthenticationPolicy
+            IAuthenticationPolicy, security_policy.BasicAuthAuthenticationPolicy
         )
 
     def test_unauthenticated_userid_no_userid(self, monkeypatch):
@@ -41,11 +41,11 @@ def test_unauthenticated_userid_no_userid(self, monkeypatch):
             extract_http_basic_credentials,
         )
 
-        policy = auth_policy.BasicAuthAuthenticationPolicy(check=pretend.stub())
+        policy = security_policy.BasicAuthAuthenticationPolicy(check=pretend.stub())
 
         vary_cb = pretend.stub()
         add_vary_cb = pretend.call_recorder(lambda *v: vary_cb)
-        monkeypatch.setattr(auth_policy, "add_vary_callback", add_vary_cb)
+        monkeypatch.setattr(security_policy, "add_vary_callback", add_vary_cb)
 
         request = pretend.stub(
             add_response_callback=pretend.call_recorder(lambda cb: None)
@@ -66,11 +66,11 @@ def test_unauthenticated_userid_with_userid(self, monkeypatch):
             extract_http_basic_credentials,
         )
 
-        policy = auth_policy.BasicAuthAuthenticationPolicy(check=pretend.stub())
+        policy = security_policy.BasicAuthAuthenticationPolicy(check=pretend.stub())
 
         vary_cb = pretend.stub()
         add_vary_cb = pretend.call_recorder(lambda *v: vary_cb)
-        monkeypatch.setattr(auth_policy, "add_vary_callback", add_vary_cb)
+        monkeypatch.setattr(security_policy, "add_vary_callback", add_vary_cb)
 
         userid = uuid.uuid4()
         service = pretend.stub(
@@ -92,15 +92,15 @@ def test_unauthenticated_userid_with_userid(self, monkeypatch):
 class TestSessionAuthenticationPolicy:
     def test_verify(self):
         assert verifyClass(
-            IAuthenticationPolicy, auth_policy.SessionAuthenticationPolicy
+            IAuthenticationPolicy, security_policy.SessionAuthenticationPolicy
         )
 
     def test_unauthenticated_userid(self, monkeypatch):
-        policy = auth_policy.SessionAuthenticationPolicy()
+        policy = security_policy.SessionAuthenticationPolicy()
 
         vary_cb = pretend.stub()
         add_vary_cb = pretend.call_recorder(lambda *v: vary_cb)
-        monkeypatch.setattr(auth_policy, "add_vary_callback", add_vary_cb)
+        monkeypatch.setattr(security_policy, "add_vary_callback", add_vary_cb)
 
         userid = pretend.stub()
         request = pretend.stub(
@@ -116,17 +116,17 @@ def test_unauthenticated_userid(self, monkeypatch):
 class TestTwoFactorAuthorizationPolicy:
     def test_verify(self):
         assert verifyClass(
-            IAuthorizationPolicy, auth_policy.TwoFactorAuthorizationPolicy
+            IAuthorizationPolicy, security_policy.TwoFactorAuthorizationPolicy
         )
 
     def test_permits_no_active_request(self, monkeypatch):
         get_current_request = pretend.call_recorder(lambda: None)
-        monkeypatch.setattr(auth_policy, "get_current_request", get_current_request)
+        monkeypatch.setattr(security_policy, "get_current_request", get_current_request)
 
         backing_policy = pretend.stub(
             permits=pretend.call_recorder(lambda *a, **kw: pretend.stub())
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
         result = policy.permits(pretend.stub(), pretend.stub(), pretend.stub())
 
         assert result == WarehouseDenied("")
@@ -135,27 +135,27 @@ def test_permits_no_active_request(self, monkeypatch):
     def test_permits_if_context_is_not_permitted_by_backing_policy(self, monkeypatch):
         request = pretend.stub()
         get_current_request = pretend.call_recorder(lambda: request)
-        monkeypatch.setattr(auth_policy, "get_current_request", get_current_request)
+        monkeypatch.setattr(security_policy, "get_current_request", get_current_request)
 
         permits_result = Denied("Because")
         backing_policy = pretend.stub(
             permits=pretend.call_recorder(lambda *a, **kw: permits_result)
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
         result = policy.permits(pretend.stub(), pretend.stub(), pretend.stub())
 
         assert result == permits_result
 
     def test_permits_if_non_2fa_requireable_context(self, monkeypatch):
         request = pretend.stub()
         get_current_request = pretend.call_recorder(lambda: request)
-        monkeypatch.setattr(auth_policy, "get_current_request", get_current_request)
+        monkeypatch.setattr(security_policy, "get_current_request", get_current_request)
 
         permits_result = Allowed("Because")
         backing_policy = pretend.stub(
             permits=pretend.call_recorder(lambda *a, **kw: permits_result)
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
         result = policy.permits(pretend.stub(), pretend.stub(), pretend.stub())
 
         assert result == permits_result
@@ -167,13 +167,13 @@ def test_permits_if_context_does_not_require_2fa(self, monkeypatch, db_request):
             "warehouse.two_factor_requirement.enabled": True,
         }
         get_current_request = pretend.call_recorder(lambda: db_request)
-        monkeypatch.setattr(auth_policy, "get_current_request", get_current_request)
+        monkeypatch.setattr(security_policy, "get_current_request", get_current_request)
 
         permits_result = Allowed("Because")
         backing_policy = pretend.stub(
             permits=pretend.call_recorder(lambda *a, **kw: permits_result)
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
         context = ProjectFactory.create(
             owners_require_2fa=False,
             pypi_mandates_2fa=False,
@@ -193,13 +193,13 @@ def test_flashes_if_context_requires_2fa_but_not_enabled(
         db_request.session.flash = pretend.call_recorder(lambda m, queue: None)
         db_request.user = pretend.stub(has_two_factor=False)
         get_current_request = pretend.call_recorder(lambda: db_request)
-        monkeypatch.setattr(auth_policy, "get_current_request", get_current_request)
+        monkeypatch.setattr(security_policy, "get_current_request", get_current_request)
 
         permits_result = Allowed("Because")
         backing_policy = pretend.stub(
             permits=pretend.call_recorder(lambda *a, **kw: permits_result)
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
         context = ProjectFactory.create(
             owners_require_2fa=False,
             pypi_mandates_2fa=True,
@@ -239,13 +239,13 @@ def test_permits_if_user_has_2fa(
         user = pretend.stub(has_two_factor=True)
         db_request.user = user
         get_current_request = pretend.call_recorder(lambda: db_request)
-        monkeypatch.setattr(auth_policy, "get_current_request", get_current_request)
+        monkeypatch.setattr(security_policy, "get_current_request", get_current_request)
 
         permits_result = Allowed("Because")
         backing_policy = pretend.stub(
             permits=pretend.call_recorder(lambda *a, **kw: permits_result)
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
         context = ProjectFactory.create(
             owners_require_2fa=owners_require_2fa, pypi_mandates_2fa=pypi_mandates_2fa
         )
@@ -276,13 +276,13 @@ def test_denies_if_2fa_is_required_but_user_doesnt_have_2fa(
         user = pretend.stub(has_two_factor=False)
         db_request.user = user
         get_current_request = pretend.call_recorder(lambda: db_request)
-        monkeypatch.setattr(auth_policy, "get_current_request", get_current_request)
+        monkeypatch.setattr(security_policy, "get_current_request", get_current_request)
 
         permits_result = Allowed("Because")
         backing_policy = pretend.stub(
             permits=pretend.call_recorder(lambda *a, **kw: permits_result)
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
         context = ProjectFactory.create(
             owners_require_2fa=owners_require_2fa, pypi_mandates_2fa=pypi_mandates_2fa
         )
@@ -308,7 +308,7 @@ def test_principals_allowed_by_permission(self):
                 lambda *a: principals
             )
         )
-        policy = auth_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
+        policy = security_policy.TwoFactorAuthorizationPolicy(policy=backing_policy)
 
         assert (
             policy.principals_allowed_by_permission(pretend.stub(), pretend.stub())