Improve file-details with certificate claims #17145
Conversation
# Conflicts: # warehouse/templates/includes/file-details.html
| @@ -220,7 +220,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ | |||
| set -x \ | |||
| && apt-get update \ | |||
| && apt-get install --no-install-recommends -y \ | |||
| libpq5 libxml2 libxslt1.1 libcurl4 \ | |||
There was a problem hiding this comment.
Just flagging for review: this needs to be removed before merge.
| {% set claims = attestation.certificate_claims %} | ||
| Source repository: | ||
| <ul> | ||
| <!-- 1.3.6.1.4.1.57264.1.12 | Source Repository URI--> | ||
| <!-- 1.3.6.1.4.1.57264.1.13 | Source Repository Digest--> | ||
| <li>Permalink: <a href="{{ repo_url_with_reference(claims.get("1.3.6.1.4.1.57264.1.12"), claims.get("1.3.6.1.4.1.57264.1.13")) }}"> | ||
| <code>{{ repository_name(bundle.publisher) }}#{{ claims.get("1.3.6.1.4.1.57264.1.13") }}</code> | ||
| </a></li> | ||
| <!-- 1.3.6.1.4.1.57264.1.14 | Source Repository Ref--> | ||
| <li>Branch / Tag: <a href="{{ repo_url_with_reference(claims.get("1.3.6.1.4.1.57264.1.12"), claims.get("1.3.6.1.4.1.57264.1.14")) }} "> | ||
| <code>{{ claims.get("1.3.6.1.4.1.57264.1.14") }}</code> | ||
| </a></li> | ||
| <!-- 1.3.6.1.4.1.57264.1.15 | Source Repository Identifier--> | ||
| <!-- 1.3.6.1.4.1.57264.1.16 | Source Repository Owner URI--> | ||
| <li>Owner: <a href="{{ claims.get("1.3.6.1.4.1.57264.1.16") }}">{{ claims.get("1.3.6.1.4.1.57264.1.16") }}</a></li> | ||
| <!-- 1.3.6.1.4.1.57264.1.17 | Source Repository Owner Identifier--> | ||
| <!-- 1.3.6.1.4.1.57264.1.22 | Source Repository Visibility At Signing--> | ||
| <li>Access: <code>{{ claims.get("1.3.6.1.4.1.57264.1.22") }}</code></li> | ||
| </ul> | ||
| Build information: | ||
| <ul> | ||
| <!-- 1.3.6.1.4.1.57264.1.8 | Issuer--> | ||
| <!-- 1.3.6.1.4.1.57264.1.9 | Build Signer URI--> | ||
| <!-- 1.3.6.1.4.1.57264.1.10 | Build Signer Digest--> | ||
| <li>Token Issuer: <code>{{ claims.get("1.3.6.1.4.1.57264.1.8") }}</code></li> | ||
| <!-- 1.3.6.1.4.1.57264.1.11 | Runner Environment--> | ||
| <li>Build Environment: <code>{{ claims.get("1.3.6.1.4.1.57264.1.11") }}</code></li> | ||
| <!-- 1.3.6.1.4.1.57264.1.18 | Build Config URI--> | ||
| <!-- 1.3.6.1.4.1.57264.1.19 | Build Config Digest--> | ||
| <li>Build Configuration File: | ||
| <a href="{{ workflow_url(bundle.publisher, claims) }}"> | ||
| <code>{{ workflow_filename(bundle.publisher) }}#{{ claims.get("1.3.6.1.4.1.57264.1.19") }}</code> | ||
| </a> | ||
| </li> | ||
| <!-- 1.3.6.1.4.1.57264.1.20 | Build Trigger--> | ||
| <li>Trigger Event: <code>{{ claims.get("1.3.6.1.4.1.57264.1.20") }}</code></li> | ||
| <!-- 1.3.6.1.4.1.57264.1.21 | Run Invocation URI--> | ||
| </ul> |
There was a problem hiding this comment.
Doing these mappings/selections within the template is likely going to be brittle/hard to test going forwards -- I think we'd be better off defining a Jinja2 function or other helper within the Python codebase to do these transforms.
(I'm not 100% sure how best to do this, since the way we render each claim varies based on its content/expected format, e.g. URLs. Maybe @di has thoughts?)
There was a problem hiding this comment.
The new version uses python helper functions - however, it still delegates the formatting to the view.
( NB: I quickly searched in the codebase to find an existing pattern to reuse, but I was not successful.)
| <!-- 1.3.6.1.4.1.57264.1.22 | Source Repository Visibility At Signing--> | ||
| <li>Access: <code>{{ claims.get("1.3.6.1.4.1.57264.1.22") }}</code></li> | ||
| </ul> | ||
| Build information: |
There was a problem hiding this comment.
"Build information" for a publish attestation is confusing, we shouldn't really be using the word "build" in the context of a "publish" attestation I think.
There was a problem hiding this comment.
I've renamed it Publication detail, but leave this conversation open if someone finds better options.
| { | ||
| "1.3.6.1.4.1.57264.1.8": "https://gitlab.com", | ||
| "1.3.6.1.4.1.57264.1.9": ( | ||
| "https://gitlab.com/facutuesca/gitlab-oidc-project//" |
There was a problem hiding this comment.
This uses @facutuesca GitLab project for a quick iteration but will be changed once a PR similar to this one will be merged #17051
| ( | ||
| "GitHub", | ||
| { | ||
| "1.3.6.1.4.1.57264.1.8": ( |
There was a problem hiding this comment.
FLAG(dm): Will update this to a better claim origin
| workflow="example.yml", | ||
| ) | ||
|
|
||
| views.get_publication_details( |
There was a problem hiding this comment.
FLAG: we do nothing yet with the tests results.
Expose Certificate Claims in UI
This PR implements the UI display of Sigstore certificate claims, providing a more comprehensive view of package attestations.
Implementation Details
pypi-attestationpypi-attestationreturns adict[str, str]mapping OIDs (dotted strings) to their decoded valuesDependencies
claimstoAttestationtrailofbits/pypi-attestations#70pypi-attestation(to be removed before merge)Closes #17122
/cc @di @woodruffw @facutuesca