Attempt to fix type warnings

th3coop · th3coop · commit 0d2b3a57f644 · 2023-07-05T14:59:57.000-07:00
diff --git a/warehouse/oidc/models/_core.py b/warehouse/oidc/models/_core.py
@@ -211,7 +211,9 @@ def publisher_name(self) -> str:  # pragma: no cover
         # Only concrete subclasses are constructed.
         raise NotImplementedError
 
-    def publisher_url(self, claims=None) -> str | None:  # pragma: no cover
+    def publisher_url(
+        self, claims: SignedClaims | None = None
+    ) -> str:  # pragma: no cover
         """
         NOTE: This is **NOT** a `@property` because we pass `claims` to it.
         When calling, make sure to use `publisher_url()`
diff --git a/warehouse/oidc/views.py b/warehouse/oidc/views.py
@@ -28,7 +28,7 @@
 from warehouse.macaroons.interfaces import IMacaroonService
 from warehouse.macaroons.services import DatabaseMacaroonService
 from warehouse.oidc.interfaces import IOIDCPublisherService
-from warehouse.oidc.models import PendingOIDCPublisher
+from warehouse.oidc.models import OIDCPublisher, PendingOIDCPublisher
 from warehouse.oidc.services import OIDCPublisherService
 from warehouse.packaging.interfaces import IProjectService
 from warehouse.packaging.models import ProjectFactory
@@ -140,7 +140,9 @@ def process_oidc_request(
 
     # First, try to find a pending publisher.
     pending_publisher = oidc_service.find_publisher(claims, pending=True)
-    if pending_publisher is not None:
+    if pending_publisher is not None and isinstance(
+        pending_publisher, PendingOIDCPublisher
+    ):
         factory = ProjectFactory(request)
 
         # If the project already exists, this pending publisher is no longer
@@ -163,7 +165,7 @@ def process_oidc_request(
         project_service = request.find_service(IProjectService)
         new_project = project_service.create_project(
             pending_publisher.project_name,
-            pending_publisher.added_by,
+            pending_publisher.added_by_id,
             request,
             ratelimited=False,
         )
@@ -172,7 +174,7 @@ def process_oidc_request(
         # Successfully converting a pending publisher into a normal publisher
         # is a positive signal, so we reset the associated ratelimits.
         ratelimiters = _ratelimiters(request)
-        ratelimiters["user.oidc"].clear(pending_publisher.added_by.id)
+        ratelimiters["user.oidc"].clear(pending_publisher.added_by_id)
         ratelimiters["ip.oidc"].clear(request.remote_addr)
 
         # There might be other pending publishers for the same project name,
@@ -199,7 +201,44 @@ def process_oidc_request(
     # have one and we've just converted it. Either way, look for a full publisher
     # to actually do the macaroon minting with.
     publisher = oidc_service.find_publisher(claims, pending=False)
-    if not publisher:
+    if publisher is not None and isinstance(pending_publisher, OIDCPublisher):
+        # At this point, we've verified that the given JWT is valid for the given
+        # project. All we need to do is mint a new token.
+        # NOTE: For OIDC-minted API tokens, the Macaroon's description string
+        # is purely an implementation detail and is not displayed to the user.
+        macaroon_service: DatabaseMacaroonService = request.find_service(
+            IMacaroonService, context=None
+        )
+        not_before = int(time.time())
+        expires_at = not_before + 900
+        serialized, dm = macaroon_service.create_macaroon(
+            request.domain,
+            (
+                f"OpenID token: {str(publisher)} "
+                f"({datetime.fromtimestamp(not_before).isoformat()})"
+            ),
+            [
+                caveats.OIDCPublisher(
+                    oidc_publisher_id=str(publisher.id),
+                ),
+                caveats.ProjectID(project_ids=[str(p.id) for p in publisher.projects]),
+                caveats.Expiration(expires_at=expires_at, not_before=not_before),
+            ],
+            oidc_publisher_id=publisher.id,
+            additional={"oidc": {"ref": claims.get("ref"), "sha": claims.get("sha")}},
+        )
+        for project in publisher.projects:
+            project.record_event(
+                tag=EventTag.Project.ShortLivedAPITokenAdded,
+                request=request,
+                additional={
+                    "expires": expires_at,
+                    "publisher_name": publisher.publisher_name,
+                    "publisher_url": publisher.publisher_url(),
+                },
+            )
+        return {"success": True, "token": serialized}
+    else:
         return _invalid(
             errors=[
                 {
@@ -209,40 +248,3 @@ def process_oidc_request(
             ],
             request=request,
         )
-
-    # At this point, we've verified that the given JWT is valid for the given
-    # project. All we need to do is mint a new token.
-    # NOTE: For OIDC-minted API tokens, the Macaroon's description string
-    # is purely an implementation detail and is not displayed to the user.
-    macaroon_service: DatabaseMacaroonService = request.find_service(
-        IMacaroonService, context=None
-    )
-    not_before = int(time.time())
-    expires_at = not_before + 900
-    serialized, dm = macaroon_service.create_macaroon(
-        request.domain,
-        (
-            f"OpenID token: {str(publisher)} "
-            f"({datetime.fromtimestamp(not_before).isoformat()})"
-        ),
-        [
-            caveats.OIDCPublisher(
-                oidc_publisher_id=str(publisher.id),
-            ),
-            caveats.ProjectID(project_ids=[str(p.id) for p in publisher.projects]),
-            caveats.Expiration(expires_at=expires_at, not_before=not_before),
-        ],
-        oidc_publisher_id=publisher.id,
-        additional={"oidc": {"ref": claims.get("ref"), "sha": claims.get("sha")}},
-    )
-    for project in publisher.projects:
-        project.record_event(
-            tag=EventTag.Project.ShortLivedAPITokenAdded,
-            request=request,
-            additional={
-                "expires": expires_at,
-                "publisher_name": publisher.publisher_name,
-                "publisher_url": publisher.publisher_url(),
-            },
-        )
-    return {"success": True, "token": serialized}
