Revert PEP 740 persistence (pypi#16623)

* Revert PEP 740 persistence

Reverts:

* 16b49a1
* d1c1161

* migrations: replay reverted migrations + migrate forwards

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>

dev/environment

@@ -46,7 +46,6 @@ BREACHED_EMAILS=warehouse.accounts.NullEmailBreachedService
 BREACHED_PASSWORDS=warehouse.accounts.NullPasswordBreachedService
 
 OIDC_BACKEND=warehouse.oidc.services.NullOIDCPublisherService
-ATTESTATIONS_BACKEND=warehouse.attestations.services.NullIntegrityService
 
 METRICS_BACKEND=warehouse.metrics.DataDogMetrics host=notdatadog
 

requirements/main.in

@@ -62,8 +62,8 @@ redis>=2.8.0,<6.0.0
 rfc3986
 sentry-sdk
 setuptools
-sigstore~=3.2.0
-pypi-attestations==0.0.11
+sigstore~=3.0.0
+pypi-attestations==0.0.9
 sqlalchemy[asyncio]>=2.0,<3.0
 stdlib-list
 stripe

requirements/main.txt

@@ -1776,9 +1776,9 @@ pyparsing==3.1.4 \
     --hash=sha256:a6a7ee4235a3f944aa1fa2249307708f893fe5717dc603503c6c7969c070fb7c \
     --hash=sha256:f86ec8d1a83f11977c9a6ea7598e8c27fc5cddfa5b07ea2241edbbde1d7bc032
     # via linehaul
-pypi-attestations==0.0.11 \
-    --hash=sha256:b730e6b23874d94da0f3817b1f9dd3ecb6a80d685f62a18ad96e5b0396149ded \
-    --hash=sha256:e74329074f049568591e300373e12fcd46a35e21723110856546e33bf2949efa
+pypi-attestations==0.0.9 \
+    --hash=sha256:3bfc07f64a8db0d6e2646720e70df7c7cb01a2936056c764a2cc3268969332f2 \
+    --hash=sha256:4b38cce5d221c8145cac255bfafe650ec0028d924d2b3572394df8ba8f07a609
     # via -r requirements/main.in
 pyqrcode==1.2.1 \
     --hash=sha256:1b2812775fa6ff5c527977c4cd2ccb07051ca7d0bc0aecf937a43864abe5eff6 \
@@ -2091,9 +2091,9 @@ sentry-sdk==2.13.0 \
     --hash=sha256:6beede8fc2ab4043da7f69d95534e320944690680dd9a963178a49de71d726c6 \
     --hash=sha256:8d4a576f7a98eb2fdb40e13106e41f330e5c79d72a68be1316e7852cf4995260
     # via -r requirements/main.in
-sigstore==3.2.0 \
-    --hash=sha256:25c8a871a3a6adf959c0cde598ea8bef8794f1a29277d067111eb4ded4ba7f65 \
-    --hash=sha256:d18508f34febb7775065855e92557fa1c2c16580df88f8e8903b9514438bad44
+sigstore==3.0.0 \
+    --hash=sha256:6cc7dc92607c2fd481aada0f3c79e710e4c6086e3beab50b07daa9a50a79d109 \
+    --hash=sha256:a6a9538a648e112a0c3d8092d3f73a351c7598164764f1e73a6b5ba406a3a0bd
     # via
     #   -r requirements/main.in
     #   pypi-attestations

tests/common/db/packaging.py

@@ -34,7 +34,6 @@
 from warehouse.utils import readme
 
 from .accounts import UserFactory
-from .attestation import AttestationFactory
 from .base import WarehouseFactory
 from .observations import ObserverFactory
 
@@ -141,13 +140,6 @@ class Meta:
         )
     )
 
-    # Empty attestations by default.
-    attestations = factory.RelatedFactoryList(
-        AttestationFactory,
-        factory_related_name="file",
-        size=0,
-    )
-
 
 class FileEventFactory(WarehouseFactory):
     class Meta:

tests/conftest.py

@@ -44,8 +44,6 @@
 from warehouse.accounts import services as account_services
 from warehouse.accounts.interfaces import ITokenService, IUserService
 from warehouse.admin.flags import AdminFlag, AdminFlagValue
-from warehouse.attestations import services as attestations_services
-from warehouse.attestations.interfaces import IIntegrityService
 from warehouse.email import services as email_services
 from warehouse.email.interfaces import IEmailSender
 from warehouse.helpdesk import services as helpdesk_services
@@ -59,7 +57,7 @@
 from warehouse.organizations import services as organization_services
 from warehouse.organizations.interfaces import IOrganizationService
 from warehouse.packaging import services as packaging_services
-from warehouse.packaging.interfaces import IFileStorage, IProjectService
+from warehouse.packaging.interfaces import IProjectService
 from warehouse.subscriptions import services as subscription_services
 from warehouse.subscriptions.interfaces import IBillingService, ISubscriptionService
 
@@ -114,15 +112,6 @@ def metrics():
     )
 
 
-@pytest.fixture
-def storage_service(tmp_path):
-    """
-    A good-enough local file storage service.
-    """
-
-    return packaging_services.LocalArchiveFileStorage(tmp_path)
-
-
 @pytest.fixture
 def remote_addr():
     return "1.2.3.4"
@@ -184,8 +173,6 @@ def pyramid_services(
     project_service,
     github_oidc_service,
     activestate_oidc_service,
-    integrity_service,
-    storage_service,
     macaroon_service,
     helpdesk_service,
 ):
@@ -207,9 +194,7 @@ def pyramid_services(
     services.register_service(
         activestate_oidc_service, IOIDCPublisherService, None, name="activestate"
     )
-    services.register_service(integrity_service, IIntegrityService, None, name="")
     services.register_service(macaroon_service, IMacaroonService, None, name="")
-    services.register_service(storage_service, IFileStorage, None, name="archive")
     services.register_service(helpdesk_service, IHelpDeskService, None)
 
     return services
@@ -339,7 +324,6 @@ def get_app_config(database, nondefaults=None):
         "docs.backend": "warehouse.packaging.services.LocalDocsStorage",
         "sponsorlogos.backend": "warehouse.admin.services.LocalSponsorLogoStorage",
         "billing.backend": "warehouse.subscriptions.services.MockStripeBillingService",
-        "attestations.backend": "warehouse.attestations.services.NullIntegrityService",
         "billing.api_base": "http://stripe:12111",
         "billing.api_version": "2020-08-27",
         "mail.backend": "warehouse.email.services.SMTPEmailSender",
@@ -403,11 +387,13 @@ def get_db_session_for_app_config(app_config):
 
 @pytest.fixture(scope="session")
 def app_config(database):
+
     return get_app_config(database)
 
 
 @pytest.fixture(scope="session")
 def app_config_dbsession_from_env(database):
+
     nondefaults = {
         "warehouse.db_create_session": lambda r: r.environ.get("warehouse.db_session")
     }
@@ -553,11 +539,6 @@ def activestate_oidc_service(db_session):
     )
 
 
-@pytest.fixture
-def integrity_service(db_session):
-    return attestations_services.NullIntegrityService(db_session)
-
-
 @pytest.fixture
 def macaroon_service(db_session):
     return macaroon_services.DatabaseMacaroonService(db_session)

tests/functional/api/test_simple.py

@@ -10,22 +10,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import hashlib
-
 from http import HTTPStatus
-from pathlib import Path
-
-import pymacaroons
-
-from warehouse.macaroons import caveats
 
-from ...common.db.accounts import EmailFactory, UserFactory
-from ...common.db.macaroons import MacaroonFactory
-from ...common.db.oidc import GitHubPublisherFactory
-from ...common.db.packaging import ProjectFactory, ReleaseFactory, RoleFactory
-
-_HERE = Path(__file__).parent
-_ASSETS = _HERE.parent / "_fixtures"
+from ...common.db.packaging import ProjectFactory, ReleaseFactory
 
 
 def test_simple_api_html(webtest):
@@ -44,88 +31,3 @@ def test_simple_api_detail(webtest):
     assert resp.content_type == "text/html"
     assert "X-PyPI-Last-Serial" in resp.headers
     assert f"Links for {project.normalized_name}" in resp.text
-
-
-def test_simple_attestations_from_upload(webtest):
-    user = UserFactory.create(
-        password=(  # 'password'
-            "$argon2id$v=19$m=1024,t=6,p=6$EiLE2Nsbo9S6N+acs/beGw$ccyZDCZstr1/+Y/1s3BVZ"
-            "HOJaqfBroT0JCieHug281c"
-        )
-    )
-    EmailFactory.create(user=user, verified=True)
-    project = ProjectFactory.create(name="sampleproject")
-    RoleFactory.create(user=user, project=project, role_name="Owner")
-    publisher = GitHubPublisherFactory.create(projects=[project])
-
-    # Construct the macaroon. This needs to be based on a Trusted Publisher, which is
-    # required to upload attestations
-    dm = MacaroonFactory.create(
-        oidc_publisher_id=publisher.id,
-        caveats=[
-            caveats.OIDCPublisher(oidc_publisher_id=str(publisher.id)),
-            caveats.ProjectID(project_ids=[str(p.id) for p in publisher.projects]),
-        ],
-        additional={"oidc": {"ref": "someref", "sha": "somesha"}},
-    )
-
-    m = pymacaroons.Macaroon(
-        location="localhost",
-        identifier=str(dm.id),
-        key=dm.key,
-        version=pymacaroons.MACAROON_V2,
-    )
-    for caveat in dm.caveats:
-        m.add_first_party_caveat(caveats.serialize(caveat))
-    serialized_macaroon = f"pypi-{m.serialize()}"
-
-    with open(_ASSETS / "sampleproject-3.0.0.tar.gz", "rb") as f:
-        content = f.read()
-
-    with open(
-        _ASSETS / "sampleproject-3.0.0.tar.gz.publish.attestation",
-    ) as f:
-        attestation = f.read()
-
-    webtest.set_authorization(("Basic", ("__token__", serialized_macaroon)))
-    webtest.post(
-        "/legacy/?:action=file_upload",
-        params={
-            "name": "sampleproject",
-            "sha256_digest": (
-                "117ed88e5db073bb92969a7545745fd977ee85b7019706dd256a64058f70963d"
-            ),
-            "filetype": "sdist",
-            "metadata_version": "2.1",
-            "version": "3.0.0",
-            "attestations": f"[{attestation}]",
-        },
-        upload_files=[("content", "sampleproject-3.0.0.tar.gz", content)],
-        status=HTTPStatus.OK,
-    )
-
-    assert len(project.releases) == 1
-    assert project.releases[0].files.count() == 1
-    assert len(project.releases[0].files[0].attestations) == 1
-
-    expected_provenance = hashlib.sha256(b"sampleproject-3.0.0.tar.gz:1").hexdigest()
-    expected_filename = "sampleproject-3.0.0.tar.gz"
-
-    response = webtest.get("/simple/sampleproject/", status=HTTPStatus.OK)
-    link = response.html.find("a", text=expected_filename)
-
-    assert "data-provenance" in link.attrs
-    assert link.get("data-provenance") == expected_provenance
-
-    response = webtest.get(
-        "/simple/sampleproject/",
-        headers={"Accept": "application/vnd.pypi.simple.v1+json"},
-        status=HTTPStatus.OK,
-    )
-
-    assert response.content_type == "application/vnd.pypi.simple.v1+json"
-
-    json_content = response.json
-    assert len(json_content["files"]) == 1
-    assert json_content["files"][0]["filename"] == expected_filename
-    assert json_content["files"][0]["provenance"] == expected_provenance