WIP

Author: Turbo87

Cargo.lock

@@ -70,6 +70,7 @@ crates_io_env_vars = { path = "crates/crates_io_env_vars" }
 crates_io_github = { path = "crates/crates_io_github" }
 crates_io_index = { path = "crates/crates_io_index" }
 crates_io_markdown = { path = "crates/crates_io_markdown" }
+crates_io_trusted_publishing = { path = "crates/crates_io_trusted_publishing" }
 crates_io_pagerduty = { path = "crates/crates_io_pagerduty" }
 crates_io_session = { path = "crates/crates_io_session" }
 crates_io_tarball = { path = "crates/crates_io_tarball" }
@@ -139,13 +140,15 @@ utoipa-axum = "=0.2.0"
 bytes = "=1.10.1"
 crates_io_github = { path = "crates/crates_io_github", features = ["mock"] }
 crates_io_index = { path = "crates/crates_io_index", features = ["testing"] }
+crates_io_trusted_publishing = { path = "crates/crates_io_trusted_publishing", features = ["mock"] }
 crates_io_tarball = { path = "crates/crates_io_tarball", features = ["builder"] }
 crates_io_team_repo = { path = "crates/crates_io_team_repo", features = ["mock"] }
 crates_io_test_db = { path = "crates/crates_io_test_db" }
 claims = "=0.8.0"
 diesel = { version = "=2.2.10", features = ["r2d2"] }
 googletest = "=0.14.0"
 insta = { version = "=1.43.0", features = ["glob", "json", "redactions"] }
+jsonwebtoken = "=9.3.1"
 regex = "=1.11.1"
 sentry = { version = "=0.37.0", features = ["test"] }
 tokio = "=1.44.2"

Cargo.toml

@@ -33,5 +33,6 @@ pub mod krate;
 mod owner;
 pub mod team;
 pub mod token;
+pub mod trustpub;
 pub mod user;
 pub mod version;

crates/crates_io_database/src/models/mod.rs

@@ -0,0 +1,37 @@
+use crate::schema::trustpub_configs_github;
+use chrono::{DateTime, Utc};
+use diesel::prelude::*;
+use diesel_async::{AsyncPgConnection, RunQueryDsl};
+
+#[derive(Debug, Identifiable, Queryable, Selectable)]
+#[diesel(table_name = trustpub_configs_github, check_for_backend(diesel::pg::Pg))]
+pub struct GitHubConfig {
+    pub id: i32,
+    pub crate_id: i32,
+    pub repository_owner: String,
+    pub repository_owner_id: i32,
+    pub repository_name: String,
+    pub workflow_filename: String,
+    pub environment: Option<String>,
+    pub created_at: DateTime<Utc>,
+}
+
+#[derive(Debug, Insertable)]
+#[diesel(table_name = trustpub_configs_github, check_for_backend(diesel::pg::Pg))]
+pub struct NewGitHubConfig<'a> {
+    pub crate_id: i32,
+    pub repository_owner: &'a str,
+    pub repository_owner_id: i32,
+    pub repository_name: &'a str,
+    pub workflow_filename: &'a str,
+    pub environment: Option<&'a str>,
+}
+
+impl NewGitHubConfig<'_> {
+    pub async fn insert(&self, conn: &mut AsyncPgConnection) -> QueryResult<GitHubConfig> {
+        self.insert_into(trustpub_configs_github::table)
+            .returning(GitHubConfig::as_returning())
+            .get_result(conn)
+            .await
+    }
+}

crates/crates_io_database/src/models/trustpub/github_config.rs

@@ -0,0 +1,3 @@
+pub mod github_config;
+pub mod token;
+pub mod used_jti;

crates/crates_io_database/src/models/trustpub/mod.rs

@@ -0,0 +1,22 @@
+use crate::schema::trustpub_tokens;
+use chrono::{DateTime, Utc};
+use diesel::prelude::*;
+use diesel_async::{AsyncPgConnection, RunQueryDsl};
+
+#[derive(Debug, Insertable)]
+#[diesel(table_name = trustpub_tokens, check_for_backend(diesel::pg::Pg))]
+pub struct NewToken<'a> {
+    pub expires_at: DateTime<Utc>,
+    pub hashed_token: &'a [u8],
+    pub crate_ids: &'a [i32],
+}
+
+impl NewToken<'_> {
+    pub async fn insert(&self, conn: &mut AsyncPgConnection) -> QueryResult<()> {
+        self.insert_into(trustpub_tokens::table)
+            .execute(conn)
+            .await?;
+
+        Ok(())
+    }
+}

crates/crates_io_database/src/models/trustpub/token.rs

@@ -0,0 +1,24 @@
+use crate::schema::trustpub_used_jtis;
+use chrono::{DateTime, Utc};
+use diesel::prelude::*;
+use diesel_async::{AsyncPgConnection, RunQueryDsl};
+
+#[derive(Debug, Insertable)]
+#[diesel(table_name = trustpub_used_jtis, check_for_backend(diesel::pg::Pg))]
+pub struct NewUsedJti<'a> {
+    pub jti: &'a str,
+    pub expires_at: DateTime<Utc>,
+}
+
+impl<'a> NewUsedJti<'a> {
+    pub fn new(jti: &'a str, expires_at: DateTime<Utc>) -> Self {
+        Self { jti, expires_at }
+    }
+
+    pub async fn insert(&self, conn: &mut AsyncPgConnection) -> QueryResult<usize> {
+        diesel::insert_into(trustpub_used_jtis::table)
+            .values(self)
+            .execute(conn)
+            .await
+    }
+}

crates/crates_io_database/src/models/trustpub/used_jti.rs

@@ -91,7 +91,7 @@ pub struct NewVersion<'a> {
     license: Option<&'a str>,
     #[builder(default, name = "size")]
     crate_size: i32,
-    published_by: i32,
+    published_by: Option<i32>,
     checksum: &'a str,
     links: Option<&'a str>,
     rust_version: Option<&'a str>,
@@ -110,7 +110,7 @@ impl NewVersion<'_> {
     pub async fn save(
         &self,
         conn: &mut AsyncPgConnection,
-        published_by_email: &str,
+        published_by_email: Option<&str>,
     ) -> QueryResult<Version> {
         use diesel::insert_into;
 
@@ -122,13 +122,15 @@ impl NewVersion<'_> {
                     .get_result(conn)
                     .await?;
 
-                insert_into(versions_published_by::table)
-                    .values((
-                        versions_published_by::version_id.eq(version.id),
-                        versions_published_by::email.eq(published_by_email),
-                    ))
-                    .execute(conn)
-                    .await?;
+                if let Some(published_by_email) = published_by_email {
+                    insert_into(versions_published_by::table)
+                        .values((
+                            versions_published_by::version_id.eq(version.id),
+                            versions_published_by::email.eq(published_by_email),
+                        ))
+                        .execute(conn)
+                        .await?;
+                }
 
                 Ok(version)
             }

crates/crates_io_database/src/models/version.rs

@@ -0,0 +1,28 @@
+[package]
+name = "crates_io_trusted_publishing"
+version = "0.0.0"
+license = "MIT OR Apache-2.0"
+edition = "2024"
+
+[lints]
+workspace = true
+
+[features]
+mock = ["dep:mockall", "dep:serde_json"]
+
+[dependencies]
+anyhow = "=1.0.98"
+async-trait = "=0.1.88"
+chrono = { version = "=0.4.40", features = ["serde"] }
+jsonwebtoken = "=9.3.1"
+mockall = { version = "=0.13.1", optional = true }
+reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
+regex = "=1.11.1"
+serde = { version = "=1.0.219", features = ["derive"] }
+serde_json = { version = "=1.0.140", optional = true }
+tokio = { version = "=1.44.2", features = ["sync"] }
+
+[dev-dependencies]
+insta = { version = "=1.43.0", features = ["json", "redactions"] }
+mockito = "=1.7.0"
+tokio = { version = "=1.44.2", features = ["macros", "rt-multi-thread"] }

crates/crates_io_trusted_publishing/Cargo.toml

@@ -0,0 +1 @@
+# crates_io_trusted_publishing