publish: Block token-based publishes for crates requiring trusted publishing

Turbo87 · Turbo87 · commit c12a5c620009 · 2025-11-20T16:31:46.000+01:00
diff --git a/src/controllers/krate/publish.rs b/src/controllers/krate/publish.rs
@@ -216,6 +216,16 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
         AuthType::Regular(Box::new(auth))
     };
 
+    // Check if crate requires trusted publishing
+    if let Some(existing_crate) = &existing_crate
+        && existing_crate.trustpub_only
+        && matches!(auth, AuthType::Regular(_))
+    {
+        return Err(forbidden(
+            "You tried to publish with an API token but this crate requires trusted publishing.",
+        ));
+    }
+
     let verified_email_address = if let Some(user) = auth.user() {
         let verified_email_address = user.verified_email(&mut conn).await?;
         Some(verified_email_address.ok_or_else(|| verified_email_error(&app.config.domain_name))?)
diff --git a/src/tests/krate/publish/auth.rs b/src/tests/krate/publish/auth.rs
@@ -1,6 +1,6 @@
 use crate::builders::{CrateBuilder, PublishBuilder};
 use crate::util::{MockTokenUser, RequestHelper, TestApp};
-use crates_io::schema::api_tokens;
+use crates_io::schema::{api_tokens, crates};
 use diesel::ExpressionMethods;
 use diesel_async::RunQueryDsl;
 use googletest::prelude::*;
@@ -78,3 +78,31 @@ async fn new_krate_with_bearer_token() {
     rss/updates.xml
     ");
 }
+
+#[tokio::test(flavor = "multi_thread")]
+async fn publish_with_token_rejected_when_trustpub_only() {
+    let (app, _, user, token) = TestApp::full().with_token().await;
+    let mut conn = app.db_conn().await;
+
+    // Create a crate
+    CrateBuilder::new("foo_trustpub_only", user.as_model().id)
+        .expect_build(&mut conn)
+        .await;
+
+    // Set trustpub_only to true
+    diesel::update(crates::table)
+        .filter(crates::name.eq("foo_trustpub_only"))
+        .set(crates::trustpub_only.eq(true))
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    // Try to publish with API token - should be rejected
+    let crate_to_publish = PublishBuilder::new("foo_trustpub_only", "1.0.0");
+    let response = token.publish_crate(crate_to_publish).await;
+    assert_snapshot!(response.status(), @"403 Forbidden");
+    assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"You tried to publish with an API token but this crate requires trusted publishing."}]}"#);
+
+    assert_that!(app.stored_files().await, is_empty());
+    assert_that!(app.emails().await, is_empty());
+}
diff --git a/src/tests/krate/publish/trustpub_github.rs b/src/tests/krate/publish/trustpub_github.rs
@@ -1,6 +1,7 @@
 use crate::builders::{CrateBuilder, PublishBuilder};
 use crate::util::{MockTokenUser, RequestHelper, TestApp};
 use chrono::{TimeDelta, Utc};
+use crates_io::schema::crates;
 use crates_io_database::models::trustpub::NewToken;
 use crates_io_github::{GitHubUser, MockGitHubClient};
 use crates_io_trustpub::access_token::AccessToken;
@@ -9,7 +10,8 @@ use crates_io_trustpub::github::test_helpers::FullGitHubClaims;
 use crates_io_trustpub::keystore::MockOidcKeyStore;
 use crates_io_trustpub::test_keys::encode_for_testing;
 use diesel::QueryResult;
-use diesel_async::AsyncPgConnection;
+use diesel::prelude::*;
+use diesel_async::{AsyncPgConnection, RunQueryDsl};
 use insta::{assert_json_snapshot, assert_snapshot};
 use mockall::predicate::*;
 use p256::ecdsa::signature::digest::Output;
@@ -325,3 +327,30 @@ async fn test_token_for_wrong_crate() -> anyhow::Result<()> {
 
     Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread")]
+async fn test_trustpub_works_when_trustpub_only_enabled() -> anyhow::Result<()> {
+    let (app, _client, cookie_client) = TestApp::full().with_user().await;
+
+    let mut conn = app.db_conn().await;
+
+    let owner_id = cookie_client.as_model().id;
+    let krate = CrateBuilder::new("foo", owner_id).build(&mut conn).await?;
+
+    // Set trustpub_only to true
+    diesel::update(crates::table)
+        .filter(crates::name.eq(&krate.name))
+        .set(crates::trustpub_only.eq(true))
+        .execute(&mut conn)
+        .await?;
+
+    let token = new_token(&mut conn, krate.id).await?;
+    let oidc_token_client = MockTokenUser::with_auth_header(token, app.clone());
+
+    // Publishing with trusted publishing should work
+    let pb = PublishBuilder::new(&krate.name, "1.1.0");
+    let response = oidc_token_client.publish_crate(pb).await;
+    assert_snapshot!(response.status(), @"200 OK");
+
+    Ok(())
+}
diff --git a/src/tests/krate/publish/trustpub_gitlab.rs b/src/tests/krate/publish/trustpub_gitlab.rs
@@ -1,14 +1,16 @@
 use crate::builders::{CrateBuilder, PublishBuilder};
 use crate::util::{MockTokenUser, RequestHelper, TestApp};
 use chrono::{TimeDelta, Utc};
+use crates_io::schema::crates;
 use crates_io_database::models::trustpub::NewToken;
 use crates_io_trustpub::access_token::AccessToken;
 use crates_io_trustpub::gitlab::GITLAB_ISSUER_URL;
 use crates_io_trustpub::gitlab::test_helpers::FullGitLabClaims;
 use crates_io_trustpub::keystore::MockOidcKeyStore;
 use crates_io_trustpub::test_keys::encode_for_testing;
 use diesel::QueryResult;
-use diesel_async::AsyncPgConnection;
+use diesel::prelude::*;
+use diesel_async::{AsyncPgConnection, RunQueryDsl};
 use insta::{assert_json_snapshot, assert_snapshot};
 use p256::ecdsa::signature::digest::Output;
 use secrecy::ExposeSecret;
@@ -306,3 +308,30 @@ async fn test_token_for_wrong_crate() -> anyhow::Result<()> {
 
     Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread")]
+async fn test_trustpub_works_when_trustpub_only_enabled() -> anyhow::Result<()> {
+    let (app, _client, cookie_client) = TestApp::full().with_user().await;
+
+    let mut conn = app.db_conn().await;
+
+    let owner_id = cookie_client.as_model().id;
+    let krate = CrateBuilder::new("foo", owner_id).build(&mut conn).await?;
+
+    // Set trustpub_only to true
+    diesel::update(crates::table)
+        .filter(crates::name.eq(&krate.name))
+        .set(crates::trustpub_only.eq(true))
+        .execute(&mut conn)
+        .await?;
+
+    let token = new_token(&mut conn, krate.id).await?;
+    let oidc_token_client = MockTokenUser::with_auth_header(token, app.clone());
+
+    // Publishing with trusted publishing should work
+    let pb = PublishBuilder::new(&krate.name, "1.1.0");
+    let response = oidc_token_client.publish_crate(pb).await;
+    assert_snapshot!(response.status(), @"200 OK");
+
+    Ok(())
+}
