Add PATCH /api/v1/crates/{name} endpoint for updating the trustpub_only flag

Author: Turbo87

crates/crates_io_test_utils/src/builders/krate.rs

@@ -16,6 +16,7 @@ pub struct CrateBuilder<'a> {
     krate: NewCrate<'a>,
     owner_id: i32,
     recent_downloads: Option<i32>,
+    trustpub_only: bool,
     updated_at: Option<DateTime<Utc>>,
     versions: Vec<VersionBuilder>,
 }
@@ -34,6 +35,7 @@ impl<'a> CrateBuilder<'a> {
             },
             owner_id,
             recent_downloads: None,
+            trustpub_only: false,
             updated_at: None,
             versions: Vec::new(),
         }
@@ -113,6 +115,12 @@ impl<'a> CrateBuilder<'a> {
         self
     }
 
+    /// Sets the crate's `trustpub_only` flag.
+    pub fn trustpub_only(mut self, trustpub_only: bool) -> Self {
+        self.trustpub_only = trustpub_only;
+        self
+    }
+
     pub async fn build(mut self, connection: &mut AsyncPgConnection) -> anyhow::Result<Crate> {
         use diesel::{insert_into, select, update};
 
@@ -171,6 +179,14 @@ impl<'a> CrateBuilder<'a> {
                 .await?;
         }
 
+        if self.trustpub_only {
+            krate = update(&krate)
+                .set(crates::trustpub_only.eq(true))
+                .returning(Crate::as_returning())
+                .get_result(connection)
+                .await?;
+        }
+
         update_default_version(krate.id, connection).await?;
 
         Ok(krate)

src/controllers/krate.rs

@@ -15,6 +15,7 @@ pub mod owners;
 pub mod publish;
 pub mod rev_deps;
 pub mod search;
+pub mod update;
 pub mod versions;
 
 #[derive(Deserialize, FromRequestParts, IntoParams)]

src/controllers/krate/update.rs

@@ -0,0 +1,199 @@
+use crate::app::AppState;
+use crate::auth::AuthCheck;
+use crate::controllers::krate::CratePath;
+use crate::email::EmailMessage;
+use crate::middleware::real_ip::RealIp;
+use crate::models::{Crate, User};
+use crate::schema::*;
+use crate::util::errors::{AppResult, crate_not_found, custom};
+use crate::views::EncodableCrate;
+use anyhow::Context;
+use axum::{Extension, Json};
+use diesel::prelude::*;
+use diesel_async::scoped_futures::ScopedFutureExt;
+use diesel_async::{AsyncConnection, RunQueryDsl};
+use http::{StatusCode, request::Parts};
+use serde::{Deserialize, Serialize};
+use tracing::{info, warn};
+
+#[derive(Debug, Deserialize, utoipa::ToSchema)]
+pub struct PatchRequest {
+    /// Whether this crate can only be published via Trusted Publishing.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub trustpub_only: Option<bool>,
+}
+
+#[derive(Debug, Serialize, utoipa::ToSchema)]
+pub struct PatchResponse {
+    /// The updated crate metadata.
+    #[serde(rename = "crate")]
+    krate: EncodableCrate,
+}
+
+/// Update crate settings.
+#[utoipa::path(
+    patch,
+    path = "/api/v1/crates/{name}",
+    params(CratePath),
+    request_body = PatchRequest,
+    security(
+        ("api_token" = []),
+        ("cookie" = []),
+    ),
+    tag = "crates",
+    responses((status = 200, description = "Successful Response", body = inline(PatchResponse))),
+)]
+pub async fn update_crate(
+    app: AppState,
+    path: CratePath,
+    req: Parts,
+    Extension(real_ip): Extension<RealIp>,
+    Json(body): Json<PatchRequest>,
+) -> AppResult<Json<PatchResponse>> {
+    let mut conn = app.db_write().await?;
+
+    // Check that the user is authenticated
+    let auth = AuthCheck::only_cookie().check(&req, &mut conn).await?;
+
+    // Check that the crate exists
+    let krate = path.load_crate(&mut conn).await?;
+
+    // Update crate settings in a transaction
+    conn.transaction(|conn| {
+        update_inner(conn, &app, &krate, auth.user(), &real_ip, body).scope_boxed()
+    })
+    .await
+}
+
+async fn update_inner(
+    conn: &mut diesel_async::AsyncPgConnection,
+    app: &AppState,
+    krate: &Crate,
+    user: &User,
+    real_ip: &RealIp,
+    body: PatchRequest,
+) -> AppResult<Json<PatchResponse>> {
+    // Query user owners to check permissions and send emails
+    let user_owners = crate_owners::table
+        .inner_join(users::table)
+        .inner_join(emails::table.on(users::id.eq(emails::user_id)))
+        .filter(crate_owners::crate_id.eq(krate.id))
+        .filter(crate_owners::deleted.eq(false))
+        .filter(crate_owners::owner_kind.eq(crate::models::OwnerKind::User))
+        .select((users::id, users::gh_login, emails::email, emails::verified))
+        .load::<(i32, String, String, bool)>(conn)
+        .await?;
+
+    // Check that the authenticated user is an owner
+    if !user_owners.iter().any(|(id, _, _, _)| *id == user.id) {
+        let msg = "only owners have permission to modify crate settings";
+        return Err(custom(StatusCode::FORBIDDEN, msg));
+    }
+
+    // Update trustpub_only if provided
+    if let Some(trustpub_only) = body.trustpub_only {
+        diesel::update(crates::table)
+            .filter(crates::id.eq(krate.id))
+            .set(crates::trustpub_only.eq(trustpub_only))
+            .execute(conn)
+            .await?;
+
+        // Audit log the setting change
+        info!(
+            target: "audit",
+            action = "trustpub_only_change",
+            krate.name = %krate.name,
+            network.client.ip = %**real_ip,
+            usr.id = user.id,
+            usr.name = %user.gh_login,
+            "User {} set trustpub_only={trustpub_only} for crate {}",
+            user.gh_login,
+            krate.name
+        );
+
+        // Send email notifications to all crate owners
+        for (_, gh_login, email_address, email_verified) in &user_owners {
+            if *email_verified {
+                let email = TrustpubOnlyChangedEmail {
+                    recipient: gh_login,
+                    auth_user: user,
+                    krate,
+                    trustpub_only,
+                };
+
+                if let Err(err) = email.send(app, email_address).await {
+                    warn!("Failed to send trustpub_only notification to {email_address}: {err}");
+                }
+            }
+        }
+    }
+
+    // Reload the crate to get updated data
+    let (krate, downloads, recent_downloads, default_version, yanked, num_versions): (
+        Crate,
+        i64,
+        Option<i64>,
+        Option<String>,
+        Option<bool>,
+        Option<i32>,
+    ) = Crate::by_name(&krate.name)
+        .inner_join(crate_downloads::table)
+        .left_join(recent_crate_downloads::table)
+        .left_join(default_versions::table)
+        .left_join(versions::table.on(default_versions::version_id.eq(versions::id)))
+        .select((
+            Crate::as_select(),
+            crate_downloads::downloads,
+            recent_crate_downloads::downloads.nullable(),
+            versions::num.nullable(),
+            versions::yanked.nullable(),
+            default_versions::num_versions.nullable(),
+        ))
+        .first(conn)
+        .await
+        .optional()?
+        .ok_or_else(|| crate_not_found(&krate.name))?;
+
+    let encodable_crate = EncodableCrate::from(
+        krate,
+        default_version.as_deref(),
+        num_versions.unwrap_or_default(),
+        yanked,
+        None,
+        None,
+        None,
+        None,
+        false,
+        downloads,
+        recent_downloads,
+    );
+
+    Ok(Json(PatchResponse {
+        krate: encodable_crate,
+    }))
+}
+
+#[derive(Serialize)]
+struct TrustpubOnlyChangedEmail<'a> {
+    /// The GitHub login of the email recipient.
+    recipient: &'a str,
+    /// The user who changed the setting.
+    auth_user: &'a User,
+    /// The crate for which the setting was changed.
+    krate: &'a Crate,
+    /// The new value of the trustpub_only flag.
+    trustpub_only: bool,
+}
+
+impl TrustpubOnlyChangedEmail<'_> {
+    async fn send(&self, state: &AppState, email_address: &str) -> anyhow::Result<()> {
+        let email = EmailMessage::from_template("trustpub_only_changed", self);
+        let email = email.context("Failed to render email template")?;
+
+        state
+            .emails
+            .send(email_address, email)
+            .await
+            .context("Failed to send email")
+    }
+}

src/email/templates/trustpub_only_changed/body.txt.j2

@@ -0,0 +1,25 @@
+{% extends "base.txt.j2" %}
+
+{% block content %}
+Hello {{ recipient }}!
+
+{% if recipient == auth_user.gh_login -%}
+You changed the publishing method restriction for your crate "{{ krate.name }}".
+{%- else -%}
+crates.io user {{ auth_user.gh_login }} changed the publishing method restriction for a crate that you manage ("{{ krate.name }}").
+{%- endif %}
+
+{% if trustpub_only -%}
+This crate can now ONLY be published via Trusted Publishing. Publishing with API tokens has been disabled.
+
+This means that only trusted publishers (like GitHub Actions or GitLab CI workflows) that you have configured will be able to publish new versions of this crate. API tokens will no longer work for publishing.
+{%- else -%}
+This crate can now be published via both Trusted Publishing and API tokens.
+
+This means that both trusted publishers (like GitHub Actions or GitLab CI workflows) and users with API tokens will be able to publish new versions of this crate.
+{%- endif %}
+
+If you did not make this change and you think it was made maliciously, you can revert the setting from the "Settings" tab on the crate's page.
+
+If you are unable to revert the change and need to do so, you can email [email protected] for assistance.
+{% endblock %}

src/email/templates/trustpub_only_changed/subject.txt.j2

@@ -0,0 +1 @@
+crates.io: Publishing method restriction changed for {{ krate.name }}

src/router.rs

@@ -31,6 +31,7 @@ pub fn build_axum_router(state: AppState) -> Router<()> {
         // Routes used by the frontend
         .routes(routes!(
             krate::metadata::find_crate,
+            krate::update::update_crate,
             krate::delete::delete_crate
         ))
         .routes(routes!(

src/tests/routes/crates/mod.rs

@@ -7,4 +7,5 @@ mod new;
 pub mod owners;
 mod read;
 mod reverse_dependencies;
+mod update;
 pub mod versions;

src/tests/routes/crates/snapshots/integration__routes__crates__update__disable_trustpub_only-2.snap

@@ -0,0 +1,38 @@
+---
+source: src/tests/routes/crates/update.rs
+expression: response.json()
+---
+{
+  "crate": {
+    "badges": [],
+    "categories": null,
+    "created_at": "[datetime]",
+    "default_version": "0.99.0",
+    "description": null,
+    "documentation": null,
+    "downloads": 0,
+    "exact_match": false,
+    "homepage": null,
+    "id": "foo",
+    "keywords": null,
+    "links": {
+      "owner_team": "/api/v1/crates/foo/owner_team",
+      "owner_user": "/api/v1/crates/foo/owner_user",
+      "owners": "/api/v1/crates/foo/owners",
+      "reverse_dependencies": "/api/v1/crates/foo/reverse_dependencies",
+      "version_downloads": "/api/v1/crates/foo/downloads",
+      "versions": "/api/v1/crates/foo/versions"
+    },
+    "max_stable_version": null,
+    "max_version": "0.0.0",
+    "name": "foo",
+    "newest_version": "0.0.0",
+    "num_versions": 1,
+    "recent_downloads": null,
+    "repository": null,
+    "trustpub_only": false,
+    "updated_at": "[datetime]",
+    "versions": null,
+    "yanked": false
+  }
+}