Normalize both sides of case-insensitive fields for GitLab publisher lookup query (#18905)

di · web-flow · commit ed1fd3eee49f · 2025-10-20T20:45:56.000Z
* Add a failing test

* Normalize both sides of the query
diff --git a/tests/unit/oidc/models/test_gitlab.py b/tests/unit/oidc/models/test_gitlab.py
@@ -73,19 +73,36 @@ def test_lookup_fails_invalid_ci_config_ref_uri(self, environment):
         ):
             gitlab.GitLabPublisher.lookup_by_claims(pretend.stub(), signed_claims)
 
-    def test_lookup_succeeds_with_mixed_case_project_path(self, db_request):
+    @pytest.mark.parametrize(
+        ("configured_namespace", "configured_project", "project_path"),
+        [
+            (
+                "Foo",
+                "Bar",
+                "foo/bar",
+            ),
+            (
+                "foo",
+                "bar",
+                "Foo/Bar",
+            ),
+        ],
+    )
+    def test_lookup_succeeds_with_mixed_case_project_path(
+        self, db_request, configured_namespace, configured_project, project_path
+    ):
         # Test that we find a matching publisher when the project_path claims match
         # even if the case is different.
         stored_publisher = GitLabPublisherFactory(
-            namespace="Foo",
-            project="Bar",
+            namespace=configured_namespace,
+            project=configured_project,
             workflow_filepath=".gitlab-ci.yml",
             environment="",
         )
 
         signed_claims = {
-            "project_path": "foo/bar",  # different case than stored publisher
-            "ci_config_ref_uri": ("gitlab.com/foo/bar//.gitlab-ci.yml@refs/heads/main"),
+            "project_path": project_path,
+            "ci_config_ref_uri": "gitlab.com/foo/bar//.gitlab-ci.yml@refs/heads/main",
             "environment": "some_environment",
         }
 
diff --git a/warehouse/oidc/models/gitlab.py b/warehouse/oidc/models/gitlab.py
@@ -246,8 +246,8 @@ def lookup_by_claims(cls, session: Session, signed_claims: SignedClaims) -> Self
 
         query: Query = Query(cls).filter(
             # claims `project_path` is case-insensitive
-            func.lower(cls.namespace) == namespace,
-            func.lower(cls.project) == project,
+            func.lower(cls.namespace) == func.lower(namespace),
+            func.lower(cls.project) == func.lower(project),
             cls.workflow_filepath == workflow_filepath,
         )
         publishers = query.with_session(session).all()
