From 8155a65583e78e92dda5d5c365bcc316f08807f2 Mon Sep 17 00:00:00 2001
From: Dustin Ingram
Date: Fri, 23 Feb 2024 11:36:10 -0500
Subject: [PATCH] Add unchecked GitLab claims (#15466)

---
 tests/unit/oidc/models/test_gitlab.py | 2 ++
 warehouse/oidc/models/gitlab.py       | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/tests/unit/oidc/models/test_gitlab.py b/tests/unit/oidc/models/test_gitlab.py
index 01c2dadf5538..15883566df95 100644
--- a/tests/unit/oidc/models/test_gitlab.py
+++ b/tests/unit/oidc/models/test_gitlab.py
@@ -58,6 +58,7 @@ def test_gitlab_publisher_all_known_claims(self):
             "exp",
             "aud",
             # unchecked claims
+            "project_id",
             "namespace_id",
             "namespace_path",
             "user_id",
@@ -78,6 +79,7 @@ def test_gitlab_publisher_all_known_claims(self):
             "ci_config_sha",
             "project_visibility",
             "jti",
+            "user_access_level",
         }
 
     def test_gitlab_publisher_computed_properties(self):
diff --git a/warehouse/oidc/models/gitlab.py b/warehouse/oidc/models/gitlab.py
index f119b2c3ba2b..c2d27ef10afe 100644
--- a/warehouse/oidc/models/gitlab.py
+++ b/warehouse/oidc/models/gitlab.py
@@ -119,6 +119,9 @@ class GitLabPublisherMixin:
     }
 
     __unchecked_claims__ = {
+        # We are not currently verifying project_id or namespace_id to protect against
+        # resurrection attacks: https://github.com/pypi/warehouse/issues/13575
+        "project_id",
         "namespace_id",
         "namespace_path",
         "user_id",
@@ -139,6 +142,7 @@ class GitLabPublisherMixin:
         "ci_config_sha",
         "project_visibility",
         "jti",
+        "user_access_level",
     }
 
     @staticmethod
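Review bot: The comment added above `"project_id"` in `__unchecked_claims__` (hunk `@@ -119,6 +119,9 @@` of `warehouse/oidc/models/gitlab.py`) reads as if leaving these claims unverified is what protects against resurrection attacks, when the linked issue presumably argues the opposite: the stable numeric ids are what would let the publisher survive a namespace or project being deleted and re-created under the same path, and they are simply not verified yet. I would reword it to something like `# project_id and namespace_id are not yet verified. Checking them (rather than only the` / `# path-based claims) would mitigate resurrection attacks, where a deleted project or` / `# namespace is re-created under the same path: https://github.com/pypi/warehouse/issues/13575`, so a reader does not mistake the current gap for a deliberate protection. The later hunk `@@ -139,6 +142,7 @@` adds `"user_access_level"` to the same set with no rationale; a one-line note such as `# informational only; not part of the publisher identity` would make the intent explicit. The enclosing `GitLabPublisherMixin` class and the `__unchecked_claims__` set both extend beyond the visible hunks.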