Ensure new add-on submissions with a reserved GUID are already signed with privileged certificate (#18707)

src/olympia/devhub/tests/test_views.py

@@ -1517,7 +1517,25 @@ class TestUploadDetail(UploadMixin, TestCase):
         ]
 
     @mock.patch('olympia.devhub.tasks.run_addons_linter')
-    def test_restricted_addon_allowed(self, run_addons_linter_mock):
+    def test_restricted_guid_addon_allowed_because_signed_and_has_permission(
+        self, run_addons_linter_mock
+    ):
+        user = user_factory()
+        self.grant_permission(user, 'SystemAddon:Submit')
+        assert self.client.login(email=user.email)
+        run_addons_linter_mock.return_value = self.validation_ok()
+        self.upload_file('../../../files/fixtures/files/mozilla_guid_signed.xpi')
+        upload = FileUpload.objects.get()
+        response = self.client.get(
+            reverse('devhub.upload_detail', args=[upload.uuid.hex, 'json'])
+        )
+        data = json.loads(force_str(response.content))
+        assert data['validation']['messages'] == []
+
+    @mock.patch('olympia.devhub.tasks.run_addons_linter')
+    def test_restricted_guid_addon_not_allowed_because_not_signed(
+        self, run_addons_linter_mock
+    ):
         user = user_factory()
         self.grant_permission(user, 'SystemAddon:Submit')
         assert self.client.login(email=user.email)
@@ -1528,12 +1546,22 @@ class TestUploadDetail(UploadMixin, TestCase):
             reverse('devhub.upload_detail', args=[upload.uuid.hex, 'json'])
         )
         data = json.loads(force_str(response.content))
-        assert data['validation']['messages'] == []
+        assert data['validation']['messages'] == [
+            {
+                'tier': 1,
+                'message': (
+                    'Add-ons using an ID ending with this suffix need to be signed '
+                    'with privileged certificate before being submitted'
+                ),
+                'fatal': True,
+                'type': 'error',
+            }
+        ]
 
     @mock.patch('olympia.devhub.tasks.run_addons_linter')
-    def test_restricted_addon_not_allowed(self, run_addons_linter_mock):
-        user_factory(email='redpanda@mozilla.com')
-        assert self.client.login(email='redpanda@mozilla.com')
+    def test_restricted_guid_addon_not_allowed(self, run_addons_linter_mock):
+        user = user_factory()
+        assert self.client.login(email=user.email)
         run_addons_linter_mock.return_value = self.validation_ok()
         self.upload_file('../../../files/fixtures/files/mozilla_guid.xpi')
         upload = FileUpload.objects.get()

src/olympia/files/utils.py

@@ -923,6 +923,19 @@ def check_xpi_info(xpi_info, addon=None, xpi_file=None, user=None):
             gettext('You cannot submit a Mozilla Signed Extension')
         )
 
+    if (
+        not addon
+        and guid
+        and guid.lower().endswith(amo.RESERVED_ADDON_GUIDS)
+        and not xpi_info.get('is_mozilla_signed_extension')
+    ):
+        raise forms.ValidationError(
+            gettext(
+                'Add-ons using an ID ending with this suffix need to be signed with '
+                'privileged certificate before being submitted'
+            )
+        )
+
     if not acl.langpack_submission_allowed(user, xpi_info):
         raise forms.ValidationError(gettext('You cannot submit a language pack'))
 

src/olympia/signing/tests/test_views.py

@@ -332,7 +332,7 @@ class TestUploadVersion(BaseUploadVersionTestMixin, TestCase):
             'You cannot submit a Mozilla Signed Extension'
         )
 
-    def test_system_addon_allowed(self):
+    def test_restricted_guid_addon_allowed_because_signed_and_has_permission(self):
         guid = 'systemaddon@mozilla.org'
         self.grant_permission(self.user, 'SystemAddon:Submit')
         qs = Addon.unfiltered.filter(guid=guid)
@@ -341,7 +341,7 @@ class TestUploadVersion(BaseUploadVersionTestMixin, TestCase):
             'PUT',
             guid=guid,
             version='0.0.1',
-            filename='src/olympia/files/fixtures/files/mozilla_guid.xpi',
+            filename='src/olympia/files/fixtures/files/mozilla_guid_signed.xpi',
         )
         assert response.status_code == 201
         assert qs.exists()
@@ -352,7 +352,24 @@ class TestUploadVersion(BaseUploadVersionTestMixin, TestCase):
         assert latest_version
         assert latest_version.channel == amo.RELEASE_CHANNEL_UNLISTED
 
-    def test_restricted_addon_not_allowed(self):
+    def test_restricted_guid_addon_not_allowed_because_not_signed(self):
+        guid = 'systemaddon@mozilla.org'
+        self.grant_permission(self.user, 'SystemAddon:Submit')
+        qs = Addon.unfiltered.filter(guid=guid)
+        assert not qs.exists()
+        response = self.request(
+            'PUT',
+            guid=guid,
+            version='0.0.1',
+            filename='src/olympia/files/fixtures/files/mozilla_guid.xpi',
+        )
+        assert response.status_code == 400
+        assert response.data['error'] == (
+            'Add-ons using an ID ending with this suffix need to be signed with '
+            'privileged certificate before being submitted'
+        )
+
+    def test_restricted_guid_addon_not_allowed_because_lacking_permission(self):
         guid = 'systemaddon@mozilla.com'
         qs = Addon.unfiltered.filter(guid=guid)
         assert not qs.exists()
@@ -367,7 +384,7 @@ class TestUploadVersion(BaseUploadVersionTestMixin, TestCase):
             'You cannot submit an add-on using an ID ending with this suffix'
         )
 
-    def test_restricted_addon_update_allowed(self):
+    def test_restricted_guid_addon_update_allowed(self):
         """Updates to restricted IDs are allowed from anyone."""
         guid = 'systemaddon@mozilla.org'
         self.user.update(email='pinkpanda@notzilla.com')