From 5587c729a812c218ae9818e3ff5a8a5b22ddaddb Mon Sep 17 00:00:00 2001
From: Dustin Ingram
Date: Fri, 12 Jan 2024 17:54:21 -0500
Subject: [PATCH] The _check_sub verifier should check if empty (#15203)
---
 tests/unit/oidc/models/test_google.py | 2 +-
 warehouse/oidc/models/google.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/oidc/models/test_google.py b/tests/unit/oidc/models/test_google.py
index 0f708db1fd91..a9f31ff36862 100644
--- a/tests/unit/oidc/models/test_google.py
+++ b/tests/unit/oidc/models/test_google.py
@@ -159,7 +159,7 @@ def test_google_publisher_email_verified(self, email_verified, valid):
 ("fakesubject", "fakesubject", True),
 ("fakesubject", "wrongsubject", False),
 # Publisher configured without subject: any subject is acceptable.
- (None, "anysubject", True),
+ ("", "anysubject", True),
 # Publisher configured with subject, none provided: must fail.
 ("fakesubject", None, False),
 ],
diff --git a/warehouse/oidc/models/google.py b/warehouse/oidc/models/google.py
index 26cdd27750c2..362a9e9edd4d 100644
--- a/warehouse/oidc/models/google.py
+++ b/warehouse/oidc/models/google.py
@@ -31,7 +31,7 @@ def _check_sub(
 ) -> bool:
 # If we haven't set a subject for the publisher, we don't need to check
 # this claim.
- if ground_truth is None:
+ if ground_truth == "":
 return True
 # Defensive: Google should never send us an empty or null subject, but
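Review bot: The `None` ground-truth row in the parametrize list is replaced rather than kept next to the new `("", "anysubject", True),` row, so no visible test pins what `_check_sub` does when the configured subject is `None`. The branch under test skips the subject comparison altogether, so I would keep both inputs covered: the `""` row as added, plus a `None` row asserting whichever outcome the verifier is meant to give. That way a later edit cannot widen the skip condition unnoticed. The list starts before this hunk, so an earlier row may already cover it.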
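Review bot: The comment above `if ground_truth == "":` still says only that no subject was set, and does not record that the empty string is the stored sentinel for that state. This early return accepts any `sub` claim, so the exact trigger deserves to be spelled out, for example `# An unset subject is stored as "" (not None); only that exact value skips the sub check.` The rest of `_check_sub` lies outside the hunk, so how other falsy values are handled after this branch is not visible here and should be confirmed.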