Merge lp:~twom/canonical-identity-provider/unexpiring-discharge-macaroon into lp:canonical-identity-provider/release
Proposed by: Tom Wardill
Status: | Merged |
---|---|
Approved by: | Tom Wardill |
Approved revision: | no longer in the source branch. |
Merge reported by: | Otto Co-Pilot |
Merged at revision: | not available |
Proposed branch: | lp:~twom/canonical-identity-provider/unexpiring-discharge-macaroon |
Merge into: | lp:canonical-identity-provider/release |
Diff against target: | 225 lines (+95/-55), 3 files modified: django_project/settings_base.py (+0/-1), src/identityprovider/auth.py (+4/-5), src/identityprovider/tests/test_auth.py (+91/-49) |
To merge this branch: | bzr merge lp:~twom/canonical-identity-provider/unexpiring-discharge-macaroon |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Colin Watson (community) | Approve | ||
Review via email: mp+359240@code.launchpad.net |
Commit message
Remove the expiry caveat from the discharge macaroon.
Description of the change
Expiry is now handled by the root macaroons of snapauth and SCA, so remove it from SSO. This allows the other services to control their own expiry.
I think you should also replace the 'expires' tests in BuildMacaroonFromRootDischargeTestCase.test_proper_discharging and BuildMacaroonDischargeTestCase.test_proper_discharging with tests that the 'expires' caveat is absent (perhaps just "return False" in the checker function if you encounter one of those). When you've done that, it should also be possible to remove MACAROON_TTL from django_project/settings_base.py.
This can't be landed until the corresponding SCA and snapauth changes are on production, and I'd suggest waiting a week or two after that for safety.
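The absence check suggested in the review above, as an added example that is not part of the merge proposal or the project's code: a verifier whose caveat checker returns False on any 'expires' caveat, so a discharge that still carries one fails verification. It uses a simplified standard-library HMAC chain with first-party caveats only (no third-party binding and not the project's macaroon library); the caveat layout `<service>|<name>|<value>`, the `sso.example` service name, the `account` caveat and all keys and values are assumptions constructed for the illustration.

```python
import hashlib
import hmac

# Assumed caveat layout "<service>|<name>|<value>"; the page does not give it.
SERVICE = "sso.example"  # hypothetical service identifier


def _chain(sig, data):
    return hmac.new(sig, data.encode(), hashlib.sha256).digest()


def mint(key, identifier, caveats):
    """Build a simplified macaroon: each caveat re-keys the HMAC chain."""
    sig = _chain(key, identifier)
    for caveat in caveats:
        sig = _chain(sig, caveat)
    return {"identifier": identifier, "caveats": list(caveats), "signature": sig}


def check_caveat(caveat):
    """Checker in the style the review suggests: an 'expires' caveat fails."""
    parts = caveat.split("|", 2)
    if len(parts) != 3 or parts[0] != SERVICE:
        return False  # unknown caveats are rejected, not ignored
    name, value = parts[1], parts[2]
    if name == "expires":
        return False  # the discharge must no longer carry an expiry
    if name == "account":  # hypothetical caveat used for the sample data
        return value != ""
    return False


def verify(key, macaroon):
    """Recompute the signature chain, then run the checker on every caveat."""
    sig = _chain(key, macaroon["identifier"])
    for caveat in macaroon["caveats"]:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, macaroon["signature"]):
        return False
    return all(check_caveat(c) for c in macaroon["caveats"])


# Constructed sample data, not taken from the project.
KEY = b"constructed-test-key"
new_style = mint(KEY, "discharge-1", [SERVICE + "|account|alice"])
old_style = mint(KEY, "discharge-2", [SERVICE + "|account|alice",
                                      SERVICE + "|expires|2018-12-01T00:00:00"])
```

Stripping the 'expires' caveat from an already minted macaroon does not make it pass: the signature chain no longer matches, so verification fails before the checker runs.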