autopkgtest-cloud

Merge ~andersson123/autopkgtest-cloud:api-key-howto into autopkgtest-cloud:master

  1. Git
  2. lp:~andersson123/autopkgtest-cloud
  3. api-key-howto
  4. Merge into master
Proposed by Tim Andersson
Status: Merged
Merged at revision: 1784b6ec96ca663dc19e5dd813b99c13cf3b6f23
Proposed branch: ~andersson123/autopkgtest-cloud:api-key-howto
Merge into: autopkgtest-cloud:master
Diff against target: 63 lines (+50/-2)
1 file modified
docs/administration.rst (+50/-2)
Reviewer Review Type Date Requested Status
Skia Approve
Review via email: mp+469839@code.launchpad.net

Commit message

docs: detail how to create an API key

Currently, the docs only mention **how** an individual can use an API
key - there is no mention or guideline regarding how an admin should
create an API key for a requested user, group or bot.

This commit amends the issue by adding a new section which details how
an `autopkgtest-cloud` admin should create an API key.

Description of the change

Adds more detail to the documentation regarding how an autopkgtest admin should create API keys.

To post a comment you must log in.
Revision history for this message
Tim Andersson (andersson123) wrote :

I will look into other solutions for generating high enough entropy tokens - uuid isn't necessarily suited to be used as an API key, so some investigation is warranted

Revision history for this message
Skia (hyask) wrote :

As we discussed, I made a few research, and this [1] seems to indicate that UUID might not be the best solution.

[1]: https://security.stackexchange.com/questions/157270/using-v4-uuid-for-authentication

Revision history for this message
Skia (hyask) wrote :

Good for me! :-)

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/docs/administration.rst b/docs/administration.rst
2index 6040a9c..39c01c6 100644
3--- a/docs/administration.rst
4+++ b/docs/administration.rst
5@@ -222,8 +222,56 @@ Once those steps are done then the rows can be deleted from the database.
6 * ``sqlite3 -header -column autopkgtest.db "DELETE FROM test WHERE test.release='impish';"``
7 * ``sqlite3 -header -column autopkgtest.db "vacuum;"``
8
9-API Key Integration
10--------------------
11+Creating a new API key
12+----------------------
13+
14+API keys exist on the web workers with the following format:
15+
16+.. code-block:: bash
17+
18+ {"username": "api-key", "username": "api-key"}
19+
20+And so on and so forth. The ``username`` should be the launchpad username of the individual who is
21+requesting an API key. This is not strict, however, and could potentially be anything, as long as the user
22+attaches their API key using the correct name as provided by the Ubuntu Release Management Team. It just makes
23+the most sense to just use launchpad usernames.
24+
25+The ``username`` can also potentially be a name to refer to a group of individuals sharing the same key, or a bot.
26+
27+The convention to create API keys has thus far been the following, utilising uuid4:
28+
29+.. code-block:: bash
30+
31+ python3 -c 'import uuid; print(uuid.uuid4())'
32+
33+We use python's uuid4 from the uuid library because:
34+
35+- uuid4 is generally accepted as having the strongest guarantee of uniqueness and security out of all the uuid methods.
36+- uuid4 isn't guaranteed in the documentation to be cryptographically secure, however, it utilises urandom (https://docs.python.org/3/library/os.html#os.urandom), which is declared as suitable for cryptographic use.
37+
38+DO NOT use a uuid4 function from another source - the python implementation is guaranteed to use a
39+cryptographically secure random string generator, so for ``autopkgtest-cloud`` API tokens just use
40+what's detailed above. Other implementations may waver from this.
41+
42+Once the ``uuid`` for the api key has been created, add it to:
43+
44+.. code-block:: bash
45+
46+ /home/$STAGE-proposed-migration-environment/.local/share/mojo/LOCAL/mojo-$STAGE-proposed-migration/production/external-web-requests-api-keys.json
47+
48+Where ``$STAGE`` is either ``prod`` or ``stg``.
49+
50+After this, do a ``mojo run`` to deploy the altered file.
51+
52+Alternatively, if a ``mojo run`` is for some reason, undesirable at the time, one can also directly add the new api key to the following file on the web units:
53+
54+``/home/ubuntu/external-web-requests-api-keys.json``
55+
56+The api keys are loaded for each request, so there's no need to restart ``apache2``.
57+
58+
59+Using API Keys
60+--------------
61
62 Requests can be requested by using an API key instead of authenticating using SSO.
63 To do so, attach a cookie to whatever script is making the test request, with the name

Subscribers

People subscribed via source and target branches