Launchpad itself

Merge ~cjwatson/launchpad:snap-build-macaroon-snap-base into launchpad:master

Proposed by Colin Watson on 2021-04-16

Status:	Merged
Approved by:	Colin Watson on 2021-04-19
Approved revision:	75a90a79f2d9e2f18dcf6dd26905324f7f832f48
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	~cjwatson/launchpad:snap-build-macaroon-snap-base
Merge into:	launchpad:master
Prerequisite:	~cjwatson/launchpad:macaroon-verifies-matcher
Diff against target:	90 lines (+21/-15) 3 files modified lib/lp/snappy/model/snapbase.py (+0/-5) lib/lp/snappy/model/snapbuild.py (+9/-3) lib/lp/snappy/tests/test_snapbuild.py (+12/-7)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ioana Lasc (community)		2021-04-16	Approve on 2021-04-19
Review via email: mp+401316@code.launchpad.net

Commit message

Allow snap-build macaroons to authorize SnapBase archive dependencies

Description of the change

Technically adding SnapBase archive dependencies on private archives won't quite work yet because nothing issues the relevant macaroons yet, but allowing it at this stage makes it much easier to write tests, and we're almost there anyway.

Revision history for this message

Ioana Lasc (ilasc) on 2021-04-19:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Launchpad Engineering

Christina A Reitbauer

Colin Watson

Edson_g2020_ubuntuone Gomes

Jordan

Kevin bush

Maximiliano Bertacchini

noômen

to status/vote changes:

asimbol83

 diff --git a/lib/lp/snappy/model/snapbase.py b/lib/lp/snappy/model/snapbase.py
 index 615c783..8916c61 100644
 --- a/lib/lp/snappy/model/snapbase.py
 +++ b/lib/lp/snappy/model/snapbase.py
@@ -105,11 +105,6 @@ class SnapBase(Storm):
          if archive_dependency is not None:
              raise ArchiveDependencyError(
                  "This dependency is already registered.")
--        # XXX cjwatson 2021-03-19: Relax this once we have a way to dispatch
--        # appropriate tokens for snap builds whose base has dependencies on
--        # private archives.
--        if dependency.private:
--            raise ArchiveDependencyError("This dependency is private.")
          if not dependency.enabled:
              raise ArchiveDependencyError("Dependencies must not be disabled.")
 diff --git a/lib/lp/snappy/model/snapbuild.py b/lib/lp/snappy/model/snapbuild.py
 index b742fae..76ccc0e 100644
 --- a/lib/lp/snappy/model/snapbuild.py
 +++ b/lib/lp/snappy/model/snapbuild.py
@@ -93,6 +93,7 @@ from lp.snappy.interfaces.snapbuild import (
+     )
  from lp.snappy.interfaces.snapbuildjob import ISnapStoreUploadJobSource
  from lp.snappy.mail.snapbuild import SnapBuildMailer
++from lp.snappy.model.snapbase import SnapBase
  from lp.snappy.model.snapbuildjob import (
      SnapBuildJob,
      SnapBuildJobType,
@@ -656,9 +657,9 @@ class SnapBuildMacaroonIssuer(MacaroonIssuerBase):
          """
          if not ISnapBuild.providedBy(context):
              raise BadMacaroonContext(context)
--        if not removeSecurityProxy(context).is_private:
--            raise BadMacaroonContext(
--                context, "Refusing to issue macaroon for public build.")
++        # We allow issuing macaroons for public builds.  It's harmless, and
++        # it allows using SnapBases that have archive dependencies on
++        # private PPAs.
          return removeSecurityProxy(context).id
      def checkVerificationContext(self, context, **kwargs):
@@ -712,6 +713,11 @@ class SnapBuildMacaroonIssuer(MacaroonIssuerBase):
                          Archive.id,
                          where=And(
                              ArchiveDependency.archive == Archive.id,
++                            ArchiveDependency.dependency == context))),
++                    SnapBuild.snap_base_id.is_in(Select(
++                        SnapBase.id,
++                        where=And(
++                            ArchiveDependency.snap_base == SnapBase.id,
                              ArchiveDependency.dependency == context)))))
          else:
              return False
 diff --git a/lib/lp/snappy/tests/test_snapbuild.py b/lib/lp/snappy/tests/test_snapbuild.py
 index 8887249..521cfca 100644
 --- a/lib/lp/snappy/tests/test_snapbuild.py
 +++ b/lib/lp/snappy/tests/test_snapbuild.py
@@ -902,13 +902,6 @@ class TestSnapBuildMacaroonIssuer(MacaroonTestMixin, TestCaseWithFactory):
          self.pushConfig(
              "launchpad", internal_macaroon_secret_key="some-secret")
--    def test_issueMacaroon_refuses_public_snap(self):
--        build = self.factory.makeSnapBuild()
--        issuer = getUtility(IMacaroonIssuer, "snap-build")
--        self.assertRaises(
--            BadMacaroonContext, removeSecurityProxy(issuer).issueMacaroon,
--            build)
--
      def test_issueMacaroon_good(self):
          build = self.factory.makeSnapBuild(
              snap=self.factory.makeSnap(private=True))
@@ -972,6 +965,18 @@ class TestSnapBuildMacaroonIssuer(MacaroonTestMixin, TestCaseWithFactory):
          macaroon = issuer.issueMacaroon(build)
          self.assertMacaroonVerifies(issuer, macaroon, dependency)
++    def test_verifyMacaroon_good_snap_base_archive(self):
++        snap_base = self.factory.makeSnapBase()
++        dependency = self.factory.makeArchive(private=True)
++        snap_base.addArchiveDependency(
++            dependency, PackagePublishingPocket.RELEASE)
++        build = self.factory.makeSnapBuild(snap_base=snap_base)
++        build.updateStatus(BuildStatus.BUILDING)
++        issuer = removeSecurityProxy(
++            getUtility(IMacaroonIssuer, "snap-build"))
++        macaroon = issuer.issueMacaroon(build)
++        self.assertMacaroonVerifies(issuer, macaroon, dependency)
++
      def test_verifyMacaroon_good_no_context(self):
          [ref] = self.factory.makeGitRefs(
              information_type=InformationType.USERDATA)