Launchpad itself

Merge ~cjwatson/launchpad:archive-translate-path-private-urls into launchpad:master

Proposed by Colin Watson on 2022-10-14

Status:	Merged
Approved by:	Colin Watson on 2022-10-14
Approved revision:	006491f5932a6cf82ecc2c8251105427d71b596a
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	~cjwatson/launchpad:archive-translate-path-private-urls
Merge into:	launchpad:master
Diff against target:	183 lines (+118/-4) 2 files modified lib/lp/soyuz/xmlrpc/archive.py (+3/-3) lib/lp/soyuz/xmlrpc/tests/test_archive.py (+115/-1)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Andrey Fedoseev (community)		2022-10-14	Approve on 2022-10-14
Review via email: mp+431535@code.launchpad.net

Commit message

Include tokens in URLs returned by ArchiveAPI.translatePath

Description of the change

Files in the restricted librarian can only be accessed with some kind of authentication token, either a `TimeLimitedToken` or a macaroon; without adding something like that to the URLs returned by `ArchiveAPI.translatePath`, there's no way to use it to access files in private PPAs. Macaroons don't offer any advantages in this case since we can't constrain them in any interesting way, but a simple `TimeLimitedToken` is fine.

Revision history for this message

Andrey Fedoseev (andrey-fedoseev) on 2022-10-14:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Launchpad Engineering

Christina A Reitbauer

Colin Watson

Edson_g2020_ubuntuone Gomes

Jordan

Kevin bush

Maximiliano Bertacchini

noômen

to status/vote changes:

asimbol83

 diff --git a/lib/lp/soyuz/xmlrpc/archive.py b/lib/lp/soyuz/xmlrpc/archive.py
 index a23b7fa..c0e7b25 100644
 --- a/lib/lp/soyuz/xmlrpc/archive.py
 +++ b/lib/lp/soyuz/xmlrpc/archive.py
@@ -144,7 +144,7 @@ class ArchiveAPI(LaunchpadXMLRPCView):
              path.as_posix(),
              archive_file.library_file.id,
+         )
--        return archive_file.library_file.getURL()
++        return archive_file.library_file.getURL(include_token=True)
      def _translatePathNonPool(
          self, archive_reference: str, archive, path: PurePath
@@ -163,7 +163,7 @@ class ArchiveAPI(LaunchpadXMLRPCView):
              path.as_posix(),
              archive_file.library_file.id,
+         )
--        return archive_file.library_file.getURL()
++        return archive_file.library_file.getURL(include_token=True)
      def _translatePathPool(
          self, archive_reference: str, archive, path: PurePath
@@ -178,7 +178,7 @@ class ArchiveAPI(LaunchpadXMLRPCView):
              path.as_posix(),
              lfa.id,
+         )
--        return lfa.getURL()
++        return lfa.getURL(include_token=True)
      @return_fault
      def _translatePath(self, archive_reference: str, path: PurePath) -> str:
 diff --git a/lib/lp/soyuz/xmlrpc/tests/test_archive.py b/lib/lp/soyuz/xmlrpc/tests/test_archive.py
 index cdb7d7d..c8ba612 100644
 --- a/lib/lp/soyuz/xmlrpc/tests/test_archive.py
 +++ b/lib/lp/soyuz/xmlrpc/tests/test_archive.py
@@ -14,7 +14,7 @@ from lp.services.macaroons.interfaces import IMacaroonIssuer
  from lp.soyuz.enums import ArchiveRepositoryFormat, PackagePublishingStatus
  from lp.soyuz.interfaces.archive import NAMED_AUTH_TOKEN_FEATURE_FLAG
  from lp.soyuz.xmlrpc.archive import ArchiveAPI
--from lp.testing import TestCaseWithFactory
++from lp.testing import TestCaseWithFactory, person_logged_in
  from lp.testing.layers import LaunchpadFunctionalLayer
  from lp.xmlrpc import faults
@@ -324,6 +324,31 @@ class TestArchiveAPI(TestCaseWithFactory):
              % (archive.reference, path, archive_file.library_file.id)
+         )
++    def test_translatePath_by_hash_checksum_found_private(self):
++        archive = removeSecurityProxy(self.factory.makeArchive(private=True))
++        self.factory.makeArchiveFile(
++            archive=archive,
++            container="release:jammy",
++            path="dists/jammy/InRelease",
++        )
++        archive_file = self.factory.makeArchiveFile(
++            archive=archive,
++            container="release:jammy",
++            path="dists/jammy/InRelease",
++        )
++        path = (
++            "dists/jammy/by-hash/SHA256/%s"
++            % archive_file.library_file.content.sha256
++        )
++        self.assertStartsWith(
++            archive_file.library_file.getURL() + "?token=",
++            self.archive_api.translatePath(archive.reference, path),
++        )
++        self.assertLogs(
++            "%s: %s (by-hash) -> LFA %d"
++            % (archive.reference, path, archive_file.library_file.id)
++        )
++
      def test_translatePath_non_pool_not_found(self):
          archive = removeSecurityProxy(self.factory.makeArchive())
          self.factory.makeArchiveFile(archive=archive)
@@ -354,6 +379,25 @@ class TestArchiveAPI(TestCaseWithFactory):
+             )
+         )
++    def test_translatePath_non_pool_found_private(self):
++        archive = removeSecurityProxy(self.factory.makeArchive(private=True))
++        self.factory.makeArchiveFile(archive=archive)
++        archive_file = self.factory.makeArchiveFile(archive=archive)
++        self.assertStartsWith(
++            archive_file.library_file.getURL() + "?token=",
++            self.archive_api.translatePath(
++                archive.reference, archive_file.path
++            ),
++        )
++        self.assertLogs(
++            "%s: %s (non-pool) -> LFA %d"
++            % (
++                archive.reference,
++                archive_file.path,
++                archive_file.library_file.id,
++            )
++        )
++
      def test_translatePath_pool_bad_file_name(self):
          archive = removeSecurityProxy(self.factory.makeArchive())
          path = "pool/nonexistent"
@@ -413,6 +457,38 @@ class TestArchiveAPI(TestCaseWithFactory):
              % (archive.reference, path, sprf.libraryfile.id)
+         )
++    def test_translatePath_pool_source_found_private(self):
++        archive = removeSecurityProxy(self.factory.makeArchive(private=True))
++        with person_logged_in(archive.owner):
++            spph = self.factory.makeSourcePackagePublishingHistory(
++                archive=archive,
++                status=PackagePublishingStatus.PUBLISHED,
++                sourcepackagename="test-package",
++                component="main",
++            )
++            sprf = self.factory.makeSourcePackageReleaseFile(
++                sourcepackagerelease=spph.sourcepackagerelease,
++                library_file=self.factory.makeLibraryFileAlias(
++                    filename="test-package_1.dsc", db_only=True
++                ),
++            )
++            self.factory.makeSourcePackageReleaseFile(
++                sourcepackagerelease=spph.sourcepackagerelease,
++                library_file=self.factory.makeLibraryFileAlias(
++                    filename="test-package_1.tar.xz", db_only=True
++                ),
++            )
++            IStore(sprf).flush()
++        path = "pool/main/t/test-package/test-package_1.dsc"
++        self.assertStartsWith(
++            sprf.libraryfile.getURL() + "?token=",
++            self.archive_api.translatePath(archive.reference, path),
++        )
++        self.assertLogs(
++            "%s: %s (pool) -> LFA %d"
++            % (archive.reference, path, sprf.libraryfile.id)
++        )
++
      def test_translatePath_pool_binary_not_found(self):
          archive = removeSecurityProxy(self.factory.makeArchive())
          self.factory.makeBinaryPackagePublishingHistory(
@@ -466,3 +542,41 @@ class TestArchiveAPI(TestCaseWithFactory):
              "%s: %s (pool) -> LFA %d"
              % (archive.reference, path, bpf.libraryfile.id)
+         )
++
++    def test_translatePath_pool_binary_found_private(self):
++        archive = removeSecurityProxy(self.factory.makeArchive(private=True))
++        with person_logged_in(archive.owner):
++            bpph = self.factory.makeBinaryPackagePublishingHistory(
++                archive=archive,
++                status=PackagePublishingStatus.PUBLISHED,
++                sourcepackagename="test-package",
++                component="main",
++            )
++            bpf = self.factory.makeBinaryPackageFile(
++                binarypackagerelease=bpph.binarypackagerelease,
++                library_file=self.factory.makeLibraryFileAlias(
++                    filename="test-package_1_amd64.deb", db_only=True
++                ),
++            )
++            bpph2 = self.factory.makeBinaryPackagePublishingHistory(
++                archive=archive,
++                status=PackagePublishingStatus.PUBLISHED,
++                sourcepackagename="test-package",
++                component="main",
++            )
++            self.factory.makeBinaryPackageFile(
++                binarypackagerelease=bpph2.binarypackagerelease,
++                library_file=self.factory.makeLibraryFileAlias(
++                    filename="test-package_1_i386.deb", db_only=True
++                ),
++            )
++            IStore(bpf).flush()
++        path = "pool/main/t/test-package/test-package_1_amd64.deb"
++        self.assertStartsWith(
++            bpf.libraryfile.getURL() + "?token=",
++            self.archive_api.translatePath(archive.reference, path),
++        )
++        self.assertLogs(
++            "%s: %s (pool) -> LFA %d"
++            % (archive.reference, path, bpf.libraryfile.id)
++        )