Launchpad itself

 === modified file 'lib/lp/code/interfaces/gitrepository.py'
 --- lib/lp/code/interfaces/gitrepository.py	2019-04-01 10:09:31 +0000
 +++ lib/lp/code/interfaces/gitrepository.py	2019-05-11 11:18:34 +0000
@@ -1,4 +1,4 @@
--# Copyright 2015-2018 Canonical Ltd.  This software is licensed under the
++# Copyright 2015-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Git repository interfaces."""
@@ -651,6 +651,22 @@
          :return: A `ResultSet` of `IGitActivity`.
          """
++    @export_write_operation()
++    @operation_for_version("devel")
++    def issueAccessToken():
++        """Issue an access token for this repository.
++
++        Access tokens can be used to push to this repository over HTTPS.
++        They are only valid for a single repository, and have a short expiry
++        period (currently one week), so at the moment they are only suitable
++        in some limited situations.
++
++        This interface is experimental, and may be changed or removed
++        without notice.
++
++        :return: A serialised macaroon.
++        """
++
  class IGitRepositoryModerateAttributes(Interface):
      """IGitRepository attributes that can be edited by more than one community.
 === modified file 'lib/lp/code/model/gitrepository.py'
 --- lib/lp/code/model/gitrepository.py	2019-05-03 13:18:52 +0000
 +++ lib/lp/code/model/gitrepository.py	2019-05-11 11:18:34 +0000
@@ -1428,6 +1428,20 @@
          return DecoratedResultSet(
              results, pre_iter_hook=preloadDataForActivities)
++    def issueAccessToken(self):
++        """See `IGitRepository`."""
++        issuer = getUtility(IMacaroonIssuer, "git-repository")
++        # It's more usual in model code to pass the user as an argument,
++        # e.g. using @call_with(user=REQUEST_USER) in the webservice
++        # interface.  However, in this case that would allow anyone who
++        # constructs a way to call this method not via the webservice to
++        # issue a token for any user, which seems like a bad idea.
++        user = getUtility(ILaunchBag).user
++        # Our security adapter has already done the checks we need, apart
++        # from forbidding anonymous users which is done by the issuer.
++        return removeSecurityProxy(issuer).issueMacaroon(
++            self, user=user).serialize()
++
      def canBeDeleted(self):
          """See `IGitRepository`."""
          # Can't delete if the repository is associated with anything.
 === modified file 'lib/lp/code/model/tests/test_gitrepository.py'
 --- lib/lp/code/model/tests/test_gitrepository.py	2019-05-03 13:18:52 +0000
 +++ lib/lp/code/model/tests/test_gitrepository.py	2019-05-11 11:18:34 +0000
@@ -34,6 +34,7 @@
      MatchesListwise,
      MatchesSetwise,
      MatchesStructure,
++    StartsWith,
+     )
  import transaction
  from zope.component import getUtility
@@ -158,6 +159,7 @@
      api_url,
      celebrity_logged_in,
      login_person,
++    logout,
      person_logged_in,
      record_two_runs,
      TestCaseWithFactory,
@@ -174,7 +176,10 @@
      DoesNotSnapshot,
      HasQueryCount,
+     )
--from lp.testing.pages import webservice_for_person
++from lp.testing.pages import (
++    LaunchpadWebServiceCaller,
++    webservice_for_person,
++    )
  from lp.xmlrpc import faults
  from lp.xmlrpc.interfaces import IPrivateApplication
@@ -3909,6 +3914,50 @@
              "refs/other": Equals([]),
              }))
++    def test_issueAccessToken(self):
++        # A user can request an access token via the webservice API.
++        self.pushConfig("codehosting", git_macaroon_secret_key="some-secret")
++        repository = self.factory.makeGitRepository()
++        # Write access to the repository isn't checked at this stage
++        # (although the access token will only be useful if the user has
++        # some kind of write access).
++        requester = self.factory.makePerson()
++        with person_logged_in(requester):
++            repository_url = api_url(repository)
++        webservice = webservice_for_person(
++            requester, permission=OAuthPermission.WRITE_PUBLIC)
++        webservice.default_api_version = "devel"
++        response = webservice.named_post(repository_url, "issueAccessToken")
++        self.assertEqual(200, response.status)
++        macaroon = Macaroon.deserialize(json.loads(response.body))
++        with person_logged_in(ANONYMOUS):
++            self.assertThat(macaroon, MatchesStructure(
++                location=Equals(config.vhost.mainsite.hostname),
++                identifier=Equals("git-repository"),
++                caveats=MatchesListwise([
++                    MatchesStructure.byEquality(
++                        caveat_id="lp.git-repository %s" % repository.id),
++                    MatchesStructure(
++                        caveat_id=StartsWith(
++                            "lp.principal.openid-identifier ")),
++                    MatchesStructure(caveat_id=StartsWith("lp.expires ")),
++                    ])))
++
++    def test_issueAccessToken_anonymous(self):
++        # An anonymous user cannot request an access token via the
++        # webservice API.
++        repository = self.factory.makeGitRepository()
++        with person_logged_in(repository.owner):
++            repository_url = api_url(repository)
++        logout()
++        webservice = LaunchpadWebServiceCaller()
++        webservice.default_api_version = "devel"
++        response = webservice.named_post(repository_url, "issueAccessToken")
++        self.assertEqual(401, response.status)
++        self.assertEqual(
++            "git-repository macaroons may only be issued for a logged-in "
++            "user.", response.body)
++
  class TestGitRepositoryMacaroonIssuer(MacaroonTestMixin, TestCaseWithFactory):
      """Test GitRepository macaroon issuing and verification."""