Merge lp:~cjwatson/launchpad/git-repository-macaroon-secret-key into lp:launchpad

Proposed by Colin Watson
Status: Merged
Merged at revision: 18958
Proposed branch: lp:~cjwatson/launchpad/git-repository-macaroon-secret-key
Merge into: lp:launchpad
Diff against target: 46 lines (+12/-2)
3 files modified
lib/lp/code/model/gitrepository.py (+8/-0)
lib/lp/code/model/tests/test_gitrepository.py (+1/-2)
lib/lp/services/config/schema-lazr.conf (+3/-0)
To merge this branch: bzr merge lp:~cjwatson/launchpad/git-repository-macaroon-secret-key
Reviewer: William Grant
Review type: code
Review status: Approve
Review via email: mp+366918@code.launchpad.net

Commit message

Use a different secret key for Git access tokens.

Description of the change

When I set up launchpad.internal_macaroon_secret_key I'd intended that it only be used for macaroons passed around between Launchpad components for their own purposes, and not for ones issued to users since we might need to rotate that key on a different schedule. I forgot about that when writing the GitRepository macaroon issuer.

We'll have to get an appropriate key configured on the appservers after landing this and before making use of this key.

William Grant (wgrant) :
review: Approve (code)

Preview Diff

1=== modified file 'lib/lp/code/model/gitrepository.py'
2--- lib/lp/code/model/gitrepository.py 2019-05-01 16:31:20 +0000
3+++ lib/lp/code/model/gitrepository.py 2019-05-03 13:26:10 +0000
4@@ -1787,6 +1787,14 @@
5 "lp.expires": self.verifyExpires,
6 }
7
8+ @property
9+ def _root_secret(self):
10+ secret = config.codehosting.git_macaroon_secret_key
11+ if not secret:
12+ raise RuntimeError(
13+ "codehosting.git_macaroon_secret_key not configured.")
14+ return secret
15+
16 def checkIssuingContext(self, context, user=None, **kwargs):
17 """See `MacaroonIssuerBase`.
18
19
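Review bot: The `if not secret` check in `_root_secret` only rejects an unset or empty value, so an appserver configured with the same value as launchpad.internal_macaroon_secret_key passes silently and the two keys remain coupled for rotation. A docstring on the property stating that this key signs macaroons issued to users, and that it is meant to differ from the internal key, would put the intent from the description into the code. If a hard check is wanted, comparing the two config values here and raising on equality would enforce it.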
20=== modified file 'lib/lp/code/model/tests/test_gitrepository.py'
21--- lib/lp/code/model/tests/test_gitrepository.py 2019-05-01 15:59:02 +0000
22+++ lib/lp/code/model/tests/test_gitrepository.py 2019-05-03 13:26:10 +0000
23@@ -3917,8 +3917,7 @@
24
25 def setUp(self):
26 super(TestGitRepositoryMacaroonIssuer, self).setUp()
27- self.pushConfig(
28- "launchpad", internal_macaroon_secret_key="some-secret")
29+ self.pushConfig("codehosting", git_macaroon_secret_key="some-secret")
30
31 def test_issueMacaroon_refuses_branch(self):
32 branch = self.factory.makeAnyBranch()
33
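Review bot: setUp now always pushes codehosting.git_macaroon_secret_key, so nothing in this test change exercises the new RuntimeError path for an unconfigured key. Consider a test case that does not push the key and asserts that issuing a macaroon raises RuntimeError, and one that sets only launchpad.internal_macaroon_secret_key to confirm the Git issuer no longer falls back to it.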
34=== modified file 'lib/lp/services/config/schema-lazr.conf'
35--- lib/lp/services/config/schema-lazr.conf 2019-04-27 08:35:51 +0000
36+++ lib/lp/services/config/schema-lazr.conf 2019-05-03 13:26:10 +0000
37@@ -386,6 +386,9 @@
38 # Git commit metadata.
39 related_bugs_from_source_limit: 1000
40
41+# Secret key for Git access tokens issued to Launchpad users.
42+git_macaroon_secret_key: none
43+
44
45 [codeimport]
46 # Where the Bazaar imports are stored.
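Review bot: The comment above `git_macaroon_secret_key: none` does not say that the default leaves the issuer unusable; with no value set, `_root_secret` raises RuntimeError. Suggest extending the comment to state that the key must be configured before Git access tokens can be issued or verified, and that it should be distinct from launchpad.internal_macaroon_secret_key so the two can be rotated on different schedules.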