Launchpad itself

Merge lp:~cjwatson/launchpad/librarian-accept-macaroon into lp:launchpad

librarian-accept-macaroon
Merge into devel

Proposed by Colin Watson on 2018-05-04

Status:	Merged
Merged at revision:	18937
Proposed branch:	lp:~cjwatson/launchpad/librarian-accept-macaroon
Merge into:	lp:launchpad
Diff against target:	1300 lines (+658/-107) 18 files modified configs/development/launchpad-lazr.conf (+2/-1) configs/testrunner-appserver/launchpad-lazr.conf (+1/-3) lib/lp/code/model/codeimportjob.py (+8/-2) lib/lp/code/model/tests/test_codeimportjob.py (+9/-2) lib/lp/code/xmlrpc/git.py (+2/-0) lib/lp/code/xmlrpc/tests/test_git.py (+10/-5) lib/lp/codehosting/codeimport/tests/test_workermonitor.py (+2/-2) lib/lp/services/authserver/interfaces.py (+3/-1) lib/lp/services/authserver/tests/test_authserver.py (+47/-13) lib/lp/services/authserver/xmlrpc.py (+17/-3) lib/lp/services/config/schema-lazr.conf (+15/-0) lib/lp/services/librarianserver/db.py (+68/-20) lib/lp/services/librarianserver/tests/test_db.py (+104/-6) lib/lp/services/librarianserver/tests/test_web.py (+128/-46) lib/lp/services/librarianserver/web.py (+9/-0) lib/lp/soyuz/configure.zcml (+9/-0) lib/lp/soyuz/model/binarypackagebuild.py (+96/-2) lib/lp/soyuz/tests/test_binarypackagebuild.py (+128/-1)
To merge this branch:	bzr merge lp:~cjwatson/launchpad/librarian-accept-macaroon
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
William Grant	code	2018-05-04	Approve on 2019-04-23
Review via email: mp+345079@code.launchpad.net

Commit message

Allow macaroon authentication to the librarian for BPBs' source files.

Description of the change

This will later allow us to dispatch private builds immediately, rather than having to wait for the source to be published first.

In this case we accept the macaroon as the password part of basic authentication with an empty username, similar to the git authentication method used by code import jobs. This is a bit weird, but it avoids needing to change launchpad-buildd, and we could always switch to a more conventional "Authorization: Macaroon ..." scheme later. (Alternatively, I suppose we could put the macaroon in a query parameter instead?)

The only things I can see that we'll need to do deployment-wise are to set up *.restricted.dogfood.launchpadlibrarian.net (both DNS and listening to it on a different IP address from the public librarian) and to configure launchpad.internal_macaroon_secret_key and librarian.authentication_endpoint.

Revision history for this message

William Grant (wgrant) wrote on 2018-05-09:

This seems like a massive layering violation. I really think we should just issue macaroons with LFA.id caveats directly, even though that loses us the BuildStatus.BUILDING restriction.

review: Needs Information

Revision history for this message

Colin Watson (cjwatson) wrote on 2018-05-09:

I don't understand the principle here. Can you explain why it's any more of a layering violation for a BPB issuer to grant permission to access its associated LFAs than it is for a CodeImportJob issuer to grant permission to access its associated GitRepositories?

In general, my intent in designing the IMacaroonIssuer interface was that various subsystems could grant the specific permissions they needed, and the verifying code could then use the getUtility(IMacaroonIssuer, token.identifier) idiom to get the appropriate verifier without having to have specific knowledge of what the verifier in question does. Apart from the security.cfg changes, nothing about the librarian changes here is at all specific to BPBs, and it would be perfectly possible to write a different verifier that grants access based on some other criteria; furthermore, if (hypothetically) a BPB needed access to some other private resource, the same macaroon could be used for both by generalising the verifier.

The only thing here that feels at all like a layering violation to me is that BPBMacaroonIssuer.verifyMacaroon takes an LFA ID rather than a build. But, firstly, that's something that it's free to generalise later without reference to the librarian (although I suppose that would be easier if it took an actual LFA; that would require a little bit of extra work in the librarian to avoid an extra query), and, secondly, it's OK for BPBs to know about LFAs, just not vice versa.

Revision history for this message

William Grant (wgrant) wrote on 2018-05-09:

On 09/05/18 23:24, Colin Watson wrote:
> I don't understand the principle here. Can you explain why it's any
> more of a layering violation for a BPB issuer to grant permission to
> access its associated LFAs than it is for a CodeImportJob issuer to
> grant permission to access its associated GitRepositories?

It was less obviously wrong there because the GitRepository
authorisation code already touched CodeImport and they were part of the
same Launchpad application. But in this case we have the librarian
touching complex bits of the Soyuz schema, which is ugly from a code
structure perspective and also means we have to be very careful around
synchronising schema changes and librarian deployments.

librarian today only examines non-librarian tables when GC introspects
the schema to work out which FKs there are to LFA.id, and that doesn't
seem like an architectural separation that we should abandon lightly.

> In general, my intent in designing the IMacaroonIssuer interface was
> that various subsystems could grant the specific permissions they
> needed, and the verifying code could then use the
> getUtility(IMacaroonIssuer, token.identifier) idiom to get the
> appropriate verifier without having to have specific knowledge of
> what the verifier in question does. Apart from the security.cfg
> changes, nothing about the librarian changes here is at all specific
> to BPBs, and it would be perfectly possible to write a different
> verifier that grants access based on some other criteria;
> furthermore, if (hypothetically) a BPB needed access to some other
> private resource, the same macaroon could be used for both by
> generalising the verifier.

I agree that sharing macaroons would be ideal, but having the librarian
itself validate macaroons that may require arbitrarily broad and complex
database logic (particularly given the librarian is a Twisted app which
really shouldn't be doing synchronous DB calls at all) doesn't seem right.

Revision history for this message

Colin Watson (cjwatson) wrote on 2018-05-10:

Would it be better if the librarian talked to the authserver for this?
I'd avoided that approach because it seemed like unnecessary complexity,
but it could easily be done asynchronously and it would allow preserving
the fine-grained permissions, which I'd really like to find a way to do.
We could do it only for the macaroon auth case, which I expect to
continue being comparatively rare.

Revision history for this message

William Grant (wgrant) wrote on 2018-05-10:

I think that sounds fine. It's a bit of a change from where we are today, but not a huge way off and not clearly in the wrong direction.

Revision history for this message

Colin Watson (cjwatson) wrote on 2018-06-05:

https://code.launchpad.net/~cjwatson/launchpad/authserver-macaroon/+merge/345354

Revision history for this message

Colin Watson (cjwatson) wrote on 2018-11-01:

I've updated this to use the authserver. I've also split out https://code.launchpad.net/~cjwatson/launchpad/librarianserver-test-web-requests/+merge/358189, which might be worth reviewing first to make the review diff size here more manageable.

Revision history for this message

Colin Watson (cjwatson) wrote on 2018-11-02:

OK, that other MP is merged now, so this is a bit more readable.

Revision history for this message

William Grant (wgrant) wrote on 2019-04-23:

A couple of bits are potentially confusing and would ideally be reworded, otherwise looks good.

review: Approve (code)

Revision history for this message

William Grant (wgrant) wrote on 2019-04-23:

In fact, the authserver interface is completely ambiguous. It so happens that CodeImportJobMacaroonIssuer.verifyMacaroon will crash if it's given an LFA ID, so it's safe for now, but a giant boobytrap.

review: Needs Fixing

Revision history for this message

Colin Watson (cjwatson) on 2019-04-23:

Revision history for this message

William Grant (wgrant) on 2019-04-23:

Revision history for this message

William Grant (wgrant) on 2019-04-23:

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

 === modified file 'configs/development/launchpad-lazr.conf'
 --- configs/development/launchpad-lazr.conf	2019-04-16 14:30:40 +0000
 +++ configs/development/launchpad-lazr.conf	2019-04-23 14:01:24 +0000
@@ -121,7 +121,8 @@
  restricted_upload_port: 58095
  restricted_download_port: 58085
  restricted_download_url: http://launchpad.dev:58085/
--use_https = False
++use_https: False
++authentication_endpoint: http://xmlrpc-private.launchpad.dev:8087/authserver
  [librarian_server]
  root: /var/tmp/fatsam
 === modified file 'configs/testrunner-appserver/launchpad-lazr.conf'
 --- configs/testrunner-appserver/launchpad-lazr.conf	2018-05-21 20:30:16 +0000
 +++ configs/testrunner-appserver/launchpad-lazr.conf	2019-04-23 14:01:24 +0000
@@ -8,14 +8,12 @@
  [codehosting]
  launch: False
--[codeimport]
--macaroon_secret_key: dev-macaroon-secret
--
  [bing_test_service]
  launch: False
  [launchpad]
  openid_provider_root: http://testopenid.dev:8085/
++internal_macaroon_secret_key: internal-dev-macaroon-secret
  [librarian_server]
  launch: False
 === modified file 'lib/lp/code/model/codeimportjob.py'
 --- lib/lp/code/model/codeimportjob.py	2018-03-15 20:44:04 +0000
 +++ lib/lp/code/model/codeimportjob.py	2019-04-23 14:01:24 +0000
@@ -413,10 +413,14 @@
      @property
      def _root_secret(self):
--        secret = config.codeimport.macaroon_secret_key
++        secret = config.launchpad.internal_macaroon_secret_key
++        if not secret:
++            # XXX cjwatson 2018-11-01: Remove this once it is no longer in
++            # production configs.
++            secret = config.codeimport.macaroon_secret_key
          if not secret:
              raise RuntimeError(
--                "codeimport.macaroon_secret_key not configured.")
++                "launchpad.internal_macaroon_secret_key not configured.")
          return secret
      def issueMacaroon(self, context):
@@ -442,6 +446,8 @@
      def verifyMacaroon(self, macaroon, context):
          """See `IMacaroonIssuer`."""
++        if not ICodeImportJob.providedBy(context):
++            return False
          if not self.checkMacaroonIssuer(macaroon):
              return False
          try:
 === modified file 'lib/lp/code/model/tests/test_codeimportjob.py'
 --- lib/lp/code/model/tests/test_codeimportjob.py	2018-04-19 00:02:19 +0000
 +++ lib/lp/code/model/tests/test_codeimportjob.py	2019-04-23 14:01:24 +0000
@@ -131,7 +131,8 @@
                  'git://git.example.com/project.git']))
      def test_git_to_git_arguments(self):
--        self.pushConfig('codeimport', macaroon_secret_key='some-secret')
++        self.pushConfig(
++            'launchpad', internal_macaroon_secret_key='some-secret')
          self.useFixture(GitHostingFixture())
          code_import = self.factory.makeCodeImport(
              git_repo_url="git://git.example.com/project.git",
@@ -1271,7 +1272,8 @@
      def setUp(self):
          super(TestCodeImportJobMacaroonIssuer, self).setUp()
          login_for_code_imports()
--        self.pushConfig("codeimport", macaroon_secret_key="some-secret")
++        self.pushConfig(
++            "launchpad", internal_macaroon_secret_key="some-secret")
          self.useFixture(GitHostingFixture())
      def makeJob(self, target_rcs_type=TargetRevisionControlSystems.GIT):
@@ -1296,6 +1298,11 @@
                  caveat_id="lp.code-import-job %s" % job.id),
              ]))
++    def test_issueMacaroon_good_old_config(self):
++        self.pushConfig("launchpad", internal_macaroon_secret_key="")
++        self.pushConfig("codeimport", macaroon_secret_key="some-secret")
++        self.test_issueMacaroon_good()
++
      def test_checkMacaroonIssuer_good(self):
          job = self.makeJob()
          issuer = getUtility(IMacaroonIssuer, "code-import-job")
 === modified file 'lib/lp/code/xmlrpc/git.py'
 --- lib/lp/code/xmlrpc/git.py	2019-04-09 14:19:34 +0000
 +++ lib/lp/code/xmlrpc/git.py	2019-04-23 14:01:24 +0000
@@ -83,6 +83,8 @@
      def _verifyMacaroon(self, macaroon_raw, repository=None):
          try:
              macaroon = Macaroon.deserialize(macaroon_raw)
++        # XXX cjwatson 2019-04-23: Restrict exceptions once
++        # https://github.com/ecordell/pymacaroons/issues/50 is fixed.
          except Exception:
              return False
          try:
 === modified file 'lib/lp/code/xmlrpc/tests/test_git.py'
 --- lib/lp/code/xmlrpc/tests/test_git.py	2019-04-09 14:19:34 +0000
 +++ lib/lp/code/xmlrpc/tests/test_git.py	2019-04-23 14:01:24 +0000
@@ -962,7 +962,8 @@
      def test_translatePath_code_import(self):
          # A code import worker with a suitable macaroon can write to a
          # repository associated with a running code import job.
--        self.pushConfig("codeimport", macaroon_secret_key="some-secret")
++        self.pushConfig(
++            "launchpad", internal_macaroon_secret_key="some-secret")
          machine = self.factory.makeCodeImportMachine(set_online=True)
          code_imports = [
              self.factory.makeCodeImport(
@@ -998,7 +999,8 @@
      def test_translatePath_private_code_import(self):
          # A code import worker with a suitable macaroon can write to a
          # repository associated with a running private code import job.
--        self.pushConfig("codeimport", macaroon_secret_key="some-secret")
++        self.pushConfig(
++            "launchpad", internal_macaroon_secret_key="some-secret")
          machine = self.factory.makeCodeImportMachine(set_online=True)
          code_imports = [
              self.factory.makeCodeImport(
@@ -1070,7 +1072,8 @@
              faults.Unauthorized)
      def test_authenticateWithPassword_code_import(self):
--        self.pushConfig("codeimport", macaroon_secret_key="some-secret")
++        self.pushConfig(
++            "launchpad", internal_macaroon_secret_key="some-secret")
          code_import = self.factory.makeCodeImport(
              target_rcs_type=TargetRevisionControlSystems.GIT)
          with celebrity_logged_in("vcs_imports"):
@@ -1093,7 +1096,8 @@
          # A code import worker with a suitable macaroon has repository owner
          # privileges on a repository associated with a running code import
          # job.
--        self.pushConfig("codeimport", macaroon_secret_key="some-secret")
++        self.pushConfig(
++            "launchpad", internal_macaroon_secret_key="some-secret")
          machine = self.factory.makeCodeImportMachine(set_online=True)
          code_imports = [
              self.factory.makeCodeImport(
@@ -1133,7 +1137,8 @@
          # A code import worker with a suitable macaroon has repository owner
          # privileges on a repository associated with a running private code
          # import job.
--        self.pushConfig("codeimport", macaroon_secret_key="some-secret")
++        self.pushConfig(
++            "launchpad", internal_macaroon_secret_key="some-secret")
          machine = self.factory.makeCodeImportMachine(set_online=True)
          code_imports = [
              self.factory.makeCodeImport(
 === modified file 'lib/lp/codehosting/codeimport/tests/test_workermonitor.py'
 --- lib/lp/codehosting/codeimport/tests/test_workermonitor.py	2018-03-26 07:37:26 +0000
 +++ lib/lp/codehosting/codeimport/tests/test_workermonitor.py	2019-04-23 14:01:24 +0000
@@ -819,8 +819,8 @@
              "[codehosting]",
              "git_browse_root: %s" % self.target_git_server.get_url(""),
              "",
--            "[codeimport]",
--            "macaroon_secret_key: some-secret",
++            "[launchpad]",
++            "internal_macaroon_secret_key: some-secret",
+             ]
          config_fixture.add_section("\n" + "\n".join(setting_lines))
          self.useFixture(ConfigUseFixture(config_name))
 === modified file 'lib/lp/services/authserver/interfaces.py'
 --- lib/lp/services/authserver/interfaces.py	2018-05-10 10:05:45 +0000
 +++ lib/lp/services/authserver/interfaces.py	2019-04-23 14:01:24 +0000
@@ -27,10 +27,12 @@
              person with the given name.
          """
--    def verifyMacaroon(macaroon_raw, context):
++    def verifyMacaroon(macaroon_raw, context_type, context):
          """Verify that `macaroon_raw` grants access to `context`.
          :param macaroon_raw: A serialised macaroon.
++        :param context_type: A string identifying the type of context to
++            check.  Currently only 'LibraryFileAlias' is supported.
          :param context: The context to check.  Note that this is passed over
              XML-RPC, so it should be plain data (e.g. an ID) rather than a
              database object.
 === modified file 'lib/lp/services/authserver/tests/test_authserver.py'
 --- lib/lp/services/authserver/tests/test_authserver.py	2018-05-10 10:05:45 +0000
 +++ lib/lp/services/authserver/tests/test_authserver.py	2019-04-23 14:01:24 +0000
@@ -1,4 +1,4 @@
--# Copyright 2009-2018 Canonical Ltd.  This software is licensed under the
++# Copyright 2009-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Tests for the internal codehosting API."""
@@ -9,6 +9,7 @@
      Macaroon,
      Verifier,
+     )
++from storm.sqlobject import SQLObjectNotFound
  from testtools.matchers import Is
  from zope.component import getUtility
  from zope.interface import implementer
@@ -16,6 +17,10 @@
  from lp.services.authserver.xmlrpc import AuthServerAPIView
  from lp.services.config import config
++from lp.services.librarian.interfaces import (
++    ILibraryFileAlias,
++    ILibraryFileAliasSet,
++    )
  from lp.services.macaroons.interfaces import IMacaroonIssuer
  from lp.testing import (
      person_logged_in,
@@ -25,7 +30,7 @@
  from lp.testing.fixture import ZopeUtilityFixture
  from lp.testing.layers import (
      DatabaseFunctionalLayer,
--    ZopelessLayer,
++    ZopelessDatabaseLayer,
+     )
  from lp.xmlrpc import faults
  from lp.xmlrpc.interfaces import IPrivateApplication
@@ -82,7 +87,7 @@
          macaroon = Macaroon(
              location=config.vhost.mainsite.hostname, identifier='test',
              key=self._root_secret)
--        macaroon.add_first_party_caveat('test %s' % context)
++        macaroon.add_first_party_caveat('test %s' % context.id)
          return macaroon
      def checkMacaroonIssuer(self, macaroon):
@@ -99,11 +104,13 @@
      def verifyMacaroon(self, macaroon, context):
          """See `IMacaroonIssuer`."""
++        if not ILibraryFileAlias.providedBy(context):
++            return False
          if not self.checkMacaroonIssuer(macaroon):
              return False
          try:
              verifier = Verifier()
--            verifier.satisfy_exact('test %s' % context)
++            verifier.satisfy_exact('test %s' % context.id)
              return verifier.verify(macaroon, self._root_secret)
          except Exception:
              return False
@@ -111,7 +118,7 @@
  class VerifyMacaroonTests(TestCase):
--    layer = ZopelessLayer
++    layer = ZopelessDatabaseLayer
      def setUp(self):
          super(VerifyMacaroonTests, self).setUp()
@@ -125,7 +132,7 @@
      def test_nonsense_macaroon(self):
          self.assertEqual(
              faults.Unauthorized(),
--            self.authserver.verifyMacaroon('nonsense', 0))
++            self.authserver.verifyMacaroon('nonsense', 'LibraryFileAlias', 1))
      def test_unknown_issuer(self):
          macaroon = Macaroon(
@@ -133,15 +140,42 @@
              identifier='unknown-issuer', key='test')
          self.assertEqual(
              faults.Unauthorized(),
--            self.authserver.verifyMacaroon(macaroon.serialize(), 0))
++            self.authserver.verifyMacaroon(
++                macaroon.serialize(), 'LibraryFileAlias', 1))
++
++    def test_wrong_context_type(self):
++        lfa = getUtility(ILibraryFileAliasSet)[1]
++        macaroon = self.issuer.issueMacaroon(lfa)
++        self.assertEqual(
++            faults.Unauthorized(),
++            self.authserver.verifyMacaroon(
++                macaroon.serialize(), 'nonsense', lfa.id))
      def test_wrong_context(self):
--        macaroon = self.issuer.issueMacaroon(0)
--        self.assertEqual(
--            faults.Unauthorized(),
--            self.authserver.verifyMacaroon(macaroon.serialize(), 1))
++        lfa = getUtility(ILibraryFileAliasSet)[1]
++        macaroon = self.issuer.issueMacaroon(lfa)
++        self.assertEqual(
++            faults.Unauthorized(),
++            self.authserver.verifyMacaroon(
++                macaroon.serialize(), 'LibraryFileAlias', 2))
++
++    def test_nonexistent_lfa(self):
++        macaroon = self.issuer.issueMacaroon(
++            getUtility(ILibraryFileAliasSet)[1])
++        # Pick a large ID that doesn't exist in sampledata.
++        lfa_id = 1000000
++        self.assertRaises(
++            SQLObjectNotFound, getUtility(ILibraryFileAliasSet).__getitem__,
++            lfa_id)
++        self.assertEqual(
++            faults.Unauthorized(),
++            self.authserver.verifyMacaroon(
++                macaroon.serialize(), 'LibraryFileAlias', lfa_id))
      def test_success(self):
--        macaroon = self.issuer.issueMacaroon(0)
++        lfa = getUtility(ILibraryFileAliasSet)[1]
++        macaroon = self.issuer.issueMacaroon(lfa)
          self.assertThat(
--            self.authserver.verifyMacaroon(macaroon.serialize(), 0), Is(True))
++            self.authserver.verifyMacaroon(
++                macaroon.serialize(), 'LibraryFileAlias', lfa.id),
++            Is(True))
 === modified file 'lib/lp/services/authserver/xmlrpc.py'
 --- lib/lp/services/authserver/xmlrpc.py	2018-05-10 10:05:45 +0000
 +++ lib/lp/services/authserver/xmlrpc.py	2019-04-23 14:01:24 +0000
@@ -1,4 +1,4 @@
--# Copyright 2009-2018 Canonical Ltd.  This software is licensed under the
++# Copyright 2009-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Auth-Server XML-RPC API ."""
@@ -11,6 +11,7 @@
+     ]
  from pymacaroons import Macaroon
++from storm.sqlobject import SQLObjectNotFound
  from zope.component import (
      ComponentLookupError,
      getUtility,
@@ -22,6 +23,7 @@
      IAuthServer,
      IAuthServerApplication,
+     )
++from lp.services.librarian.interfaces import ILibraryFileAliasSet
  from lp.services.macaroons.interfaces import IMacaroonIssuer
  from lp.services.webapp import LaunchpadXMLRPCView
  from lp.xmlrpc import faults
@@ -43,17 +45,29 @@
                       for key in person.sshkeys],
+             }
--    def verifyMacaroon(self, macaroon_raw, context):
++    def verifyMacaroon(self, macaroon_raw, context_type, context):
          """See `IAuthServer.verifyMacaroon`."""
          try:
              macaroon = Macaroon.deserialize(macaroon_raw)
++        # XXX cjwatson 2019-04-23: Restrict exceptions once
++        # https://github.com/ecordell/pymacaroons/issues/50 is fixed.
          except Exception:
              return faults.Unauthorized()
          try:
              issuer = getUtility(IMacaroonIssuer, macaroon.identifier)
          except ComponentLookupError:
              return faults.Unauthorized()
--        if not issuer.verifyMacaroon(macaroon, context):
++        # The context is plain data, since we can't pass general objects over
++        # the XML-RPC interface.  Look it up so that we can verify it.
++        if context_type == 'LibraryFileAlias':
++            # The context is a `LibraryFileAlias` ID.
++            try:
++                lfa = getUtility(ILibraryFileAliasSet)[context]
++            except SQLObjectNotFound:
++                return faults.Unauthorized()
++        else:
++            return faults.Unauthorized()
++        if not issuer.verifyMacaroon(macaroon, lfa):
              return faults.Unauthorized()
          return True
 === modified file 'lib/lp/services/config/schema-lazr.conf'
 --- lib/lp/services/config/schema-lazr.conf	2019-04-16 14:30:40 +0000
 +++ lib/lp/services/config/schema-lazr.conf	2019-04-23 14:01:24 +0000
@@ -431,6 +431,7 @@
  svn_revisions_import_limit: 500
  # Secret key for macaroons used to grant git push permission to workers.
++# Deprecated in favour of launchpad.internal_macaroon_secret_key.
  macaroon_secret_key: none
  [codeimportdispatcher]
@@ -1114,6 +1115,10 @@
  # Minimum account age in days that indicates a legitimate user.
  min_legitimate_account_age: 0
++# Secret key for macaroons used to grant permissions to various internal
++# components of Launchpad.
++internal_macaroon_secret_key: none
++
  [launchpad_session]
  # The database connection string.
  # datatype: pgconnection
@@ -1196,6 +1201,16 @@
  use_https = True
++# The URL of the XML-RPC endpoint that handles verifying macaroons.  This
++# should implement IAuthServer.
++#
++# datatype: string
++authentication_endpoint: none
++
++# The time in seconds that the librarian will wait for a reply from the
++# authserver.
++authentication_timeout: 5
++
  [librarian_gc]
  # The database user which will be used by this process.
 === modified file 'lib/lp/services/librarianserver/db.py'
 --- lib/lp/services/librarianserver/db.py	2016-01-10 22:37:40 +0000
 +++ lib/lp/services/librarianserver/db.py	2019-04-23 14:01:24 +0000
@@ -1,4 +1,4 @@
--# Copyright 2009 Canonical Ltd.  This software is licensed under the
++# Copyright 2009-2018 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Database access layer for the Librarian."""
@@ -11,11 +11,20 @@
  import hashlib
  import urllib
++from pymacaroons import Macaroon
++from six.moves.xmlrpc_client import Fault
  from storm.expr import (
      And,
      SQL,
+     )
++from twisted.internet import (
++    defer,
++    reactor as default_reactor,
++    threads,
++    )
++from twisted.web import xmlrpc
++from lp.services.config import config
  from lp.services.database.interfaces import IStore
  from lp.services.database.sqlbase import session_store
  from lp.services.librarian.model import (
@@ -23,6 +32,8 @@
      LibraryFileContent,
      TimeLimitedToken,
+     )
++from lp.services.twistedsupport import cancel_on_timeout
++from lp.xmlrpc import faults
  class Library:
@@ -36,18 +47,47 @@
              Files created in this library will marked as restricted.
          """
          self.restricted = restricted
++        self._authserver = xmlrpc.Proxy(
++            config.librarian.authentication_endpoint,
++            connectTimeout=config.librarian.authentication_timeout)
      # The following methods are read-only queries.
      def lookupBySHA1(self, digest):
          return [fc.id for fc in LibraryFileContent.selectBy(sha1=digest)]
++    @defer.inlineCallbacks
++    def _verifyMacaroon(self, macaroon, aliasid):
++        """Verify an LFA-authorising macaroon with the authserver.
++
++        This must be called in the reactor thread.
++
++        :param macaroon: A `Macaroon`.
++        :param aliasid: A `LibraryFileAlias` ID.
++        :return: True if the authserver reports that `macaroon` authorises
++            access to `aliasid`; False if it reports that it does not.
++        :raises Fault: if the authserver request fails.
++        """
++        try:
++            yield cancel_on_timeout(
++                self._authserver.callRemote(
++                    "verifyMacaroon", macaroon.serialize(), "LibraryFileAlias",
++                    aliasid),
++                config.librarian.authentication_timeout)
++            defer.returnValue(True)
++        except Fault as fault:
++            if fault.faultCode == faults.Unauthorized.error_code:
++                defer.returnValue(False)
++            else:
++                raise
++
      def getAlias(self, aliasid, token, path):
          """Returns a LibraryFileAlias, or raises LookupError.
          A LookupError is raised if no record with the given ID exists
          or if not related LibraryFileContent exists.
++        :param aliasid: A `LibraryFileAlias` ID.
          :param token: The token for the file. If None no token is present.
              When a token is supplied, it is looked up with path.
          :param path: The path the request is for, unused unless a token
@@ -59,26 +99,34 @@
          if token and path:
              # With a token and a path we may be able to serve restricted files
              # on the public port.
--            #
--            # The URL-encoding of the path may have changed somewhere
--            # along the line, so reencode it canonically. LFA.filename
--            # can't contain slashes, so they're safe to leave unencoded.
--            # And urllib.quote erroneously excludes ~ from its safe set,
--            # while RFC 3986 says it should be unescaped and Chromium
--            # forcibly decodes it in any URL that it sees.
--            #
--            # This needs to match url_path_quote.
--            normalised_path = urllib.quote(urllib.unquote(path), safe='/~+')
--            store = session_store()
--            token_found = store.find(TimeLimitedToken,
--                SQL("age(created) < interval '1 day'"),
--                TimeLimitedToken.token == hashlib.sha256(token).hexdigest(),
--                TimeLimitedToken.path == normalised_path).is_empty()
--            store.reset()
--            if token_found:
++            if isinstance(token, Macaroon):
++                # Macaroons have enough other constraints that they don't
++                # need to be path-specific; it's simpler and faster to just
++                # check the alias ID.
++                token_ok = threads.blockingCallFromThread(
++                    default_reactor, self._verifyMacaroon, token, aliasid)
++            else:
++                # The URL-encoding of the path may have changed somewhere
++                # along the line, so reencode it canonically. LFA.filename
++                # can't contain slashes, so they're safe to leave unencoded.
++                # And urllib.quote erroneously excludes ~ from its safe set,
++                # while RFC 3986 says it should be unescaped and Chromium
++                # forcibly decodes it in any URL that it sees.
++                #
++                # This needs to match url_path_quote.
++                normalised_path = urllib.quote(
++                    urllib.unquote(path), safe='/~+')
++                store = session_store()
++                token_ok = not store.find(TimeLimitedToken,
++                    SQL("age(created) < interval '1 day'"),
++                    TimeLimitedToken.token ==
++                        hashlib.sha256(token).hexdigest(),
++                    TimeLimitedToken.path == normalised_path).is_empty()
++                store.reset()
++            if token_ok:
++                restricted = True
++            else:
                  raise LookupError("Token stale/pruned/path mismatch")
--            else:
--                restricted = True
          alias = LibraryFileAlias.selectOne(And(
              LibraryFileAlias.id == aliasid,
              LibraryFileAlias.contentID == LibraryFileContent.q.id,
 === modified file 'lib/lp/services/librarianserver/tests/test_db.py'
 --- lib/lp/services/librarianserver/tests/test_db.py	2013-06-20 05:50:00 +0000
 +++ lib/lp/services/librarianserver/tests/test_db.py	2019-04-23 14:01:24 +0000
@@ -1,21 +1,37 @@
--# Copyright 2009 Canonical Ltd.  This software is licensed under the
++# Copyright 2009-2018 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
--import unittest
++__metaclass__ = type
++from fixtures import MockPatchObject
++from pymacaroons import Macaroon
++from testtools.testcase import ExpectedException
++from testtools.twistedsupport import AsynchronousDeferredRunTest
  import transaction
++from twisted.internet import (
++    defer,
++    reactor,
++    )
++from twisted.internet.threads import deferToThread
++from twisted.web import (
++    server,
++    xmlrpc,
++    )
  from lp.services.database.interfaces import IStore
  from lp.services.librarian.model import LibraryFileContent
  from lp.services.librarianserver import db
++from lp.testing import TestCase
  from lp.testing.dbuser import switch_dbuser
  from lp.testing.layers import LaunchpadZopelessLayer
--
--
--class DBTestCase(unittest.TestCase):
++from lp.xmlrpc import faults
++
++
++class DBTestCase(TestCase):
      layer = LaunchpadZopelessLayer
      def setUp(self):
++        super(DBTestCase, self).setUp()
          switch_dbuser('librarian')
      def test_lookupByDigest(self):
@@ -43,12 +59,36 @@
          self.assertEqual('text/unknown', alias.mimetype)
--class TestLibrarianStuff(unittest.TestCase):
++class FakeAuthServer(xmlrpc.XMLRPC):
++    """A fake authserver.
++
++    This saves us from needing to start an appserver in tests.
++    """
++
++    def __init__(self):
++        xmlrpc.XMLRPC.__init__(self)
++        self.macaroons = set()
++
++    def registerMacaroon(self, macaroon, context):
++        self.macaroons.add((macaroon.serialize(), context))
++
++    def xmlrpc_verifyMacaroon(self, macaroon_raw, context_type, context):
++        if context_type != 'LibraryFileAlias':
++            return faults.Unauthorized()
++        if (macaroon_raw, context) in self.macaroons:
++            return True
++        else:
++            return faults.Unauthorized()
++
++
++class TestLibrarianStuff(TestCase):
      """Tests for the librarian."""
      layer = LaunchpadZopelessLayer
++    run_tests_with = AsynchronousDeferredRunTest.make_factory(timeout=10)
      def setUp(self):
++        super(TestLibrarianStuff, self).setUp()
          switch_dbuser('librarian')
          self.store = IStore(LibraryFileContent)
          self.content_id = db.Library().add('deadbeef', 1234, 'abababab', 'ba')
@@ -102,6 +142,64 @@
          self.assertRaises(
              LookupError, unrestricted_library.getAlias, 1, None, '/')
++    def setUpAuthServer(self):
++        authserver = FakeAuthServer()
++        authserver_listener = reactor.listenTCP(0, server.Site(authserver))
++        self.addCleanup(authserver_listener.stopListening)
++        authserver_port = authserver_listener.getHost().port
++        authserver_url = 'http://localhost:%d/' % authserver_port
++        self.pushConfig('librarian', authentication_endpoint=authserver_url)
++        return authserver
++
++    @defer.inlineCallbacks
++    def test_getAlias_with_macaroon(self):
++        # Library.getAlias() uses the authserver to verify macaroons.
++        authserver = self.setUpAuthServer()
++        unrestricted_library = db.Library(restricted=False)
++        alias = unrestricted_library.getAlias(1, None, '/')
++        alias.restricted = True
++        transaction.commit()
++        restricted_library = db.Library(restricted=True)
++        macaroon = Macaroon()
++        with ExpectedException(LookupError):
++            yield deferToThread(restricted_library.getAlias, 1, macaroon, '/')
++        authserver.registerMacaroon(macaroon, 1)
++        alias = yield deferToThread(
++            restricted_library.getAlias, 1, macaroon, '/')
++        self.assertEqual(1, alias.id)
++
++    @defer.inlineCallbacks
++    def test_getAlias_with_wrong_macaroon(self):
++        # A macaroon for a different LFA doesn't work.
++        authserver = self.setUpAuthServer()
++        unrestricted_library = db.Library(restricted=False)
++        alias = unrestricted_library.getAlias(1, None, '/')
++        alias.restricted = True
++        transaction.commit()
++        macaroon = Macaroon()
++        authserver.registerMacaroon(macaroon, 2)
++        restricted_library = db.Library(restricted=True)
++        with ExpectedException(LookupError):
++            yield deferToThread(restricted_library.getAlias, 1, macaroon, '/')
++
++    @defer.inlineCallbacks
++    def test_getAlias_with_macaroon_timeout(self):
++        # The authserver call is cancelled after a timeout period.
++        unrestricted_library = db.Library(restricted=False)
++        alias = unrestricted_library.getAlias(1, None, '/')
++        alias.restricted = True
++        transaction.commit()
++        macaroon = Macaroon()
++        restricted_library = db.Library(restricted=True)
++        self.useFixture(MockPatchObject(
++            restricted_library._authserver, 'callRemote',
++            return_value=defer.Deferred()))
++        # XXX cjwatson 2018-11-01: We should use a Clock instead, but I had
++        # trouble getting that working in conjunction with deferToThread.
++        self.pushConfig('librarian', authentication_timeout=1)
++        with ExpectedException(defer.CancelledError):
++            yield deferToThread(restricted_library.getAlias, 1, macaroon, '/')
++
      def test_getAliases(self):
          # Library.getAliases() returns a sequence
          # [(LFA.id, LFA.filename, LFA.mimetype), ...] where LFA are
 === modified file 'lib/lp/services/librarianserver/tests/test_web.py'
 --- lib/lp/services/librarianserver/tests/test_web.py	2018-11-02 10:14:23 +0000
 +++ lib/lp/services/librarianserver/tests/test_web.py	2019-04-23 14:01:24 +0000
@@ -1,6 +1,8 @@
  # Copyright 2009-2018 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
++__metaclass__ = type
++
  from datetime import datetime
  from gzip import GzipFile
  import hashlib
@@ -14,12 +16,14 @@
  import pytz
  import requests
  from storm.expr import SQL
--import testtools
  from testtools.matchers import EndsWith
  import transaction
  from zope.component import getUtility
++from zope.security.proxy import removeSecurityProxy
++from lp.buildmaster.enums import BuildStatus
  from lp.services.config import config
++from lp.services.config.fixture import ConfigUseFixture
  from lp.services.database.interfaces import IMasterStore
  from lp.services.database.sqlbase import (
      cursor,
@@ -37,10 +41,17 @@
      TimeLimitedToken,
+     )
  from lp.services.librarianserver.storage import LibrarianStorage
--from lp.testing.dbuser import switch_dbuser
++from lp.services.macaroons.interfaces import IMacaroonIssuer
++from lp.testing import TestCaseWithFactory
++from lp.testing.dbuser import (
++    dbuser,
++    switch_dbuser,
++    )
  from lp.testing.layers import (
++    AppServerLayer,
      LaunchpadFunctionalLayer,
      LaunchpadZopelessLayer,
++    ZopelessAppServerLayer,
+     )
@@ -50,19 +61,62 @@
      return str(parsed.replace(path=parsed.path.replace(old, new)))
--class LibrarianWebTestCase(testtools.TestCase):
++class LibrarianWebTestMixin:
++
++    layer = LaunchpadFunctionalLayer
++
++    def commit(self):
++        """Synchronize database state."""
++        flush_database_updates()
++        transaction.commit()
++
++    def get_restricted_file_and_public_url(self, filename='sample'):
++        # Use a regular LibrarianClient to ensure we speak to the
++        # nonrestricted port on the librarian which is where secured
++        # restricted files are served from.
++        client = LibrarianClient()
++        fileAlias = client.addFile(
++            filename, 12, BytesIO(b'a' * 12), contentType='text/plain')
++        # Note: We're deliberately using the wrong url here: we should be
++        # passing secure=True to getURLForAlias, but to use the returned URL
++        # we would need a wildcard DNS facility patched into requests; instead
++        # we use the *deliberate* choice of having the path of secure and
++        # insecure urls be the same, so that we can test it: the server code
++        # doesn't need to know about the fancy wildcard domains.
++        url = client.getURLForAlias(fileAlias)
++        # Now that we have a url which talks to the public librarian, make the
++        # file restricted.
++        IMasterStore(LibraryFileAlias).find(
++            LibraryFileAlias, LibraryFileAlias.id == fileAlias).set(
++                restricted=True)
++        self.commit()
++        return fileAlias, url
++
++    def require404(self, url, **kwargs):
++        """Assert that opening `url` raises a 404."""
++        response = requests.get(url, **kwargs)
++        self.assertEqual(404, response.status_code)
++
++
++class LibrarianZopelessWebTestMixin(LibrarianWebTestMixin):
++
++    layer = LaunchpadZopelessLayer
++
++    def setUp(self):
++        super(LibrarianZopelessWebTestMixin, self).setUp()
++        switch_dbuser(config.librarian.dbuser)
++
++    def commit(self):
++        LaunchpadZopelessLayer.commit()
++
++
++class LibrarianWebTestCase(LibrarianWebTestMixin, TestCaseWithFactory):
      """Test the librarian's web interface."""
--    layer = LaunchpadFunctionalLayer
      # Add stuff to a librarian via the upload port, then check that it's
      # immediately visible on the web interface. (in an attempt to test ddaa's
      # 500-error issue).
--    def commit(self):
--        """Synchronize database state."""
--        flush_database_updates()
--        transaction.commit()
--
      def test_uploadThenDownload(self):
          client = LibrarianClient()
@@ -286,28 +340,6 @@
          self.assertNotIn('Last-Modified', response.headers)
          self.assertNotIn('Cache-Control', response.headers)
--    def get_restricted_file_and_public_url(self, filename='sample'):
--        # Use a regular LibrarianClient to ensure we speak to the
--        # nonrestricted port on the librarian which is where secured
--        # restricted files are served from.
--        client = LibrarianClient()
--        fileAlias = client.addFile(
--            filename, 12, BytesIO(b'a' * 12), contentType='text/plain')
--        # Note: We're deliberately using the wrong url here: we should be
--        # passing secure=True to getURLForAlias, but to use the returned URL
--        # we would need a wildcard DNS facility patched into requests; instead
--        # we use the *deliberate* choice of having the path of secure and
--        # insecure urls be the same, so that we can test it: the server code
--        # doesn't need to know about the fancy wildcard domains.
--        url = client.getURLForAlias(fileAlias)
--        # Now that we have a url which talks to the public librarian, make the
--        # file restricted.
--        IMasterStore(LibraryFileAlias).find(
--            LibraryFileAlias, LibraryFileAlias.id == fileAlias).set(
--                restricted=True)
--        self.commit()
--        return fileAlias, url
--
      def test_restricted_subdomain_must_match_file_alias(self):
          # IFF there is a .restricted. in the host, then the library file alias
          # in the subdomain must match that in the path.
@@ -436,21 +468,9 @@
              last_modified_header, 'Tue, 30 Jan 2001 13:45:59 GMT')
          # Perhaps we should also set Expires to the Last-Modified.
--    def require404(self, url, **kwargs):
--        """Assert that opening `url` raises a 404."""
--        response = requests.get(url, **kwargs)
--        self.assertEqual(404, response.status_code)
--
--
--class LibrarianZopelessWebTestCase(LibrarianWebTestCase):
--    layer = LaunchpadZopelessLayer
--
--    def setUp(self):
--        super(LibrarianZopelessWebTestCase, self).setUp()
--        switch_dbuser(config.librarian.dbuser)
--
--    def commit(self):
--        LaunchpadZopelessLayer.commit()
++
++class LibrarianZopelessWebTestCase(
++        LibrarianZopelessWebTestMixin, LibrarianWebTestCase):
      def test_getURLForAliasObject(self):
          # getURLForAliasObject returns the same URL as getURLForAlias.
@@ -467,6 +487,68 @@
              client.getURLForAliasObject(alias))
++class LibrarianWebMacaroonTestCase(LibrarianWebTestMixin, TestCaseWithFactory):
++
++    layer = AppServerLayer
++
++    def setUp(self):
++        super(LibrarianWebMacaroonTestCase, self).setUp()
++        # Copy launchpad.internal_macaroon_secret_key from the appserver
++        # config so that we can issue macaroons using it.
++        with ConfigUseFixture(self.layer.appserver_config_name):
++            key = config.launchpad.internal_macaroon_secret_key
++        self.pushConfig("launchpad", internal_macaroon_secret_key=key)
++
++    def test_restricted_with_macaroon(self):
++        fileAlias, url = self.get_restricted_file_and_public_url()
++        lfa = IMasterStore(LibraryFileAlias).get(LibraryFileAlias, fileAlias)
++        with dbuser('testadmin'):
++            build = self.factory.makeBinaryPackageBuild(
++                archive=self.factory.makeArchive(private=True))
++            naked_build = removeSecurityProxy(build)
++            self.factory.makeSourcePackageReleaseFile(
++                sourcepackagerelease=naked_build.source_package_release,
++                library_file=lfa)
++            naked_build.updateStatus(BuildStatus.BUILDING)
++            issuer = getUtility(IMacaroonIssuer, "binary-package-build")
++            macaroon = removeSecurityProxy(issuer).issueMacaroon(build)
++        self.commit()
++        response = requests.get(url, auth=("", macaroon.serialize()))
++        response.raise_for_status()
++        self.assertEqual(b"a" * 12, response.content)
++
++    def test_restricted_with_invalid_macaroon(self):
++        fileAlias, url = self.get_restricted_file_and_public_url()
++        lfa = IMasterStore(LibraryFileAlias).get(LibraryFileAlias, fileAlias)
++        with dbuser('testadmin'):
++            build = self.factory.makeBinaryPackageBuild(
++                archive=self.factory.makeArchive(private=True))
++            naked_build = removeSecurityProxy(build)
++            self.factory.makeSourcePackageReleaseFile(
++                sourcepackagerelease=naked_build.source_package_release,
++                library_file=lfa)
++            naked_build.updateStatus(BuildStatus.BUILDING)
++        self.commit()
++        self.require404(url, auth=("", "not-a-macaroon"))
++
++    def test_restricted_with_unverifiable_macaroon(self):
++        fileAlias, url = self.get_restricted_file_and_public_url()
++        with dbuser('testadmin'):
++            build = self.factory.makeBinaryPackageBuild(
++                archive=self.factory.makeArchive(private=True))
++            removeSecurityProxy(build).updateStatus(BuildStatus.BUILDING)
++            issuer = getUtility(IMacaroonIssuer, "binary-package-build")
++            macaroon = removeSecurityProxy(issuer).issueMacaroon(build)
++        self.commit()
++        self.require404(url, auth=("", macaroon.serialize()))
++
++
++class LibrarianZopelessWebMacaroonTestCase(
++        LibrarianZopelessWebTestMixin, LibrarianWebMacaroonTestCase):
++
++    layer = ZopelessAppServerLayer
++
++
  class DeletedContentTestCase(unittest.TestCase):
      layer = LaunchpadZopelessLayer
 === modified file 'lib/lp/services/librarianserver/web.py'
 --- lib/lp/services/librarianserver/web.py	2019-01-05 09:54:44 +0000
 +++ lib/lp/services/librarianserver/web.py	2019-04-23 14:01:24 +0000
@@ -7,6 +7,7 @@
  import time
  from urlparse import urlparse
++from pymacaroons import Macaroon
  from storm.exceptions import DisconnectionError
  from twisted.internet import (
      abstract,
@@ -126,6 +127,14 @@
                  return fourOhFour
          token = request.args.get('token', [None])[0]
++        if token is None:
++            if not request.getUser() and request.getPassword():
++                try:
++                    token = Macaroon.deserialize(request.getPassword())
++                # XXX cjwatson 2019-04-23: Restrict exceptions once
++                # https://github.com/ecordell/pymacaroons/issues/50 is fixed.
++                except Exception:
++                    pass
          path = request.path
          deferred = deferToThread(
              self._getFileAlias, self.aliasID, token, path)
 === modified file 'lib/lp/soyuz/configure.zcml'
 --- lib/lp/soyuz/configure.zcml	2019-03-08 16:53:33 +0000
 +++ lib/lp/soyuz/configure.zcml	2019-04-23 14:01:24 +0000
@@ -483,6 +483,15 @@
          <allow interface="lp.buildmaster.interfaces.buildfarmjob.ISpecificBuildFarmJobSource"/>
      </securedutility>
++    <!-- BinaryPackageBuildMacaroonIssuer -->
++
++    <securedutility
++        class="lp.soyuz.model.binarypackagebuild.BinaryPackageBuildMacaroonIssuer"
++        provides="lp.services.macaroons.interfaces.IMacaroonIssuer"
++        name="binary-package-build">
++        <allow interface="lp.services.macaroons.interfaces.IMacaroonIssuerPublic"/>
++    </securedutility>
++
      <!-- DistroArchSeriesBinaryPackage -->
      <class
 === modified file 'lib/lp/soyuz/model/binarypackagebuild.py'
 --- lib/lp/soyuz/model/binarypackagebuild.py	2017-03-29 09:28:09 +0000
 +++ lib/lp/soyuz/model/binarypackagebuild.py	2019-04-23 14:01:24 +0000
@@ -1,4 +1,4 @@
--# Copyright 2009-2017 Canonical Ltd.  This software is licensed under the
++# Copyright 2009-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  __metaclass__ = type
@@ -21,6 +21,10 @@
  import apt_pkg
  from debian.deb822 import PkgRelation
++from pymacaroons import (
++    Macaroon,
++    Verifier,
++    )
  import pytz
  from sqlobject import SQLObjectNotFound
  from storm.expr import (
@@ -77,10 +81,12 @@
      sqlvalues,
+     )
  from lp.services.librarian.browser import ProxiedLibraryFileAlias
++from lp.services.librarian.interfaces import ILibraryFileAlias
  from lp.services.librarian.model import (
      LibraryFileAlias,
      LibraryFileContent,
+     )
++from lp.services.macaroons.interfaces import IMacaroonIssuer
  from lp.soyuz.adapters.buildarch import determine_architectures_to_build
  from lp.soyuz.enums import (
      ArchivePurpose,
@@ -102,7 +108,10 @@
  from lp.soyuz.mail.binarypackagebuild import BinaryPackageBuildMailer
  from lp.soyuz.model.binarypackagename import BinaryPackageName
  from lp.soyuz.model.binarypackagerelease import BinaryPackageRelease
--from lp.soyuz.model.files import BinaryPackageFile
++from lp.soyuz.model.files import (
++    BinaryPackageFile,
++    SourcePackageReleaseFile,
++    )
  from lp.soyuz.model.packageset import Packageset
  from lp.soyuz.model.queue import (
      PackageUpload,
@@ -1362,3 +1371,88 @@
                      % (build.title, build.id, build.archive.displayname,
                      build_queue.lastscore))
          return new_builds
++
++
++@implementer(IMacaroonIssuer)
++class BinaryPackageBuildMacaroonIssuer:
++
++    @property
++    def _root_secret(self):
++        secret = config.launchpad.internal_macaroon_secret_key
++        if not secret:
++            raise RuntimeError(
++                "launchpad.internal_macaroon_secret_key not configured.")
++        return secret
++
++    def issueMacaroon(self, context):
++        """See `IMacaroonIssuer`.
++
++        For issuing, the context is an `IBinaryPackageBuild`.
++        """
++        if not removeSecurityProxy(context).archive.private:
++            raise ValueError("Refusing to issue macaroon for public build.")
++        macaroon = Macaroon(
++            location=config.vhost.mainsite.hostname,
++            identifier="binary-package-build", key=self._root_secret)
++        # The "lp.principal" prefix indicates that this caveat constrains
++        # the macaroon to access only resources that should be accessible
++        # when acting on behalf of the named build, rather than to access
++        # the named build directly.
++        macaroon.add_first_party_caveat(
++            "lp.principal.binary-package-build %s" %
++            removeSecurityProxy(context).id)
++        return macaroon
++
++    def checkMacaroonIssuer(self, macaroon):
++        """See `IMacaroonIssuer`."""
++        if macaroon.location != config.vhost.mainsite.hostname:
++            return False
++        try:
++            verifier = Verifier()
++            verifier.satisfy_general(
++                lambda caveat: caveat.startswith(
++                    "lp.principal.binary-package-build "))
++            return verifier.verify(macaroon, self._root_secret)
++        except Exception:
++            return False
++
++    def verifyMacaroon(self, macaroon, context):
++        """See `IMacaroonIssuer`.
++
++        For verification, the context is a `LibraryFileAlias`.  We check
++        that the file is one of those required to build the
++        `IBinaryPackageBuild` that is the context of the macaroon, and that
++        the context build is currently building.
++        """
++        # Circular import.
++        from lp.soyuz.model.sourcepackagerelease import SourcePackageRelease
++
++        if not ILibraryFileAlias.providedBy(context):
++            return False
++        if not self.checkMacaroonIssuer(macaroon):
++            return False
++
++        def verify_build(caveat):
++            prefix = "lp.principal.binary-package-build "
++            if not caveat.startswith(prefix):
++                return False
++            try:
++                build_id = int(caveat[len(prefix):])
++            except ValueError:
++                return False
++            return not IStore(BinaryPackageBuild).find(
++                BinaryPackageBuild,
++                BinaryPackageBuild.id == build_id,
++                BinaryPackageBuild.source_package_release_id ==
++                    SourcePackageRelease.id,
++                SourcePackageReleaseFile.sourcepackagereleaseID ==
++                    SourcePackageRelease.id,
++                SourcePackageReleaseFile.libraryfile == context,
++                BinaryPackageBuild.status == BuildStatus.BUILDING).is_empty()
++
++        try:
++            verifier = Verifier()
++            verifier.satisfy_general(verify_build)
++            return verifier.verify(macaroon, self._root_secret)
++        except Exception:
++            return False
 === modified file 'lib/lp/soyuz/tests/test_binarypackagebuild.py'
 --- lib/lp/soyuz/tests/test_binarypackagebuild.py	2018-02-09 14:56:43 +0000
 +++ lib/lp/soyuz/tests/test_binarypackagebuild.py	2019-04-23 14:01:24 +0000
@@ -1,4 +1,4 @@
--# Copyright 2009-2018 Canonical Ltd.  This software is licensed under the
++# Copyright 2009-2019 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Test Build features."""
@@ -10,8 +10,13 @@
      timedelta,
+     )
++from pymacaroons import Macaroon
  import pytz
  from simplejson import dumps
++from testtools.matchers import (
++    MatchesListwise,
++    MatchesStructure,
++    )
  from zope.component import getUtility
  from zope.security.proxy import removeSecurityProxy
@@ -22,7 +27,9 @@
  from lp.registry.interfaces.pocket import PackagePublishingPocket
  from lp.registry.interfaces.series import SeriesStatus
  from lp.registry.interfaces.sourcepackage import SourcePackageUrgency
++from lp.services.config import config
  from lp.services.log.logger import DevNullLogger
++from lp.services.macaroons.interfaces import IMacaroonIssuer
  from lp.services.webapp.interaction import ANONYMOUS
  from lp.services.webapp.interfaces import OAuthPermission
  from lp.soyuz.enums import (
@@ -897,3 +904,123 @@
          with anonymous_logged_in():
              self.assertScoreWriteableByTeam(
                  archive, getUtility(ILaunchpadCelebrities).ppa_admin)
++
++
++class TestBinaryPackageBuildMacaroonIssuer(TestCaseWithFactory):
++    """Test BinaryPackageBuild macaroon issuing and verification."""
++
++    layer = LaunchpadZopelessLayer
++
++    def setUp(self):
++        super(TestBinaryPackageBuildMacaroonIssuer, self).setUp()
++        self.pushConfig(
++            "launchpad", internal_macaroon_secret_key="some-secret")
++
++    def test_issueMacaroon_refuses_public_archive(self):
++        build = self.factory.makeBinaryPackageBuild()
++        issuer = getUtility(IMacaroonIssuer, "binary-package-build")
++        self.assertRaises(
++            ValueError, removeSecurityProxy(issuer).issueMacaroon, build)
++
++    def test_issueMacaroon_good(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        issuer = getUtility(IMacaroonIssuer, "binary-package-build")
++        macaroon = removeSecurityProxy(issuer).issueMacaroon(build)
++        self.assertEqual("launchpad.dev", macaroon.location)
++        self.assertEqual("binary-package-build", macaroon.identifier)
++        self.assertThat(macaroon.caveats, MatchesListwise([
++            MatchesStructure.byEquality(
++                caveat_id="lp.principal.binary-package-build %s" % build.id),
++            ]))
++
++    def test_checkMacaroonIssuer_good(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        issuer = getUtility(IMacaroonIssuer, "binary-package-build")
++        macaroon = removeSecurityProxy(issuer).issueMacaroon(build)
++        self.assertTrue(issuer.checkMacaroonIssuer(macaroon))
++
++    def test_checkMacaroonIssuer_wrong_location(self):
++        issuer = getUtility(IMacaroonIssuer, "binary-package-build")
++        macaroon = Macaroon(
++            location="another-location",
++            key=removeSecurityProxy(issuer)._root_secret)
++        self.assertFalse(issuer.checkMacaroonIssuer(macaroon))
++
++    def test_checkMacaroonIssuer_wrong_key(self):
++        issuer = getUtility(IMacaroonIssuer, "binary-package-build")
++        macaroon = Macaroon(
++            location=config.vhost.mainsite.hostname, key="another-secret")
++        self.assertFalse(issuer.checkMacaroonIssuer(macaroon))
++
++    def test_verifyMacaroon_good(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        sprf = self.factory.makeSourcePackageReleaseFile(
++            sourcepackagerelease=build.source_package_release)
++        build.updateStatus(BuildStatus.BUILDING)
++        issuer = removeSecurityProxy(
++            getUtility(IMacaroonIssuer, "binary-package-build"))
++        macaroon = issuer.issueMacaroon(build)
++        self.assertTrue(issuer.verifyMacaroon(macaroon, sprf.libraryfile))
++
++    def test_verifyMacaroon_wrong_location(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        sprf = self.factory.makeSourcePackageReleaseFile(
++            sourcepackagerelease=build.source_package_release)
++        build.updateStatus(BuildStatus.BUILDING)
++        issuer = removeSecurityProxy(
++            getUtility(IMacaroonIssuer, "binary-package-build"))
++        macaroon = Macaroon(
++            location="another-location", key=issuer._root_secret)
++        self.assertFalse(issuer.verifyMacaroon(macaroon, sprf.libraryfile))
++
++    def test_verifyMacaroon_wrong_key(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        sprf = self.factory.makeSourcePackageReleaseFile(
++            sourcepackagerelease=build.source_package_release)
++        build.updateStatus(BuildStatus.BUILDING)
++        issuer = removeSecurityProxy(
++            getUtility(IMacaroonIssuer, "binary-package-build"))
++        macaroon = Macaroon(
++            location=config.vhost.mainsite.hostname, key="another-secret")
++        self.assertFalse(issuer.verifyMacaroon(macaroon, sprf.libraryfile))
++
++    def test_verifyMacaroon_not_building(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        sprf = self.factory.makeSourcePackageReleaseFile(
++            sourcepackagerelease=build.source_package_release)
++        issuer = removeSecurityProxy(
++            getUtility(IMacaroonIssuer, "binary-package-build"))
++        macaroon = issuer.issueMacaroon(build)
++        self.assertFalse(issuer.verifyMacaroon(macaroon, sprf.libraryfile))
++
++    def test_verifyMacaroon_wrong_build(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        sprf = self.factory.makeSourcePackageReleaseFile(
++            sourcepackagerelease=build.source_package_release)
++        build.updateStatus(BuildStatus.BUILDING)
++        other_build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        other_build.updateStatus(BuildStatus.BUILDING)
++        issuer = removeSecurityProxy(
++            getUtility(IMacaroonIssuer, "binary-package-build"))
++        macaroon = issuer.issueMacaroon(other_build)
++        self.assertFalse(issuer.verifyMacaroon(macaroon, sprf.libraryfile))
++
++    def test_verifyMacaroon_wrong_file(self):
++        build = self.factory.makeBinaryPackageBuild(
++            archive=self.factory.makeArchive(private=True))
++        self.factory.makeSourcePackageReleaseFile(
++            sourcepackagerelease=build.source_package_release)
++        lfa = self.factory.makeLibraryFileAlias()
++        build.updateStatus(BuildStatus.BUILDING)
++        issuer = removeSecurityProxy(
++            getUtility(IMacaroonIssuer, "binary-package-build"))
++        macaroon = issuer.issueMacaroon(build)
++        self.assertFalse(issuer.verifyMacaroon(macaroon, lfa))