Launchpad itself

Merge lp:~cjwatson/launchpad/snap-build-send-private into lp:launchpad

snap-build-send-private
Merge into devel

Proposed by Colin Watson on 2019-03-06

Status:

Merged

Merged at revision:

18903

Proposed branch:

lp:~cjwatson/launchpad/snap-build-send-private

Merge into:

lp:launchpad

Diff against target:

79 lines (+16/-0)

2 files modified

lib/lp/snappy/model/snapbuildbehaviour.py (+1/-0)
lib/lp/snappy/tests/test_snapbuildbehaviour.py (+15/-0)

To merge this branch:

bzr merge lp:~cjwatson/launchpad/snap-build-send-private

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
William Grant	code	2019-03-06	Approve on 2019-03-08
Review via email: mp+364067@code.launchpad.net

Commit message

Send "private": True to launchpad-buildd for builds of private snaps.

Description of the change

Before we can do anything else with private snap builds, we need to ensure that launchpad-buildd doesn't leak information via SNAPCRAFT_BUILD_INFO, and that means it needs to be told whether the build is private or public.

Revision history for this message

William Grant (wgrant) wrote on 2019-03-07:

I agree launchpad-buildd should know whether a build is private, but I don't think it maps directly to SNAPCRAFT_BUILD_INFO. e.g. a normal security build should include SNAPCRAFT_BUILD_INFO, just without creds.

Revision history for this message

Colin Watson (cjwatson) wrote on 2019-03-07:

The problem is that SNAPCRAFT_BUILD_INFO is binary: there's no way to say "include the build information but redact credentials from it" (I'm not actually sure which credentials might be included, but it certainly seems likely that there'd be some). So for the time being it seems safer to disable it for all private builds.

Revision history for this message

William Grant (wgrant) on 2019-03-08:

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

1	=== modified file 'lib/lp/snappy/model/snapbuildbehaviour.py'
2	--- lib/lp/snappy/model/snapbuildbehaviour.py 2019-02-07 19:17:52 +0000
3	+++ lib/lp/snappy/model/snapbuildbehaviour.py 2019-03-06 23:01:28 +0000
4	@@ -141,6 +141,7 @@
5	"Source branch/repository for ~%s/%s has been deleted." %
6	(build.snap.owner.name, build.snap.name))
7	args["build_source_tarball"] = build.snap.build_source_tarball
8	+ args["private"] = build.is_private
9	defer.returnValue(args)
10
11	@defer.inlineCallbacks
12
13	=== modified file 'lib/lp/snappy/tests/test_snapbuildbehaviour.py'
14	--- lib/lp/snappy/tests/test_snapbuildbehaviour.py 2019-02-07 19:17:52 +0000
15	+++ lib/lp/snappy/tests/test_snapbuildbehaviour.py 2019-03-06 23:01:28 +0000
16	@@ -82,6 +82,7 @@
17	)
18	from lp.services.webapp import canonical_url
19	from lp.snappy.interfaces.snap import (
20	+ SNAP_PRIVATE_FEATURE_FLAG,
21	SNAP_SNAPCRAFT_CHANNEL_FEATURE_FLAG,
22	SnapBuildArchiveOwnerMismatch,
23	)
24	@@ -396,6 +397,7 @@
25	"build_url": Equals(canonical_url(job.build)),
26	"fast_cleanup": Is(True),
27	"name": Equals("test-snap"),
28	+ "private": Is(False),
29	"proxy_url": self.getProxyURLMatcher(job),
30	"revocation_endpoint": self.getRevocationEndpointMatcher(job),
31	"series": Equals("unstable"),
32	@@ -422,6 +424,7 @@
33	"git_repository": Equals(ref.repository.git_https_url),
34	"git_path": Equals(ref.name),
35	"name": Equals("test-snap"),
36	+ "private": Is(False),
37	"proxy_url": self.getProxyURLMatcher(job),
38	"revocation_endpoint": self.getRevocationEndpointMatcher(job),
39	"series": Equals("unstable"),
40	@@ -448,6 +451,7 @@
41	"fast_cleanup": Is(True),
42	"git_repository": Equals(ref.repository.git_https_url),
43	"name": Equals("test-snap"),
44	+ "private": Is(False),
45	"proxy_url": self.getProxyURLMatcher(job),
46	"revocation_endpoint": self.getRevocationEndpointMatcher(job),
47	"series": Equals("unstable"),
48	@@ -476,6 +480,7 @@
49	"git_repository": Equals(url),
50	"git_path": Equals("master"),
51	"name": Equals("test-snap"),
52	+ "private": Is(False),
53	"proxy_url": self.getProxyURLMatcher(job),
54	"revocation_endpoint": self.getRevocationEndpointMatcher(job),
55	"series": Equals("unstable"),
56	@@ -502,6 +507,7 @@
57	"fast_cleanup": Is(True),
58	"git_repository": Equals(url),
59	"name": Equals("test-snap"),
60	+ "private": Is(False),
61	"proxy_url": self.getProxyURLMatcher(job),
62	"revocation_endpoint": self.getRevocationEndpointMatcher(job),
63	"series": Equals("unstable"),
64	@@ -600,6 +606,15 @@
65	self.assertTrue(args["build_source_tarball"])
66
67	@defer.inlineCallbacks
68	+ def test_extraBuildArgs_private(self):
69	+ # If the snap is private, extraBuildArgs sends the appropriate
70	+ # arguments.
71	+ self.useFixture(FeatureFixture({SNAP_PRIVATE_FEATURE_FLAG: "on"}))
72	+ job = self.makeJob(private=True)
73	+ args = yield job.extraBuildArgs()
74	+ self.assertTrue(args["private"])
75	+
76	+ @defer.inlineCallbacks
77	def test_composeBuildRequest_proxy_url_set(self):
78	job = self.makeJob()
79	build_request = yield job.composeBuildRequest(None)