Launchpad itself

Merge lp:~cjwatson/launchpad/snap-build-send-private into lp:launchpad

  1. snap-build-send-private
  2. Merge into devel
Proposed by Colin Watson
Status: Merged
Merged at revision: 18903
Proposed branch: lp:~cjwatson/launchpad/snap-build-send-private
Merge into: lp:launchpad
Diff against target: 79 lines (+16/-0)
2 files modified
lib/lp/snappy/model/snapbuildbehaviour.py (+1/-0)
lib/lp/snappy/tests/test_snapbuildbehaviour.py (+15/-0)
To merge this branch: bzr merge lp:~cjwatson/launchpad/snap-build-send-private
Reviewer Review Type Date Requested Status
William Grant code Approve
Review via email: mp+364067@code.launchpad.net

Commit message

Send "private": True to launchpad-buildd for builds of private snaps.

Description of the change

Before we can do anything else with private snap builds, we need to ensure that launchpad-buildd doesn't leak information via SNAPCRAFT_BUILD_INFO, and that means it needs to be told whether the build is private or public.

To post a comment you must log in.
Revision history for this message
William Grant (wgrant) wrote :

I agree launchpad-buildd should know whether a build is private, but I don't think it maps directly to SNAPCRAFT_BUILD_INFO. e.g. a normal security build should include SNAPCRAFT_BUILD_INFO, just without creds.

Revision history for this message
Colin Watson (cjwatson) wrote :

The problem is that SNAPCRAFT_BUILD_INFO is binary: there's no way to say "include the build information but redact credentials from it" (I'm not actually sure which credentials might be included, but it certainly seems likely that there'd be some). So for the time being it seems safer to disable it for all private builds.

Revision history for this message
William Grant (wgrant) :
review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'lib/lp/snappy/model/snapbuildbehaviour.py'
--- lib/lp/snappy/model/snapbuildbehaviour.py 2019-02-07 19:17:52 +0000
+++ lib/lp/snappy/model/snapbuildbehaviour.py 2019-03-06 23:01:28 +0000
@@ -141,6 +141,7 @@
141 "Source branch/repository for ~%s/%s has been deleted." %141 "Source branch/repository for ~%s/%s has been deleted." %
142 (build.snap.owner.name, build.snap.name))142 (build.snap.owner.name, build.snap.name))
143 args["build_source_tarball"] = build.snap.build_source_tarball143 args["build_source_tarball"] = build.snap.build_source_tarball
144 args["private"] = build.is_private
144 defer.returnValue(args)145 defer.returnValue(args)
145146
146 @defer.inlineCallbacks147 @defer.inlineCallbacks
147148
=== modified file 'lib/lp/snappy/tests/test_snapbuildbehaviour.py'
--- lib/lp/snappy/tests/test_snapbuildbehaviour.py 2019-02-07 19:17:52 +0000
+++ lib/lp/snappy/tests/test_snapbuildbehaviour.py 2019-03-06 23:01:28 +0000
@@ -82,6 +82,7 @@
82 )82 )
83from lp.services.webapp import canonical_url83from lp.services.webapp import canonical_url
84from lp.snappy.interfaces.snap import (84from lp.snappy.interfaces.snap import (
85 SNAP_PRIVATE_FEATURE_FLAG,
85 SNAP_SNAPCRAFT_CHANNEL_FEATURE_FLAG,86 SNAP_SNAPCRAFT_CHANNEL_FEATURE_FLAG,
86 SnapBuildArchiveOwnerMismatch,87 SnapBuildArchiveOwnerMismatch,
87 )88 )
@@ -396,6 +397,7 @@
396 "build_url": Equals(canonical_url(job.build)),397 "build_url": Equals(canonical_url(job.build)),
397 "fast_cleanup": Is(True),398 "fast_cleanup": Is(True),
398 "name": Equals("test-snap"),399 "name": Equals("test-snap"),
400 "private": Is(False),
399 "proxy_url": self.getProxyURLMatcher(job),401 "proxy_url": self.getProxyURLMatcher(job),
400 "revocation_endpoint": self.getRevocationEndpointMatcher(job),402 "revocation_endpoint": self.getRevocationEndpointMatcher(job),
401 "series": Equals("unstable"),403 "series": Equals("unstable"),
@@ -422,6 +424,7 @@
422 "git_repository": Equals(ref.repository.git_https_url),424 "git_repository": Equals(ref.repository.git_https_url),
423 "git_path": Equals(ref.name),425 "git_path": Equals(ref.name),
424 "name": Equals("test-snap"),426 "name": Equals("test-snap"),
427 "private": Is(False),
425 "proxy_url": self.getProxyURLMatcher(job),428 "proxy_url": self.getProxyURLMatcher(job),
426 "revocation_endpoint": self.getRevocationEndpointMatcher(job),429 "revocation_endpoint": self.getRevocationEndpointMatcher(job),
427 "series": Equals("unstable"),430 "series": Equals("unstable"),
@@ -448,6 +451,7 @@
448 "fast_cleanup": Is(True),451 "fast_cleanup": Is(True),
449 "git_repository": Equals(ref.repository.git_https_url),452 "git_repository": Equals(ref.repository.git_https_url),
450 "name": Equals("test-snap"),453 "name": Equals("test-snap"),
454 "private": Is(False),
451 "proxy_url": self.getProxyURLMatcher(job),455 "proxy_url": self.getProxyURLMatcher(job),
452 "revocation_endpoint": self.getRevocationEndpointMatcher(job),456 "revocation_endpoint": self.getRevocationEndpointMatcher(job),
453 "series": Equals("unstable"),457 "series": Equals("unstable"),
@@ -476,6 +480,7 @@
476 "git_repository": Equals(url),480 "git_repository": Equals(url),
477 "git_path": Equals("master"),481 "git_path": Equals("master"),
478 "name": Equals("test-snap"),482 "name": Equals("test-snap"),
483 "private": Is(False),
479 "proxy_url": self.getProxyURLMatcher(job),484 "proxy_url": self.getProxyURLMatcher(job),
480 "revocation_endpoint": self.getRevocationEndpointMatcher(job),485 "revocation_endpoint": self.getRevocationEndpointMatcher(job),
481 "series": Equals("unstable"),486 "series": Equals("unstable"),
@@ -502,6 +507,7 @@
502 "fast_cleanup": Is(True),507 "fast_cleanup": Is(True),
503 "git_repository": Equals(url),508 "git_repository": Equals(url),
504 "name": Equals("test-snap"),509 "name": Equals("test-snap"),
510 "private": Is(False),
505 "proxy_url": self.getProxyURLMatcher(job),511 "proxy_url": self.getProxyURLMatcher(job),
506 "revocation_endpoint": self.getRevocationEndpointMatcher(job),512 "revocation_endpoint": self.getRevocationEndpointMatcher(job),
507 "series": Equals("unstable"),513 "series": Equals("unstable"),
@@ -600,6 +606,15 @@
600 self.assertTrue(args["build_source_tarball"])606 self.assertTrue(args["build_source_tarball"])
601607
602 @defer.inlineCallbacks608 @defer.inlineCallbacks
609 def test_extraBuildArgs_private(self):
610 # If the snap is private, extraBuildArgs sends the appropriate
611 # arguments.
612 self.useFixture(FeatureFixture({SNAP_PRIVATE_FEATURE_FLAG: "on"}))
613 job = self.makeJob(private=True)
614 args = yield job.extraBuildArgs()
615 self.assertTrue(args["private"])
616
617 @defer.inlineCallbacks
603 def test_composeBuildRequest_proxy_url_set(self):618 def test_composeBuildRequest_proxy_url_set(self):
604 job = self.makeJob()619 job = self.makeJob()
605 build_request = yield job.composeBuildRequest(None)620 build_request = yield job.composeBuildRequest(None)