snapstore-client

Merge ~cjwatson/snapstore-client:overrides into snapstore-client:master

Proposed by Colin Watson on 2017-07-13

Status:	Merged
Merged at revision:	7c7bc507ad645dbcfea6ba09c6dfb3acad787c95
Proposed branch:	~cjwatson/snapstore-client:overrides
Merge into:	snapstore-client:master
Prerequisite:	~cjwatson/snapstore-client:login
Diff against target:	876 lines (+727/-5) 12 files modified requirements-dev.txt (+1/-0) snapstore (+44/-0) snapstore_client/exceptions.py (+13/-0) snapstore_client/logic/overrides.py (+79/-0) snapstore_client/logic/tests/test_overrides.py (+143/-0) snapstore_client/presentation_helpers.py (+42/-0) snapstore_client/tests/factory.py (+22/-3) snapstore_client/tests/matchers.py (+52/-0) snapstore_client/tests/test_presentation_helpers.py (+107/-0) snapstore_client/tests/test_webservices.py (+92/-1) snapstore_client/tests/testfixtures.py (+43/-1) snapstore_client/webservices.py (+89/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Adam Collard (community)		2017-07-13	Approve on 2017-08-02
Review via email: mp+327372@code.launchpad.net

Commit message

Add override commands

These allow displaying and modifying channel map overrides in an
enterprise store.

Description of the change

Revision history for this message

Adam Collard (adam-collard) wrote on 2017-08-02:

Looks good, just a subjective bike-shed nitpick inline :)

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Colin Watson

SIAB

 diff --git a/requirements-dev.txt b/requirements-dev.txt
 index c29ab6e..999f232 100644
 --- a/requirements-dev.txt
 +++ b/requirements-dev.txt
@@ -5,4 +5,5 @@ flake8
  pysha3>=1.0
  responses
  snapstore-schemas
++testscenarios
  testtools
 diff --git a/snapstore b/snapstore
 index a331e6d..2bb9dad 100755
 --- a/snapstore
 +++ b/snapstore
@@ -14,6 +14,11 @@ from snapstore_client.logic.dump import (
      import_snapsection_dump,
+ )
  from snapstore_client.logic.login import login
++from snapstore_client.logic.overrides import (
++    delete_override,
++    list_overrides,
++    override,
++)
  from snapstore_client.logic.upload import upload_snap
@@ -55,6 +60,45 @@ def parse_args():
      login_parser = subparsers.add_parser('login', help='Sign into a store.')
      login_parser.set_defaults(func=login)
++    list_overrides_parser = subparsers.add_parser(
++        'list-overrides', help='List channel map overrides.',
++    )
++    list_overrides_parser.add_argument(
++        '--series', default='16',
++        help='The series within which to list overrides.')
++    list_overrides_parser.add_argument(
++        'snap_name',
++        help='The name of the snap whose channel map should be listed.')
++    list_overrides_parser.set_defaults(func=list_overrides)
++
++    override_parser = subparsers.add_parser(
++        'override', help='Set channel map overrides.',
++    )
++    override_parser.add_argument(
++        '--series', default='16',
++        help='The series within which to set overrides.')
++    override_parser.add_argument(
++        'snap_name',
++        help='The name of the snap whose channel map should be modified.')
++    override_parser.add_argument(
++        'channel_map_entries', nargs='+', metavar='channel_map_entry',
++        help='A channel map override, in the form <channel>=<revision>.')
++    override_parser.set_defaults(func=override)
++
++    delete_override_parser = subparsers.add_parser(
++        'delete-override', help='Delete channel map overrides.',
++    )
++    delete_override_parser.add_argument(
++        '--series', default='16',
++        help='The series within which to delete overrides.')
++    delete_override_parser.add_argument(
++        'snap_name',
++        help='The name of the snap whose channel map should be modified.')
++    delete_override_parser.add_argument(
++        'channels', nargs='+', metavar='channel',
++        help='A channel whose overrides should be deleted.')
++    delete_override_parser.set_defaults(func=delete_override)
++
      if len(sys.argv) == 1:
          # Display help if no arguments are provided.
          parser.print_help()
 diff --git a/snapstore_client/exceptions.py b/snapstore_client/exceptions.py
 index 5572b8f..88746c7 100644
 --- a/snapstore_client/exceptions.py
 +++ b/snapstore_client/exceptions.py
@@ -19,6 +19,14 @@ class ClientError(Exception):
          return self.fmt.format(**self.__dict__)
++class InvalidCredentials(ClientError):
++
++    fmt = 'Invalid credentials: {message}.'
++
++    def __init__(self, message):
++        super().__init__(message=message)
++
++
  class StoreMacaroonSSOMismatch(ClientError):
      fmt = 'Root macaroon does not refer to expected SSO host: {sso_host}.'
@@ -41,3 +49,8 @@ class StoreTwoFactorAuthenticationRequired(StoreAuthenticationError):
      def __init__(self):
          super().__init__('Two-factor authentication required.')
++
++
++class StoreMacaroonNeedsRefresh(ClientError):
++
++    fmt = 'Authentication macaroon needs to be refreshed.'
 diff --git a/snapstore_client/logic/overrides.py b/snapstore_client/logic/overrides.py
 new file mode 100644
 index 0000000..f514c48
 --- /dev/null
 +++ b/snapstore_client/logic/overrides.py
@@ -0,0 +1,79 @@
++# Copyright 2017 Canonical Ltd.
++
++import logging
++
++from requests.exceptions import HTTPError
++
++from snapstore_client import (
++    exceptions,
++    webservices as ws,
++)
++from snapstore_client.presentation_helpers import (
++    channel_map_string_to_tuple,
++    override_to_string,
++)
++
++
++logger = logging.getLogger(__name__)
++
++
++def _log_credentials_error(e):
++    logger.error('%s', e)
++    logger.error('Have you run "snapstore login"?')
++
++
++def list_overrides(args):
++    try:
++        response = ws.refresh_if_necessary(
++            ws.get_overrides, args.snap_name, series=args.series)
++    except exceptions.InvalidCredentials as e:
++        _log_credentials_error(e)
++        return 1
++    except HTTPError:
++        # Already logged.
++        return 1
++    for override in response['overrides']:
++        logger.info(override_to_string(override))
++
++
++def override(args):
++    overrides = []
++    for channel_map_entry in args.channel_map_entries:
++        channel, revision = channel_map_string_to_tuple(channel_map_entry)
++        overrides.append({
++            'snap_name': args.snap_name,
++            'revision': revision,
++            'channel': channel,
++            'series': args.series,
++        })
++    try:
++        response = ws.refresh_if_necessary(ws.set_overrides, overrides)
++    except exceptions.InvalidCredentials as e:
++        _log_credentials_error(e)
++        return 1
++    except HTTPError:
++        # Already logged.
++        return 1
++    for override in response['overrides']:
++        logger.info(override_to_string(override))
++
++
++def delete_override(args):
++    overrides = []
++    for channel in args.channels:
++        overrides.append({
++            'snap_name': args.snap_name,
++            'revision': None,
++            'channel': channel,
++            'series': args.series,
++        })
++    try:
++        response = ws.refresh_if_necessary(ws.set_overrides, overrides)
++    except exceptions.InvalidCredentials as e:
++        _log_credentials_error(e)
++        return 1
++    except HTTPError:
++        # Already logged.
++        return 1
++    for override in response['overrides']:
++        logger.info(override_to_string(override))
 diff --git a/snapstore_client/logic/tests/test_overrides.py b/snapstore_client/logic/tests/test_overrides.py
 new file mode 100644
 index 0000000..80a929f
 --- /dev/null
 +++ b/snapstore_client/logic/tests/test_overrides.py
@@ -0,0 +1,143 @@
++# Copyright 2017 Canonical Ltd.
++
++import json
++from urllib.parse import urljoin
++
++from acceptable._doubles import set_service_locations
++import fixtures
++import responses
++from testtools import TestCase
++
++from snapstore_client import config
++from snapstore_client.logic.overrides import (
++    delete_override,
++    list_overrides,
++    override,
++)
++from snapstore_client.tests import (
++    factory,
++    testfixtures,
++)
++
++
++class OverridesTests(TestCase):
++
++    def setUp(self):
++        super().setUp()
++        service_locations = config.read_config()['services']
++        set_service_locations(service_locations)
++
++    @responses.activate
++    def test_list_overrides(self):
++        logger = self.useFixture(fixtures.FakeLogger())
++        self.useFixture(testfixtures.CredentialsFixture())
++        snap_id = factory.generate_snap_id()
++        overrides = [
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap'),
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=3,
++                upstream_revision=4, channel='foo/stable',
++                architecture='i386'),
++        ]
++        # XXX cjwatson 2017-06-26: Use acceptable-generated doubles once
++        # they exist.
++        overrides_url = urljoin(
++            config.read_config()['services']['snapdevicegw'],
++            '/v2/metadata/overrides/mysnap')
++        responses.add(
++            'GET', overrides_url, status=200, json={'overrides': overrides})
++
++        list_overrides(factory.Args(snap_name='mysnap', series='16'))
++        self.assertEqual(
++            'mysnap stable amd64 1 (upstream 2)\n'
++            'mysnap foo/stable i386 3 (upstream 4)\n',
++            logger.output)
++
++    @responses.activate
++    def test_override(self):
++        logger = self.useFixture(fixtures.FakeLogger())
++        self.useFixture(testfixtures.CredentialsFixture())
++        snap_id = factory.generate_snap_id()
++        overrides = [
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap'),
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=3,
++                upstream_revision=4, channel='foo/stable',
++                architecture='i386'),
++        ]
++        # XXX cjwatson 2017-06-26: Use acceptable-generated doubles once
++        # they exist.
++        overrides_url = urljoin(
++            config.read_config()['services']['snapdevicegw'],
++            '/v2/metadata/overrides')
++        responses.add(
++            'POST', overrides_url, status=200, json={'overrides': overrides})
++
++        override(factory.Args(
++            snap_name='mysnap',
++            channel_map_entries=['stable=1', 'foo/stable=3'],
++            series='16'))
++        self.assertEqual([
++            {
++                'snap_name': 'mysnap',
++                'revision': 1,
++                'channel': 'stable',
++                'series': '16',
++            },
++            {
++                'snap_name': 'mysnap',
++                'revision': 3,
++                'channel': 'foo/stable',
++                'series': '16',
++            },
++        ], json.loads(responses.calls[0].request.body.decode()))
++        self.assertEqual(
++            'mysnap stable amd64 1 (upstream 2)\n'
++            'mysnap foo/stable i386 3 (upstream 4)\n',
++            logger.output)
++
++    @responses.activate
++    def test_delete_override(self):
++        logger = self.useFixture(fixtures.FakeLogger())
++        self.useFixture(testfixtures.CredentialsFixture())
++        snap_id = factory.generate_snap_id()
++        overrides = [
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=None),
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=None,
++                upstream_revision=4, channel='foo/stable',
++                architecture='i386'),
++        ]
++        # XXX cjwatson 2017-06-26: Use acceptable-generated doubles once
++        # they exist.
++        overrides_url = urljoin(
++            config.read_config()['services']['snapdevicegw'],
++            '/v2/metadata/overrides')
++        responses.add(
++            'POST', overrides_url, status=200, json={'overrides': overrides})
++
++        delete_override(factory.Args(
++            snap_name='mysnap',
++            channels=['stable', 'foo/stable'],
++            series='16'))
++        self.assertEqual([
++            {
++                'snap_name': 'mysnap',
++                'revision': None,
++                'channel': 'stable',
++                'series': '16',
++            },
++            {
++                'snap_name': 'mysnap',
++                'revision': None,
++                'channel': 'foo/stable',
++                'series': '16',
++            },
++        ], json.loads(responses.calls[0].request.body.decode()))
++        self.assertEqual(
++            'mysnap stable amd64 is tracking upstream (revision 2)\n'
++            'mysnap foo/stable i386 is tracking upstream (revision 4)\n',
++            logger.output)
 diff --git a/snapstore_client/presentation_helpers.py b/snapstore_client/presentation_helpers.py
 new file mode 100644
 index 0000000..74e47b1
 --- /dev/null
 +++ b/snapstore_client/presentation_helpers.py
@@ -0,0 +1,42 @@
++# Copyright 2017 Canonical Ltd.
++
++"""Helpers for the presentation layer.
++
++This module contains various functions to make formatting responses as easy
++as possible.
++
++Please DO NOT make calls to other services from this module! Doing so obscures
++the log of the view in question.
++"""
++
++
++def channel_map_string_to_tuple(channel_map_string):
++    """Convert from a channel map string to a tuple.
++
++    The right-hand side is converted to an integer.
++
++    'edge=1' becomes ('edge', 1).
++    """
++    parts = channel_map_string.rsplit('=', 1)
++    if len(parts) != 2:
++        raise ValueError("Invalid channel map string: %r" % channel_map_string)
++    channel = parts[0]
++    try:
++        revision = int(parts[1])
++    except ValueError:
++        raise ValueError("Invalid revision string: %r" % parts[1])
++    return channel, revision
++
++
++def override_to_string(override):
++    """Convert a channel map override into a string presentation."""
++    template = '{snap_name} {channel} {architecture}'
++    if override['revision'] is None:
++        template += ' is tracking upstream'
++        if override['upstream_revision'] is not None:
++            template += ' (revision {upstream_revision:d})'
++    else:
++        template += ' {revision:d}'
++        if override['upstream_revision'] is not None:
++            template += ' (upstream {upstream_revision:d})'
++    return template.format_map(override)
 diff --git a/snapstore_client/tests/factory.py b/snapstore_client/tests/factory.py
 index 250fafa..d6a74ce 100644
 --- a/snapstore_client/tests/factory.py
 +++ b/snapstore_client/tests/factory.py
@@ -2,8 +2,8 @@
  """Test Factory.
--Since siab-client does not have any database, its persistence layer consists
--of making requests to other services in the store.
++Since snapstore-client does not have any database, its persistence layer
++consists of making requests to other services in the store.
  The test factory therefore makes it easy to create payloads that are
  consistent with what those other services return from their various API
@@ -237,7 +237,7 @@ class SnapRevsBuilder:
+         }
--class SnapRevs():
++class SnapRevs:
      @staticmethod
      def NoRevisions():
@@ -252,6 +252,25 @@ class SnapRevs():
          return {'revisions': builder.get_payload()['revisions']}
++class SnapDeviceGateway:
++
++    @staticmethod
++    def Override(snap_id=None, snap_name='special-sauce', revision=1,
++                 upstream_revision=2, channel='stable', architecture='amd64',
++                 series='16'):
++        if snap_id is None:
++            snap_id = generate_snap_id()
++        return {
++            'snap_id': snap_id,
++            'snap_name': snap_name,
++            'revision': revision,
++            'upstream_revision': upstream_revision,
++            'channel': channel,
++            'architecture': architecture,
++            'series': series,
++        }
++
++
  class Args:
      """Fake arguments for testing command-line logic."""
 diff --git a/snapstore_client/tests/matchers.py b/snapstore_client/tests/matchers.py
 new file mode 100644
 index 0000000..29e10b7
 --- /dev/null
 +++ b/snapstore_client/tests/matchers.py
@@ -0,0 +1,52 @@
++# Copyright 2017 Canonical Ltd.  This software is licensed under the
++# GNU General Public License version 3 (see the file LICENSE).
++
++from pymacaroons import (
++    Macaroon,
++    Verifier,
++)
++from requests.utils import parse_dict_header
++from testtools.matchers import (
++    Contains,
++    Matcher,
++    Mismatch,
++    StartsWith,
++)
++
++
++class MacaroonsVerify(Matcher):
++    """Matches if serialised macaroons pass verification."""
++
++    def __init__(self, key):
++        super().__init__()
++        self.key = key
++
++    def match(self, macaroons):
++        mismatch = Contains('root').match(macaroons)
++        if mismatch is not None:
++            return mismatch
++        root_macaroon = Macaroon.deserialize(macaroons['root'])
++        if 'discharge' in macaroons:
++            discharge_macaroons = [
++                Macaroon.deserialize(macaroons['discharge'])]
++        else:
++            discharge_macaroons = []
++        try:
++            Verifier().verify(root_macaroon, self.key, discharge_macaroons)
++        except Exception as e:
++            return Mismatch('Macaroons do not verify: %s' % e)
++
++
++class MacaroonHeaderVerifies(Matcher):
++    """Matches if an Authorization header passes verification."""
++
++    def __init__(self, key):
++        super().__init__()
++        self.key = key
++
++    def match(self, authz_header):
++        mismatch = StartsWith('Macaroon ').match(authz_header)
++        if mismatch is not None:
++            return mismatch
++        return MacaroonsVerify(self.key).match(
++            parse_dict_header(authz_header[len('Macaroon '):]))
 diff --git a/snapstore_client/tests/test_presentation_helpers.py b/snapstore_client/tests/test_presentation_helpers.py
 new file mode 100644
 index 0000000..b46345d
 --- /dev/null
 +++ b/snapstore_client/tests/test_presentation_helpers.py
@@ -0,0 +1,107 @@
++# Copyright 2017 Canonical Ltd.
++
++from testtools import TestCase
++from testscenarios import WithScenarios
++
++from snapstore_client.presentation_helpers import (
++    channel_map_string_to_tuple,
++    override_to_string,
++)
++
++
++class ChannelMapStringToTupleScenarioTests(WithScenarios, TestCase):
++
++    scenarios = [
++        ('with risk', {
++            'channel_map': 'stable=1',
++            'terms': ('stable', 1),
++        }),
++        ('with track and risk', {
++            'channel_map': '2.1/stable=2',
++            'terms': ('2.1/stable', 2),
++        }),
++        ('with risk and branch', {
++            'channel_map': 'stable/hot-fix=42',
++            'terms': ('stable/hot-fix', 42),
++        }),
++        ('with track, risk and branch', {
++            'channel_map': '2.1/stable/hot-fix=123',
++            'terms': ('2.1/stable/hot-fix', 123),
++        }),
++    ]
++
++    def test_run_scenario(self):
++        self.assertEqual(
++            self.terms, channel_map_string_to_tuple(self.channel_map))
++
++
++class ChannelMapStringToTupleErrorTests(WithScenarios, TestCase):
++
++    scenarios = [
++        ('missing revision', {
++            'channel_map': 'stable',
++            'error_message': "Invalid channel map string: 'stable'",
++        }),
++        ('non-integer revision', {
++            'channel_map': 'stable=nonsense',
++            'error_message': "Invalid revision string: 'nonsense'",
++        }),
++    ]
++
++    def test_run_scenario(self):
++        error = self.assertRaises(
++            ValueError, channel_map_string_to_tuple, self.channel_map)
++        self.assertEqual(self.error_message, str(error))
++
++
++class OverrideToStringTests(WithScenarios, TestCase):
++
++    scenarios = [
++        ('without revision or upstream revision', {
++            'override': {
++                'snap_id': 'dummy',
++                'snap_name': 'mysnap',
++                'revision': None,
++                'upstream_revision': None,
++                'channel': 'stable',
++                'architecture': 'amd64',
++            },
++            'string': 'mysnap stable amd64 is tracking upstream',
++        }),
++        ('without revision but with upstream revision', {
++            'override': {
++                'snap_id': 'dummy',
++                'snap_name': 'mysnap',
++                'revision': None,
++                'upstream_revision': 2,
++                'channel': 'stable',
++                'architecture': 'amd64',
++            },
++            'string': 'mysnap stable amd64 is tracking upstream (revision 2)',
++        }),
++        ('with revision but without upstream revision', {
++            'override': {
++                'snap_id': 'dummy',
++                'snap_name': 'mysnap',
++                'revision': 1,
++                'upstream_revision': None,
++                'channel': 'stable',
++                'architecture': 'amd64',
++            },
++            'string': 'mysnap stable amd64 1',
++        }),
++        ('with revision and upstream revision', {
++            'override': {
++                'snap_id': 'dummy',
++                'snap_name': 'mysnap',
++                'revision': 1,
++                'upstream_revision': 2,
++                'channel': 'stable',
++                'architecture': 'amd64',
++            },
++            'string': 'mysnap stable amd64 1 (upstream 2)',
++        }),
++    ]
++
++    def test_run_scenario(self):
++        self.assertEqual(self.string, override_to_string(self.override))
 diff --git a/snapstore_client/tests/test_webservices.py b/snapstore_client/tests/test_webservices.py
 index b688f88..2d012ba 100644
 --- a/snapstore_client/tests/test_webservices.py
 +++ b/snapstore_client/tests/test_webservices.py
@@ -25,7 +25,11 @@ from snapstore_client import (
      exceptions,
      webservices,
+ )
--from snapstore_client.tests import factory
++from snapstore_client.tests import (
++    factory,
++    matchers,
++    testfixtures,
++)
  if sys.version < '3.6':
      import sha3  # noqa
@@ -550,3 +554,90 @@ class WebservicesTests(TestCase):
              'Try again later.\n'
              '====================\n',
              logger.output)
++
++    @responses.activate
++    def test_get_overrides_success(self):
++        logger = self.useFixture(fixtures.FakeLogger())
++        credentials = self.useFixture(testfixtures.CredentialsFixture())
++        overrides = [factory.SnapDeviceGateway.Override()]
++        # XXX cjwatson 2017-06-26: Use acceptable-generated double once it
++        # exists.
++        overrides_url = urljoin(
++            config.read_config()['services']['snapdevicegw'],
++            '/v2/metadata/overrides/mysnap')
++        responses.add('GET', overrides_url, status=200, json=overrides)
++
++        self.assertEqual(overrides, webservices.get_overrides('mysnap'))
++        request = responses.calls[0].request
++        self.assertThat(
++            request.headers['Authorization'],
++            matchers.MacaroonHeaderVerifies(credentials.key))
++        self.assertNotIn('Failed to get overrides:', logger.output)
++
++    @responses.activate
++    def test_get_overrides_error(self):
++        logger = self.useFixture(fixtures.FakeLogger())
++        self.useFixture(testfixtures.CredentialsFixture())
++        overrides_url = urljoin(
++            config.read_config()['services']['snapdevicegw'],
++            '/v2/metadata/overrides/mysnap')
++        responses.add(
++            'GET', overrides_url, status=400,
++            json=factory.APIError.single('Something went wrong').to_dict())
++
++        self.assertRaises(HTTPError, webservices.get_overrides, 'mysnap')
++        self.assertEqual(
++            'Failed to get overrides:\nSomething went wrong\n', logger.output)
++
++    @responses.activate
++    def test_set_overrides_success(self):
++        logger = self.useFixture(fixtures.FakeLogger())
++        credentials = self.useFixture(testfixtures.CredentialsFixture())
++        override = factory.SnapDeviceGateway.Override()
++        # XXX cjwatson 2017-06-26: Use acceptable-generated double once it
++        # exists.
++        overrides_url = urljoin(
++            config.read_config()['services']['snapdevicegw'],
++            '/v2/metadata/overrides')
++        responses.add('POST', overrides_url, status=200, json=[override])
++
++        self.assertEqual([override], webservices.set_overrides([{
++            'snap_name': override['snap_name'],
++            'revision': override['revision'],
++            'channel': override['channel'],
++            'series': override['series'],
++        }]))
++        request = responses.calls[0].request
++        self.assertThat(
++            request.headers['Authorization'],
++            matchers.MacaroonHeaderVerifies(credentials.key))
++        self.assertEqual([{
++            'snap_name': override['snap_name'],
++            'revision': override['revision'],
++            'channel': override['channel'],
++            'series': override['series'],
++        }], json.loads(request.body.decode()))
++        self.assertNotIn('Failed to set override:', logger.output)
++
++    @responses.activate
++    def test_set_overrides_error(self):
++        logger = self.useFixture(fixtures.FakeLogger())
++        self.useFixture(testfixtures.CredentialsFixture())
++        override = factory.SnapDeviceGateway.Override()
++        # XXX cjwatson 2017-06-26: Use acceptable-generated double once it
++        # exists.
++        overrides_url = urljoin(
++            config.read_config()['services']['snapdevicegw'],
++            '/v2/metadata/overrides')
++        responses.add(
++            'POST', overrides_url, status=400,
++            json=factory.APIError.single('Something went wrong').to_dict())
++
++        self.assertRaises(HTTPError, webservices.set_overrides, {
++            'snap_name': override['snap_name'],
++            'revision': override['revision'],
++            'channel': override['channel'],
++            'series': override['series'],
++        })
++        self.assertEqual(
++            'Failed to set override:\nSomething went wrong\n', logger.output)
 diff --git a/snapstore_client/tests/testfixtures.py b/snapstore_client/tests/testfixtures.py
 index f659cd9..5070d5a 100644
 --- a/snapstore_client/tests/testfixtures.py
 +++ b/snapstore_client/tests/testfixtures.py
@@ -1,6 +1,15 @@
  # Copyright 2017 Canonical Ltd.
--from fixtures import Fixture
++import os.path
++from textwrap import dedent
++from urllib.parse import urlparse
++
++from fixtures import (
++    Fixture,
++    MonkeyPatch,
++    TempDir,
++)
++from pymacaroons import Macaroon
  from snapstore_client import config
@@ -13,3 +22,36 @@ class ConfigOverrideFixture(Fixture):
      def _setUp(self):
          self.addCleanup(config.read_config.override_for_test(self._new_config))
++
++
++class CredentialsFixture(Fixture):
++
++    def __init__(self):
++        super().__init__()
++        self.key = 'random-key'
++        self.root = Macaroon(key=self.key)
++        self.root.add_third_party_caveat(
++            'login.example.com', 'sso-key', 'payload')
++        self.unbound_discharge = Macaroon(
++            location='login.example.com', identifier='payload', key='sso-key')
++
++    def _setUp(self):
++        config_path = self.useFixture(TempDir()).path
++        credentials_path = os.path.join(
++            config_path, 'snapstore-client', 'credentials.cfg')
++        os.makedirs(os.path.dirname(credentials_path))
++        snapdevicegw_netloc = urlparse(
++            config.read_config()['services']['snapdevicegw']).netloc
++        with open(credentials_path, 'w') as credentials_file:
++            credentials = dedent("""\
++                [{snapdevicegw}]
++                root = {root}
++                unbound_discharge = {unbound_discharge}
++                """).format(
++                    snapdevicegw=snapdevicegw_netloc,
++                    root=self.root.serialize(),
++                    unbound_discharge=self.unbound_discharge.serialize(),
++                )
++            print(credentials, file=credentials_file)
++        self.useFixture(MonkeyPatch(
++            'xdg.BaseDirectory.xdg_config_dirs', [config_path]))
 diff --git a/snapstore_client/webservices.py b/snapstore_client/webservices.py
 index b9306fa..3ec74b6 100644
 --- a/snapstore_client/webservices.py
 +++ b/snapstore_client/webservices.py
@@ -9,6 +9,7 @@ import logging
  import os.path
  import urllib.parse
++from pymacaroons import Macaroon
  import requests
  from snapstore_client import (
@@ -303,6 +304,94 @@ def get_sso_discharge(email, password, caveat_id, one_time_password=None):
      return resp.json()['discharge_macaroon']
++def refresh_sso_discharge(unbound_discharge_raw):
++    sso_root = config.read_config()['services']['sso']
++    refresh_url = urllib.parse.urljoin(sso_root, '/api/v2/tokens/refresh')
++    data = {'discharge_macaroon': unbound_discharge_raw}
++    resp = requests.post(
++        refresh_url, headers={'Accept': 'application/json'}, json=data)
++    if not resp.ok:
++        _print_error_message('refresh SSO discharge', resp)
++        resp.raise_for_status()
++    return resp.json()['discharge_macaroon']
++
++
++def _deserialize_macaroon(name, value):
++    if value is None:
++        raise exceptions.InvalidCredentials('no {} macaroon'.format(name))
++    try:
++        return Macaroon.deserialize(value)
++    except Exception:
++        raise exceptions.InvalidCredentials(
++            'failed to deserialize {} macaroon'.format(name))
++
++
++def _get_macaroon_auth():
++    """Return an Authorization header containing store macaroons."""
++    credentials = config.Credentials()
++    root_raw = credentials.get('root')
++    root = _deserialize_macaroon('root', root_raw)
++    unbound_discharge_raw = credentials.get('unbound_discharge')
++    unbound_discharge = _deserialize_macaroon(
++        'unbound discharge', unbound_discharge_raw)
++    bound_discharge = root.prepare_for_request(unbound_discharge)
++    bound_discharge_raw = bound_discharge.serialize()
++    return 'Macaroon root="{}", discharge="{}"'.format(
++        root_raw, bound_discharge_raw)
++
++
++def _raise_needs_refresh(response):
++    if (response.status_code == 401 and
++            response.headers.get('WWW-Authenticate') == (
++                'Macaroon needs_refresh=1')):
++        raise exceptions.StoreMacaroonNeedsRefresh()
++
++
++def refresh_if_necessary(func, *args, **kwargs):
++    """Make a request, refreshing macaroons if necessary."""
++    try:
++        return func(*args, **kwargs)
++    except exceptions.StoreMacaroonNeedsRefresh:
++        credentials = config.Credentials()
++        unbound_discharge = refresh_sso_discharge(
++            credentials.get('unbound_discharge'))
++        credentials.set('unbound_discharge', unbound_discharge)
++        credentials.save()
++        return func(*args, **kwargs)
++
++
++def get_overrides(snap_name, series='16'):
++    """Get all overrides for a snap."""
++    devicegw_root = config.read_config()['services']['snapdevicegw']
++    overrides_url = urllib.parse.urljoin(
++        devicegw_root,
++        '/v2/metadata/overrides/{}'.format(urllib.parse.quote_plus(snap_name)))
++    headers = {
++        'Authorization': _get_macaroon_auth(),
++        'X-Ubuntu-Series': series,
++    }
++    resp = requests.get(overrides_url, headers=headers)
++    _raise_needs_refresh(resp)
++    if resp.status_code != 200:
++        _print_error_message('get overrides', resp)
++        resp.raise_for_status()
++    return resp.json()
++
++
++def set_overrides(overrides):
++    """Add or remove channel map overrides for a snap."""
++    devicegw_root = config.read_config()['services']['snapdevicegw']
++    overrides_url = urllib.parse.urljoin(
++        devicegw_root, '/v2/metadata/overrides')
++    headers = {'Authorization': _get_macaroon_auth()}
++    resp = requests.post(overrides_url, headers=headers, json=overrides)
++    _raise_needs_refresh(resp)
++    if resp.status_code != 200:
++        _print_error_message('set override', resp)
++        resp.raise_for_status()
++    return resp.json()
++
++
  def _print_error_message(action, response):
      """Print failure messages from other services in a standard way."""
      logger.error("Failed to %s:", action)