Canonical SSO provider

Merge lp:~facundo/canonical-identity-provider/macaroon-discharging-2 into lp:canonical-identity-provider/release

macaroon-discharging-2
Merge into trunk

Proposed by Facundo Batista on 2016-03-10

Status:	Merged
Approved by:	Facundo Batista on 2016-03-11
Approved revision:	no longer in the source branch.
Merged at revision:	1408
Proposed branch:	lp:~facundo/canonical-identity-provider/macaroon-discharging-2
Merge into:	lp:canonical-identity-provider/release
Diff against target:	867 lines (+564/-13) 15 files modified .bzrignore (+1/-0) README (+19/-0) dependencies.txt (+1/-0) django_project/settings_base.py (+14/-0) django_project/settings_devel.py (+3/-3) requirements.txt (+3/-0) requirements_docs.txt (+0/-1) src/api/v20/handlers.py (+74/-1) src/api/v20/tests/test_handlers.py (+259/-3) src/api/v20/urls.py (+3/-0) src/identityprovider/auth.py (+58/-1) src/identityprovider/migrations/0007_auto_20160310_2013.py (+19/-0) src/identityprovider/models/const.py (+3/-1) src/identityprovider/tests/test_auth.py (+105/-1) uci-vms.conf (+2/-2)
To merge this branch:	bzr merge lp:~facundo/canonical-identity-provider/macaroon-discharging-2
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Facundo Batista (community)			Approve on 2016-03-11
Review via email: mp+288684@code.launchpad.net

Commit message

Discharge the received macaroon if user authenticates ok.

Description of the change

Moving from

https://code.launchpad.net/~facundo/canonical-identity-provider/macaroon-discharging/+merge/288151

Revision history for this message

Facundo Batista (facundo) wrote on 2016-03-10:

Approve it as formal review and everything happened in the other MP.

review: Approve

Revision history for this message

Ubuntu One Auto Pilot (otto-pilot) wrote on 2016-03-10:

Download full text (25.2 KiB)

The attempt to merge lp:~facundo/canonical-identity-provider/macaroon-discharging-2 into lp:canonical-identity-provider failed. Below is the output from the failed tests.

Bootstrapping...
rm -rf /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
rm -rf branches/wheels
rm -rf branches/*
rm -rf staticfiles
rm -f lib/versioninfo.py
find -name '*.pyc' -delete
find -name '*.~*' -delete
Not deleting /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin
New python executable in /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/python
Installing setuptools, pip...done.
/usr/lib/config-manager/cm.py update config-manager.txt
touch branches/last_build
[ -d branches/wheels ] && (cd branches/wheels && bzr pull) || (bzr branch lp:~ubuntuone-pqm-team/canonical-identity-provider/dependencies branches/wheels)
bzr version-info --format=python > lib/versioninfo.py
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/python /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/pip install --find-links=branches/wheels --no-index -r requirements.txt
Ignoring indexes: https://pypi.python.org/simple/
Downloading/unpacking bson==0.3.3 (from -r requirements.txt (line 1))
Downloading/unpacking canonical-raven==0.0.3 (from -r requirements.txt (line 2))
Downloading/unpacking convoy==0.4.1 (from -r requirements.txt (line 3))
Downloading/unpacking django==1.8.7 (from -r requirements.txt (line 4))
Downloading/unpacking django-honeypot==0.4.0 (from -r requirements.txt (line 5))
Downloading/unpacking django-jsonfield==0.9.13 (from -r requirements.txt (line 6))
Downloading/unpacking django-model-utils==2.2 (from -r requirements.txt (line 7))
Downloading/unpacking django-modeldict==1.4.1 (from -r requirements.txt (line 8))
Downloading/unpacking django-preflight==0.1.5 (from -r requirements.txt (line 9))
Downloading/unpacking django-secure==1.0.1 (from -r requirements.txt (line 10))
Downloading/unpacking django-statsd-mozilla==0.3.15 (from -r requirements.txt (line 11))
Downloading/unpacking gargoyle==0.11.0 (from -r requirements.txt (line 12))
Downloading/unpacking gunicorn==19.3.0 (from -r requirements.txt (line 13))
Downloading/unpacking lazr.authentication==0.1.3 (from -r requirements.txt (line 14))
Downloading/unpacking libnacl==1.3.6 (from -r requirements.txt (line 15))
Downloading/unpacking nexus==0.3.1 (from -r requirements.txt (line 16))
Downloading/unpacking oath==1.4.0 (from -r requirements.txt (line 17))
Downloading/unpacking oauthlib==0.7.2 (from -r requirements.txt (line 18))
Requirement already satisfied (use --upgrade to upgrade): oops==0.0.13 in /usr/lib/pymodules/python2.7 (from -r requirements.txt (line 19))
Downloading/unpacking oops-amqp==0.0.8b1 (from -r requirements.txt (line 20))
Downloading/unpacking oops-datedir-repo==0.0.23 (from -r requirements.txt (line 21))
Downloading/unpacking oops-dictconfig==0.0.6 (from -r requirements.txt (line 22))
Downloading/unpacking oops-timeline==0.0.2 (from -r requirements.txt (line 23))
Downloading/unpacking oops-wsgi==0.0.11 (from -r requirements.txt (line 24))
Downloading/unpacking paste==2.0.1 (from -r requirements.txt (line 25))
Downloading/unpacking pymacaroons==0.9.1 (from -r requirements.txt (line 26))
Downloading/unpacking raven==5.6.0 (from -r requirements.txt (line 27))
Downloading/unpacking requests-oauthlib==0.4.2 (from -r requirements.txt (line 28))
Downloading/unpacking six==1.10.0 (from -r requirements.txt (line 29))
Downloading/unpacking statsd==3.1 (from -r requirements.txt (line 30))
Requirement already satisfied (use --upgrade to upgrade): testresources==0.2.7 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 31))
Downloading/unpacking timeline==0.0.4 (from -r requirements.txt (line 32))
Downloading/unpacking timeline-django==0.0.4 (from -r requirements.txt (line 33))
Downloading/unpacking whitenoise==2.0.6 (from -r requirements.txt (line 34))
Requirement already satisfied (use --upgrade to upgrade): pytz>=2010b in /usr/lib/python2.7/dist-packages (from bson==0.3.3->-r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): setuptools in ./env/lib/python2.7/site-packages (from django-honeypot==0.4.0->-r requirements.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): httplib2 in /usr/lib/python2.7/dist-packages (from lazr.authentication==0.1.3->-r requirements.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): oauth in /usr/lib/python2.7/dist-packages (from lazr.authentication==0.1.3->-r requirements.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): zope.interface in /usr/lib/python2.7/dist-packages (from lazr.authentication==0.1.3->-r requirements.txt (line 14))
Downloading/unpacking wsgi-intercept (from lazr.authentication==0.1.3->-r requirements.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): amqplib in /usr/lib/python2.7/dist-packages (from oops-amqp==0.0.8b1->-r requirements.txt (line 20))
Requirement already satisfied (use --upgrade to upgrade): iso8601 in /usr/lib/python2.7/dist-packages (from oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): launchpadlib in /usr/lib/python2.7/dist-packages (from oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): requests>=2.0.0 in /usr/lib/python2.7/dist-packages (from requests-oauthlib==0.4.2->-r requirements.txt (line 28))
Requirement already satisfied (use --upgrade to upgrade): keyring in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): lazr.restfulclient>=0.9.19 in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): lazr.uri in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): simplejson in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): wadllib in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Installing collected packages: bson, canonical-raven, convoy, django, django-honeypot, django-jsonfield, django-model-utils, django-modeldict, django-preflight, django-secure, django-statsd-mozilla, gargoyle, gunicorn, lazr.authentication, libnacl, nexus, oath, oauthlib, oops-amqp, oops-datedir-repo, oops-dictconfig, oops-timeline, oops-wsgi, paste, pymacaroons, raven, requests-oauthlib, six, statsd, timeline, timeline-django, whitenoise, wsgi-intercept
  Found existing installation: gunicorn 17.5
    Not uninstalling gunicorn at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
Compiling /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/build/gunicorn/gunicorn/workers/_gaiohttp.py ...
  File "/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/build/gunicorn/gunicorn/workers/_gaiohttp.py", line 68
    yield from self.wsgi.close()
             ^
SyntaxError: invalid syntax

Found existing installation: oauthlib 0.6.1
    Not uninstalling oauthlib at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
  Found existing installation: oops-amqp 0.0.7
    Not uninstalling oops-amqp at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
  Found existing installation: oops-datedir-repo 0.0.21
    Not uninstalling oops-datedir-repo at /usr/lib/pymodules/python2.7, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
  Found existing installation: oops-timeline 0.0.1
    Not uninstalling oops-timeline at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
  Found existing installation: oops-wsgi 0.0.10
    Not uninstalling oops-wsgi at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
  Found existing installation: Paste 1.7.5.1
    Not uninstalling Paste at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
  Found existing installation: six 1.5.2
    Not uninstalling six at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
  Found existing installation: timeline 0.0.3
    Not uninstalling timeline at /usr/lib/pymodules/python2.7, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
Successfully installed bson canonical-raven convoy django django-honeypot django-jsonfield django-model-utils django-modeldict django-preflight django-secure django-statsd-mozilla gargoyle gunicorn lazr.authentication libnacl nexus oath oauthlib oops-amqp oops-datedir-repo oops-dictconfig oops-timeline oops-wsgi paste pymacaroons raven requests-oauthlib six statsd timeline timeline-django whitenoise wsgi-intercept
Cleaning up...
make install-wheels ARGS="-r requirements_devel.txt --pre"
make[1]: Entering directory `/mnt/tarmac/cache/canonical-identity-provider/merges/trunk'
Deleting tree /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/lib/python2.7
Not deleting /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin
New python executable in /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/python
Installing setuptools, pip...done.
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/python /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/pip install --find-links=branches/wheels --no-index -r requirements_devel.txt --pre
Ignoring indexes: https://pypi.python.org/simple/
Downloading/unpacking bson==0.3.3 (from -r requirements.txt (line 1))
Downloading/unpacking canonical-raven==0.0.3 (from -r requirements.txt (line 2))
Downloading/unpacking convoy==0.4.1 (from -r requirements.txt (line 3))
Downloading/unpacking django==1.8.7 (from -r requirements.txt (line 4))
Downloading/unpacking django-honeypot==0.4.0 (from -r requirements.txt (line 5))
Downloading/unpacking django-jsonfield==0.9.13 (from -r requirements.txt (line 6))
Downloading/unpacking django-model-utils==2.2 (from -r requirements.txt (line 7))
Downloading/unpacking django-modeldict==1.4.1 (from -r requirements.txt (line 8))
Downloading/unpacking django-preflight==0.1.5 (from -r requirements.txt (line 9))
Downloading/unpacking django-secure==1.0.1 (from -r requirements.txt (line 10))
Downloading/unpacking django-statsd-mozilla==0.3.15 (from -r requirements.txt (line 11))
Downloading/unpacking gargoyle==0.11.0 (from -r requirements.txt (line 12))
Downloading/unpacking gunicorn==19.3.0 (from -r requirements.txt (line 13))
Downloading/unpacking lazr.authentication==0.1.3 (from -r requirements.txt (line 14))
Downloading/unpacking libnacl==1.3.6 (from -r requirements.txt (line 15))
Downloading/unpacking nexus==0.3.1 (from -r requirements.txt (line 16))
Downloading/unpacking oath==1.4.0 (from -r requirements.txt (line 17))
Downloading/unpacking oauthlib==0.7.2 (from -r requirements.txt (line 18))
Requirement already satisfied (use --upgrade to upgrade): oops==0.0.13 in /usr/lib/pymodules/python2.7 (from -r requirements.txt (line 19))
Downloading/unpacking oops-amqp==0.0.8b1 (from -r requirements.txt (line 20))
Downloading/unpacking oops-datedir-repo==0.0.23 (from -r requirements.txt (line 21))
Downloading/unpacking oops-dictconfig==0.0.6 (from -r requirements.txt (line 22))
Downloading/unpacking oops-timeline==0.0.2 (from -r requirements.txt (line 23))
Downloading/unpacking oops-wsgi==0.0.11 (from -r requirements.txt (line 24))
Downloading/unpacking paste==2.0.1 (from -r requirements.txt (line 25))
Downloading/unpacking pymacaroons==0.9.1 (from -r requirements.txt (line 26))
Downloading/unpacking raven==5.6.0 (from -r requirements.txt (line 27))
Downloading/unpacking requests-oauthlib==0.4.2 (from -r requirements.txt (line 28))
Downloading/unpacking six==1.10.0 (from -r requirements.txt (line 29))
Downloading/unpacking statsd==3.1 (from -r requirements.txt (line 30))
Requirement already satisfied (use --upgrade to upgrade): testresources==0.2.7 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 31))
Downloading/unpacking timeline==0.0.4 (from -r requirements.txt (line 32))
Downloading/unpacking timeline-django==0.0.4 (from -r requirements.txt (line 33))
Downloading/unpacking whitenoise==2.0.6 (from -r requirements.txt (line 34))
Downloading/unpacking coverage==3.6 (from -r requirements_devel.txt (line 3))
Downloading/unpacking cssselect==0.7.1 (from -r requirements_devel.txt (line 4))
Downloading/unpacking ecdsa==0.11 (from -r requirements_devel.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): extras==0.0.3 in /usr/lib/python2.7/dist-packages (from -r requirements_devel.txt (line 6))
Downloading/unpacking fixtures==0.3.12 (from -r requirements_devel.txt (line 7))
Downloading/unpacking flake8==2.4.0 (from -r requirements_devel.txt (line 8))
Downloading/unpacking junitxml==0.7 (from -r requirements_devel.txt (line 9))
Downloading/unpacking localmail==0.3 (from -r requirements_devel.txt (line 10))
Downloading/unpacking logilab-astng==0.24.3 (from -r requirements_devel.txt (line 11))
Downloading/unpacking logilab-common==0.59.1 (from -r requirements_devel.txt (line 12))
Requirement already satisfied (use --upgrade to upgrade): mechanize==0.2.5 in /usr/lib/python2.7/dist-packages (from -r requirements_devel.txt (line 13))
Requirement already satisfied (use --upgrade to upgrade): mock==1.0.1 in /usr/lib/python2.7/dist-packages (from -r requirements_devel.txt (line 14))
Downloading/unpacking paramiko==1.15.1 (from -r requirements_devel.txt (line 15))
Downloading/unpacking pep8==1.5.7 (from -r requirements_devel.txt (line 16))
Requirement already satisfied (use --upgrade to upgrade): pycrypto==2.6.1 in /usr/lib/python2.7/dist-packages (from -r requirements_devel.txt (line 17))
Downloading/unpacking pyflakes==0.8.1 (from -r requirements_devel.txt (line 18))
Downloading/unpacking pylint==0.28.0 (from -r requirements_devel.txt (line 19))
Downloading/unpacking pyquery==1.2.1 (from -r requirements_devel.txt (line 20))
Requirement already satisfied (use --upgrade to upgrade): python-mimeparse==0.1.4 in /usr/lib/python2.7/dist-packages (from -r requirements_devel.txt (line 21))
Downloading/unpacking python-subunit==1.1.0 (from -r requirements_devel.txt (line 22))
Downloading/unpacking selenium==2.48.0 (from -r requirements_devel.txt (line 23))
Downloading/unpacking sqlparse==0.1.4 (from -r requirements_devel.txt (line 24))
Downloading/unpacking sst==0.2.5dev (from -r requirements_devel.txt (line 25))
Requirement already satisfied (use --upgrade to upgrade): testscenarios==0.4 in /usr/lib/python2.7/dist-packages (from -r requirements_devel.txt (line 26))
Downloading/unpacking testtools==0.9.39 (from -r requirements_devel.txt (line 27))
Downloading/unpacking u1-test-utils==0.5 (from -r requirements_devel.txt (line 28))
Downloading/unpacking ucitests==0.4.1 (from -r requirements_devel.txt (line 29))
Downloading/unpacking wsgi-intercept==0.5.1 (from -r requirements_devel.txt (line 30))
Downloading/unpacking alabaster==0.7.2 (from -r requirements_docs.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): babel==1.3 in /usr/lib/python2.7/dist-packages (from -r requirements_docs.txt (line 3))
Downloading/unpacking docutils==0.12 (from -r requirements_docs.txt (line 4))
Downloading/unpacking jinja2==2.7.3 (from -r requirements_docs.txt (line 5))
Downloading/unpacking markupsafe==0.23 (from -r requirements_docs.txt (line 6))
Downloading/unpacking pygments==2.0.2 (from -r requirements_docs.txt (line 7))
Downloading/unpacking pytz==2014.10 (from -r requirements_docs.txt (line 8))
Downloading/unpacking setuptools==14.0 (from -r requirements_docs.txt (line 9))
Downloading/unpacking snowballstemmer==1.2.0 (from -r requirements_docs.txt (line 10))
Downloading/unpacking sphinx==1.3 (from -r requirements_docs.txt (line 11))
Downloading/unpacking sphinx-bootstrap-theme==0.4.5 (from -r requirements_docs.txt (line 12))
Downloading/unpacking sphinxcontrib-httpdomain==1.3.0 (from -r requirements_docs.txt (line 13))
Downloading/unpacking sphinx-rtd-theme==0.1.7 (from -r requirements_docs.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): httplib2 in /usr/lib/python2.7/dist-packages (from lazr.authentication==0.1.3->-r requirements.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): oauth in /usr/lib/python2.7/dist-packages (from lazr.authentication==0.1.3->-r requirements.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): zope.interface in /usr/lib/python2.7/dist-packages (from lazr.authentication==0.1.3->-r requirements.txt (line 14))
Requirement already satisfied (use --upgrade to upgrade): amqplib in /usr/lib/python2.7/dist-packages (from oops-amqp==0.0.8b1->-r requirements.txt (line 20))
Requirement already satisfied (use --upgrade to upgrade): iso8601 in /usr/lib/python2.7/dist-packages (from oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): launchpadlib in /usr/lib/python2.7/dist-packages (from oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): requests>=2.0.0 in /usr/lib/python2.7/dist-packages (from requests-oauthlib==0.4.2->-r requirements.txt (line 28))
Downloading/unpacking mccabe>=0.2.1,<0.4 (from flake8==2.4.0->-r requirements_devel.txt (line 8))
Requirement already satisfied (use --upgrade to upgrade): Twisted>=11.0.0 in /usr/lib/python2.7/dist-packages (from localmail==0.3->-r requirements_devel.txt (line 10))
Requirement already satisfied (use --upgrade to upgrade): lxml>=2.1 in /usr/lib/python2.7/dist-packages (from pyquery==1.2.1->-r requirements_devel.txt (line 20))
Requirement already satisfied (use --upgrade to upgrade): keyring in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): lazr.restfulclient>=0.9.19 in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): lazr.uri in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): simplejson in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Requirement already satisfied (use --upgrade to upgrade): wadllib in /usr/lib/python2.7/dist-packages (from launchpadlib->oops-datedir-repo==0.0.23->-r requirements.txt (line 21))
Installing collected packages: bson, canonical-raven, convoy, django, django-honeypot, django-jsonfield, django-model-utils, django-modeldict, django-preflight, django-secure, django-statsd-mozilla, gargoyle, gunicorn, lazr.authentication, libnacl, nexus, oath, oauthlib, oops-amqp, oops-datedir-repo, oops-dictconfig, oops-timeline, oops-wsgi, paste, pymacaroons, raven, requests-oauthlib, six, statsd, timeline, timeline-django, whitenoise, coverage, cssselect, ecdsa, fixtures, flake8, junitxml, localmail, logilab-astng, logilab-common, paramiko, pep8, pyflakes, pylint, pyquery, python-subunit, selenium, sqlparse, sst, testtools, u1-test-utils, ucitests, wsgi-intercept, alabaster, docutils, jinja2, markupsafe, pygments, pytz, setuptools, snowballstemmer, sphinx, sphinx-bootstrap-theme, sphinxcontrib-httpdomain, sphinx-rtd-theme, mccabe
  Found existing installation: gunicorn 17.5
    Not uninstalling gunicorn at /usr/lib/python2.7/dist-packages, outside environment /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env
Compiling /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/build/gunicorn/gunicorn/workers/_gaiohttp.py ...
  File "/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/build/gunicorn/gunicorn/workers/_gaiohttp.py", line 68
    yield from self.wsgi.close()
             ^
SyntaxError: invalid syntax

Branched 51 revisions.

Revision history for this message

Facundo Batista (facundo) wrote on 2016-03-11:

Let's see now

review: Approve

Revision history for this message

Ubuntu One Auto Pilot (otto-pilot) wrote on 2016-03-11:

Attempt to merge into lp:canonical-identity-provider failed due to conflicts:

text conflict in dependencies.txt

Revision history for this message

Facundo Batista (facundo) wrote on 2016-03-11:

Argggggg, let's try again

review: Approve

Revision history for this message

Ubuntu One Auto Pilot (otto-pilot) wrote on 2016-03-11:

Download full text (35.0 KiB)

The attempt to merge lp:~facundo/canonical-identity-provider/macaroon-discharging-2 into lp:canonical-identity-provider failed. Below is the output from the failed tests.

The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /dev/shm/pg_sso/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
creating configuration files ... ok
creating template1 database in /dev/shm/pg_sso/data/base/1 ... ok
initializing pg_authid ... ok
initializing dependencies ... ok
creating system views ... ok
loading system objects' descriptions ... ok
creating collations ... ok
creating conversions ... ok
creating dictionaries ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
loading PL/pgSQL server-side language ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok
copying template1 to postgres ... ok
syncing data to disk ... ok

Success. You can now start the database server using:

/usr/lib/postgresql/9.3/bin/postgres -D /dev/shm/pg_sso/data
or
    /usr/lib/postgresql/9.3/bin/pg_ctl -D /dev/shm/pg_sso/data -l logfile start

echo "fsync = off" > /dev/shm/pg_sso/postgresql.conf
echo "standard_conforming_strings = off" >> /dev/shm/pg_sso/postgresql.conf
echo "escape_string_warning = off" >> /dev/shm/pg_sso/postgresql.conf
/usr/lib/postgresql/9.3/bin/pg_ctl start -w -D /dev/shm/pg_sso/data -l /dev/shm/pg_sso/postgresql.log -o "-F -k /dev/shm/pg_sso -h ''"
waiting for server to start.... done
server started
PGHOST=/dev/shm/pg_sso createdb identityprovider
PGHOST=/dev/shm/pg_sso createuser --superuser --createdb postgres
make[1]: Leaving directory `/mnt/tarmac/cache/canonical-identity-provider/merges/trunk'
make migrate
make[1]: Entering directory `/mnt/tarmac/cache/canonical-identity-provider/merges/trunk'
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/python /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/django_project/manage.py migrate --noinput
Operations to perform:
  Synchronize unmigrated apps: gargoyle, pgtools, raven_contrib_django, staticfiles, messages, canonical_raven, nexus, djangosecure, preflight, honeypot, saml2idp, django_statsd
  Apply all migrations: identityprovider, sessions, admin, django_openid_auth, auth, sites, adminaudit, contenttypes, piston, oauth_backend
Synchronizing apps without migrations:
  Creating tables...
    Creating table gargoyle_switch
    Running deferred SQL...
  Installing custom SQL...
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying adminaudit.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying django_openid_auth.0001_initial... OK
  Applying identityprovider.0001_initial... OK
  Applying identityprovider.0002_auto_20150519_1631... OK
  Applying identityprovider.0003_auto_20150708_1451... OK
  Applying identityprovider.0004_accountpassword_last_leak_check... OK
  Applying identityprovider.0005_authlog... OK
  Applying identityprovider.0006_auto_20151019_1515... OK
  Applying identityprovider.0007_auto_20160310_2013... OK
  Applying oauth_backend.0001_initial... OK
  Applying oauth_backend.0002_auto_20150922_1439... OK
  Applying piston.0001_initial... OK
  Applying sessions.0001_initial... OK
  Applying sites.0001_initial... OK
make[1]: Leaving directory `/mnt/tarmac/cache/canonical-identity-provider/merges/trunk'
Updating translation messages
Gathering translations for django's apps.
processing locale en
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk
processing locale en
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk
processing locale en
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk
processing locale en
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk
processing locale en
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk
processing locale en
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk
processing locale en
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk
Running canonical-identity-provider tests in tarmac
/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/env/bin/python /mnt/tarmac/cache/canonical-identity-provider/merges/trunk/django_project/manage.py test --noinput --failfast
Tests running...
Creating test database for alias 'default'...
....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................FDestroying test database for alias 'default'...
E======================================================================
ERROR: testing.runner.TestRunner.check_all_tests_executed
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/lib/olstestsdjango/runner.py", line 187, in check_all_tests_executed
    initial_test_nb, result.testsRun))
AssertionError: Expecting 2529, got 2485 tests run
======================================================================
FAIL: tests.test_lint.Lint.test_lint
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/src/tests/test_lint.py", line 14, in test_lint
    self.assertEqual('', e.output, '\n' + e.output)
  File "/usr/lib/python2.7/unittest/case.py", line 515, in assertEqual
    assertion_func(first, second, msg=msg)
  File "/usr/lib/python2.7/unittest/case.py", line 508, in _baseAssertEqual
    raise self.failureException(msg)
AssertionError: 
make[1]: Entering directory `/mnt/tarmac/cache/canonical-identity-provider/merges/trunk'
django_project/settings.py:5:1: F403 'from django_project.settings_devel import *' used; unable to detect undefined names
make[1]: *** [lint] Error 1
make[1]: Leaving directory `/mnt/tarmac/cache/canonical-identity-provider/merges/trunk'

Ran 2486 tests in 974.483s
FAILED (failures=2)
PGHOST=/dev/shm/pg_sso dropdb identityprovider
/usr/lib/postgresql/9.3/bin/pg_ctl stop -w -D /dev/shm/pg_sso/data -m smart
waiting for server to shut down.... done
server stopped
rm -rf /dev/shm/pg_sso

Branched 51 revisions.
cp: cannot stat ‘/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/src/oauth_backend/locale/en/LC_MESSAGES/django.po’: No such file or directory
cp: cannot stat ‘/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/src/testing/locale/en/LC_MESSAGES/django.po’: No such file or directory
cp: cannot stat ‘/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/src/tests/locale/en/LC_MESSAGES/django.po’: No such file or directory
cp: cannot stat ‘/mnt/tarmac/cache/canonical-identity-provider/merges/trunk/src/ubuntu_sso_saml/locale/en/LC_MESSAGES/django.po’: No such file or directory
Raven is not configured (logging is disabled). Please see the documentation for more information.
make: *** [test] Error 1

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Facundo Batista

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

 === modified file '.bzrignore'
 --- .bzrignore	2015-10-09 16:03:29 +0000
 +++ .bzrignore	2016-03-11 17:07:30 +0000
@@ -8,3 +8,4 @@
  staticfiles
  lib/versioninfo.py
  settings.py
++rsakeys/*
 === modified file 'README'
 --- README	2016-03-03 20:01:53 +0000
 +++ README	2016-03-11 17:07:30 +0000
@@ -45,6 +45,10 @@
 . Install system dependencies
  ::
++    # Needed for libsodium package
++    $ sudo apt-get install -y software-properties-common
++    $ sudo add-apt-repository ppa:facundo/salty
++
      $ sudo apt-get update
      $ cat dependencies.txt | sudo xargs apt-get install -y --no-install-recommends
      $ cat dependencies-devel.txt | sudo xargs apt-get install -y --no-install-recommends
@@ -207,6 +211,21 @@
      lxc with no internet access at all.
++13. (Optional) Set up private/public keys to make macaroons work between
++    projects
++
++    For some endpoints to work correctly, the system needs to decrypt keys
++    that were encrypted from other services (you'll need to use this
++    instructions, or the corresponding one in the other projects).
++
++    So, create a pair of keys for this project:
++
++       ssh-keygen -t rsa -N "" -f project_id_rsa
++
++    This will leave you with two files, move the private one into the
++    ``rsakeys`` directory, and the .pub one into this same dir in the
++    other projects.
++
  BAZAAR
  ------
 === modified file 'dependencies.txt'
 --- dependencies.txt	2016-03-01 19:13:46 +0000
 +++ dependencies.txt	2016-03-11 17:07:30 +0000
@@ -1,6 +1,7 @@
  bzr
  geoip-database
  libgeoip1
++libsodium13
  python-amqplib
  python-bcrypt
  python-beautifulsoup
 === modified file 'django_project/settings_base.py'
 --- django_project/settings_base.py	2016-03-01 19:13:46 +0000
 +++ django_project/settings_base.py	2016-03-11 17:07:30 +0000
@@ -3,6 +3,8 @@
  import random
  from urlparse import urlparse
++from Crypto.PublicKey import RSA
++
  from versioninfo import version_info
  # /srv/login.staging.ubuntu.com/staging/canonical-identity-provider
@@ -68,6 +70,16 @@
  COMBINE = True
  COMBO_URL = '/combo/'
  COMMENTS_ALLOW_PROFANITIES = False
++_fpath = os.path.join(
++    os.path.abspath(os.getenv('SCA_RSAKEYS_DIR', '')), 'sso_id_rsa')
++try:
++    with open(_fpath) as fh:
++        raw = fh.read()
++    CRYPTO_SSO_PRIVKEY = RSA.importKey(raw)
++except:
++    # this catch-all-and-set-None will be removed after first successful
++    # deployments having the proper key in place
++    CRYPTO_SSO_PRIVKEY = None
  CSRF_COOKIE_DOMAIN = None
  CSRF_COOKIE_HTTPONLY = True
  CSRF_COOKIE_NAME = 'csrftoken'
@@ -368,6 +380,8 @@
  LOGIN_REDIRECT_URL = '/'
  LOGIN_URL = '/+login'
  LOGOUT_URL = '/accounts/logout/'
++MACAROON_TTL = 365 * 24 * 3600  # seconds
++MACAROON_SERVICE_LOCATION = HOSTNAME
  MANAGERS = []
  MAX_FAILED_LOGIN_ATTEMPTS = 20
  MAX_PASSWORD_RESET_TOKENS = 5
 === modified file 'django_project/settings_devel.py'
 --- django_project/settings_devel.py	2015-12-18 12:21:25 +0000
 +++ django_project/settings_devel.py	2016-03-11 17:07:30 +0000
@@ -1,8 +1,8 @@
  import os
--os.environ.setdefault(
--    'SSO_LOGS_DIR',
--    os.path.join(os.path.dirname(os.path.dirname(__file__)), 'logs'))
++BASE_DIR = os.path.dirname(os.path.dirname(__file__))
++os.environ.setdefault('SSO_LOGS_DIR', os.path.join(BASE_DIR, 'logs'))
++os.environ.setdefault('SCA_RSAKEYS_DIR', os.path.join(BASE_DIR, 'rsakeys'))
  os.environ.setdefault('SSO_ROOT_URL', 'http://0.0.0.0:8000')
  from django_project.settings_base import *  # noqa
 === modified file 'requirements.txt'
 --- requirements.txt	2016-02-01 15:30:36 +0000
 +++ requirements.txt	2016-03-11 17:07:30 +0000
@@ -12,6 +12,7 @@
  gargoyle==0.11.0
  gunicorn==19.3.0
  lazr.authentication==0.1.3
++libnacl==1.3.6
  nexus==0.3.1
  oath==1.4.0
  oauthlib==0.7.2
@@ -22,8 +23,10 @@
  oops-timeline==0.0.2
  oops-wsgi==0.0.11
  paste==2.0.1
++pymacaroons==0.9.1
  raven==5.6.0
  requests-oauthlib==0.4.2
++six==1.10.0
  statsd==3.1
  testresources==0.2.7
  timeline==0.0.4
 === modified file 'requirements_docs.txt'
 --- requirements_docs.txt	2015-10-27 12:55:27 +0000
 +++ requirements_docs.txt	2016-03-11 17:07:30 +0000
@@ -7,7 +7,6 @@
  pygments==2.0.2
  pytz==2014.10
  setuptools==14.0
--six==1.9.0
  snowballstemmer==1.2.0
  sphinx==1.3
  sphinx-bootstrap-theme==0.4.5
 === added directory 'rsakeys'
 === modified file 'src/api/v20/handlers.py'
 --- src/api/v20/handlers.py	2015-10-26 21:53:48 +0000
 +++ src/api/v20/handlers.py	2016-03-11 17:07:30 +0000
@@ -1,4 +1,4 @@
--# Copyright 2010-2013 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2016 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  import logging
@@ -406,6 +406,79 @@
          return response
++class MacaroonHandler(BaseHandler):
++    allowed_methods = ('POST',)
++
++    @require_mime('json')
++    @throttle(extra_callback=get_email_from_request_data)
++    def create(self, request):
++        if settings.CRYPTO_SSO_PRIVKEY is None:
++            return errors.RESOURCE_NOT_FOUND()
++
++        data = request.data
++        try:
++            email = data['email']
++            password = data['password']
++            root_macaroon_raw = data['macaroon']
++        except KeyError:
++            expected = set(('email', 'password', 'macaroon'))
++            missing = dict((k, [FIELD_REQUIRED]) for k in expected - set(data))
++            return errors.INVALID_DATA(**missing)
++
++        account = None
++        response = None
++        try:
++            account = authenticate_user(email, password, request=request)
++        except AccountSuspended:
++            response = errors.ACCOUNT_SUSPENDED()
++        except AccountDeactivated:
++            response = errors.ACCOUNT_DEACTIVATED()
++        except EmailInvalidated:
++            response = errors.EMAIL_INVALIDATED()
++        except PasswordPolicyError as e:
++            root_url = request.build_absolute_uri('/')
++            response = errors.PASSWORD_POLICY_ERROR(
++                reason=unicode(e), location=root_url)
++        except AuthenticationError:
++            response = errors.INVALID_CREDENTIALS()
++
++        if account is not None:
++            otp = data.get('otp')
++            if otp is not None:
++                try:
++                    twofactor.authenticate(account, otp)
++                except AuthenticationError:
++                    account = None
++                    response = errors.TWOFACTOR_FAILURE()
++            elif account.twofactor_required:
++                response = errors.TWOFACTOR_REQUIRED()
++
++        if account is None:
++            # track failed login attempt
++            login_failed.send(sender=self, request=request,
++                              credentials=dict(email=email, password=password),
++                              authlogtype=AuthLogType.API_FAIL)
++
++        if response is not None:
++            return response
++
++        try:
++            discharge = auth.build_discharge_macaroon(
++                account, root_macaroon_raw)
++        except ValidationError:
++            return errors.INVALID_DATA()
++        except AuthenticationError:
++            return errors.INVALID_CREDENTIALS()
++
++        response = rc.ALL_OK
++        response.content = dict(discharge_macaroon=discharge.serialize())
++
++        log_type = AuthLogType.API_MACAROON_DISCHARGE_NEW
++        login_succeeded.send(sender=self, user=account, request=request,
++                             authlogtype=log_type, email=email)
++        return response
++
++
  class EmailsHandler(BaseHandler):
      allowed_methods = ('DELETE', 'GET')
      model = EmailAddress
 === modified file 'src/api/v20/tests/test_handlers.py'
 --- src/api/v20/tests/test_handlers.py	2016-01-07 16:01:28 +0000
 +++ src/api/v20/tests/test_handlers.py	2016-03-11 17:07:30 +0000
@@ -2,7 +2,10 @@
  from __future__ import unicode_literals
++import base64
++import binascii
  import json
++import os
  import re
  import time
@@ -10,8 +13,10 @@
  from urllib import quote, urlencode
  from urlparse import parse_qsl, urlparse, urlunparse
++from Crypto import Random
++from Crypto.PublicKey import RSA
  from django.conf import settings
--from django.contrib.auth.models import AnonymousUser
++from django.contrib.auth.models import AnonymousUser, make_password
  from django.core import mail
  from django.core.serializers.json import DjangoJSONEncoder
  from django.core.urlresolvers import NoReverseMatch, reverse
@@ -20,6 +25,7 @@
  from django.utils.timezone import now
  from gargoyle.testutils import switches
  from mock import Mock, patch
++from pymacaroons import Macaroon, Verifier
  from timeline import Timeline
  from api.v20 import handlers, whitelist
@@ -34,15 +40,17 @@
  from identityprovider.models.const import (
      AccountCreationRationale,
      AccountStatus,
++    AuthLogType,
      AuthTokenType,
      EmailStatus,
      TokenScope,
+ )
++from identityprovider.signals import login_failed
  from identityprovider.tests import DEFAULT_USER_PASSWORD
--from identityprovider.tests.utils import SSOBaseTestCase
++from identityprovider.tests.test_auth import AuthLogTestCaseMixin
++from identityprovider.tests.utils import SSOBaseTestCase, TimelineActionMixin
  from identityprovider.utils import redirection_url_for_token
--
  OVERRIDES = dict(
      EMAIL_WHITELIST_REGEXP_LIST=['^canonicaltest(?:\+.+)?@gmail\.com$']
+ )
@@ -2022,3 +2030,251 @@
                  mock_cache.get.return_value = (0, time.time() + 42.1)
                  self.get_response(request.path, method=request.method)
          self.assertEqual([], called_metrics)
++
++
++class MacaroonHandlerBaseTestCase(SSOBaseTestCase):
++
++    url = reverse('api-macaroon-discharge')
++
++    def track_failed_logins(self, **kw):
++        self.login_failed_calls.append(kw)
++
++    def build_macaroon(self, service_location=None):
++        """Create a Macaron with the proper third party caveat."""
++        if service_location is None:
++            service_location = settings.MACAROON_SERVICE_LOCATION
++
++        # pair of keys to encrypt/decrypt
++        Random.atfork()
++        test_rsa_priv_key = RSA.generate(1024)
++        test_rsa_pub_key = test_rsa_priv_key.publickey()
++        p = self.settings(CRYPTO_SSO_PRIVKEY=test_rsa_priv_key)
++        p.enable()
++        self.addCleanup(p.disable)
++
++        macaroon_random_key = binascii.hexlify(os.urandom(32))
++        root_macaroon = Macaroon(
++            location='The store ;)',
++            key=macaroon_random_key,
++            identifier='A test macaroon',
++        )
++        random_key = binascii.hexlify(os.urandom(32))
++        random_key_encrypted = base64.b64encode(
++            test_rsa_pub_key.encrypt(random_key, 32)[0])
++        root_macaroon.add_third_party_caveat(
++            service_location, random_key, random_key_encrypted)
++        return root_macaroon, macaroon_random_key
++
++    def setUp(self):
++        super(MacaroonHandlerBaseTestCase, self).setUp()
++
++        self.login_failed_calls = []
++        login_failed.connect(self.track_failed_logins, dispatch_uid=self.id())
++
++        self.root_macaroon, self.macaroon_random_key = self.build_macaroon()
++        self.data = dict(
++            email='foo@bar.com', password='foobar123',
++            macaroon=self.root_macaroon.serialize())
++        self.account = self.factory.make_account(
++            email=self.data['email'], password=self.data['password'])
++
++
++class MacaroonHandlerTestCase(MacaroonHandlerBaseTestCase,
++                              AuthLogTestCaseMixin):
++
++    def do_post(self, data=None, expected_status_code=200,
++                content_type='application/json', **kwargs):
++        if data is None:
++            data = self.data
++
++        response = self.client.post(self.url, data=json.dumps(data),
++                                    content_type=content_type, **kwargs)
++
++        self.assertEqual(
++            response.status_code, expected_status_code,
++            "Bad status code! expected={} got={} response={}".format(
++                expected_status_code, response.status_code, response))
++        self.assertEqual(response['Content-type'],
++                         'application/json; charset=utf-8',
++                         response)
++        return json.loads(response.content)
++
++    def assert_response_correct(self, json_body, account):
++        """Check we received a good discharge macaroon for the root sent.
++
++        Proper verification of the received macaroon internals happens in
++        the tests of the macaroon builder.
++        """
++        discharge_macaroon_raw = json_body['discharge_macaroon']
++        discharge_macaroon = Macaroon.deserialize(discharge_macaroon_raw)
++        v = Verifier()
++        v.satisfy_general(lambda c: True)
++        v.verify(
++            self.root_macaroon, self.macaroon_random_key, [discharge_macaroon])
++
++    def assert_failed_login(self, code, data, extra=None,
++                            expected_status_code=403, check_login_failed=True):
++        if extra is None:
++            extra = {}
++
++        json_body = self.do_post(expected_status_code=expected_status_code,
++                                 data=data)
++        self.assertEqual(json_body['code'], code)
++        self.assertEqual(json_body['extra'], extra)
++
++        if check_login_failed:
++            self.assertEqual(len(self.login_failed_calls), 1)
++            failed = self.login_failed_calls[0]
++            self.assertEqual(
++                failed['credentials'],
++                {'email': data['email'], 'password': data['password']})
++
++        return json_body
++
++    def test_login_required_parameters(self):
++        json_body = self.do_post(expected_status_code=400, data={})
++
++        self.assertEqual(json_body, {
++            'code': 'INVALID_DATA',
++            'extra': {'email': [handlers.FIELD_REQUIRED]},
++            'message': 'Invalid request data'},
++        )
++        self.assertEqual(self.login_failed_calls, [])
++
++    def test_account_suspended(self):
++        self.account.suspend()
++        self.assert_failed_login('ACCOUNT_SUSPENDED', self.data)
++
++    def test_account_deactivated(self):
++        self.account.deactivate()
++        self.assert_failed_login('ACCOUNT_DEACTIVATED', self.data)
++
++    def test_failed_login(self):
++        self.account.set_password('other-thing')
++        self.account.save()
++        self.assert_failed_login('INVALID_CREDENTIALS',
++                                 self.data, expected_status_code=401)
++
++    def test_email_invalidated(self):
++        self.account.preferredemail.invalidate()
++        self.assert_failed_login('EMAIL_INVALIDATED', self.data)
++
++    def test_password_policy(self):
++        self.account.accountpassword.password = make_password('short')
++        self.account.accountpassword.save()
++
++        self.data['password'] = 'short'
++        extra = {
++            'reason': 'Password must be at least 8 characters long',
++            'location': 'http://testserver/'}
++        self.assert_failed_login(
++            'PASSWORD_POLICY_ERROR', data=self.data, extra=extra)
++
++    def test_twofactor_required(self):
++        self.account.twofactor_required = True
++        self.account.save()
++
++        json_body = self.do_post(expected_status_code=401)
++        self.assertEqual(json_body['code'], 'TWOFACTOR_REQUIRED')
++        self.assertEqual(self.login_failed_calls, [])
++
++    def test_twofactor(self):
++        device = self.factory.make_device(account=self.account)
++        self.account.twofactor_required = True
++        self.account.save()
++
++        self.data['otp'] = self.factory.make_next_otp(device)
++        json_body = self.do_post(data=self.data)
++
++        self.assert_response_correct(json_body, self.account)
++
++    def test_twofactor_wrong_otp(self):
++        device = self.factory.make_device(account=self.account)
++        self.account.twofactor_required = True
++        self.account.save()
++
++        self.data['otp'] = str(int(self.factory.make_next_otp(device)) - 1)
++        self.assert_failed_login('TWOFACTOR_FAILURE', self.data)
++
++    def test_failed_login_creates_authlog(self):
++        self.account.set_password('other-thing')
++        self.account.save()
++        expected_values = {
++            'login_email': self.data['email'],
++            'log_type': AuthLogType.API_FAIL,
++            'referer': '',
++            'user_agent': '',
++            'remote_ip': '127.0.0.1',
++            'account': None
++        }
++        with self.assert_authlog_matches(expected_values):
++            self.assert_failed_login('INVALID_CREDENTIALS',
++                                     self.data, expected_status_code=401)
++
++    def test_login_creates_authlog(self):
++        expected_values = {
++            'login_email': self.data['email'],
++            'log_type': AuthLogType.API_MACAROON_DISCHARGE_NEW,
++            'referer': '',
++            'user_agent': '',
++            'remote_ip': '127.0.0.1',
++            'account': self.account.id
++        }
++        # This context manager magically checks when_created values
++        with self.assert_authlog_matches(expected_values):
++            self.do_post()
++
++    def test_macaroon_created(self):
++        json_body = self.do_post()
++        self.assert_response_correct(json_body, self.account)
++
++    def test_root_macaroon_corrupt(self):
++        data = dict(
++            email='foo@bar.com', password='foobar123',
++            macaroon="I'm a seriously corrupted macaroon")
++        self.assert_failed_login('INVALID_DATA', data,
++                                 expected_status_code=400,
++                                 check_login_failed=False)
++
++    def test_root_macaroon_not_for_sso(self):
++        macaroon, _ = self.build_macaroon(service_location="other service")
++        data = dict(email='foo@bar.com', password='foobar123',
++                    macaroon=macaroon.serialize())
++        self.assert_failed_login('INVALID_CREDENTIALS', data,
++                                 expected_status_code=401,
++                                 check_login_failed=False)
++
++
++class MacaroonHandlerTimelineTestCase(MacaroonHandlerBaseTestCase,
++                                      TimelineActionMixin):
++
++    def test_login_timeline_records_password_checking(self):
++        # Prepare and inject a timeline in the client's POST.
++        empty_timeline = Timeline()
++        response = self.client.post(
++            self.url, data=json.dumps(self.data),
++            content_type='application/json',
++            **{'timeline.timeline': empty_timeline})
++        self.assert_timeline_contains(request=response.wsgi_request,
++                                      category='django-password-checking',
++                                      detail=str(self.account.id))
++
++    def test_login_ignore_weird_timeline(self):
++        """A weird object passed as timeline should be ignored/not used."""
++        weird_timeline = []
++        response = self.client.post(
++            self.url, data=json.dumps(self.data),
++            content_type='application/json',
++            **{'timeline.timeline': weird_timeline})
++
++        # If the timeline is a weird object we shouldn't have touched it
++        self.assertEqual([], response.wsgi_request.META['timeline.timeline'])
++
++    def test_login_no_timeline(self):
++        """Shouldn't barf if there's no timeline in the request at all."""
++        response = self.client.post(
++            self.url, data=json.dumps(self.data),
++            content_type='application/json')
++
++        self.assertEqual(response.status_code, 200)
++        self.assertNotIn('timeline.timeline', response.wsgi_request.META)
 === modified file 'src/api/v20/urls.py'
 --- src/api/v20/urls.py	2014-12-05 18:09:03 +0000
 +++ src/api/v20/urls.py	2016-03-11 17:07:30 +0000
@@ -15,6 +15,7 @@
      AccountRegistrationHandler,
      AccountsHandler,
      EmailsHandler,
++    MacaroonHandler,
      PasswordResetTokenHandler,
      RequestsHandler,
      TokensHandler,
@@ -26,6 +27,7 @@
  v2emails = ApiResource(
      handler=EmailsHandler, authentication=ApiEmailsAuthentication())
  v2login = ApiResource(handler=AccountLoginHandler)
++v2macaroon = ApiResource(handler=MacaroonHandler)
  v2password_reset = ApiResource(handler=PasswordResetTokenHandler)
  v2registration = ApiResource(
      handler=AccountRegistrationHandler,
@@ -41,6 +43,7 @@
      url(r'^accounts/(?P<openid>\w+)$', v2accounts, name='api-account'),
      url(r'^emails/(?P<email>.+)$', v2emails, name='api-email'),
      url(r'^requests/validate$', v2requests, name='api-requests'),
++    url(r'^tokens/discharge$', v2macaroon, name='api-macaroon-discharge'),
      url(r'^tokens/oauth$', v2login, name='api-login'),
      url(r'^tokens/oauth/(?P<token>.+)$', v2tokens, name='api-token'),
      url(r'^tokens/password$', v2password_reset, name='api-password-reset'),
 === modified file 'src/identityprovider/auth.py'
 --- src/identityprovider/auth.py	2015-11-18 17:21:12 +0000
 +++ src/identityprovider/auth.py	2016-03-11 17:07:30 +0000
@@ -1,10 +1,13 @@
  # -*- coding: utf-8 -*-
+ #
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2016 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  from __future__ import unicode_literals
++import base64
++import datetime
++import json
  import logging
  from django.conf import settings
@@ -21,7 +24,9 @@
  from django.utils.translation import ugettext_lazy as _
  from django.utils.timezone import now
  from oauthlib.oauth1 import RequestValidator, ResourceEndpoint
++from pymacaroons import Macaroon
++from identityprovider.login import AuthenticationError
  from identityprovider.models import (
      Account,
      AccountPassword,
@@ -488,3 +493,55 @@
          response = HttpResponse("Authorization Required", status=401)
          response['WWW-Authenticate'] = 'OAuth realm="%s"' % self.realm
          return response
++
++
++def build_discharge_macaroon(account, root_macaroon_raw):
++    """Build a discharge macaroon from a root one."""
++    service_location = settings.MACAROON_SERVICE_LOCATION
++
++    try:
++        root_macaroon = Macaroon.deserialize(root_macaroon_raw)
++    except:
++        raise ValidationError("The received Macaroon is corrupt")
++
++    try:
++        # isolate 3rd-party caveat that concerns SSO (hinted by 'location')
++        (sso_caveat,) = [c for c in root_macaroon.third_party_caveats()
++                         if c.location == service_location]
++    except:
++        # the macaroon doesn't have a location for this service
++        raise AuthenticationError("The received macaroon is not for ours")
++
++    # get the only-for-this-project random key
++    original_random_key = settings.CRYPTO_SSO_PRIVKEY.decrypt(
++        base64.b64decode(sso_caveat.caveat_id))
++
++    # create a discharge macaroon with same location, key and
++    # identifier than it's original 3rd-party caveat (so they can
++    # be matched and verified)
++    d = Macaroon(
++        location=service_location,
++        key=original_random_key,
++        identifier=sso_caveat.caveat_id,
++    )
++
++    # add the account info
++    account_info = base64.b64encode(json.dumps({
++        'openid': account.openid_identifier,
++        'email': account.preferredemail.email,
++        'displayname': account.displayname,
++    }).encode("utf8"))
++    d.add_first_party_caveat(service_location + '|account|' + account_info)
++
++    # add timestamp values
++    now_string = now().strftime('%Y-%m-%dT%H:%M:%S.%f')
++    d.add_first_party_caveat(service_location + '|valid_since|' + now_string)
++    d.add_first_party_caveat(service_location + '|last_auth|' + now_string)
++    expire = now() + datetime.timedelta(seconds=settings.MACAROON_TTL)
++    d.add_first_party_caveat(
++        service_location + '|expires|' +
++        expire.strftime('%Y-%m-%dT%H:%M:%S.%f'))
++
++    # return the properly prepared discharge macaroon
++    discharge = root_macaroon.prepare_for_request(d)
++    return discharge
 === added file 'src/identityprovider/migrations/0007_auto_20160310_2013.py'
 --- src/identityprovider/migrations/0007_auto_20160310_2013.py	1970-01-01 00:00:00 +0000
 +++ src/identityprovider/migrations/0007_auto_20160310_2013.py	2016-03-11 17:07:30 +0000
@@ -0,0 +1,19 @@
++# -*- coding: utf-8 -*-
++from __future__ import unicode_literals
++
++from django.db import migrations, models
++
++
++class Migration(migrations.Migration):
++
++    dependencies = [
++        ('identityprovider', '0006_auto_20151019_1515'),
++    ]
++
++    operations = [
++        migrations.AlterField(
++            model_name='authlog',
++            name='log_type',
++            field=models.IntegerField(choices=[(1, b'OPENID_FAIL'), (2, b'OPENID_NEW'), (3, b'OPENID_EXISTING'), (4, b'API_FAIL'), (5, b'API_NEW'), (6, b'API_EXISTING'), (7, b'API_MACAROON_DISCHARGE_NEW')]),
++        ),
++    ]
 === modified file 'src/identityprovider/models/const.py'
 --- src/identityprovider/models/const.py	2015-09-09 19:14:52 +0000
 +++ src/identityprovider/models/const.py	2016-03-11 17:07:30 +0000
@@ -114,6 +114,7 @@
      API_FAIL = 4
      API_NEW = 5  # A new oauth token created for the account
      API_EXISTING = 6  # Existing oauth token retrieved
++    API_MACAROON_DISCHARGE_NEW = 7  # First time a macaroon was discharged
      _verbose = {
          OPENID_FAIL: _("Failed web login"),
@@ -121,7 +122,8 @@
          OPENID_EXISTING: _("Existing web login"),
          API_FAIL: _("Failed API login"),
          API_NEW: _("New API login"),
--        API_EXISTING: _("Existing API login")
++        API_EXISTING: _("Existing API login"),
++        API_MACAROON_DISCHARGE_NEW: _("First time discharge for the macaroon"),
+     }
      @classmethod
 === modified file 'src/identityprovider/tests/test_auth.py'
 --- src/identityprovider/tests/test_auth.py	2016-01-05 20:13:30 +0000
 +++ src/identityprovider/tests/test_auth.py	2016-03-11 17:07:30 +0000
@@ -1,10 +1,18 @@
  # encoding: utf-8
--# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# Copyright 2010-2016 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
++import base64
++import binascii
++import json
++import os
++
  from contextlib import contextmanager
++from datetime import datetime, timedelta
  from uuid import uuid4
++from Crypto import Random
++from Crypto.PublicKey import RSA
  from django.conf import settings
  from django.contrib.auth.hashers import get_hasher
  from django.contrib.auth.models import (
@@ -12,18 +20,22 @@
      is_password_usable,
      make_password,
+ )
++from django.core.exceptions import ValidationError
  from django.db import connection
  from django.test.utils import override_settings
  from django.utils.timezone import now
  from mock import call, Mock, patch
++from pymacaroons import Macaroon, Verifier
  from identityprovider.auth import (
      LaunchpadBackend,
      SSOOAuthAuthentication,
      SSORequestValidator,
      basic_authenticate,
++    build_discharge_macaroon,
      validate_oauth_signature,
+ )
++from identityprovider.login import AuthenticationError
  from identityprovider.models import (
      Account,
      AccountPassword,
@@ -940,3 +952,95 @@
              expected_detail="(direct password comparison)",
              hashed_password=make_password(DEFAULT_USER_PASSWORD),
              timer=self.dummy_timer)
++
++
++class BuildMacaroonDischargeTestCase(SSOBaseTestCase):
++
++    def build_macaroon(self, service_location=None):
++        if service_location is None:
++            service_location = settings.MACAROON_SERVICE_LOCATION
++
++        # pair of keys to encrypt/decrypt
++        Random.atfork()
++        test_rsa_priv_key = RSA.generate(1024)
++        test_rsa_pub_key = test_rsa_priv_key.publickey()
++        p = self.settings(CRYPTO_SSO_PRIVKEY=test_rsa_priv_key)
++        p.enable()
++        self.addCleanup(p.disable)
++
++        # create a Macaron with the proper third party caveat
++        macaroon_random_key = binascii.hexlify(os.urandom(32))
++        root_macaroon = Macaroon(
++            location='The store ;)',
++            key=macaroon_random_key,
++            identifier='A test macaroon',
++        )
++        random_key = binascii.hexlify(os.urandom(32))
++        random_key_encrypted = base64.b64encode(
++            test_rsa_pub_key.encrypt(random_key, 32)[0])
++        root_macaroon.add_third_party_caveat(
++            service_location, random_key, random_key_encrypted)
++        return root_macaroon, macaroon_random_key
++
++    def test_root_macaroon_corrupt(self):
++        self.assertRaises(ValidationError, build_discharge_macaroon,
++                          "fake account", "I'm a seriously corrupted macaroon")
++
++    def test_root_macaroon_not_for_sso(self):
++        macaroon, _ = self.build_macaroon(service_location="other service")
++        self.assertRaises(AuthenticationError, build_discharge_macaroon,
++                          "fake account", macaroon.serialize())
++
++    def test_proper_discharging(self):
++        # build the input and call
++        root_macaroon, random_key_used = self.build_macaroon()
++        real_account = self.factory.make_account()
++        before = now()
++        discharge_macaroon = build_discharge_macaroon(
++            real_account, root_macaroon.serialize())
++        after = now()
++
++        # test
++        def checker(caveat):
++            """Assure all caveats inside the discharged macaroon are ok."""
++            source, key, value = caveat.split("|", 2)
++            if source != settings.MACAROON_SERVICE_LOCATION:
++                # just checking the discharge one, not the root
++                return True
++
++            if key == 'valid_since':
++                valid_since = datetime.strptime(value, '%Y-%m-%dT%H:%M:%S.%f')
++                self.assertGreater(valid_since, before)
++                self.assertGreater(after, valid_since)
++                return True
++
++            if key == 'last_auth':
++                last_auth = datetime.strptime(value, '%Y-%m-%dT%H:%M:%S.%f')
++                self.assertGreater(last_auth, before)
++                self.assertGreater(after, last_auth)
++                return True
++
++            if key == 'account':
++                acc = json.loads(base64.b64decode(value).decode("utf8"))
++                self.assertEqual(acc['openid'], real_account.openid_identifier)
++                self.assertEqual(acc['email'],
++                                 real_account.preferredemail.email)
++                self.assertEqual(acc['displayname'], real_account.displayname)
++                return True
++
++            if key == 'expires':
++                expires = datetime.strptime(value, '%Y-%m-%dT%H:%M:%S.%f')
++                before_plus_ttl = before + timedelta(
++                    seconds=settings.MACAROON_TTL)
++                after_plus_ttl = after + timedelta(
++                    seconds=settings.MACAROON_TTL)
++                self.assertGreater(expires, before_plus_ttl)
++                self.assertGreater(after_plus_ttl, expires)
++                return True
++
++            # we're not validating an SSO from the discharged macaroon, fail!
++            return False
++
++        v = Verifier()
++        v.satisfy_general(checker)
++        v.verify(root_macaroon, random_key_used, [discharge_macaroon])
 === modified file 'uci-vms.conf'
 --- uci-vms.conf	2016-01-21 15:45:34 +0000
 +++ uci-vms.conf	2016-03-11 17:07:30 +0000
@@ -15,7 +15,7 @@
  vm.update = True
  vm.packages = {sso.dependencies}, python-uci-vms, python-novaclient
  vm.bind_home = True
--vm.apt_sources = deb https://{ppa.u1_hackers.user_pass}@private-ppa.launchpad.net/ubuntuone/hackers/ubuntu {vm.release} main|4BD0ECAE
++vm.apt_sources = ppa:facundo/salty, deb https://{ppa.u1_hackers.user_pass}@private-ppa.launchpad.net/ubuntuone/hackers/ubuntu {vm.release} main|4BD0ECAE
  # vms named sso-worker-0n are built from here
  [sso-worker]
@@ -49,5 +49,5 @@
  # /!\ 'ppa.u1_hackers.user_pass = <USER>:<PASSWORD>' should be defined in
  # ~/uci-vms.conf, see https://launchpad.net/~/+archivesubscriptions to find
  # your password
--vm.apt_sources = ppa:ubuntu-lxc/lxd-stable, deb https://{ppa.u1_hackers.user_pass}@private-ppa.launchpad.net/ubuntuone/hackers/ubuntu {vm.release} main|4BD0ECAE
++vm.apt_sources = ppa:facundo/salty, ppa:ubuntu-lxc/lxd-stable, deb https://{ppa.u1_hackers.user_pass}@private-ppa.launchpad.net/ubuntuone/hackers/ubuntu {vm.release} main|4BD0ECAE
  vm.packages = {sso.dependencies}, python3-uci-vms, lxc, lxc-templates, debootstrap