Canonical SSO provider

Merge lp:~facundo/canonical-identity-provider/no-caveat-in-refresh into lp:canonical-identity-provider/release

  1. no-caveat-in-refresh
  2. Merge into trunk
Proposed by Facundo Batista
Status: Merged
Approved by: Facundo Batista
Approved revision: no longer in the source branch.
Merged at revision: 1441
Proposed branch: lp:~facundo/canonical-identity-provider/no-caveat-in-refresh
Merge into: lp:canonical-identity-provider/release
Diff against target: 198 lines (+21/-70)
4 files modified
src/api/v20/handlers.py (+7/-9)
src/api/v20/tests/test_handlers.py (+5/-34)
src/identityprovider/auth.py (+3/-3)
src/identityprovider/tests/test_auth.py (+6/-24)
To merge this branch: bzr merge lp:~facundo/canonical-identity-provider/no-caveat-in-refresh
Reviewer Review Type Date Requested Status
Matias Bordese (community) Approve
Ricardo Kirkner (community) Approve
Review via email: mp+293915@code.launchpad.net

Commit message

Don't need the caveat_id in the refresh.

Description of the change

Don't need the caveat_id in the refresh.

To post a comment you must log in.
Revision history for this message
Ricardo Kirkner (ricardokirkner) wrote :

LGTM

review: Approve
Revision history for this message
Matias Bordese (matiasb) wrote :

LGTM

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'src/api/v20/handlers.py'
2--- src/api/v20/handlers.py 2016-05-05 11:39:43 +0000
3+++ src/api/v20/handlers.py 2016-05-05 15:40:29 +0000
4@@ -543,18 +543,16 @@
5 missing = {'discharge_macaroon': [FIELD_REQUIRED]}
6 return errors.INVALID_DATA(**missing)
7
8- if 'caveat_id' in data:
9- method = auth.refresh_discharge
10- params = (data['caveat_id'], discharge_macaroon_raw)
11- stats.increment('macaroon.refresh', key='caveat_id')
12- elif 'root_macaroon' in data:
13+ if 'root_macaroon' in data:
14+ # (deprecated 2016-05-03) use the root macaroon to old-fashion
15+ # refresh, that also returns a bound discharge
16 method = auth.refresh_macaroons
17 params = (data['root_macaroon'], discharge_macaroon_raw)
18- stats.increment('macaroon.refresh', key='macaroon')
19+ stats.increment('macaroon.refresh', key='root_macaroon')
20 else:
21- # let's flag the new one only, not the deprecated one
22- missing = {'caveat_id': [FIELD_REQUIRED]}
23- return errors.INVALID_DATA(**missing)
24+ method = auth.refresh_discharge
25+ params = (discharge_macaroon_raw,)
26+ stats.increment('macaroon.refresh', key='just_discharge')
27
28 try:
29 new_discharge = method(*params)
30
31=== modified file 'src/api/v20/tests/test_handlers.py'
32--- src/api/v20/tests/test_handlers.py 2016-05-05 11:39:43 +0000
33+++ src/api/v20/tests/test_handlers.py 2016-05-05 15:40:29 +0000
34@@ -2473,8 +2473,7 @@
35 self.discharge_macaroon = self.root_macaroon.prepare_for_request(
36 unbound_discharge)
37
38- self.data = {'caveat_id': caveat.caveat_id,
39- 'discharge_macaroon': unbound_discharge.serialize()}
40+ self.data = {'discharge_macaroon': unbound_discharge.serialize()}
41
42 def do_post(self, data=None, expected_status_code=200,
43 content_type='application/json', **kwargs):
44@@ -2514,17 +2513,6 @@
45 )
46 self.assertEqual(self.login_failed_calls, [])
47
48- def test_required_parameters_caveat_id(self):
49- json_body = self.do_post(expected_status_code=400,
50- data={'discharge_macaroon': 'whatever'})
51-
52- self.assertEqual(json_body, {
53- 'code': 'INVALID_DATA',
54- 'extra': {'caveat_id': [handlers.FIELD_REQUIRED]},
55- 'message': 'Invalid request data'},
56- )
57- self.assertEqual(self.login_failed_calls, [])
58-
59 def test_account_missing(self):
60 self.account.deactivate()
61 self.assert_failed_login('ACCOUNT_DEACTIVATED', self.data)
62@@ -2557,26 +2545,9 @@
63 v.satisfy_general(lambda c: True)
64 v.verify(
65 self.root_macaroon, self.macaroon_random_key, [discharge_macaroon])
66- self.check_stats_increment('macaroon.refresh', key='macaroon')
67-
68- def test_caveat_id_corrupt(self):
69- data = dict(caveat_id="I'm a seriously corrupted caveat",
70- discharge_macaroon="Also broken")
71- self.assert_failed_login('INVALID_DATA', data,
72- expected_status_code=400,
73- check_login_failed=False)
74-
75- def test_caveat_id_bad_authinfo(self):
76- macaroon, _, _ = self.build_macaroon(service_location="other service")
77- (caveat,) = [c for c in macaroon.third_party_caveats()
78- if c.location == "other service"]
79- data = dict(caveat_id=caveat.caveat_id,
80- discharge_macaroon=self.discharge_macaroon.serialize())
81- self.assert_failed_login('INVALID_CREDENTIALS', data,
82- expected_status_code=401,
83- check_login_failed=False)
84-
85- def test_caveat_id_refreshed(self):
86+ self.check_stats_increment('macaroon.refresh', key='root_macaroon')
87+
88+ def test_just_discharge_refreshed(self):
89 json_body = self.do_post()
90
91 # get new discharge macaroon, apply it and verify with old root (its
92@@ -2588,4 +2559,4 @@
93 v = Verifier()
94 v.satisfy_general(lambda c: True)
95 v.verify(self.root_macaroon, self.macaroon_random_key, [discharge])
96- self.check_stats_increment('macaroon.refresh', key='caveat_id')
97+ self.check_stats_increment('macaroon.refresh', key='just_discharge')
98
99=== modified file 'src/identityprovider/auth.py'
100--- src/identityprovider/auth.py 2016-05-05 11:39:43 +0000
101+++ src/identityprovider/auth.py 2016-05-05 15:40:29 +0000
102@@ -672,7 +672,7 @@
103 return discharge
104
105
106-def refresh_discharge(raw_caveat_id, discharge_macaroon_raw):
107+def refresh_discharge(discharge_macaroon_raw):
108 """Refresh a discharge with a new discharge macaroon."""
109 try:
110 discharge_macaroon = Macaroon.deserialize(discharge_macaroon_raw)
111@@ -680,7 +680,7 @@
112 raise ValidationError("The received Macaroons are corrupt")
113
114 # get the decrypted deserialized info
115- caveat_info = _decrypt_caveat(raw_caveat_id)
116+ caveat_info = _decrypt_caveat(discharge_macaroon.identifier)
117 account, macaroon_info = _account_from_macaroon(
118 discharge_macaroon, caveat_info['3rdparty'])
119
120@@ -689,7 +689,7 @@
121 # be matched and verified), and keeping the last_auth and expires from
122 # the original discharge macaroon
123 discharge = _build_discharge(
124- caveat_info['3rdparty'], raw_caveat_id, account,
125+ caveat_info['3rdparty'], discharge_macaroon.identifier, account,
126 last_auth=macaroon_info['last_auth'], expires=macaroon_info['expires'])
127
128 # return the unbound discharge macaroon
129
130=== modified file 'src/identityprovider/tests/test_auth.py'
131--- src/identityprovider/tests/test_auth.py 2016-05-05 11:39:43 +0000
132+++ src/identityprovider/tests/test_auth.py 2016-05-05 15:40:29 +0000
133@@ -1270,42 +1270,25 @@
134 root_macaroon, _, self.random_key = self.build_macaroon()
135 (caveat,) = [c for c in root_macaroon.third_party_caveats()
136 if c.location == settings.MACAROON_SERVICE_LOCATION]
137- self.caveat_id = caveat.caveat_id
138
139 # get a discharge for the test macaroon
140 self.account = self.factory.make_account()
141 self.discharge_macaroon = build_discharge_macaroon(
142- self.account, self.caveat_id)
143-
144- def test_caveat_id_corrupt(self):
145- self.assertRaises(
146- ValidationError, refresh_discharge,
147- "Corrupted caveat id", self.discharge_macaroon.serialize())
148+ self.account, caveat.caveat_id)
149
150 def test_discharge_macaroon_corrupt(self):
151 self.assertRaises(
152- ValidationError, refresh_discharge,
153- self.caveat_id, "Seriously corrupted macaroon")
154-
155- def test_macaroons_dont_verify_ok(self):
156- # just get *another* discharge so it's not for the same root macaroon
157- other_root, _, _ = self.build_macaroon()
158- (other_caveat,) = [c for c in other_root.third_party_caveats()
159- if c.location == settings.MACAROON_SERVICE_LOCATION]
160- other_discharge = build_discharge_macaroon(
161- self.account, other_caveat.caveat_id)
162- self.assertRaises(AuthenticationError, refresh_discharge,
163- self.caveat_id, other_discharge.serialize())
164+ ValidationError, refresh_discharge, "Seriously corrupted macaroon")
165
166 def test_deactivated_account(self):
167 self.account.deactivate()
168 self.assertRaises(AccountDeactivated, refresh_discharge,
169- self.caveat_id, self.discharge_macaroon.serialize())
170+ self.discharge_macaroon.serialize())
171
172 def test_password_changed(self):
173 self.account.set_password("a new password")
174 self.assertRaises(AuthenticationError, refresh_discharge,
175- self.caveat_id, self.discharge_macaroon.serialize())
176+ self.discharge_macaroon.serialize())
177
178 def test_password_with_no_datetime(self):
179 # simulate an "old" account password (before we started to keep the
180@@ -1317,7 +1300,7 @@
181 assert self.account.accountpassword.date_changed is None
182
183 # check that auths ok
184- refresh_discharge(self.caveat_id, self.discharge_macaroon.serialize())
185+ refresh_discharge(self.discharge_macaroon.serialize())
186
187 def test_proper_refreshing(self):
188 old_discharge = self.discharge_macaroon # just rename for readability
189@@ -1340,8 +1323,7 @@
190
191 # call!
192 before = now()
193- new_discharge = refresh_discharge(self.caveat_id,
194- old_discharge.serialize())
195+ new_discharge = refresh_discharge(old_discharge.serialize())
196 after = now()
197
198 # test