Canonical SSO provider

Merge lp:~facundo/canonical-identity-provider/no-caveat-in-refresh into lp:canonical-identity-provider/release

  1. no-caveat-in-refresh
  2. Merge into trunk
Proposed by Facundo Batista
Status: Merged
Approved by: Facundo Batista
Approved revision: no longer in the source branch.
Merged at revision: 1441
Proposed branch: lp:~facundo/canonical-identity-provider/no-caveat-in-refresh
Merge into: lp:canonical-identity-provider/release
Diff against target: 198 lines (+21/-70)
4 files modified
src/api/v20/handlers.py (+7/-9)
src/api/v20/tests/test_handlers.py (+5/-34)
src/identityprovider/auth.py (+3/-3)
src/identityprovider/tests/test_auth.py (+6/-24)
To merge this branch: bzr merge lp:~facundo/canonical-identity-provider/no-caveat-in-refresh
Reviewer Review Type Date Requested Status
Matias Bordese (community) Approve
Ricardo Kirkner (community) Approve
Review via email: mp+293915@code.launchpad.net

Commit message

Don't need the caveat_id in the refresh.

Description of the change

Don't need the caveat_id in the refresh.

To post a comment you must log in.
Revision history for this message
Ricardo Kirkner (ricardokirkner) wrote :

LGTM

review: Approve
Revision history for this message
Matias Bordese (matiasb) wrote :

LGTM

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'src/api/v20/handlers.py'
--- src/api/v20/handlers.py 2016-05-05 11:39:43 +0000
+++ src/api/v20/handlers.py 2016-05-05 15:40:29 +0000
@@ -543,18 +543,16 @@
543 missing = {'discharge_macaroon': [FIELD_REQUIRED]}543 missing = {'discharge_macaroon': [FIELD_REQUIRED]}
544 return errors.INVALID_DATA(**missing)544 return errors.INVALID_DATA(**missing)
545545
546 if 'caveat_id' in data:546 if 'root_macaroon' in data:
547 method = auth.refresh_discharge547 # (deprecated 2016-05-03) use the root macaroon to old-fashion
548 params = (data['caveat_id'], discharge_macaroon_raw)548 # refresh, that also returns a bound discharge
549 stats.increment('macaroon.refresh', key='caveat_id')
550 elif 'root_macaroon' in data:
551 method = auth.refresh_macaroons549 method = auth.refresh_macaroons
552 params = (data['root_macaroon'], discharge_macaroon_raw)550 params = (data['root_macaroon'], discharge_macaroon_raw)
553 stats.increment('macaroon.refresh', key='macaroon')551 stats.increment('macaroon.refresh', key='root_macaroon')
554 else:552 else:
555 # let's flag the new one only, not the deprecated one553 method = auth.refresh_discharge
556 missing = {'caveat_id': [FIELD_REQUIRED]}554 params = (discharge_macaroon_raw,)
557 return errors.INVALID_DATA(**missing)555 stats.increment('macaroon.refresh', key='just_discharge')
558556
559 try:557 try:
560 new_discharge = method(*params)558 new_discharge = method(*params)
561559
=== modified file 'src/api/v20/tests/test_handlers.py'
--- src/api/v20/tests/test_handlers.py 2016-05-05 11:39:43 +0000
+++ src/api/v20/tests/test_handlers.py 2016-05-05 15:40:29 +0000
@@ -2473,8 +2473,7 @@
2473 self.discharge_macaroon = self.root_macaroon.prepare_for_request(2473 self.discharge_macaroon = self.root_macaroon.prepare_for_request(
2474 unbound_discharge)2474 unbound_discharge)
24752475
2476 self.data = {'caveat_id': caveat.caveat_id,2476 self.data = {'discharge_macaroon': unbound_discharge.serialize()}
2477 'discharge_macaroon': unbound_discharge.serialize()}
24782477
2479 def do_post(self, data=None, expected_status_code=200,2478 def do_post(self, data=None, expected_status_code=200,
2480 content_type='application/json', **kwargs):2479 content_type='application/json', **kwargs):
@@ -2514,17 +2513,6 @@
2514 )2513 )
2515 self.assertEqual(self.login_failed_calls, [])2514 self.assertEqual(self.login_failed_calls, [])
25162515
2517 def test_required_parameters_caveat_id(self):
2518 json_body = self.do_post(expected_status_code=400,
2519 data={'discharge_macaroon': 'whatever'})
2520
2521 self.assertEqual(json_body, {
2522 'code': 'INVALID_DATA',
2523 'extra': {'caveat_id': [handlers.FIELD_REQUIRED]},
2524 'message': 'Invalid request data'},
2525 )
2526 self.assertEqual(self.login_failed_calls, [])
2527
2528 def test_account_missing(self):2516 def test_account_missing(self):
2529 self.account.deactivate()2517 self.account.deactivate()
2530 self.assert_failed_login('ACCOUNT_DEACTIVATED', self.data)2518 self.assert_failed_login('ACCOUNT_DEACTIVATED', self.data)
@@ -2557,26 +2545,9 @@
2557 v.satisfy_general(lambda c: True)2545 v.satisfy_general(lambda c: True)
2558 v.verify(2546 v.verify(
2559 self.root_macaroon, self.macaroon_random_key, [discharge_macaroon])2547 self.root_macaroon, self.macaroon_random_key, [discharge_macaroon])
2560 self.check_stats_increment('macaroon.refresh', key='macaroon')2548 self.check_stats_increment('macaroon.refresh', key='root_macaroon')
25612549
2562 def test_caveat_id_corrupt(self):2550 def test_just_discharge_refreshed(self):
2563 data = dict(caveat_id="I'm a seriously corrupted caveat",
2564 discharge_macaroon="Also broken")
2565 self.assert_failed_login('INVALID_DATA', data,
2566 expected_status_code=400,
2567 check_login_failed=False)
2568
2569 def test_caveat_id_bad_authinfo(self):
2570 macaroon, _, _ = self.build_macaroon(service_location="other service")
2571 (caveat,) = [c for c in macaroon.third_party_caveats()
2572 if c.location == "other service"]
2573 data = dict(caveat_id=caveat.caveat_id,
2574 discharge_macaroon=self.discharge_macaroon.serialize())
2575 self.assert_failed_login('INVALID_CREDENTIALS', data,
2576 expected_status_code=401,
2577 check_login_failed=False)
2578
2579 def test_caveat_id_refreshed(self):
2580 json_body = self.do_post()2551 json_body = self.do_post()
25812552
2582 # get new discharge macaroon, apply it and verify with old root (its2553 # get new discharge macaroon, apply it and verify with old root (its
@@ -2588,4 +2559,4 @@
2588 v = Verifier()2559 v = Verifier()
2589 v.satisfy_general(lambda c: True)2560 v.satisfy_general(lambda c: True)
2590 v.verify(self.root_macaroon, self.macaroon_random_key, [discharge])2561 v.verify(self.root_macaroon, self.macaroon_random_key, [discharge])
2591 self.check_stats_increment('macaroon.refresh', key='caveat_id')2562 self.check_stats_increment('macaroon.refresh', key='just_discharge')
25922563
=== modified file 'src/identityprovider/auth.py'
--- src/identityprovider/auth.py 2016-05-05 11:39:43 +0000
+++ src/identityprovider/auth.py 2016-05-05 15:40:29 +0000
@@ -672,7 +672,7 @@
672 return discharge672 return discharge
673673
674674
675def refresh_discharge(raw_caveat_id, discharge_macaroon_raw):675def refresh_discharge(discharge_macaroon_raw):
676 """Refresh a discharge with a new discharge macaroon."""676 """Refresh a discharge with a new discharge macaroon."""
677 try:677 try:
678 discharge_macaroon = Macaroon.deserialize(discharge_macaroon_raw)678 discharge_macaroon = Macaroon.deserialize(discharge_macaroon_raw)
@@ -680,7 +680,7 @@
680 raise ValidationError("The received Macaroons are corrupt")680 raise ValidationError("The received Macaroons are corrupt")
681681
682 # get the decrypted deserialized info682 # get the decrypted deserialized info
683 caveat_info = _decrypt_caveat(raw_caveat_id)683 caveat_info = _decrypt_caveat(discharge_macaroon.identifier)
684 account, macaroon_info = _account_from_macaroon(684 account, macaroon_info = _account_from_macaroon(
685 discharge_macaroon, caveat_info['3rdparty'])685 discharge_macaroon, caveat_info['3rdparty'])
686686
@@ -689,7 +689,7 @@
689 # be matched and verified), and keeping the last_auth and expires from689 # be matched and verified), and keeping the last_auth and expires from
690 # the original discharge macaroon690 # the original discharge macaroon
691 discharge = _build_discharge(691 discharge = _build_discharge(
692 caveat_info['3rdparty'], raw_caveat_id, account,692 caveat_info['3rdparty'], discharge_macaroon.identifier, account,
693 last_auth=macaroon_info['last_auth'], expires=macaroon_info['expires'])693 last_auth=macaroon_info['last_auth'], expires=macaroon_info['expires'])
694694
695 # return the unbound discharge macaroon695 # return the unbound discharge macaroon
696696
=== modified file 'src/identityprovider/tests/test_auth.py'
--- src/identityprovider/tests/test_auth.py 2016-05-05 11:39:43 +0000
+++ src/identityprovider/tests/test_auth.py 2016-05-05 15:40:29 +0000
@@ -1270,42 +1270,25 @@
1270 root_macaroon, _, self.random_key = self.build_macaroon()1270 root_macaroon, _, self.random_key = self.build_macaroon()
1271 (caveat,) = [c for c in root_macaroon.third_party_caveats()1271 (caveat,) = [c for c in root_macaroon.third_party_caveats()
1272 if c.location == settings.MACAROON_SERVICE_LOCATION]1272 if c.location == settings.MACAROON_SERVICE_LOCATION]
1273 self.caveat_id = caveat.caveat_id
12741273
1275 # get a discharge for the test macaroon1274 # get a discharge for the test macaroon
1276 self.account = self.factory.make_account()1275 self.account = self.factory.make_account()
1277 self.discharge_macaroon = build_discharge_macaroon(1276 self.discharge_macaroon = build_discharge_macaroon(
1278 self.account, self.caveat_id)1277 self.account, caveat.caveat_id)
1279
1280 def test_caveat_id_corrupt(self):
1281 self.assertRaises(
1282 ValidationError, refresh_discharge,
1283 "Corrupted caveat id", self.discharge_macaroon.serialize())
12841278
1285 def test_discharge_macaroon_corrupt(self):1279 def test_discharge_macaroon_corrupt(self):
1286 self.assertRaises(1280 self.assertRaises(
1287 ValidationError, refresh_discharge,1281 ValidationError, refresh_discharge, "Seriously corrupted macaroon")
1288 self.caveat_id, "Seriously corrupted macaroon")
1289
1290 def test_macaroons_dont_verify_ok(self):
1291 # just get *another* discharge so it's not for the same root macaroon
1292 other_root, _, _ = self.build_macaroon()
1293 (other_caveat,) = [c for c in other_root.third_party_caveats()
1294 if c.location == settings.MACAROON_SERVICE_LOCATION]
1295 other_discharge = build_discharge_macaroon(
1296 self.account, other_caveat.caveat_id)
1297 self.assertRaises(AuthenticationError, refresh_discharge,
1298 self.caveat_id, other_discharge.serialize())
12991282
1300 def test_deactivated_account(self):1283 def test_deactivated_account(self):
1301 self.account.deactivate()1284 self.account.deactivate()
1302 self.assertRaises(AccountDeactivated, refresh_discharge,1285 self.assertRaises(AccountDeactivated, refresh_discharge,
1303 self.caveat_id, self.discharge_macaroon.serialize())1286 self.discharge_macaroon.serialize())
13041287
1305 def test_password_changed(self):1288 def test_password_changed(self):
1306 self.account.set_password("a new password")1289 self.account.set_password("a new password")
1307 self.assertRaises(AuthenticationError, refresh_discharge,1290 self.assertRaises(AuthenticationError, refresh_discharge,
1308 self.caveat_id, self.discharge_macaroon.serialize())1291 self.discharge_macaroon.serialize())
13091292
1310 def test_password_with_no_datetime(self):1293 def test_password_with_no_datetime(self):
1311 # simulate an "old" account password (before we started to keep the1294 # simulate an "old" account password (before we started to keep the
@@ -1317,7 +1300,7 @@
1317 assert self.account.accountpassword.date_changed is None1300 assert self.account.accountpassword.date_changed is None
13181301
1319 # check that auths ok1302 # check that auths ok
1320 refresh_discharge(self.caveat_id, self.discharge_macaroon.serialize())1303 refresh_discharge(self.discharge_macaroon.serialize())
13211304
1322 def test_proper_refreshing(self):1305 def test_proper_refreshing(self):
1323 old_discharge = self.discharge_macaroon # just rename for readability1306 old_discharge = self.discharge_macaroon # just rename for readability
@@ -1340,8 +1323,7 @@
13401323
1341 # call!1324 # call!
1342 before = now()1325 before = now()
1343 new_discharge = refresh_discharge(self.caveat_id,1326 new_discharge = refresh_discharge(old_discharge.serialize())
1344 old_discharge.serialize())
1345 after = now()1327 after = now()
13461328
1347 # test1329 # test