Canonical SSO provider

Merge lp:~facundo/canonical-identity-provider/refresh-macaroons into lp:canonical-identity-provider/release

refresh-macaroons
Merge into trunk

Proposed by Facundo Batista on 2016-03-22

Status:	Merged
Approved by:	Facundo Batista on 2016-03-22
Approved revision:	no longer in the source branch.
Merged at revision:	1416
Proposed branch:	lp:~facundo/canonical-identity-provider/refresh-macaroons
Merge into:	lp:canonical-identity-provider/release
Diff against target:	691 lines (+450/-56) 5 files modified src/api/v20/handlers.py (+33/-1) src/api/v20/tests/test_handlers.py (+110/-9) src/api/v20/urls.py (+7/-3) src/identityprovider/auth.py (+104/-26) src/identityprovider/tests/test_auth.py (+196/-17)
To merge this branch:	bzr merge lp:~facundo/canonical-identity-provider/refresh-macaroons
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Matias Bordese (community)		2016-03-22	Approve on 2016-03-22
Review via email: mp+289798@code.launchpad.net

Commit message

We can refresh macaroons now.

Description of the change

We can refresh macaroons now.

Revision history for this message

Matias Bordese (matiasb) wrote on 2016-03-22:

Looks good, thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Facundo Batista

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

 === modified file 'src/api/v20/handlers.py'
 --- src/api/v20/handlers.py	2016-03-18 18:40:31 +0000
 +++ src/api/v20/handlers.py	2016-03-22 19:47:49 +0000
@@ -425,7 +425,7 @@
          return response
--class MacaroonHandler(BaseHandler):
++class MacaroonDischargeHandler(BaseHandler):
      allowed_methods = ('POST',)
      @require_mime('json')
@@ -498,6 +498,38 @@
          return response
++class MacaroonRefreshHandler(BaseHandler):
++    allowed_methods = ('POST',)
++
++    @require_mime('json')
++    def create(self, request):
++        if settings.CRYPTO_SSO_PRIVKEY is None:
++            return errors.RESOURCE_NOT_FOUND()
++
++        data = request.data
++        try:
++            root_macaroon_raw = data['root_macaroon']
++            discharge_macaroon_raw = data['discharge_macaroon']
++        except KeyError:
++            expected = {'root_macaroon', 'discharge_macaroon'}
++            missing = dict((k, [FIELD_REQUIRED]) for k in expected - set(data))
++            return errors.INVALID_DATA(**missing)
++
++        try:
++            new_discharge = auth.refresh_macaroons(root_macaroon_raw,
++                                                   discharge_macaroon_raw)
++        except ValidationError:
++            return errors.INVALID_DATA()
++        except AccountDeactivated:
++            return errors.ACCOUNT_DEACTIVATED()
++        except AuthenticationError:
++            return errors.INVALID_CREDENTIALS()
++
++        response = rc.ALL_OK
++        response.content = dict(discharge_macaroon=new_discharge.serialize())
++        return response
++
++
  class EmailsHandler(BaseHandler):
      allowed_methods = ('DELETE', 'GET', 'PATCH')
      model = EmailAddress
 === modified file 'src/api/v20/tests/test_handlers.py'
 --- src/api/v20/tests/test_handlers.py	2016-03-18 20:27:55 +0000
 +++ src/api/v20/tests/test_handlers.py	2016-03-22 19:47:49 +0000
@@ -29,6 +29,7 @@
  from timeline import Timeline
  from api.v20 import handlers, whitelist
++from identityprovider.auth import build_discharge_macaroon
  from identityprovider.login import PasswordPolicyError
  from identityprovider.models import (
      Account,
@@ -2164,7 +2165,15 @@
  class MacaroonHandlerBaseTestCase(SSOBaseTestCase):
--    url = reverse('api-macaroon-discharge')
++    def build_key_pair(self, _cache=[]):
++        """Build the key pairs (cached, as it takes quite some time now!)."""
++        if not _cache:
++            Random.atfork()
++            test_rsa_priv_key = RSA.generate(2048)
++            test_rsa_pub_key = test_rsa_priv_key.publickey()
++            _cache.append(test_rsa_priv_key)
++            _cache.append(test_rsa_pub_key)
++        return _cache
      def track_failed_logins(self, **kw):
          self.login_failed_calls.append(kw)
@@ -2175,9 +2184,7 @@
              service_location = settings.MACAROON_SERVICE_LOCATION
          # pair of keys to encrypt/decrypt
--        Random.atfork()
--        test_rsa_priv_key = RSA.generate(1024)
--        test_rsa_pub_key = test_rsa_priv_key.publickey()
++        test_rsa_priv_key, test_rsa_pub_key = self.build_key_pair()
          p = self.settings(CRYPTO_SSO_PRIVKEY=test_rsa_priv_key)
          p.enable()
          self.addCleanup(p.disable)
@@ -2189,10 +2196,14 @@
              identifier='A test macaroon',
+         )
          random_key = binascii.hexlify(os.urandom(32))
--        random_key_encrypted = base64.b64encode(
--            test_rsa_pub_key.encrypt(random_key, 32)[0])
++        info = {
++            'roothash': macaroon_random_key,
++            '3rdparty': random_key,
++        }
++        info_encrypted = base64.b64encode(
++            test_rsa_pub_key.encrypt(json.dumps(info), 32)[0])
          root_macaroon.add_third_party_caveat(
--            service_location, random_key, random_key_encrypted)
++            service_location, random_key, info_encrypted)
          return root_macaroon, macaroon_random_key
      def setUp(self):
@@ -2209,8 +2220,10 @@
              email=self.data['email'], password=self.data['password'])
--class MacaroonHandlerTestCase(MacaroonHandlerBaseTestCase,
--                              AuthLogTestCaseMixin):
++class MacaroonDischargeHandlerTestCase(MacaroonHandlerBaseTestCase,
++                                       AuthLogTestCaseMixin):
++
++    url = reverse('api-macaroon-discharge')
      def do_post(self, data=None, expected_status_code=200,
                  content_type='application/json', **kwargs):
@@ -2378,6 +2391,8 @@
  class MacaroonHandlerTimelineTestCase(MacaroonHandlerBaseTestCase,
                                        TimelineActionMixin):
++    url = reverse('api-macaroon-discharge')
++
      def test_login_timeline_records_password_checking(self):
          # Prepare and inject a timeline in the client's POST.
          empty_timeline = Timeline()
@@ -2408,3 +2423,89 @@
          self.assertEqual(response.status_code, 200)
          self.assertNotIn('timeline.timeline', response.wsgi_request.META)
++
++
++class MacaroonRefreshHandlerTestCase(MacaroonHandlerBaseTestCase):
++
++    url = reverse('api-macaroon-refresh')
++
++    def setUp(self):
++        super(MacaroonRefreshHandlerTestCase, self).setUp()
++
++        # discharge the test macaroon
++        root_macaroon_raw = self.root_macaroon.serialize()
++        self.discharge_macaroon = build_discharge_macaroon(
++            self.account, root_macaroon_raw)
++
++        self.data = {'root_macaroon': root_macaroon_raw,
++                     'discharge_macaroon': self.discharge_macaroon.serialize()}
++
++    def do_post(self, data=None, expected_status_code=200,
++                content_type='application/json', **kwargs):
++        if data is None:
++            data = self.data
++
++        response = self.client.post(self.url, data=json.dumps(data),
++                                    content_type=content_type, **kwargs)
++
++        self.assertEqual(
++            response.status_code, expected_status_code,
++            "Bad status code! expected={} got={} response={}".format(
++                expected_status_code, response.status_code, response))
++        self.assertEqual(response['Content-type'],
++                         'application/json; charset=utf-8',
++                         response)
++        return json.loads(response.content)
++
++    def assert_failed_login(self, code, data, extra=None,
++                            expected_status_code=403, check_login_failed=True):
++        if extra is None:
++            extra = {}
++
++        json_body = self.do_post(expected_status_code=expected_status_code,
++                                 data=data)
++        self.assertEqual(json_body['code'], code)
++        self.assertEqual(json_body['extra'], extra)
++        return json_body
++
++    def test_required_parameters(self):
++        json_body = self.do_post(expected_status_code=400, data={})
++
++        self.assertEqual(json_body, {
++            'code': 'INVALID_DATA',
++            'extra': {'root_macaroon': [handlers.FIELD_REQUIRED],
++                      'discharge_macaroon': [handlers.FIELD_REQUIRED]},
++            'message': 'Invalid request data'},
++        )
++        self.assertEqual(self.login_failed_calls, [])
++
++    def test_account_missing(self):
++        self.account.deactivate()
++        self.assert_failed_login('ACCOUNT_DEACTIVATED', self.data)
++
++    def test_root_macaroon_corrupt(self):
++        data = dict(root_macaroon="I'm a seriously corrupted macaroon",
++                    discharge_macaroon="Also broken")
++        self.assert_failed_login('INVALID_DATA', data,
++                                 expected_status_code=400,
++                                 check_login_failed=False)
++
++    def test_macaroon_bad_authinfo(self):
++        macaroon, _ = self.build_macaroon(service_location="other service")
++        data = dict(root_macaroon=macaroon.serialize(),
++                    discharge_macaroon=self.discharge_macaroon.serialize())
++        self.assert_failed_login('INVALID_CREDENTIALS', data,
++                                 expected_status_code=401,
++                                 check_login_failed=False)
++
++    def test_macaroon_refreshed(self):
++        json_body = self.do_post()
++
++        # get new discharge macaroon and verify with old root (its internals
++        # are verified by the tests of the 'refresh_macaroons' function itself)
++        discharge_macaroon_raw = json_body['discharge_macaroon']
++        discharge_macaroon = Macaroon.deserialize(discharge_macaroon_raw)
++        v = Verifier()
++        v.satisfy_general(lambda c: True)
++        v.verify(
++            self.root_macaroon, self.macaroon_random_key, [discharge_macaroon])
 === modified file 'src/api/v20/urls.py'
 --- src/api/v20/urls.py	2016-03-04 18:19:34 +0000
 +++ src/api/v20/urls.py	2016-03-22 19:47:49 +0000
@@ -15,7 +15,8 @@
      AccountRegistrationHandler,
      AccountsHandler,
      EmailsHandler,
--    MacaroonHandler,
++    MacaroonDischargeHandler,
++    MacaroonRefreshHandler,
      PasswordResetTokenHandler,
      RequestsHandler,
      TokensHandler,
@@ -27,7 +28,8 @@
  v2emails = ApiResource(
      handler=EmailsHandler, authentication=ApiEmailsAuthentication())
  v2login = ApiResource(handler=AccountLoginHandler)
--v2macaroon = ApiResource(handler=MacaroonHandler)
++v2macaroon_discharge = ApiResource(handler=MacaroonDischargeHandler)
++v2macaroon_refresh = ApiResource(handler=MacaroonRefreshHandler)
  v2password_reset = ApiResource(handler=PasswordResetTokenHandler)
  v2registration = ApiResource(
      handler=AccountRegistrationHandler,
@@ -43,7 +45,9 @@
      url(r'^accounts/(?P<openid>\w+)$', v2accounts, name='api-account'),
      url(r'^emails/(?P<email>.+)$', v2emails, name='api-email'),
      url(r'^requests/validate$', v2requests, name='api-requests'),
--    url(r'^tokens/discharge$', v2macaroon, name='api-macaroon-discharge'),
++    url(r'^tokens/discharge$', v2macaroon_discharge,
++        name='api-macaroon-discharge'),
++    url(r'^tokens/refresh$', v2macaroon_refresh, name='api-macaroon-refresh'),
      url(r'^tokens/oauth$', v2login, name='api-login'),
      url(r'^tokens/oauth/(?P<token>.+)$', v2tokens, name='api-token'),
      url(r'^tokens/password$', v2password_reset, name='api-password-reset'),
 === modified file 'src/identityprovider/auth.py'
 --- src/identityprovider/auth.py	2016-03-16 16:25:36 +0000
 +++ src/identityprovider/auth.py	2016-03-22 19:47:49 +0000
@@ -24,9 +24,9 @@
  from django.utils.translation import ugettext_lazy as _
  from django.utils.timezone import now
  from oauthlib.oauth1 import RequestValidator, ResourceEndpoint
--from pymacaroons import Macaroon
++from pymacaroons import Macaroon, Verifier
--from identityprovider.login import AuthenticationError
++from identityprovider.login import AuthenticationError, AccountDeactivated
  from identityprovider.models import (
      Account,
      AccountPassword,
@@ -495,34 +495,40 @@
          return response
--def build_discharge_macaroon(account, root_macaroon_raw):
--    """Build a discharge macaroon from a root one."""
--    service_location = settings.MACAROON_SERVICE_LOCATION
--
--    try:
--        root_macaroon = Macaroon.deserialize(root_macaroon_raw)
--    except:
--        raise ValidationError("The received Macaroon is corrupt")
--
--    try:
--        # isolate 3rd-party caveat that concerns SSO (hinted by 'location')
--        (sso_caveat,) = [c for c in root_macaroon.third_party_caveats()
--                         if c.location == service_location]
++def _get_own_caveat(macaroon):
++    """Get a caveat for this service from the Macaroon."""
++    try:
++        # isolate 3rd-party caveat that concerns to us (hinted by 'location')
++        (sso_caveat,) = [c for c in macaroon.third_party_caveats()
++                         if c.location == settings.MACAROON_SERVICE_LOCATION]
      except:
          # the macaroon doesn't have a location for this service
          raise AuthenticationError("The received macaroon is not for ours")
      # get the only-for-this-project random key
--    original_random_key = settings.CRYPTO_SSO_PRIVKEY.decrypt(
--        base64.b64decode(sso_caveat.caveat_id))
--
--    # create a discharge macaroon with same location, key and
++    try:
++        caveat_info_raw = settings.CRYPTO_SSO_PRIVKEY.decrypt(
++            base64.b64decode(sso_caveat.caveat_id))
++        caveat_info = json.loads(caveat_info_raw)
++    except:
++        # not properly encrypted information inside
++        raise AuthenticationError("Bad info in the caveat_id")
++
++    return sso_caveat.caveat_id, caveat_info
++
++
++def _build_discharge(macaroon_key, caveat_id, account,
++                     last_auth=None, expires=None):
++    """Build a typical discharge macaroon."""
++    service_location = settings.MACAROON_SERVICE_LOCATION
++
++    # create the new discharge macaroon with same location, key and
      # identifier than it's original 3rd-party caveat (so they can
      # be matched and verified)
      d = Macaroon(
          location=service_location,
--        key=original_random_key,
--        identifier=sso_caveat.caveat_id,
++        key=macaroon_key,
++        identifier=caveat_id,
+     )
      # add the account info
@@ -536,12 +542,84 @@
      # add timestamp values
      now_string = now().strftime('%Y-%m-%dT%H:%M:%S.%f')
++    if last_auth is None:
++        last_auth = now_string
++    if expires is None:
++        expires_ts = now() + datetime.timedelta(seconds=settings.MACAROON_TTL)
++        expires = expires_ts.strftime('%Y-%m-%dT%H:%M:%S.%f')
++
      d.add_first_party_caveat(service_location + '|valid_since|' + now_string)
--    d.add_first_party_caveat(service_location + '|last_auth|' + now_string)
--    expire = now() + datetime.timedelta(seconds=settings.MACAROON_TTL)
--    d.add_first_party_caveat(
--        service_location + '|expires|' +
--        expire.strftime('%Y-%m-%dT%H:%M:%S.%f'))
++    d.add_first_party_caveat(service_location + '|last_auth|' + last_auth)
++    d.add_first_party_caveat(service_location + '|expires|' + expires)
++    return d
++
++
++def build_discharge_macaroon(account, root_macaroon_raw):
++    """Build a discharge macaroon from a root one."""
++    try:
++        root_macaroon = Macaroon.deserialize(root_macaroon_raw)
++    except:
++        raise ValidationError("The received Macaroon is corrupt")
++
++    # get the raw caveat id and the decrypted deserialized info
++    raw_caveat_id, caveat_info = _get_own_caveat(root_macaroon)
++
++    # create a discharge macaroon with same location, key and
++    # identifier than it's original 3rd-party caveat (so they can
++    # be matched and verified)
++    d = _build_discharge(caveat_info['3rdparty'], raw_caveat_id, account)
++
++    # return the properly prepared discharge macaroon
++    discharge = root_macaroon.prepare_for_request(d)
++    return discharge
++
++
++def refresh_macaroons(root_macaroon_raw, discharge_macaroon_raw):
++    """Refresh a root/discharge pair with a new discharge macaroon."""
++    service_location = settings.MACAROON_SERVICE_LOCATION
++
++    try:
++        root_macaroon = Macaroon.deserialize(root_macaroon_raw)
++        discharge_macaroon = Macaroon.deserialize(discharge_macaroon_raw)
++    except:
++        raise ValidationError("The received Macaroons are corrupt")
++
++    # get the raw caveat id and the decrypted deserialized info
++    raw_caveat_id, caveat_info = _get_own_caveat(root_macaroon)
++    info_holder = {}
++
++    def checker(caveat):
++        """Extract the openid."""
++        source, key, value = caveat.split("|", 2)
++        if source == service_location and key == 'account':
++            acc = json.loads(base64.b64decode(value).decode("utf8"))
++            info_holder['openid'] = acc['openid']
++        elif source == service_location and key == 'last_auth':
++            info_holder['last_auth'] = value
++        elif source == service_location and key == 'expires':
++            info_holder['expires'] = value
++        return True
++
++    # assure that the received pair is safe
++    v = Verifier()
++    v.satisfy_general(checker)
++    try:
++        v.verify(root_macaroon, caveat_info['roothash'], [discharge_macaroon])
++    except:
++        raise AuthenticationError("Not verifying macaroons")
++
++    # verify that the account is still fine
++    account = Account.objects.active_by_openid(info_holder['openid'])
++    if account is None:
++        raise AccountDeactivated()
++
++    # create the new discharge macaroon with same location, key and
++    # identifier than it's original 3rd-party caveat (so they can
++    # be matched and verified), and keeping the last_auth and expires from
++    # the original discharge macaroon
++    d = _build_discharge(caveat_info['3rdparty'], raw_caveat_id, account,
++                         last_auth=info_holder['last_auth'],
++                         expires=info_holder['expires'])
      # return the properly prepared discharge macaroon
      discharge = root_macaroon.prepare_for_request(d)
 === modified file 'src/identityprovider/tests/test_auth.py'
 --- src/identityprovider/tests/test_auth.py	2016-03-16 16:25:36 +0000
 +++ src/identityprovider/tests/test_auth.py	2016-03-22 19:47:49 +0000
@@ -31,18 +31,24 @@
      LaunchpadBackend,
      SSOOAuthAuthentication,
      SSORequestValidator,
++    _get_own_caveat,
      basic_authenticate,
      build_discharge_macaroon,
++    refresh_macaroons,
      validate_oauth_signature,
+ )
--from identityprovider.login import AuthenticationError
++from identityprovider.login import AuthenticationError, AccountDeactivated
  from identityprovider.models import (
      Account,
      AccountPassword,
      AuthLog,
      EmailAddress,
+ )
--from identityprovider.models.const import AccountStatus, TokenScope
++from identityprovider.models.const import (
++    AccountStatus,
++    EmailStatus,
++    TokenScope,
++)
  from identityprovider.readonly import ReadOnlyManager
  from identityprovider.tests import DEFAULT_API_PASSWORD, DEFAULT_USER_PASSWORD
  from identityprovider.tests.utils import (
@@ -954,19 +960,30 @@
              timer=self.dummy_timer)
--class BuildMacaroonDischargeTestCase(SSOBaseTestCase):
++class BaseMacaroonTestCase(SSOBaseTestCase):
++
++    def setup_key_pair(self, _cache=[]):
++        """Build the key pairs (cached, as it takes quite some time now!)."""
++        # get or build the keys
++        if _cache:
++            test_rsa_priv_key, test_rsa_pub_key = _cache
++        else:
++            Random.atfork()
++            test_rsa_priv_key = RSA.generate(2048)
++            test_rsa_pub_key = test_rsa_priv_key.publickey()
++            _cache.append(test_rsa_priv_key)
++            _cache.append(test_rsa_pub_key)
++
++        # set up config for priv key
++        p = self.settings(CRYPTO_SSO_PRIVKEY=test_rsa_priv_key)
++        p.enable()
++        self.addCleanup(p.disable)
++        return test_rsa_priv_key, test_rsa_pub_key
      def build_macaroon(self, service_location=None):
          if service_location is None:
              service_location = settings.MACAROON_SERVICE_LOCATION
--
--        # pair of keys to encrypt/decrypt
--        Random.atfork()
--        test_rsa_priv_key = RSA.generate(1024)
--        test_rsa_pub_key = test_rsa_priv_key.publickey()
--        p = self.settings(CRYPTO_SSO_PRIVKEY=test_rsa_priv_key)
--        p.enable()
--        self.addCleanup(p.disable)
++        test_rsa_priv_key, test_rsa_pub_key = self.setup_key_pair()
          # create a Macaron with the proper third party caveat
          macaroon_random_key = binascii.hexlify(os.urandom(32))
@@ -976,12 +993,23 @@
              identifier='A test macaroon',
+         )
          random_key = binascii.hexlify(os.urandom(32))
--        random_key_encrypted = base64.b64encode(
--            test_rsa_pub_key.encrypt(random_key, 32)[0])
++        info = {
++            'roothash': macaroon_random_key,
++            '3rdparty': random_key,
++        }
++        info_encrypted = base64.b64encode(
++            test_rsa_pub_key.encrypt(json.dumps(info), 32)[0])
          root_macaroon.add_third_party_caveat(
--            service_location, random_key, random_key_encrypted)
++            service_location, random_key, info_encrypted)
          return root_macaroon, macaroon_random_key
++
++class BuildMacaroonDischargeTestCase(BaseMacaroonTestCase):
++
++    def setUp(self):
++        super(BaseMacaroonTestCase, self).setUp()
++        self.root_macaroon, self.macaroon_random_key = self.build_macaroon()
++
      def test_root_macaroon_corrupt(self):
          self.assertRaises(ValidationError, build_discharge_macaroon,
                            "fake account", "I'm a seriously corrupted macaroon")
@@ -993,11 +1021,10 @@
      def test_proper_discharging(self):
          # build the input and call
--        root_macaroon, random_key_used = self.build_macaroon()
          real_account = self.factory.make_account()
          before = now()
          discharge_macaroon = build_discharge_macaroon(
--            real_account, root_macaroon.serialize())
++            real_account, self.root_macaroon.serialize())
          after = now()
          # test
@@ -1044,4 +1071,156 @@
          v = Verifier()
          v.satisfy_general(checker)
--        v.verify(root_macaroon, random_key_used, [discharge_macaroon])
++        v.verify(self.root_macaroon, self.macaroon_random_key,
++                 [discharge_macaroon])
++
++
++class MacaroonHelpersTestCase(BaseMacaroonTestCase):
++
++    def test_get_caveat_ok(self):
++        test_rsa_priv_key, test_rsa_pub_key = self.setup_key_pair()
++
++        # create a Macaron with the proper third party caveat
++        macaroon_random_key = binascii.hexlify(os.urandom(32))
++        root_macaroon = Macaroon(
++            location='The store ;)',
++            key=macaroon_random_key,
++            identifier='A test macaroon',
++        )
++        random_key = binascii.hexlify(os.urandom(32))
++        info = {
++            'some stuff': 'foo',
++            'more stuff': 'bar',
++        }
++        info_encrypted = base64.b64encode(
++            test_rsa_pub_key.encrypt(json.dumps(info), 32)[0])
++        root_macaroon.add_third_party_caveat(
++            settings.MACAROON_SERVICE_LOCATION, random_key, info_encrypted)
++
++        # check
++        raw_caveat_id, caveat_info = _get_own_caveat(root_macaroon)
++        self.assertEqual(raw_caveat_id, info_encrypted)
++        self.assertEqual(caveat_info, info)
++
++    def test_get_caveat_not_for_sso(self):
++        macaroon, _ = self.build_macaroon(service_location="other service")
++        self.assertRaises(AuthenticationError, _get_own_caveat, macaroon)
++
++    def test_get_caveat_badly_encrypted(self):
++        test_rsa_priv_key, test_rsa_pub_key = self.setup_key_pair()
++
++        # create a Macaron with the proper third party caveat
++        macaroon_random_key = binascii.hexlify(os.urandom(32))
++        root_macaroon = Macaroon(
++            location='The store ;)',
++            key=macaroon_random_key,
++            identifier='A test macaroon',
++        )
++        random_key = binascii.hexlify(os.urandom(32))
++        root_macaroon.add_third_party_caveat(
++            settings.MACAROON_SERVICE_LOCATION, random_key,
++            b"not really well encrypted stuff")
++
++        # check
++        self.assertRaises(AuthenticationError, _get_own_caveat, root_macaroon)
++
++
++class MacaroonRefreshTestCase(BaseMacaroonTestCase):
++
++    def setUp(self):
++        super(MacaroonRefreshTestCase, self).setUp()
++        self.root_macaroon, self.macaroon_random_key = self.build_macaroon()
++
++        # discharge the test macaroon
++        self.account = self.factory.make_account()
++        self.discharge_macaroon = build_discharge_macaroon(
++            self.account, self.root_macaroon.serialize())
++
++    def test_root_macaroon_corrupt(self):
++        self.assertRaises(
++            ValidationError, refresh_macaroons,
++            "Corrupted macaroon", self.discharge_macaroon.serialize())
++
++    def test_discharge_macaroon_corrupt(self):
++        self.assertRaises(
++            ValidationError, refresh_macaroons,
++            self.root_macaroon.serialize(), "Seriously corrupted macaroon")
++
++    def test_macaroons_dont_verify_ok(self):
++        # just get *another* discharge so it's not for the same root macaroon
++        other_root, _ = self.build_macaroon()
++        other_discharge = build_discharge_macaroon(
++            self.account, other_root.serialize())
++        self.assertRaises(AuthenticationError, refresh_macaroons,
++                          self.root_macaroon.serialize(),
++                          other_discharge.serialize())
++
++    def test_deactivated_account(self):
++        self.account.deactivate()
++        self.assertRaises(AccountDeactivated, refresh_macaroons,
++                          self.root_macaroon.serialize(),
++                          self.discharge_macaroon.serialize())
++
++    def test_proper_refreshing(self):
++        old_discharge = self.discharge_macaroon  # just rename for readability
++        service_location = settings.MACAROON_SERVICE_LOCATION
++
++        def get_value(search_key):
++            for caveat in old_discharge.first_party_caveats():
++                source, key, value = caveat.caveat_id.split("|", 2)
++                if source == service_location and key == search_key:
++                    return value
++
++        # get old values from the macaroon and also change the account to see
++        # that reflected
++        old_last_auth = get_value('last_auth')
++        old_expires = get_value('expires')
++        new_mail = self.factory.make_email_for_account(
++            self.account, status=EmailStatus.PREFERRED)
++        self.account.displayname = "New test display name"
++        self.account.save()
++
++        # call!
++        before = now()
++        new_discharge = refresh_macaroons(self.root_macaroon.serialize(),
++                                          old_discharge.serialize())
++        after = now()
++
++        # test
++        def checker(caveat):
++            """Assure all caveats inside the discharged macaroon are ok."""
++            source, key, value = caveat.split("|", 2)
++            if source != service_location:
++                # just checking the NEW discharge one, not the root
++                return True
++
++            if key == 'valid_since':
++                valid_since = datetime.strptime(value, '%Y-%m-%dT%H:%M:%S.%f')
++                self.assertGreater(valid_since, before)
++                self.assertGreater(after, valid_since)
++                return True
++
++            if key == 'last_auth':
++                self.assertEqual(value, old_last_auth)
++                return True
++
++            if key == 'account':
++                acc = json.loads(base64.b64decode(value).decode("utf8"))
++                self.assertEqual(acc['openid'], self.account.openid_identifier)
++                self.assertEqual(acc['email'], new_mail.email)
++                self.assertEqual(acc['displayname'], "New test display name")
++                self.assertEqual(acc['is_verified'], self.account.is_verified)
++                return True
++
++            if key == 'expires':
++                self.assertEqual(value, old_expires)
++                return True
++
++            # we're not validating an SSO from the discharged macaroon, fail!
++            return False
++
++        # verify using the NEW discharge macaroon
++        v = Verifier()
++        v.satisfy_general(checker)
++        v.verify(self.root_macaroon, self.macaroon_random_key,
++                 [new_discharge])