launchpad-buildd

Merge ~ines-almeida/launchpad-buildd:update-close-session-for-fetch-service into launchpad-buildd:master

  1. Git
  2. lp:~ines-almeida/launchpad-buildd
  3. update-close-session-for-fetch-service
  4. Merge into master
Proposed by Ines Almeida
Status: Merged
Approved by: Ines Almeida
Approved revision: 25cb50d6e81e84531af45e716a21e43763a0373c
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~ines-almeida/launchpad-buildd:update-close-session-for-fetch-service
Merge into: launchpad-buildd:master
Diff against target: 64 lines (+15/-8)
2 files modified
lpbuildd/tests/test_util.py (+3/-1)
lpbuildd/util.py (+12/-7)
Reviewer Review Type Date Requested Status
Jürgen Gmach Approve
Review via email: mp+464529@code.launchpad.net

Commit message

Update fetch service revoke token authentication

We now use the proxy token as authentication to the fetch service control API to revoke itself.
This is the only control endpoint that can be authenticated with the proxy token, as all it can do it revoke itself.

To post a comment you must log in.
Revision history for this message
Jürgen Gmach (jugmac00) wrote :

Thank you!

review: Approve
Revision history for this message
Ines Almeida (ines-almeida) :

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/lpbuildd/tests/test_util.py b/lpbuildd/tests/test_util.py
2index ab65f5f..8a5d766 100644
3--- a/lpbuildd/tests/test_util.py
4+++ b/lpbuildd/tests/test_util.py
5@@ -92,7 +92,8 @@ class TestRevokeToken(TestCase):
6 def test_revoke_fetch_service_token(self):
7 """Proxy token revocation for the fetch service"""
8
9- proxy_url = "http://session_id:token@proxy.fetch-service.example"
10+ token = "token"
11+ proxy_url = f"http://session_id:{token}@proxy.fetch-service.example"
12 revocation_endpoint = (
13 "http://control.fetch-service.example/session_id/token"
14 )
15@@ -111,3 +112,4 @@ class TestRevokeToken(TestCase):
16 "http://control.fetch-service.example/session_id/token",
17 request.url,
18 )
19+ self.assertEqual(f"Basic {token}", request.headers["Authorization"])
20diff --git a/lpbuildd/util.py b/lpbuildd/util.py
21index 664f92b..b09b33f 100644
22--- a/lpbuildd/util.py
23+++ b/lpbuildd/util.py
24@@ -1,6 +1,7 @@
25 # Copyright 2015-2017 Canonical Ltd. This software is licensed under the
26 # GNU Affero General Public License version 3 (see the file LICENSE).
27
28+import base64
29 import os
30 import subprocess
31 import sys
32@@ -81,21 +82,25 @@ def revoke_proxy_token(
33 authentication to revoke its token.
34
35 If using the fetch service:
36- The call to revoke a token does not require authentication.
37+ The proxy_url for the Fetch Service has the following format:
38+ http://{session_id}:{token}@{host}:{port}
39
40- XXX ines-almeida 2024-04-15: this might change depending on
41- conversations about fetch service authentication. We might decide to
42- instead use the token itself as the authentication.
43+ We use the token from the proxy_url for authentication to revoke
44+ elself.
45
46 :raises RevokeProxyTokenError: if attempting to revoke the token failed.
47 """
48 url = urlparse(proxy_url)
49
50- auth = None
51 if not use_fetch_service:
52- auth = (url.username, url.password)
53+ auth_string = f"{url.username}:{url.password}"
54+ token = base64.b64encode(auth_string.encode()).decode()
55+ else:
56+ token = url.password
57+
58+ headers = {"Authorization": f"Basic {token}"}
59
60 try:
61- requests.delete(revocation_endpoint, auth=auth, timeout=15)
62+ requests.delete(revocation_endpoint, headers=headers, timeout=15)
63 except requests.RequestException as e:
64 raise RevokeProxyTokenError(url.username, e)

Subscribers

People subscribed via source and target branches