Merge lp:~thomir-deactivatedaccount/canonical-identity-provider/trunk-add-gpg-key-management into lp:canonical-identity-provider/release

I've made a number of changes. A re-review would be much appreciated.

Bunch of things which we chatted about below, +1 with those changes, but we'll probably need to go over the form things.

I've made the changes we discussed, with the exception of talking to the front-end design folk about the style review. I think we can leave this until we have the whole workflow implemented?

Cheers,

Thanks Thomi. +1 with a few comments below. Land when ready :)

Hello Michael, Thommy,

I was a little bit surprised with the adding of testtools' TestCase and testtools.matchers to these tests. I understand the difference in using matchers vs standard TestCase assertion methods, and leaving aside the discussion whether is something we want or not, I would like us to talk about adding them to SSO or any other existing big project.

SSO is a large project with a lot of code, and in many past conversations the OLS team have agreed that given the amount of people working in every project, and given the importance of being able to switch between projects easily and fast, one of the things we value the most is consistency (on top of things that may be a nice to have in other contexts).

Starting using testtools for our unit tests is something that breaks consistency, and wasn't agreed at team level in advanced. The testtools dependency was there only for the acceptance tests.

Even more, using multiple inheritance on different base TestCases is something that has been proven to be a complete disaster in the mid term, we suffered from this in the Ubuntu One code where we had the Twisted TestCase, the Django TestCase, and the testtools TestCase as multiple base test cases. All the benefits a particular TestCase can give, are lost and become a burden when combining more than one as base classes.

For our Django projects, the OLS decision was to use the Django TestCase with a few extra, custom helpers defined. After a quick look, most matchers usage can be replaced with perfectly valid assertion from the Django TestCase:

self.assertThat(keys, HasLength(1))
self.assertThat(resp.content.decode('utf8'), Not(Contains('GPG Keys')))
self.assertThat(resp.status_code, Equals(200))

self.assertEqual(len(keys), 1)
self.assertEqual(resp.status_code, 200)
self.assertNotContains(resp, 'GPG Keys')

(note that the usage of assertContains/assertNotContains will also be clever about decoding the reponse, grabbing the text content, etc, something that otherwise is being made by hand and is a more error prone).

For other more complex matchers, like these:

self.assertThat(email, EmailContainsPGPBlock())
self.assertThat(keys[0]['fingerprint'], FingerprintEquals(encryption_fingerprint))

the existing methodology is to create custom assert helpers that isolate the specific logic needed for each case:

def assert_gpg_block_in_email(self, email)
def assert_fingerprint_encryption_in keys(self, keys)

In summary, I would kindly ask you to maintain consistency in line within the existing project, or at least bring this issue to the whole OLS team and reach consensus and have a migration plan before landing this to trunk.

Thank you.

On Wed, Apr 20, 2016 at 11:39 PM Natalia Bidart <
<email address hidden>> wrote:

> Review: Needs Fixing
>
> Hello Michael, Thommy,
>

Hi Natalia,

>
> I was a little bit surprised with the adding of testtools' TestCase and
> testtools.matchers to these tests. I understand the difference in using
> matchers vs standard TestCase assertion methods, and leaving aside the
> discussion whether is something we want or not, I would like us to talk
> about adding them to SSO or any other existing big project.
>

I had assumed that using testtools here would be a non-issue given that it
was already a dependency of the project - that's my fault if anyone's. And
yes, we're happy to bring that up on the list, and not use testtools here
if that's better for the team - but note, this wasn't about using
testtools.matchers but rather avoiding adding more tech-debt in SSO when
testing the SSO<->GPGService interactions.

>
> SSO is a large project with a lot of code, and in many past conversations
> the OLS team have agreed that given the amount of people working in every
> project, and given the importance of being able to switch between projects
> easily and fast, one of the things we value the most is consistency (on top
> of things that may be a nice to have in other contexts).
>

+100 for consistency - I'd not seen this as breaking consistency at all.
Perhaps a silly example, but if you grep the current SSO codebase for
"assertEqual.*True" and "assertTrue" you'll see that there are many tests
using:

assertEqual(result, True)

and many others using:

assertTrue(result)

 - which is fine, I've never felt the need to make those consistent because
they read well and have clear intent, as does assertThat(result, Is(True))
. There are obviously lots of other benefits to testtools matchers, but I
don't want to derail the main point here, rather just highlight why I
didn't see this as a consistency issue at all.

It was not because of matchers that we started using the existing testtools
dependency here...

>
> Starting using testtools for our unit tests is something that breaks
> consistency, and wasn't agreed at team level in advanced.

As above, I'd not even thought of the use of matchers as a consistency
issue but am happy to accept that it is for some people, so that's
completely my fault for not recognising it as such and bringing that up
with the wider team. We'll do that, and remove the use of matchers if
that's the consensus - that's not an issue nor the reason we used testtools
here...

> The testtools dependency was there only for the acceptance tests.
>
> Even more, using multiple inheritance on different base TestCases is
> something that has been proven to be a complete disaster in the mid term,
> we suffered from this in the Ubuntu One code where we had the Twisted
> TestCase, the Django TestCase, and the testtools TestCase as multiple base
> test cases. All the benefits a particular TestCase can give, are lost and
> become a burden when combining more than one as base classes.
>

The only issue with test inheritance that I'm aware of and totally agree
with the issue, is when individual tests are re-used via inheritance of
test-cases ...

Hi Natalia,

I've removed the use of testtools matchers and assertThat statements. I no longer derive from testtools.TestCase, and I've re-implemented a less powerful version of testtools' useFixture (see use_fixture function) so we can get the benefits of testing against a real gpgservice without worsening the learning curve for new engineers.

Could you please re-review, if you have the time?

Thanks for the re-work. Added some comments, hopefully you could map some of the comments to match all recurrences of the same type (such as the docstring formatting, the self.client usage, the line wrapping for lists, dicts and import parenthesis, etc).

I was also wondering if there may be any chance you could extract the 2fa login decorator work into a pre-requisite MP to ease the review and landing process. This way you could also add the missing test case for this new decorator.

Lastly, note that src/webui already has decorators module, so I would suggest moving the new one there.

Hi Natalia,

I've checked off most of the items from your review, and commented where I think there's room for discussion.

I haven't gotten to separate out the new twofactor decorator into a separate branch. I probably won't get a chance to finish that before the end of my day. Perhaps you'd be willing to re-review this branch on the understanding that I'm working on that separate branch?

Thanks,

Re-reviewed. One nitpick I missed before is that we try to name all the testcases with the pattern

FooBarTestCase

(ie always use the TestCase prefix instead of Tests).

Thanks!

I've made the changes you asked for, with one main exception. I've added diff comments where appropriate to explain my rationale.

Cheers,

Hi Thomi, thanks for your changes. I will be reviewing them shortly.

Just wanted to share that my review process is iterative, particularly with branches this big, is very hard for me to pay the same level attention to all lines when there is so much to read.

If it helps, let me share how my review process works: first, I made a first quick pass correcting everything that is code style and try to pin point any important issues that may need early discussion (like the testtools multiple inheritance and matchers usage).

Once that's resolved, I do another pass more focused on the logic, where the code style issues are no longer a distraction and I can devote my whole attention to the content and semantics of the code.

Once that's completed, I focus on the tests, to ensure nothing has been left out once the logic is settled.

(a natural consequence is that when SSO-and-friend-projects code style and tools are unified, reviews happen faster, because usually there is no roundtrip required between phases 1 and 2)

I understand this can be a painful process (particularly in our case) because the timezone difference, so I will try to do my best on merging all the passes into the less amount possible (but this requires extra time and effort). For future reference, the process can also be speed up if the changes would be split in smaller, self-contained branches.

Thank you for your patience and understanding.

Added minimal replies to try not to add confusion to the inline threads. Will branch now and test IRL and try to focus on logic and tests. Will add another general comment with my findings.

Another trivial thing to fix while I review is the lint errors resulting from running "make lint".

Just made it to the forms.py changes, but will try to complete this later today.

== Needs information ==

* Do we really need fingerprint = models.TextField(null=True, blank=True) to
allow null=True? In Django, is generally discouraged to use both null=True and
blank=True for char/text field, for documentation please see:

https://docs.djangoproject.com/en/1.9/ref/models/fields/#null

If this is because the need of not setting the default '' in every existing row,
is fine, but we really need to be aware that the code will need to handle
fingerprint being None or '' for the "not set" case.

== Needs fixing ==

* The strings in the send_gpg_validation_message should be marked for
translation (salutation, closing).

* validation_phrase has a non compliant with pep-257 docstring, and the phrase
returned in validation_phrase is not marked for translation.

* validation_phrase does not have tests that I could find, would you please add
some if that is the case?

* src/identityprovider/templates/email/gpg-cleartext-instructions.txt should
mark the blocks for translation. This should be checked for all user-facing
strings added in this branch (see also strings in src/webui/forms.py).

* help_text=mark_safe in ClaimOpenPGPKeyForm should use the to-be-added lazy
version in combination with string translation for the user facing message.

== The following may needs fixing but needs confirmation from Ricardo ==

* The current sso code base is deployed so it will serve under 2 prod domains:

login.ubuntu.com
login.launchpad.net

Is my understanding that the setting SSO_ROOT_URL will not return the correct
base url in all cases, so last time I checked, we really need to build absolute
urls using request.build_absolute_uri(path).

If my suspicions are correct, we need to move this method out from the Account
models to a view layer, so we can pass and use the request (we should never pass
a request to the models layer). So in this to-confirm scenario the helper could
live in src/webui/accounts.py module and look something like this:

    def get_openid_identity_url_for_user(request):
        """Get the full openid identity url for the logged in user."""
        return request.build_absolute_uri(request.user.get_absolute_url())

== Desired but optional ==

* The method validation_phrase added inside the AuthToken model feels like it
does not belong there because is just building a specific user-facing string,
and IMHO it has nothing to do with the model's business logic. In my opinion,
validation_phrase is really a helper method from VerifySignedTextForm, so the
context can be constructed with:

'validation_phrase': form.validation_phrase(atrequest)

* We usually name settings that point to other services with the pattern:
SERVICE_NAME_URL instead of SERVICE_NAME_ENDPOINT. So perhaps is worth
considering GPG_SERVICE_URL.

* I'm a little nervous about the asserts this branch adds to production code.
I really like we are being strict on preconditions, but my worry is that if for
some unexpected reason we fail the precondition, we are exploding in the user
face instead of doing something nicer. Anyways, given that we can catch this
soon if we keep a close ey...

> * Do we really need fingerprint = models.TextField(null=True, blank=True) to
> allow null=True? In Django, is generally discouraged to use both null=True and
> blank=True for char/text field, for documentation please see:
>
> https://docs.djangoproject.com/en/1.9/ref/models/fields/#null
>
> If this is because the need of not setting the default '' in every existing
> row,
> is fine, but we really need to be aware that the code will need to handle
> fingerprint being None or '' for the "not set" case.

I just copied all the other text-based fields in that model. I've changed it now to just have 'blank=True'.

> * The strings in the send_gpg_validation_message should be marked for
> translation (salutation, closing).

Fixed - thanks.

> * validation_phrase has a non compliant with pep-257 docstring, and the phrase
> returned in validation_phrase is not marked for translation.

I've fixed the docstring. The validation phrase wasn't marked for translation because I was worried that translating the string might break the validation workflow. I *think* it should be OK, but we need to be careful about security here: I'm not sure what controls we have over who can translate strings, who reviews translated strings etc. I need to think about this point some more. I'll talk to wgrant who may have some suggestions here.

> * validation_phrase does not have tests that I could find, would you please
> add
> some if that is the case?

Done.

> * src/identityprovider/templates/email/gpg-cleartext-instructions.txt should
> mark the blocks for translation. This should be checked for all user-facing
> strings added in this branch (see also strings in src/webui/forms.py).

Done, I think.

> * help_text=mark_safe in ClaimOpenPGPKeyForm should use the to-be-added lazy
> version in combination with string translation for the user facing message.

Done.

>
> == The following may needs fixing but needs confirmation from Ricardo ==
>
> * The current sso code base is deployed so it will serve under 2 prod domains:
>
> login.ubuntu.com
> login.launchpad.net
>
> Is my understanding that the setting SSO_ROOT_URL will not return the correct
> base url in all cases, so last time I checked, we really need to build
> absolute
> urls using request.build_absolute_uri(path).
>

I'm happy to make this change, and the one below (move validation phrase into the form) if this turns out to be correct. The important thing here is that this *always* returns the same URL. If someone comes via login.launchpad.net, this should *always* return 'login.ubuntu.com', regardless of the URL the user is visiting.

Given the above, please let me know which is more correct: settings.SSO_ROOT_URL or request.build_absolute_uri(...).

>
> == Desired but optional ==
>
> * The method validation_phrase added inside the AuthToken model feels like it
> does not belong there because is just building a specific user-facing string,
> and IMHO it has nothing to do with the model's business logic. In my opinion,
> validation_phrase is really a helper method from VerifySignedTextForm, so the
> context can be constructed with:
>
> 'validation_phrase': form.validation_phrase(atrequest)

As above, hap...

Adding a second batch of comments:

== Needs fixing ==

* The usual pattern in Django for managing forms is having the action being
represented by the form submission button from the template, and not by adding a
hidden field to the form class. If multiple actions are needed, many submit
buttons with different names are usually defined in the template. If you haven't
yet, I would advice reading:

https://docs.djangoproject.com/en/1.9/topics/forms/

So for the particular case of ClaimOpenPGPKeyForm, the class could be something
among these lines:

FINGERPRINT_CODE_EXAMPLE = (
    '<code>27E0 7815 B47C 0397 90D5&nbsp;&nbsp;8589 27D9 A27B F3F9 6058</code>'
)

class ClaimOpenPGPKeyForm(forms.Form):

    """A form to validate the claiming of an OpenPGP key."""

    fingerprint = forms.CharField(
        help_text=mark_lazy_safe(
            _("For example: ") + FINGERPRINT_CODE_EXAMPLE),
        error_messages={'required': gpg_messages.bad_fingerprint_format()},
    )

    def clean_fingerprint(self):
        # ...
        return sane_fingerprint

And the template should look something like this:

  <form name="gpg_actions" action="" method="POST">
    {% csrf_token %}
    {{ claim_form }}
    <input class="cta" type="submit" name="claim_gpg" value="{% 'Import Key' %}"/>
  </form>

And in the view just remove the code to check the action in the POST dict, given
the form submission itself represents the single available action. If you feel
strong about checking the action name, you still could do (but this is uncommon
in Django views when a single action can be POSTed):

    if request.method == 'POST' and 'claim_gpg' in request.POST:
        form = ...

* I've found more user facing strings missing translations, I trust you will
review all the new code to fix this? (label='Clearsigned Text', <p> block in
gpg_keys.html, etc).

* There are no tests that I could find for the newly added src/webui/forms.py
and its forms. We should add a src/webui/tests/test_forms.py with proper tests
for the fields and custom clean logic.
It may be worth splitting the adding of the form file and its tests into a new branch, it will
certainly help the review process (and this would also include the new GPG service dependencies, and perhaps the new fixture usage).

== Nice to have ==

* Generally, in Django views, after successful POST processing, when redirecting
the user to the succes URL the UI should also show a success message so the user
gets confirmation that all went well. See for example the account_edit view.

* I know that all views in account.py use render_to_response, so I can certainly
understand why you choose to use the same helper to maintain compatibility. But
we have tried to migrate as we go to the new render() helper which is the
recommended function to use, given render_to_response will be deprecated soon:

https://docs.djangoproject.com/en/1.9/topics/http/shortcuts/#render-to-response

So I think it can be a good idea to use render in the gpg new view instead of
render_to_response. In the same nitpick category, is a bit more friendly to
django developers that the dict context variable is called 'context' instead of
template_vars.

Just a note about translating the validation phrase: After talking to William about this, there are valid security concerns about not making this translatable.

An attacker could, for example, submit a translation that happened to match some signed text they'd received (in an email, perhaps) from a key they want to claim as their own.

I'd hope that we have something like reviews of translation messages, but I can easily imagine how such a change might get lost in the noise.

We might want to translate this in the future, but we should think very carefully about how we do this in a safe, secure manner.

Hi Natalia,

You're absolutely correct - this would be a lot easier for both of us if the diff was smaller. I think we should put this MP on hold for now (I won't delete it, so your current work isn't wasted, I'll look at your comments). Instead, I'll start preparing a series of much smaller branches for your review.

The first such branch is here:

https://code.launchpad.net/~thomir/canonical-identity-provider/trunk-add-mark-safe-lazy/+merge/293195

Sorry about that. I think this is the best way forwards though. I look forward to your review on these new, smaller, branches.

...and a second MP here:

https://code.launchpad.net/~thomir/canonical-identity-provider/trunk-add-gpgservice-test-fixture/+merge/293196

> Hi Natalia,
>
> You're absolutely correct - this would be a lot easier for both of us if the
> diff was smaller. I think we should put this MP on hold for now (I won't
> delete it, so your current work isn't wasted, I'll look at your comments).
> Instead, I'll start preparing a series of much smaller branches for your
> review.

I very much agree and appreciate this extra effort. Thank you.