Merge lp:~twom/canonical-identity-provider/unexpiring-discharge-macaroon into lp:canonical-identity-provider/release
Proposed by Tom Wardill on 2018-11-23
Status: | Merged |
---|---|
Approved by: | Tom Wardill on 2019-01-14 |
Approved revision: | 1673 |
Merge reported by: | Otto Co-Pilot |
Merged at revision: | not available |
Proposed branch: | lp:~twom/canonical-identity-provider/unexpiring-discharge-macaroon |
Merge into: | lp:canonical-identity-provider/release |
Diff against target: | 225 lines (+95/-55), 3 files modified: django_project/settings_base.py (+0/-1), src/identityprovider/auth.py (+4/-5), src/identityprovider/tests/test_auth.py (+91/-49) |
To merge this branch: | bzr merge lp:~twom/canonical-identity-provider/unexpiring-discharge-macaroon |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Colin Watson | | 2018-11-23 | Approve on 2018-11-28 |
Commit message
Remove the expiry caveat from the discharge macaroon.
Description of the change
Expiry is now handled by the root macaroons of snapauth and SCA, so remove it from SSO. This allows the other services to control their own expiry.
Colin Watson (cjwatson) wrote:
Oh, and please make sure that MacaroonRefresh
lp:~twom/canonical-identity-provider/unexpiring-discharge-macaroon updated on 2019-01-14
- 1670. By Tom Wardill on 2018-11-29: Merge trunk
- 1671. By Tom Wardill on 2018-11-29: Add tests for having an optional expiry caveat
- 1672. By Tom Wardill on 2018-11-29: Remove old comment
- 1673. By Tom Wardill on 2019-01-14: Merge with latest trunk
I think you should also replace the 'expires' tests in BuildMacaroonFromRootDischargeTestCase.test_proper_discharging and BuildMacaroonDischargeTestCase.test_proper_discharging with tests that the 'expires' caveat is absent (perhaps just "return False" in the checker function if you encounter one of those). When you've done that, it should also be possible to remove MACAROON_TTL from django_project/settings_base.py.
This can't be landed until the corresponding SCA and snapauth changes are on production, and I'd suggest waiting a week or two after that for safety.
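The checker idea from the review above (fail verification whenever a discharge carries an 'expires' caveat), shown as an added example that is not code from this branch or from the identity provider. It uses a toy HMAC-chained macaroon from the standard library rather than a real macaroon library, and the service name, the `service|name|value` caveat layout, the `account` caveat and the key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed for this sketch: service name and "<service>|<name>|<value>" layout.
SERVICE = "sso.example"
KEY = b"constructed-discharge-key"


def _mac(key: bytes, data: str) -> bytes:
    return hmac.new(key, data.encode(), hashlib.sha256).digest()


def mint(key: bytes, identifier: str, caveats):
    """Build a toy macaroon: an HMAC chain over the identifier and each caveat."""
    sig = _mac(key, identifier)
    for caveat in caveats:
        sig = _mac(sig, caveat)
    return {"identifier": identifier, "caveats": list(caveats), "signature": sig}


def check_discharge_caveat(caveat: str) -> bool:
    """First-party checker for the discharge; an 'expires' caveat is a failure."""
    service, _, rest = caveat.partition("|")
    name, _, value = rest.partition("|")
    if service != SERVICE:
        return False
    if name == "expires":
        return False  # expiry now belongs to the root macaroon, not the discharge
    if name == "account":
        return bool(value)
    return False  # unknown caveats fail closed


def verify(macaroon, key: bytes, checker) -> bool:
    """Recompute the HMAC chain and require every caveat to satisfy the checker."""
    sig = _mac(key, macaroon["identifier"])
    for caveat in macaroon["caveats"]:
        if not checker(caveat):
            return False
        sig = _mac(sig, caveat)
    return hmac.compare_digest(sig, macaroon["signature"])


# Constructed sample discharges: one as issued after this change, one in the old shape.
without_expiry = mint(KEY, "discharge-1", [f"{SERVICE}|account|alice"])
with_expiry = mint(KEY, "discharge-1", [f"{SERVICE}|account|alice",
                                        f"{SERVICE}|expires|2018-12-01T00:00:00"])
```
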