snapstore-client

Merge ~twom/snapstore-client:add-upload-authentication into snapstore-client:master

Proposed by Tom Wardill on 2019-03-21

Status:	Merged
Approved by:	Tom Wardill on 2019-06-24
Approved revision:	00476d8bc59f05203b169e8793855c1731a67ad1
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	~twom/snapstore-client:add-upload-authentication
Merge into:	snapstore-client:master
Diff against target:	1255 lines (+947/-45) 12 files modified README (+23/-0) snapstore (+36/-0) snapstore_client/logic/login.py (+7/-0) snapstore_client/logic/overrides.py (+27/-32) snapstore_client/logic/push.py (+306/-0) snapstore_client/logic/tests/test-snap-assert.assert (+101/-0) snapstore_client/logic/tests/test-snap-map.json (+73/-0) snapstore_client/logic/tests/test_login.py (+3/-1) snapstore_client/logic/tests/test_overrides.py (+152/-8) snapstore_client/logic/tests/test_push.py (+169/-0) snapstore_client/utils.py (+26/-0) snapstore_client/webservices.py (+24/-4)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Tony Simpson (community)		2019-03-21	Approve on 2019-06-23
Review via email: mp+364917@code.launchpad.net

Commit message

Add control and upload for an offline proxy

Description of the change

Offline proxies can't issue or validate macaroons, so use HTTP Basic Auth.
Also add uploading of snaps via downloaded .snap, .assert and channel map metadata. This code mostly ported from the cli of the snap-store-proxy.

Relies on the upload-snap-to-cache branch of snapstore-snap

Revision history for this message

Adam Collard (adam-collard) on 2019-04-18:

~twom/snapstore-client:add-upload-authentication updated on 2019-04-18

12c75da... by Tom Wardill on 2019-04-18: Use env password as default
dd76e1e... by Tom Wardill on 2019-04-18: Lint error

Revision history for this message

Tom Wardill (twom) on 2019-04-18:

~twom/snapstore-client:add-upload-authentication updated on 2019-06-21

0d85442... by Tom Wardill on 2019-06-19: Add basic README instructions
935fb22... by Tom Wardill on 2019-06-21: Rename upload to push
00476d8... by Tom Wardill on 2019-06-21: Extract a tar file before upload

Revision history for this message

Tony Simpson (tonysimpson) wrote on 2019-06-23:

Looks good to me.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

SIAB

Tom Wardill

 diff --git a/README b/README
 index 6171594..ab1584e 100644
 --- a/README
 +++ b/README
@@ -6,3 +6,26 @@ This repo contains a client to adminster a snapstore.
  After authenticating with a snapstore the administrator can:
    - manage revision overrides
++
++Building
++--------
++
++You may wish to perform these installations inside a LXD container.
++
++Install the dependencies::
++
++  cat dependencies | xargs sudo apt install -y
++
++Create the environment
++----------------------
++
++Use the Makefile::
++
++  make bootstrap
++
++Running for development
++-----------------------
++
++The virtualenv environment is setup in /tmp::
++
++  /tmp/snapstore-client.tmp/env/bin/python snapstore
 diff --git a/snapstore b/snapstore
 index a21a8a1..cd67b71 100755
 --- a/snapstore
 +++ b/snapstore
@@ -7,6 +7,7 @@
  import argparse
  import logging
++import os
  import sys
  from snapstore_client.cli import configure_logging
@@ -16,6 +17,7 @@ from snapstore_client.logic.overrides import (
      list_overrides,
      override,
+ )
++from snapstore_client.logic.push import push_snap
  DEFAULT_SSO_URL = 'https://login.ubuntu.com/'
@@ -44,6 +46,8 @@ def parse_args():
      login_parser.add_argument('email', help='Ubuntu One SSO email', nargs='?')
      login_parser.add_argument('--sso-url', help='Ubuntu One SSO URL',
                                default=DEFAULT_SSO_URL)
++    login_parser.add_argument('--offline', help="Use offline mode interaction",
++                              action='store_true')
      login_parser.set_defaults(func=login)
      list_overrides_parser = subparsers.add_parser(
@@ -55,6 +59,11 @@ def parse_args():
      list_overrides_parser.add_argument(
          'snap_name',
          help='The name of the snap whose channel map should be listed.')
++    list_overrides_parser.add_argument(
++        '--password',
++        help='Password for interacting with an offline proxy',
++        default=os.environ.get('SNAP_PROXY_PASSWORD')
++    )
      list_overrides_parser.set_defaults(func=list_overrides)
      override_parser = subparsers.add_parser(
@@ -69,6 +78,11 @@ def parse_args():
      override_parser.add_argument(
          'channel_map_entries', nargs='+', metavar='channel_map_entry',
          help='A channel map override, in the form <channel>=<revision>.')
++    override_parser.add_argument(
++        '--password',
++        help='Password for interacting with an offline proxy',
++        default=os.environ.get('SNAP_PROXY_PASSWORD')
++    )
      override_parser.set_defaults(func=override)
      delete_override_parser = subparsers.add_parser(
@@ -83,8 +97,30 @@ def parse_args():
      delete_override_parser.add_argument(
          'channels', nargs='+', metavar='channel',
          help='A channel whose overrides should be deleted.')
++    delete_override_parser.add_argument(
++        '--password',
++        help='Password for interacting with an offline proxy',
++        default=os.environ.get('SNAP_PROXY_PASSWORD')
++    )
      delete_override_parser.set_defaults(func=delete_override)
++    push_snap_parser = subparsers.add_parser(
++        'push-snap', help='push a snap to an offline proxy')
++    push_snap_parser.add_argument(
++        'snap_tar_file',
++        help='The .tar.gz file of a bundled downloaded snap')
++    push_snap_parser.add_argument(
++        '--push-channel-map',
++        action='store_true',
++        help="Force push of the channel map,"
++             " removing any existing overrides")
++    push_snap_parser.add_argument(
++        '--password',
++        help='Password for interacting with an offline proxy',
++        default=os.environ.get('SNAP_PROXY_PASSWORD')
++    )
++    push_snap_parser.set_defaults(func=push_snap)
++
      if len(sys.argv) == 1:
          # Display help if no arguments are provided.
          parser.print_help()
 diff --git a/snapstore_client/logic/login.py b/snapstore_client/logic/login.py
 index 7d3a313..9550988 100644
 --- a/snapstore_client/logic/login.py
 +++ b/snapstore_client/logic/login.py
@@ -31,6 +31,13 @@ def login(args):
      gw_url = args.store_url
      sso_url = args.sso_url
++    if args.offline:
++        cfg = config.Config()
++        store = cfg.store_section('default')
++        store.set('gw_url', gw_url)
++        cfg.save()
++        return
++
      logger.info('Enter your Ubuntu One SSO credentials.')
      email = args.email
      if not email:
 diff --git a/snapstore_client/logic/overrides.py b/snapstore_client/logic/overrides.py
 index 667bd0a..d3c8356 100644
 --- a/snapstore_client/logic/overrides.py
 +++ b/snapstore_client/logic/overrides.py
@@ -13,34 +13,16 @@ from snapstore_client.presentation_helpers import (
      channel_map_string_to_tuple,
      override_to_string,
+ )
++from snapstore_client.utils import (
++    _check_default_store,
++    _log_authorized_error,
++    _log_credentials_error,
++)
  logger = logging.getLogger(__name__)
--def _log_credentials_error(e):
--    logger.error('%s', e)
--    logger.error('Try to "snap-store-proxy-client login" again.')
--
--
--def _log_authorized_error():
--    logger.error(("Perhaps you have not been registered as an "
--                  "admin with the proxy."))
--    logger.error("Try 'snap-proxy add-admin' on the proxy host.")
--
--
--def _check_default_store(cfg):
--    """Load the default store from the config."""
--    store = cfg.store_section('default')
--    # If the gw URL is configured then everything else should be too.
--    if not store.get('gw_url'):
--        logger.error(
--            'No store configuration found. '
--            'Have you run "snap-store-proxy-client login"?')
--        return None
--    return store
--
--
  def list_overrides(args):
      cfg = config.Config()
      store = _check_default_store(cfg)
@@ -48,9 +30,14 @@ def list_overrides(args):
          return 1
      try:
--        response = ws.refresh_if_necessary(
--            store, ws.get_overrides,
--            store, args.snap_name, series=args.series)
++        if args.password:
++            response = ws.get_overrides(
++                store, args.snap_name,
++                series=args.series, password=args.password)
++        else:
++            response = ws.refresh_if_necessary(
++                store, ws.get_overrides,
++                store, args.snap_name, series=args.series)
      except exceptions.InvalidCredentials as e:
          _log_credentials_error(e)
          return 1
@@ -77,9 +64,13 @@ def override(args):
              'series': args.series,
          })
      try:
--        response = ws.refresh_if_necessary(
--            store, ws.set_overrides,
--            store, overrides)
++        if args.password:
++            response = ws.set_overrides(
++                store, overrides, password=args.password)
++        else:
++            response = ws.refresh_if_necessary(
++                store, ws.set_overrides,
++                store, overrides)
      except exceptions.InvalidCredentials as e:
          _log_credentials_error(e)
          return 1
@@ -105,9 +96,13 @@ def delete_override(args):
              'series': args.series,
          })
      try:
--        response = ws.refresh_if_necessary(
--            store, ws.set_overrides,
--            store, overrides)
++        if args.password:
++            response = ws.set_overrides(
++                store, overrides, password=args.password)
++        else:
++            response = ws.refresh_if_necessary(
++                store, ws.set_overrides,
++                store, overrides)
      except exceptions.InvalidCredentials as e:
          _log_credentials_error(e)
          return 1
 diff --git a/snapstore_client/logic/push.py b/snapstore_client/logic/push.py
 new file mode 100644
 index 0000000..abd06e8
 --- /dev/null
 +++ b/snapstore_client/logic/push.py
@@ -0,0 +1,306 @@
++import json
++import logging
++from pathlib import Path
++import tarfile
++import tempfile
++from urllib.parse import urlsplit, urlunsplit
++
++import requests
++from requests.exceptions import HTTPError
++
++from snapstore_client import (
++    config,
++    exceptions,
++)
++from snapstore_client.utils import (
++    _check_default_store,
++    _log_authorized_error,
++    _log_credentials_error,
++)
++
++logger = logging.getLogger(__name__)
++
++
++# XXX twom 2019-03-19 hardcoded for now, awaiting RBAC integration
++USERNAME = 'admin'
++
++
++class pushException(Exception):
++    pass
++
++
++class ChannelMapExistsException(Exception):
++    pass
++
++
++def _push_ident(store, password, downloaded_map):
++    """push the snap details to snapident"""
++
++    snap_id = downloaded_map['snap-id']
++    snap_details = downloaded_map['snap']
++    push_details = {
++        'snap_id': snap_id,
++        'snap_name': snap_details['name'],
++        'private': False,  # If you're pushing to your own proxy
++        'stores': ['ubuntu'],  # ditto
++        'blob': snap_details,
++        'publisher_id': snap_details['publisher']['id'],
++        'publisher_name': snap_details['publisher']['display-name'],
++        'publisher_title': snap_details['publisher']['username'],
++        'publisher_validation': snap_details['publisher']['validation'],
++        'license': snap_details['license'],
++        'prices': snap_details['prices'],
++        'summary': snap_details['summary'],
++        'title': snap_details['title'],
++    }
++
++    url = store.get('gw_url')
++
++    response = requests.post(
++        url + '/snaps/update',
++        json={'snaps': [push_details]},
++        auth=requests.auth.HTTPBasicAuth(USERNAME, password)
++    )
++    if response.status_code != 200:
++        raise pushException(
++            "Failure in pushing to snapident: {}".format(
++                response.content))
++
++
++def _push_revs(store, password, downloaded_map):
++    """push the revision information to snaprevs"""
++    store_url = store.get('gw_url')
++
++    snap_id = downloaded_map['snap-id']
++    for instance in downloaded_map['channel-map']:
++        # rewrite the download_url
++        download_url = instance['download']['url']
++
++        url = urlsplit(download_url)
++        fqdn = urlsplit(store_url)
++        # Rewrite scheme and location
++        download_url = urlunsplit(url._replace(scheme=fqdn[0], netloc=fqdn[1]))
++
++        # create the revision
++        rev = {
++            'snap_id': snap_id,
++            'revision': instance['revision'],
++            'version': instance['version'],
++            'confinement': instance['confinement'],
++            'architectures': instance['architectures'],
++            'created_at': instance['created-at'],
++            # This is required, but isn't available to retrieve from /info
++            'created_by': '',
++            'binary_path': download_url,
++            'binary_filesize': instance['download']['size'],
++            'binary_sha3_384': instance['download']['sha3-384'],
++            'snap_yaml': instance.get('snap-yaml', ''),
++            'epoch': instance['epoch'],
++            'type': instance['type'],
++            'base': instance['base'],
++            'common_ids': instance['common-ids'],
++        }
++        revs_response = requests.post(
++            store_url + '/revisions/create',
++            json=[rev],
++            auth=requests.auth.HTTPBasicAuth(USERNAME, password)
++        )
++        # 409 / Conflict - already exists
++        if revs_response.status_code not in [201, 409]:
++            raise pushException(
++                "Failure to push revisions to snaprevs: {}".format(
++                    revs_response.content))
++
++
++def _push_channelmap(store, password, downloaded_map, force_push=False):
++    """push the channel map to snaprevs"""
++    store_url = store.get('gw_url')
++
++    snap_id = downloaded_map['snap-id']
++
++    # Check if we have an existing channel map
++    existing = requests.post(
++        store_url + '/channelmaps/filter',
++        json={'filters': [{'series': '16', 'snap_id': snap_id}]},
++        auth=requests.auth.HTTPBasicAuth(USERNAME, password))
++    if existing.status_code != 200:
++        raise pushException("Error retrieving current channelmap")
++    if existing.json().get('channelmaps') and not force_push:
++        raise ChannelMapExistsException("Channel map already exists.")
++
++    for instance in downloaded_map['channel-map']:
++        if instance['channel']['track'] == 'latest':
++            track = None
++        else:
++            track = instance['channel']['track']
++        chan_map = {
++            # This is wrong, it should be the current developer id
++            # but the pusher might not be a developer
++            # XXX (twom): can we get this from upstream?
++            'developer_id': downloaded_map['snap']['publisher']['id'],
++            'release_requests': [
++                {
++                    'snap_id': snap_id,
++                    'channel': [
++                        track,
++                        instance['channel']['risk'],
++                        None,  # We can't deal in 'branch', it's not on the API
++                    ],
++                    'architecture': instance['channel']['architecture'],
++                    'series': '16',
++                    'revision': instance['revision']
++                }
++            ]
++        }
++        map_response = requests.post(
++            store_url + '/channelmaps/update',
++            json=chan_map,
++            auth=requests.auth.HTTPBasicAuth(USERNAME, password)
++        )
++        if map_response.status_code != 200:
++            raise pushException("Error pushing channel map")
++
++
++def _load_assertion_file(assert_path):
++    with open(str(assert_path)) as assert_file:
++        raw_contents = assert_file.read().splitlines()
++    return raw_contents
++
++
++def _split_assertions(raw_contents):
++    # split the file into separate asserts
++    available_asserts = []
++    current_assert = []
++    for line in raw_contents:
++        # if we've encountered a new assert, save the old one, start a new one
++        if line.startswith('type: ') and current_assert:
++            available_asserts.append(current_assert)
++            current_assert = []
++        current_assert.append(line)
++    # account for the last one in the file
++    available_asserts.append(current_assert)
++
++    # Because we've split the file, we've ended up with the newlines
++    # from between the concatenated asserts.
++    # Remove it from the ones that have it so they're clean to push
++    for assertion in available_asserts:
++        assertion[:] = assertion[:-1] if assertion[-1] == '' else assertion
++    return available_asserts
++
++
++def _add_assertion_to_service(store, password, list_assertions):
++    store_url = store.get('gw_url')
++
++    # push the split asserts
++    for assertion in list_assertions:
++        # get the type
++        assert_type = assertion[0].split('type: ')[1]
++        # ignore the account-key of canonical, it's already a trusted assert
++        # and will error on push
++        canonical_key = 'account-id: canonical'
++        if (assert_type == 'account-key' and canonical_key in assertion):
++            continue
++        if (assert_type == 'account' and canonical_key in assertion):
++            continue
++        response = requests.post(
++            store_url + '/v1/assertions',
++            '\n'.join(assertion),
++            headers={'Content-Type': 'application/x.ubuntu.assertion'},
++            auth=requests.auth.HTTPBasicAuth(USERNAME, password))
++        if response.status_code != 201:
++            raise pushException(
++                "Failed to push: {} - {}".format(
++                    response.status_code, response.content))
++
++
++def _push_assertions(store, password, assert_path):
++    """Split a .assert and push individual assertions to snapassert"""
++
++    # load the file
++    raw_contents = _load_assertion_file(assert_path)
++    # split the assert file into single assertions for push
++    current_asserts = _split_assertions(raw_contents)
++    # push the assertions to the internal snap-assertion-service
++    try:
++        _add_assertion_to_service(store, password, current_asserts)
++    except pushException:
++        raise pushException("Assertion file: {}".format(assert_path))
++
++
++def _push_file_to_nginx_cache(store, password, snap_path, snap_id, revision):
++    """Add the file to the nginx cache via the snapproxy service"""
++    store_url = store.get('gw_url')
++    target_filename = '{}_{}.snap'.format(snap_id, revision)
++    files = {target_filename: open(snap_path, 'rb')}
++    response = requests.post(
++        store_url + '/files/upload',
++        files=files,
++        auth=requests.auth.HTTPBasicAuth(USERNAME, password))
++    if response.status_code != 200:
++        print(response.status_code)
++        raise pushException("Failed to push file to proxy cache")
++
++
++def _push(store, tar_file, password, force_channel_map=False):
++    """
++    push a given .snap with matching .assert and .json
++    to an offline proxy
++    """
++    extract_dir = Path(tempfile.mkdtemp())
++    with tarfile.open(str(tar_file), 'r:gz') as tar:
++        tar.extractall(str(extract_dir))
++
++    json_file = extract_dir / 'channel-map.json'
++    json_path = Path(json_file)
++    if not json_path.exists():
++        logger.error("Snap information file not found at {}".format(json_path))
++        return
++
++    with json_path.open() as fh:
++        downloaded_map = json.load(fh)
++
++    _push_ident(store, password, downloaded_map)
++    _push_revs(store, password, downloaded_map)
++    try:
++        _push_channelmap(
++            store, password, downloaded_map, force_channel_map)
++    except ChannelMapExistsException as e:
++        logger.info(str(e))
++        logger.info(
++            "Not updating the channel map, either manage revisions using "
++            "`snap-proxy override` or try again with `--push-channel-map`")
++
++    for instance in downloaded_map['channel-map']:
++        snap_name = downloaded_map['snap']['name']
++        snap_file_name = '{}_{}.snap'.format(
++            snap_name, instance['revision'])
++        assert_file_name = '{}_{}.assert'.format(
++            snap_name, instance['revision'])
++        snap_path = str(json_path.parent / snap_file_name)
++        assert_path = str(json_path.parent / assert_file_name)
++        _push_file_to_nginx_cache(
++            store, password, snap_path,
++            downloaded_map['snap-id'], instance['revision'])
++        _push_assertions(store, password, assert_path)
++
++
++def push_snap(args):
++    cfg = config.Config()
++    store = _check_default_store(cfg)
++    if not store:
++        return 1
++
++    try:
++        if args.password:
++            _push(store, args.snap_tar_file,
++                  args.password, args.push_channel_map)
++        else:
++            logger.error(
++                "This command only works with a supplied password"
++                " and a proxy in offline mode")
++    except exceptions.InvalidCredentials as e:
++        _log_credentials_error(e)
++        return 1
++    except HTTPError:
++        _log_authorized_error()
++        return 1
 diff --git a/snapstore_client/logic/tests/test-snap-assert.assert b/snapstore_client/logic/tests/test-snap-assert.assert
 new file mode 100644
 index 0000000..b6b2ebd
 --- /dev/null
 +++ b/snapstore_client/logic/tests/test-snap-assert.assert
@@ -0,0 +1,101 @@
++type: account-key
++authority-id: canonical
++revision: 2
++public-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
++account-id: canonical
++name: store
++since: 2016-04-01T00:00:00.0Z
++body-length: 717
++sign-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk
++
++AcbBTQRWhcGAARAA0KKYYQWuHOrsFVi4p4l7ZzSvX7kLgJFFeFgOkzdWKBTHEnsMKjl5mefFe9ji
++qe8NlmJdfY7BenP7XeBtwKp700H/t9lLrZbpTNAPHXYxEWFJp5bPqIcJYBZ+29oLVLN1Tc5X482R
++vCiDqL8+pPYqBrK2fNlyPlNNSum9wI70rDDL4r6FVvr+osTnGejibdV8JphWX+lrSQDnRSdM8KJi
++UM43vTgLGTi9W54oRhsA2OFexRfRksTrnqGoonCjqX5wO3OFSaMDzMsO2MJ/hPfLgDqw53qjzuKL
++Iec9OL3k5basvu2cj5u9tKwVFDsCKK2GbKUsWWpx2KTpOifmhmiAbzkTHbH9KaoMS7p0kJwhTQGA
++o9aJ9VMTWHJc/NCBx7eu451u6d46sBPCXS/OMUh2766fQmoRtO1OwCTxsRKG2kkjbMn54UdFULl9
++VfzvyghMNRKIezsEkmM8wueTqGUGZWa6CEZqZKwhe/PROxOPYzqtDH18XZknbU1n5lNb7vNfem9F
++2ai+3+JyFnW9UhfvpVF7gzAgdyCqNli4C6BIN43uwoS8HkykocZS/+Gv52aUQ/NZ8BKOHLw+7ant
++Q0o8W9ltSLZbEMxFIPSN0stiZlkXAp6DLyvh1Y4wXSynDjUondTpej2fSvSlCz/W5v5V7qA4nIcG
++vUvV7RjVzv17ut0AEQEAAQ==
++
++AcLDXAQAAQoABgUCV83k9QAKCRDUpVvql9g3IBT8IACKZ7XpiBZ3W4lqbPssY6On81WmxQLtvsMV
++WTp6zZpl/wWOSt2vMNUk9pvcmrNq1jG9CuhDfWFLGXEjcrrmVkN3YuCOajMSPFCGrxsIBLSRt/bP
++nrKykdLAAzMfG8rP1d82bjFFiIieE+urQ0Kcv09Jtdvavq3JT1Tek5mFyyfhHNlQEKOzWqmRWiLg
++3c3VOZUs1ZD8TSlnuq/x+5T0X0YtOyGjSlVxk7UybbyMNd6MZfNaMpIG4x+mxD3KHFtBAC7O6kLe
++eX3i6j5nCY5UABfA3DZEAkWP4zlmdBEOvZ9t293NaDdOpzsUHRkoi0Zez/9BHQ/kwx/uNc2WqrYm
++inCmu16JGNeXqsyinnLl7Ghn2RwhvDMlLxF6RTx8xdx1yk6p3PBTwhZMUvuZGjUtN/AG8BmVJQ19
++rsGSRkkSywvnhVJRB2sudnrMBmNS2goJbzSbmJnOlBrd2WsV0T9SgNMWZBiov3LvU4o2SmAb6b+k
++rYwh8H5QHcuuYJuxDjFhPswIp6Wes5T6hUicf3SWtObcDS4HSkVS4ImBjjX9YgCuFy7QdnooOWEY
++aPvkRw3XCVeYq0K6w9GRsk1YFErD4XmXXZjDYY650MX9v42Sz5MmphHV8jdIY5ssbadwFSe2rCQI
++6UX08zy7RsIb19hTndE6ncvSNDChUR9eEnCm73eYaWTWTnq1cxdVP/s52r8uss++OYOkPWqh5nOu
++haRn7INjH/yZX4qXjNXlTjo0PnHH0q08vNKDwLhxS+D9du+70FeacXFyLIbcWllSbJ7DmbumGpFo
++yYbtj3FDDPzachFQdIG3lSt+cSUGeyfSs6wVtc3cIPka/2Urx7RprfmoWSI6+a5NcLdj0u2z8O96
++HxeIgxDpg/3gT8ZIuFKePMcLDM19Fh/p0ysCsX+84B9chNWtsMSmIaE57V+959MVtsLu7SLb9gi7
++skrju0pQCwsu2wHMLTNd1f3PTHmrr49hxetTus07HSQUApMtAGKzQilF5zqFjbyaTd4xgQbd+PKW
++CjFyzQTDOcUhXpuUGt/IzlqiFfsCsmbj2K4KdSNYMlqIgZ3Azu8KvZLIhsyN7v5vNIZSPfEbjdeu
++ClU9r0VRiJmtYBUjcSghD9LWn+yRLwOxhfQVjm0cBwIt5R/yPF/qC76yIVuWUtM5Y2/zJR1J8OFq
++qWchvlImHtvDzS9FQeLyzJAOjvZ2CnWp2gILgUz0WQdOk1Dq8ax7KS9BQ42zxw9EZAEPw3PEFqRy
++IQsRTONp+iVS8YxSmoYZjDlCgRMWUmawez/Fv5b9Fb/XkO5Eq4e+KfrpUujXItaipb+tV8h5v3tr
++oG3Ie3WOHrVjCLXIdYslpL1O4nadqR6Xv58pHj6k
++
++type: account
++authority-id: canonical
++account-id: 1RgHGj7Zp3nyycrGa5sODDbZznzJAwAX
++display-name: Tom Wardill
++timestamp: 2018-02-06T09:22:49.118291Z
++username: twom
++validation: unproven
++sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
++
++AcLBUgQAAQoABgUCWnlz6QAA40sQALjt4pGWbG9icFARLbNSnx0ldc9cEytJ5ctLVvG0x3P7hP3u
++6VntHcurt5mkQmW9nTJ8CY3R5uAPVkVda1gFabFlIqZPl4fAv0KqH9vziqSsc1rn05nyLcPMEu2P
++WmWsOh/F7O3IqJrvdX1Xpuv0BsDjZi9merN20BHcY8LDVPd5qUDyN/BISbNzogzHC3MdilYAP75p
++YoYYhH7dHruLgPREOKEhAjIoFguvPtML1xAUFz5XDpvm0sHDURuDYN/cwpFOLsOkPCDokyYC/Udb
++Bh9foT4o1FYvBQOi2DjFBs0UFgAk/2ud8Rv9N10O2MnsQ0ZGerAsGAVIARkz5zjSHZPFokL5PJQ/
++AzJBVRR2NPtRvBEnF/bG0xR5JR/5AZK2K7mIKrQt22CFL4M4iL7uQI1Q1i7PBpysYT7vZwyyFkEP
++M2NXmvpZ34i+5JnyEtdn2H+JVhvQS1RpqdwDwfpqn+lYkJBvDN8B9aDtyp+yMdDTLoLt74JZKP4V
++YeptgPiaMUHOQJx6gdp/Fa9FJAQiNUFjXe9/lfF1yebu0CVXdO6CaSRGBXrQfk2E/WpZNsmZOTq+
++Rc0dGtlMeulEo8fY9RcJlsKe7hjlzX1Yk7JFkGqb60Fzqy0AzoJwDXjTnQPo0AKyNz+ryqly3Sur
++c58OOgdNDw9KbjYoVXvjFLzAyA/k
++
++type: snap-declaration
++authority-id: canonical
++series: 16
++snap-id: p5QNTakkyYmjqa9TRKQWHtZ58GTftzrM
++publisher-id: 1RgHGj7Zp3nyycrGa5sODDbZznzJAwAX
++snap-name: gif-cli
++timestamp: 2018-10-02T15:43:27.762767Z
++sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
++
++AcLBUgQAAQoABgUCW7OSHwAAV/cQAB9wlV5pNd/+20BSCv6tsBAUugrHbFRVjIMHsYoj7Can0mSB
++9vRSbDnFB91VWk+6gBpR+xXtHJithiyCl3fitf2tNuRKm/W6M4fhdctQXX8pcPSsonfSq1+1apgT
++vy7BZaChVEMROY3y5/NZNj4x/+1t38cA4dqxOHIXbhc1B/SifKpFQWq8hu+GMSFFVSxWCJp7rLor
++sqfBFUY1cFeCGsW/iawAPTXk3z7tZhkhoi1FQeu9KrQGMCY0aaD1uZhPLfCwP4mDmsuW3lxJ5QIt
++fhQdO46jh6Ea9nahjAMWrIYPL6G1Yk5aFH6cQ7LfcQq/JHEcDvFUXbtM5jQJU4gPcjnSkFlRCSNA
++aig1trd/RjqQyVMiIBDGRvOPZZij7AdnQ+P88CH1k5oWppNTgk4VM0UsSCdFFXVw7sQlPUWjRaYP
++PHfy1xkMZBw11jLDytOVwLKjPIZs8dCTHKkPfAD4oTP0+W/OvOBerUoHGeaxlZ8Cx17wFcfllEcO
++fiYmnYOAd0JRIXeOXH9/LTbSnb9dMPaaL9jIz0YhmNJOPuzUPpfGeoEQMlt61OfTtEuvjDAq+Nh/
++mhCDl0RnvH+8rjLv0ksYLETsFCkKlOYYMugoj0ruBjl3ss6GU/36RFX9quKEdDyyyus71C1V6ohF
++VzUiaij6jfTkWC4rMPyl69L3Z7fw
++
++type: snap-revision
++authority-id: canonical
++snap-sha3-384: MrP3xzTBH8SQLC1oOfMNIigeJ_0GUE1yqugKZzx2dKdqO2fHbzYa2SfJtxS5JWMe
++developer-id: 1RgHGj7Zp3nyycrGa5sODDbZznzJAwAX
++snap-id: p5QNTakkyYmjqa9TRKQWHtZ58GTftzrM
++snap-revision: 3
++snap-size: 9678848
++timestamp: 2018-10-14T20:48:18.733551Z
++sign-key-sha3-384: BWDEoaqyr25nF5SNCvEv2v7QnM9QsfCc0PBMYD_i2NGSQ32EF2d4D0hqUel3m8ul
++
++AcLBUgQAAQoABgUCW8OrkgAAm/oQAAnCsfsbDBJt59mPG9A1BRHYZHV7EqYis75QxZPzMLlkpoUG
++Xqc8g0aHgEt+STwrrAqUli9G5Yg3Tk8rWb7CV7MlB3c/pBgnW8XLWm3zp1S4ZonDPpKYmgeBcmui
++hH9lXPlHHnL9dGbObhPk7jbAFHOmqgC9S5lD6Uuj7RTn8Hv+hT7YbvZ8LpjcRfLfUJAIhfCCcxHm
++euwRMyGP5NFwOLWIj4XZNKhKf6Tj8bUJV9Kcf7MBZ/cvdwzPiTkU5EleHid4bdZcUkrcNTt8wFI4
++NxU+CH8m3mzP2/EF+amxoqHc5+9qMYWtu2iou1E8oY5M7s+QujTHPipzgPQkkMLSocyoO1ntezd1
++YhUu2GkXw2IRmmgVvaMjmXcE+voGNsT+W2CeHqQNvZvip3KDKvQG3G8tX9Sf6V7NSjqn1+IwpJpS
++Bx61HphfypyHbho7KgYcSYhdqCQF8XiLwQ3pWtE6l654I3kHzuzyrYKR+Ts1byHB+w5sLx4fw7xV
++7/CbvzO6konCrW00bG3UGKHZk4zJGBlv5cfGQxuq5GNaaDWZ9Pg5awSrgB8kShAGzOpdABle8eYg
++RVUbPo53cZO3ditJ+B7VT1pA0on1BiyQGKQUQplr+glZtplPsu6q+A0HzLZ3Wg7EFUdrSThhDh6N
++46jdhxSAwRSPVHtzHm/fgUcGXuMJ
 diff --git a/snapstore_client/logic/tests/test-snap-map.json b/snapstore_client/logic/tests/test-snap-map.json
 new file mode 100644
 index 0000000..0b28b16
 --- /dev/null
 +++ b/snapstore_client/logic/tests/test-snap-map.json
@@ -0,0 +1,73 @@
++{
++    "channel-map": [{
++        "architectures": ["amd64"],
++        "base": "core18",
++        "channel": {
++            "architecture": "amd64",
++            "name": "stable",
++            "released-at": "2018-11-08T18:30:43.652281+00:00",
++            "risk": "stable",
++            "track": "latest"
++        },
++        "common-ids": [],
++        "confinement": "strict",
++        "created-at": "2018-10-14T20:48:12.808884+00:00",
++        "download": {
++            "deltas": [],
++            "sha3-384": "32b3f7c734c11fc4902c2d6839f30d22281e27fd06504d72aae80a673c7674a76a3b67c76f361ad927c9b714b925631e",
++            "size": 9678848,
++            "url": "https://api.snapcraft.io/api/v1/snaps/download/p5QNTakkyYmjqa9TRKQWHtZ58GTftzrM_3.snap"
++        },
++        "epoch": {
++            "read": [0],
++            "write": [0]
++        },
++        "revision": 3,
++        "snap-yaml": "name: gif-cli\nversion: 0.0.3\nsummary: CLI tool to search for gifs\ndescription: 'CLI tool to search for gifs\n\n  '\nbase: core18\narchitectures:\n- amd64\nconfinement: strict\ngrade: stable\napps:\n  gif-cli:\n    command: command-gif-cli.wrapper\n    plugs:\n    - network-bind\n    - network\n",
++        "type": "app",
++        "version": "0.0.3"
++    }, {
++        "architectures": ["amd64"],
++        "base": "core18",
++        "channel": {
++            "architecture": "amd64",
++            "name": "edge",
++            "released-at": "2018-10-14T20:49:19.242435+00:00",
++            "risk": "edge",
++            "track": "latest"
++        },
++        "common-ids": [],
++        "confinement": "strict",
++        "created-at": "2018-10-14T20:48:12.808884+00:00",
++        "download": {
++            "deltas": [],
++            "sha3-384": "32b3f7c734c11fc4902c2d6839f30d22281e27fd06504d72aae80a673c7674a76a3b67c76f361ad927c9b714b925631e",
++            "size": 9678848,
++            "url": "https://api.snapcraft.io/api/v1/snaps/download/p5QNTakkyYmjqa9TRKQWHtZ58GTftzrM_3.snap"
++        },
++        "epoch": {
++            "read": [0],
++            "write": [0]
++        },
++        "revision": 3,
++        "snap-yaml": "name: gif-cli\nversion: 0.0.3\nsummary: CLI tool to search for gifs\ndescription: 'CLI tool to search for gifs\n\n  '\nbase: core18\narchitectures:\n- amd64\nconfinement: strict\ngrade: stable\napps:\n  gif-cli:\n    command: command-gif-cli.wrapper\n    plugs:\n    - network-bind\n    - network\n",
++        "type": "app",
++        "version": "0.0.3"
++    }],
++    "name": "gif-cli",
++    "snap": {
++        "license": "unset",
++        "name": "gif-cli",
++        "prices": {},
++        "publisher": {
++            "display-name": "Tom Wardill",
++            "id": "1RgHGj7Zp3nyycrGa5sODDbZznzJAwAX",
++            "username": "twom",
++            "validation": "unproven"
++        },
++        "snap-id": "p5QNTakkyYmjqa9TRKQWHtZ58GTftzrM",
++        "summary": "CLI tool to search for gifs",
++        "title": "gif-cli"
++    },
++    "snap-id": "p5QNTakkyYmjqa9TRKQWHtZ58GTftzrM"
++}
 diff --git a/snapstore_client/logic/tests/test_login.py b/snapstore_client/logic/tests/test_login.py
 index 25ef14f..d7854cc 100644
 --- a/snapstore_client/logic/tests/test_login.py
 +++ b/snapstore_client/logic/tests/test_login.py
@@ -54,11 +54,13 @@ class LoginTests(TestCase):
          iter_responses = iter(full_responses)
          return lambda request: next(iter_responses)
--    def make_args(self, store_url=None, sso_url=None, email=None):
++    def make_args(self, store_url=None,
++                  sso_url=None, email=None, offline=False):
          return factory.Args(
              store_url=store_url or self.default_gw_url,
              sso_url=sso_url or self.default_sso_url,
              email=email,
++            offline=offline,
+         )
      def add_issue_store_admin_response(self, *response_templates, gw_url=None):
 diff --git a/snapstore_client/logic/tests/test_overrides.py b/snapstore_client/logic/tests/test_overrides.py
 index 1f2f2d0..05e32fc 100644
 --- a/snapstore_client/logic/tests/test_overrides.py
 +++ b/snapstore_client/logic/tests/test_overrides.py
@@ -32,7 +32,7 @@ class OverridesTests(TestCase):
              'Have you run "snap-store-proxy-client login"?\n')
      @responses.activate
--    def test_list_overrides(self):
++    def test_list_overrides_online(self):
          self.useFixture(testfixtures.ConfigFixture())
          logger = self.useFixture(fixtures.FakeLogger())
          snap_id = factory.generate_snap_id()
@@ -52,18 +52,55 @@ class OverridesTests(TestCase):
          responses.add(
              'GET', overrides_url, status=200, json={'overrides': overrides})
--        list_overrides(factory.Args(snap_name='mysnap', series='16'))
++        list_overrides(
++            factory.Args(snap_name='mysnap', series='16', password=False))
          self.assertEqual(
              'mysnap stable amd64 1 (upstream 2)\n'
              'mysnap foo/stable i386 3 (upstream 4)\n',
              logger.output)
++        # We shouldn't have Basic Authorization headers, but Macaroon
++        self.assertNotIn(
++            'Basic',
++            responses.calls[0].request.headers['Authorization'])
++
++    @responses.activate
++    def test_list_overrides_offline(self):
++        self.useFixture(testfixtures.ConfigFixture())
++        logger = self.useFixture(fixtures.FakeLogger())
++        snap_id = factory.generate_snap_id()
++        overrides = [
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap'),
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=3,
++                upstream_revision=4, channel='foo/stable',
++                architecture='i386'),
++        ]
++        # XXX cjwatson 2017-06-26: Use acceptable-generated doubles once
++        # they exist.
++        overrides_url = urljoin(
++            config.Config().store_section('default').get('gw_url'),
++            '/v2/metadata/overrides/mysnap')
++        responses.add(
++            'GET', overrides_url, status=200, json={'overrides': overrides})
++
++        list_overrides(
++            factory.Args(snap_name='mysnap', series='16', password='test'))
++        self.assertEqual(
++            'mysnap stable amd64 1 (upstream 2)\n'
++            'mysnap foo/stable i386 3 (upstream 4)\n',
++            logger.output)
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
      def test_override_no_store_config(self):
          self.useFixture(testfixtures.ConfigFixture(empty=True))
          logger = self.useFixture(fixtures.FakeLogger())
          rc = override(factory.Args(
              snap_name='some-snap', channel_map_entries=['stable=1'],
--            series='16'))
++            series='16',
++            password=False))
          self.assertEqual(rc, 1)
          self.assertEqual(
              logger.output,
@@ -71,7 +108,56 @@ class OverridesTests(TestCase):
              'Have you run "snap-store-proxy-client login"?\n')
      @responses.activate
--    def test_override(self):
++    def test_override_online(self):
++        self.useFixture(testfixtures.ConfigFixture())
++        logger = self.useFixture(fixtures.FakeLogger())
++        snap_id = factory.generate_snap_id()
++        overrides = [
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap'),
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=3,
++                upstream_revision=4, channel='foo/stable',
++                architecture='i386'),
++        ]
++        # XXX cjwatson 2017-06-26: Use acceptable-generated doubles once
++        # they exist.
++        overrides_url = urljoin(
++            config.Config().store_section('default').get('gw_url'),
++            '/v2/metadata/overrides')
++        responses.add(
++            'POST', overrides_url, status=200, json={'overrides': overrides})
++
++        override(factory.Args(
++            snap_name='mysnap',
++            channel_map_entries=['stable=1', 'foo/stable=3'],
++            series='16',
++            password=False))
++        self.assertEqual([
++            {
++                'snap_name': 'mysnap',
++                'revision': 1,
++                'channel': 'stable',
++                'series': '16',
++            },
++            {
++                'snap_name': 'mysnap',
++                'revision': 3,
++                'channel': 'foo/stable',
++                'series': '16',
++            },
++        ], json.loads(responses.calls[0].request.body.decode()))
++        self.assertEqual(
++            'mysnap stable amd64 1 (upstream 2)\n'
++            'mysnap foo/stable i386 3 (upstream 4)\n',
++            logger.output)
++        # We shouldn't have Basic Authorization headers, but Macaroon
++        self.assertNotIn(
++            'Basic',
++            responses.calls[0].request.headers['Authorization'])
++
++    @responses.activate
++    def test_override_offline(self):
          self.useFixture(testfixtures.ConfigFixture())
          logger = self.useFixture(fixtures.FakeLogger())
          snap_id = factory.generate_snap_id()
@@ -94,7 +180,8 @@ class OverridesTests(TestCase):
          override(factory.Args(
              snap_name='mysnap',
              channel_map_entries=['stable=1', 'foo/stable=3'],
--            series='16'))
++            series='16',
++            password='test'))
          self.assertEqual([
+             {
                  'snap_name': 'mysnap',
@@ -113,12 +200,16 @@ class OverridesTests(TestCase):
              'mysnap stable amd64 1 (upstream 2)\n'
              'mysnap foo/stable i386 3 (upstream 4)\n',
              logger.output)
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
      def test_delete_override_no_store_config(self):
          self.useFixture(testfixtures.ConfigFixture(empty=True))
          logger = self.useFixture(fixtures.FakeLogger())
          rc = delete_override(factory.Args(
--            snap_name='some-snap', channels=['stable'], series='16'))
++            snap_name='some-snap', channels=['stable'],
++            series='16', password=False))
          self.assertEqual(rc, 1)
          self.assertEqual(
              logger.output,
@@ -126,7 +217,56 @@ class OverridesTests(TestCase):
              'Have you run "snap-store-proxy-client login"?\n')
      @responses.activate
--    def test_delete_override(self):
++    def test_delete_override_online(self):
++        self.useFixture(testfixtures.ConfigFixture())
++        logger = self.useFixture(fixtures.FakeLogger())
++        snap_id = factory.generate_snap_id()
++        overrides = [
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=None),
++            factory.SnapDeviceGateway.Override(
++                snap_id=snap_id, snap_name='mysnap', revision=None,
++                upstream_revision=4, channel='foo/stable',
++                architecture='i386'),
++        ]
++        # XXX cjwatson 2017-06-26: Use acceptable-generated doubles once
++        # they exist.
++        overrides_url = urljoin(
++            config.Config().store_section('default').get('gw_url'),
++            '/v2/metadata/overrides')
++        responses.add(
++            'POST', overrides_url, status=200, json={'overrides': overrides})
++
++        delete_override(factory.Args(
++            snap_name='mysnap',
++            channels=['stable', 'foo/stable'],
++            series='16',
++            password=False))
++        self.assertEqual([
++            {
++                'snap_name': 'mysnap',
++                'revision': None,
++                'channel': 'stable',
++                'series': '16',
++            },
++            {
++                'snap_name': 'mysnap',
++                'revision': None,
++                'channel': 'foo/stable',
++                'series': '16',
++            },
++        ], json.loads(responses.calls[0].request.body.decode()))
++        self.assertEqual(
++            'mysnap stable amd64 is tracking upstream (revision 2)\n'
++            'mysnap foo/stable i386 is tracking upstream (revision 4)\n',
++            logger.output)
++        # We shouldn't have Basic Authorization headers, but Macaroon
++        self.assertNotIn(
++            'Basic',
++            responses.calls[0].request.headers['Authorization'])
++
++    @responses.activate
++    def test_delete_override_offline(self):
          self.useFixture(testfixtures.ConfigFixture())
          logger = self.useFixture(fixtures.FakeLogger())
          snap_id = factory.generate_snap_id()
@@ -149,7 +289,8 @@ class OverridesTests(TestCase):
          delete_override(factory.Args(
              snap_name='mysnap',
              channels=['stable', 'foo/stable'],
--            series='16'))
++            series='16',
++            password='test'))
          self.assertEqual([
+             {
                  'snap_name': 'mysnap',
@@ -168,3 +309,6 @@ class OverridesTests(TestCase):
              'mysnap stable amd64 is tracking upstream (revision 2)\n'
              'mysnap foo/stable i386 is tracking upstream (revision 4)\n',
              logger.output)
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
 diff --git a/snapstore_client/logic/tests/test_push.py b/snapstore_client/logic/tests/test_push.py
 new file mode 100644
 index 0000000..7fedbbd
 --- /dev/null
 +++ b/snapstore_client/logic/tests/test_push.py
@@ -0,0 +1,169 @@
++import json
++from pathlib import Path
++from urllib.parse import urljoin
++
++import fixtures
++import responses
++from testtools import TestCase
++
++from snapstore_client.logic.push import (
++    ChannelMapExistsException,
++    pushException,
++    _add_assertion_to_service,
++    _split_assertions,
++    _push_channelmap,
++    _push_ident,
++    _push_revs,
++)
++
++
++class pushTests(TestCase):
++
++    def setUp(self):
++        super().setUp()
++        self.default_gw_url = 'http://store.local'
++        self.logger = self.useFixture(fixtures.FakeLogger())
++        current_path = Path(__file__).resolve().parent
++        with (current_path / 'test-snap-map.json').open() as fh:
++            self.snap_map = json.load(fh)
++        with (current_path / 'test-snap-assert.assert').open() as fh:
++            self.snap_assert = fh.read().splitlines()
++        self.store = {'gw_url': self.default_gw_url}
++
++    @responses.activate
++    def test_push_ident(self):
++        ident_url = urljoin(self.default_gw_url, '/snaps/update')
++        responses.add('POST', ident_url, status=200)
++
++        _push_ident(self.store, 'test', self.snap_map)
++
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
++
++    @responses.activate
++    def test_push_ident_failed(self):
++        ident_url = urljoin(self.default_gw_url, '/snaps/update')
++        responses.add('POST', ident_url, status=500)
++
++        self.assertRaises(
++            pushException, _push_ident, self.store, 'test', self.snap_map)
++
++    @responses.activate
++    def test_push_revs(self):
++        revs_url = urljoin(self.default_gw_url, '/revisions/create')
++        responses.add('POST', revs_url, status=201)
++
++        _push_revs(self.store, 'test', self.snap_map)
++
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
++
++    @responses.activate
++    def test_push_revs_unexpected_status_code(self):
++        revs_url = urljoin(self.default_gw_url, '/revisions/create')
++        responses.add('POST', revs_url, status=302)
++
++        self.assertRaises(
++            pushException, _push_revs, self.store, 'test', self.snap_map)
++
++    @responses.activate
++    def test_push_revs_failed(self):
++        revs_url = urljoin(self.default_gw_url, '/revisions/create')
++        responses.add('POST', revs_url, status=500)
++
++        self.assertRaises(
++            pushException, _push_revs, self.store, 'test', self.snap_map)
++
++    @responses.activate
++    def test_push_map(self):
++        filter_url = urljoin(self.default_gw_url, '/channelmaps/filter')
++        update_url = urljoin(self.default_gw_url, '/channelmaps/update')
++        responses.add('POST', filter_url, status=200, json={})
++        responses.add('POST', update_url, status=200)
++
++        _push_channelmap(self.store, 'test', self.snap_map)
++
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
++
++    @responses.activate
++    def test_push_map_failed(self):
++        filter_url = urljoin(self.default_gw_url, '/channelmaps/filter')
++        update_url = urljoin(self.default_gw_url, '/channelmaps/update')
++        responses.add('POST', filter_url, status=200, json={})
++        responses.add('POST', update_url, status=500)
++
++        self.assertRaises(
++            pushException, _push_channelmap,
++            self.store, 'test', self.snap_map)
++
++    @responses.activate
++    def test_push_map_exists(self):
++        filter_url = urljoin(self.default_gw_url, '/channelmaps/filter')
++        update_url = urljoin(self.default_gw_url, '/channelmaps/update')
++        exists = {'channelmaps': ['thing that exists']}
++        responses.add('POST', filter_url, status=200, json=exists)
++        responses.add('POST', update_url, status=200)
++
++        self.assertRaises(
++            ChannelMapExistsException, _push_channelmap,
++            self.store, 'test', self.snap_map)
++
++    @responses.activate
++    def test_push_map_exists_force_push(self):
++        filter_url = urljoin(self.default_gw_url, '/channelmaps/filter')
++        update_url = urljoin(self.default_gw_url, '/channelmaps/update')
++        exists = {'channelmaps': ['thing that exists']}
++        responses.add('POST', filter_url, status=200, json=exists)
++        responses.add('POST', update_url, status=200)
++
++        _push_channelmap(self.store, 'test', self.snap_map, True)
++
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
++
++    def test_split_assertions(self):
++        result = _split_assertions(self.snap_assert)
++        assert len(result) == 4
++
++        # We should have 4 different types of assertion
++        assert result[0][0] == 'type: account-key'
++        assert result[1][0] == 'type: account'
++        assert result[2][0] == 'type: snap-declaration'
++        assert result[3][0] == 'type: snap-revision'
++
++    @responses.activate
++    def test_add_assertion_to_service(self):
++        assert_url = urljoin(self.default_gw_url, '/v1/assertions')
++        responses.add('POST', assert_url, status=201)
++
++        split_assertions = _split_assertions(self.snap_assert)
++        _add_assertion_to_service(self.store, 'test', split_assertions)
++
++        self.assertEqual(
++            'Basic YWRtaW46dGVzdA==',
++            responses.calls[0].request.headers['Authorization'])
++
++    @responses.activate
++    def test_add_assertion_to_service_unexpected_status_code(self):
++        assert_url = urljoin(self.default_gw_url, '/v1/assertions')
++        responses.add('POST', assert_url, status=302)
++
++        split_assertions = _split_assertions(self.snap_assert)
++        self.assertRaises(
++            pushException,
++            _add_assertion_to_service, self.store, 'test', split_assertions)
++
++    @responses.activate
++    def test_add_assertion_to_service_failed(self):
++        assert_url = urljoin(self.default_gw_url, '/v1/assertions')
++        responses.add('POST', assert_url, status=500)
++
++        split_assertions = _split_assertions(self.snap_assert)
++        self.assertRaises(
++            pushException,
++            _add_assertion_to_service, self.store, 'test', split_assertions)
 diff --git a/snapstore_client/utils.py b/snapstore_client/utils.py
 new file mode 100644
 index 0000000..461a1c3
 --- /dev/null
 +++ b/snapstore_client/utils.py
@@ -0,0 +1,26 @@
++import logging
++
++logger = logging.getLogger(__name__)
++
++
++def _log_credentials_error(e):
++    logger.error('%s', e)
++    logger.error('Try to "snap-store-proxy-client login" again.')
++
++
++def _log_authorized_error():
++    logger.error(("Perhaps you have not been registered as an "
++                  "admin with the proxy."))
++    logger.error("Try 'snap-proxy add-admin' on the proxy host.")
++
++
++def _check_default_store(cfg):
++    """Load the default store from the config."""
++    store = cfg.store_section('default')
++    # If the gw URL is configured then everything else should be too.
++    if not store.get('gw_url'):
++        logger.error(
++            'No store configuration found. '
++            'Have you run "snap-store-proxy-client login"?')
++        return None
++    return store
 diff --git a/snapstore_client/webservices.py b/snapstore_client/webservices.py
 index e8e618f..3ebf149 100644
 --- a/snapstore_client/webservices.py
 +++ b/snapstore_client/webservices.py
@@ -1,6 +1,7 @@
  # Copyright 2017 Canonical Ltd.  This software is licensed under the
  # GNU General Public License version 3 (see the file LICENSE).
++import base64
  import json
  import logging
  import urllib.parse
@@ -96,6 +97,19 @@ def _get_macaroon_auth(store):
          root_raw, bound_discharge_raw)
++def _get_basic_auth(password):
++    """Build the basic auth for interacting with an offline proxy"""
++    # XXX twom 2019-03-15 Hardcoded username, awaiting user management
++    username = 'admin'
++    credentials = '{}:{}'.format(username, password)
++    try:
++        encoded_credentials = base64.b64encode(credentials.encode('UTF-8'))
++    except UnicodeEncodeError:
++        logger.error('Unable to encode password to UTF-8')
++        raise
++    return 'Basic {}'.format(encoded_credentials.decode())
++
++
  def _raise_needs_refresh(response):
      if (response.status_code == 401 and
              response.headers.get('WWW-Authenticate') == (
@@ -115,15 +129,18 @@ def refresh_if_necessary(store, func, *args, **kwargs):
          return func(*args, **kwargs)
--def get_overrides(store, snap_name, series='16'):
++def get_overrides(store, snap_name, series='16', password=None):
      """Get all overrides for a snap."""
      overrides_url = urllib.parse.urljoin(
          store.get('gw_url'),
          '/v2/metadata/overrides/{}'.format(urllib.parse.quote_plus(snap_name)))
      headers = {
--        'Authorization': _get_macaroon_auth(store),
          'X-Ubuntu-Series': series,
+     }
++    if password:
++        headers['Authorization'] = _get_basic_auth(password)
++    else:
++        headers['Authorization'] = _get_macaroon_auth(store)
      resp = requests.get(overrides_url, headers=headers)
      _raise_needs_refresh(resp)
      if resp.status_code != 200:
@@ -132,11 +149,14 @@ def get_overrides(store, snap_name, series='16'):
      return resp.json()
--def set_overrides(store, overrides):
++def set_overrides(store, overrides, password=None):
      """Add or remove channel map overrides for a snap."""
      overrides_url = urllib.parse.urljoin(
          store.get('gw_url'), '/v2/metadata/overrides')
--    headers = {'Authorization': _get_macaroon_auth(store)}
++    if password:
++        headers = {'Authorization': _get_basic_auth(password)}
++    else:
++        headers = {'Authorization': _get_macaroon_auth(store)}
      resp = requests.post(overrides_url, headers=headers, json=overrides)
      _raise_needs_refresh(resp)
      if resp.status_code != 200: