Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ExpiryCaveat #11122

Merged
merged 7 commits into from
Apr 19, 2022
Merged

Add ExpiryCaveat #11122

merged 7 commits into from
Apr 19, 2022

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Apr 5, 2022
edited
Loading

Closes #10792.

Closes #6255.

@woodruffw woodruffw self-assigned this Apr 5, 2022
@woodruffw
Copy link
Member Author

This needs more testing, but the basic idea:

  • All current macaroons continue to function as expected, and nothing about the construction of normal macaroons (i.e., ones minted by users manually through the PyPI website) is changed.

  • In the future, macaroons minted via the OIDC JWT consumption route will include an additional expiry caveat, with two fields: nbf to indicate that the macaroon must not be used before the given timestamp, and exp to indicate when the macaroon ceases to be valid.

woodruffw
woodruffw commented Apr 5, 2022
View reviewed changes
warehouse/manage/views.py Outdated Show resolved Hide resolved
@woodruffw woodruffw requested a review from di April 5, 2022 20:57
This was referenced Apr 5, 2022
Closed
Closed
@woodruffw woodruffw marked this pull request as ready for review April 7, 2022 16:26
@woodruffw
Copy link
Member Author

Marking as ready for review since this is in a stable state, but see comments above about the current approach.

di
di reviewed Apr 8, 2022
View reviewed changes
Copy link
Member

@di di left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, but I didn't give it a super deep review. I had one high level question: how will this be backwards-compatible for macaroons created before this change? The migration is just dropping one column and adding a new one without doing a data migration.

@woodruffw
Copy link
Member Author

I had one high level question: how will this be backwards-compatible for macaroons created before this change?

Yeah, this was an oversight on my part. This will break the UI for pre-existing macaroons, at least in the form they're recorded in the DB.

The migration should probably just rename the column rather than dropping it and inserting a new one, since interior data is the same. I'll fix that now.

@woodruffw woodruffw requested a review from di April 11, 2022 15:06
woodruffw added a commit to trail-of-forks/warehouse that referenced this pull request Apr 11, 2022
@woodruffw
warehouse, tests: pick DB changes from pypi#11122
e60885d
@woodruffw woodruffw mentioned this pull request Apr 11, 2022
Merged
@woodruffw
Copy link
Member Author

Blocked on: #11157.

di pushed a commit that referenced this pull request Apr 12, 2022
@woodruffw
warehouse, tests: pick DB changes from #11122 (#11157)
9a84e62 
* warehouse, tests: pick DB changes from #11122

* warehouse: `make translations`

* manage/views: remove outdated note

* warehouse, tests: `Macaroon.permissions -> Macaroon.permissions_caveat`

Emphasizes that this is the entire caveat, and not just the permissions body.

* warehouse: `make translations`

* warehouse/templates: handle stale event caveats

Prior to these changes, the `caveats` field in API token events was
a dictionary, not a list.

* warehouse: `make translations`
@di
Copy link
Member

di commented Apr 12, 2022

#11157 has been merged!

@woodruffw
Copy link
Member Author

Excellent! I'll de-conflict here.

@woodruffw
Copy link
Member Author

woodruffw commented Apr 12, 2022
edited
Loading

N.B.: 1f65cff is a naive pick of the original changeset, so it isn't ready for review yet. I'll do another pass over it later today.

Edit: Done.

@woodruffw
Copy link
Member Author

I also confirmed locally that this does not break verification of current tokens (i.e., ones missing an expiry caveat).

@woodruffw woodruffw mentioned this pull request Apr 13, 2022
Closed
@woodruffw
warehouse, tests: refactor macaroon failure handling
3e60c4b 
Add tests for success/failure conditions in the top-level verifier.
@woodruffw woodruffw requested review from di and ewdurbin April 13, 2022 23:51
@woodruffw woodruffw mentioned this pull request Apr 16, 2022
Closed
di
di reviewed Apr 18, 2022
View reviewed changes
warehouse/macaroons/caveats.py Outdated Show resolved Hide resolved
@woodruffw woodruffw requested a review from di April 19, 2022 15:10
@di di merged commit 08813ab into pypi:main Apr 19, 2022
@di di deleted the tob-new-macaroon-caveats branch April 19, 2022 16:06
@fschulze
Copy link

What is the deployment policy of pypi.org? Is everything on main automatically deployed? If not, where can I see what version is deployed? In other words, how can I see that changes like this are available on pypi.org?

@di
Copy link
Member

di commented Apr 20, 2022

@fschulze Everything is automatically deployed within 5-10 minutes after merge.

@woodruffw
Copy link
Member Author

But also, note that these changes aren't user-facing yet! We don't currently allow users to create API tokens with expiry restrictions.

@fschulze
Copy link

@woodruffw doesn't matter for my use case. I want to derive unique upload tokens for pushing releases with devpi. The upload is done on the server side and the server currently sees the token/password. With the expiration and the project caveat I can create unique tokens on the client for use by the server.

@di di mentioned this pull request Apr 20, 2022
Closed
@woodruffw woodruffw mentioned this pull request Apr 20, 2022
Closed
domdfcoding pushed a commit to domdfcoding/warehouse that referenced this pull request Jun 7, 2022
@woodruffw @domdfcoding
warehouse, tests: pick DB changes from pypi#11122 (pypi#11157)
3397c7d 
* warehouse, tests: pick DB changes from pypi#11122

* warehouse: `make translations`

* manage/views: remove outdated note

* warehouse, tests: `Macaroon.permissions -> Macaroon.permissions_caveat`

Emphasizes that this is the entire caveat, and not just the permissions body.

* warehouse: `make translations`

* warehouse/templates: handle stale event caveats

Prior to these changes, the `caveats` field in API token events was
a dictionary, not a list.

* warehouse: `make translations`
domdfcoding pushed a commit to domdfcoding/warehouse that referenced this pull request Jun 7, 2022
@woodruffw @ewdurbin @domdfcoding
Add ExpiryCaveat (pypi#11122)
8385e2d 
* warehouse, tests: add and test `ExpiryCaveat`

* warehouse, tests: refactor macaroon failure handling

Add tests for success/failure conditions in the top-level verifier.

* tests: lint and format

* macaroons/caveats: remove `_fail` API

This was a misdesign.

Co-authored-by: Ee Durbin <ewdurbin@gmail.com>
@woodruffw woodruffw mentioned this pull request Oct 31, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@di di di approved these changes

@ewdurbin ewdurbin ewdurbin approved these changes

Assignees

@woodruffw woodruffw

Labels
APIs/feeds
Projects
None yet
Milestone
No milestone
4 participants
@woodruffw @di @fschulze @ewdurbin