Message #17392
[Merge] lp:~wgrant/launchpad/timelimitedtoken-sha256 into lp:launchpad
William Grant has proposed merging lp:~wgrant/launchpad/timelimitedtoken-sha256 into lp:launchpad.
Commit message:
SHA-256-hash TimeLimitedTokens in the DB.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~wgrant/launchpad/timelimitedtoken-sha256/+merge/232958
SHA-256-hash TimeLimitedTokens in the DB.
--
https://code.launchpad.net/~wgrant/launchpad/timelimitedtoken-sha256/+merge/232958
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wgrant/launchpad/timelimitedtoken-sha256 into lp:launchpad.
=== modified file 'lib/lp/services/librarian/doc/librarian.txt'
--- lib/lp/services/librarian/doc/librarian.txt 2013-06-20 05:50:00 +0000
+++ lib/lp/services/librarian/doc/librarian.txt 2014-09-02 01:09:10 +0000
@@ -333,6 +333,7 @@
access to a file, regardless of who is logged in. getURL can be asked to
provide such a token.
+ >>> import hashlib
>>> token_url = file_alias.getURL(include_token=True)
>>> print token_url
https://i...restricted.../private.txt?token=...
@@ -342,8 +343,9 @@
>>> private_path = TimeLimitedToken.url_to_token_path(
... file_alias.private_url)
- >>> token_url.endswith(session_store().find(
- ... TimeLimitedToken, path=private_path).any().token)
+ >>> url_token = token_url.split('=')[1]
+ >>> hashlib.sha256(url_token).hexdigest() == session_store().find(
+ ... TimeLimitedToken, path=private_path).any().token
True
LibraryFileAliasView doesn't work on restricted files. This is a
=== modified file 'lib/lp/services/librarian/model.py'
--- lib/lp/services/librarian/model.py 2014-09-01 09:46:01 +0000
+++ lib/lp/services/librarian/model.py 2014-09-02 01:09:10 +0000
@@ -12,6 +12,7 @@
]
from datetime import datetime
+import hashlib
from urlparse import urlparse
from lazr.delegates import delegates
@@ -298,7 +299,9 @@
created = UtcDateTimeCol(notNull=True, default=UTC_NOW)
path = StringCol(notNull=True)
+ # The hex SHA-256 hash of the token.
token = StringCol(notNull=True)
+
__storm_primary__ = ("path", "token")
def __init__(self, path, token, created=None):
@@ -306,7 +309,7 @@
if created is not None:
self.created = created
self.path = path
- self.token = token
+ self.token = hashlib.sha256(token).hexdigest()
@staticmethod
def allocate(url):
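Review bot: After this change `__init__` takes the plaintext token but `self.token` holds its hex SHA-256 digest, so every reader that compares the column with a presented value has to hash it first. The code that validates the `?token=` parameter on download is not in this diff, so confirm it applies the same `hashlib.sha256(token).hexdigest()` before the lookup. A one-line docstring on `__init__` would make the contract explicit, e.g. `"""Persist only the SHA-256 hex digest of token; the plaintext is never stored."""`. Rows written before this change presumably still hold plaintext values and would stop matching a hashed lookup; that is likely acceptable for short-lived tokens, but worth stating in the merge description. The class body and `allocate` continue outside the hunk.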
=== modified file 'lib/lp/services/librarianserver/tests/test_web.py'
--- lib/lp/services/librarianserver/tests/test_web.py 2013-06-20 05:50:00 +0000
+++ lib/lp/services/librarianserver/tests/test_web.py 2014-09-02 01:09:10 +0000
@@ -3,6 +3,7 @@
from cStringIO import StringIO
from datetime import datetime
+import hashlib
import httplib
import unittest
from urllib2 import (
@@ -339,9 +340,11 @@
token = TimeLimitedToken.allocate(url)
# But time has passed
store = session_store()
- tokens = store.find(TimeLimitedToken, TimeLimitedToken.token==token)
+ tokens = store.find(
+ TimeLimitedToken,
+ TimeLimitedToken.token == hashlib.sha256(token).hexdigest())
tokens.set(
- TimeLimitedToken.created==SQL("created - interval '1 week'"))
+ TimeLimitedToken.created == SQL("created - interval '1 week'"))
url = url + "?token=%s" % token
# Now, as per test_restricted_no_token we should get a 404.
self.require404(url)
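Review bot: The result of `store.find(...)` is never checked before `tokens.set(...)`, and the closing `require404` would also pass if the server failed to match the hashed token at all, so this test cannot tell an expired token from a lookup that never matches. Adding `self.assertEqual(1, tokens.count())` before the `set` would pin that the digest stored by `allocate` is the one the query expects. The digest expression is also repeated here and in the doctest, so a single helper on the model would keep the storage format in one place. The test method starts above the hunk.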