
launchpad-reviewers team mailing list archive

[Merge] lp:~wgrant/launchpad/timelimitedtoken-sha256 into lp:launchpad

 

William Grant has proposed merging lp:~wgrant/launchpad/timelimitedtoken-sha256 into lp:launchpad.

Commit message:
SHA-256-hash TimeLimitedTokens in the DB.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~wgrant/launchpad/timelimitedtoken-sha256/+merge/232958

SHA-256-hash TimeLimitedTokens in the DB.
-- 
https://code.launchpad.net/~wgrant/launchpad/timelimitedtoken-sha256/+merge/232958
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wgrant/launchpad/timelimitedtoken-sha256 into lp:launchpad.
=== modified file 'lib/lp/services/librarian/doc/librarian.txt'
--- lib/lp/services/librarian/doc/librarian.txt	2013-06-20 05:50:00 +0000
+++ lib/lp/services/librarian/doc/librarian.txt	2014-09-02 01:09:10 +0000
@@ -333,6 +333,7 @@
 access to a file, regardless of who is logged in. getURL can be asked to
 provide such a token.
 
+    >>> import hashlib
     >>> token_url = file_alias.getURL(include_token=True)
     >>> print token_url
     https://i...restricted.../private.txt?token=...
@@ -342,8 +343,9 @@
 
     >>> private_path = TimeLimitedToken.url_to_token_path(
     ...        file_alias.private_url)
-    >>> token_url.endswith(session_store().find(
-    ...     TimeLimitedToken, path=private_path).any().token)
+    >>> url_token = token_url.split('=')[1]
+    >>> hashlib.sha256(url_token).hexdigest() == session_store().find(
+    ...     TimeLimitedToken, path=private_path).any().token
     True
 
 LibraryFileAliasView doesn't work on restricted files. This is a

=== modified file 'lib/lp/services/librarian/model.py'
--- lib/lp/services/librarian/model.py	2014-09-01 09:46:01 +0000
+++ lib/lp/services/librarian/model.py	2014-09-02 01:09:10 +0000
@@ -12,6 +12,7 @@
     ]
 
 from datetime import datetime
+import hashlib
 from urlparse import urlparse
 
 from lazr.delegates import delegates
@@ -298,7 +299,9 @@
 
     created = UtcDateTimeCol(notNull=True, default=UTC_NOW)
     path = StringCol(notNull=True)
+    # The hex SHA-256 hash of the token.
     token = StringCol(notNull=True)
+
     __storm_primary__ = ("path", "token")
 
     def __init__(self, path, token, created=None):
@@ -306,7 +309,7 @@
         if created is not None:
             self.created = created
         self.path = path
-        self.token = token
+        self.token = hashlib.sha256(token).hexdigest()
 
     @staticmethod
     def allocate(url):
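Review bot: The assignment `self.token = hashlib.sha256(token).hexdigest()` changes what the `token` column holds, but no reader of that column is updated in this diff. Any lookup that compares a presented token with `TimeLimitedToken.token` must hash the presented value first, so confirm the librarian's validation path already does. Rows written before this lands presumably still hold raw tokens and would stop matching if the lookup hashes unconditionally, unless it accepts both forms until they expire. A comment on the assignment would help the next reader, e.g. `# Persist only the digest; the raw token is only ever handed to the client in the URL.` `__init__` begins above the hunk and `allocate` continues below it.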

=== modified file 'lib/lp/services/librarianserver/tests/test_web.py'
--- lib/lp/services/librarianserver/tests/test_web.py	2013-06-20 05:50:00 +0000
+++ lib/lp/services/librarianserver/tests/test_web.py	2014-09-02 01:09:10 +0000
@@ -3,6 +3,7 @@
 
 from cStringIO import StringIO
 from datetime import datetime
+import hashlib
 import httplib
 import unittest
 from urllib2 import (
@@ -339,9 +340,11 @@
         token = TimeLimitedToken.allocate(url)
         # But time has passed
         store = session_store()
-        tokens = store.find(TimeLimitedToken, TimeLimitedToken.token==token)
+        tokens = store.find(
+            TimeLimitedToken,
+            TimeLimitedToken.token == hashlib.sha256(token).hexdigest())
         tokens.set(
-            TimeLimitedToken.created==SQL("created - interval '1 week'"))
+            TimeLimitedToken.created == SQL("created - interval '1 week'"))
         url = url + "?token=%s" % token
         # Now, as per test_restricted_no_token we should get a 404.
         self.require404(url)
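Review bot: An expired token and a lookup that never matches both end in a 404 here, so the final `self.require404(url)` does not show that the server side accepts a token stored as a digest. After the `store.find(...)` call I would pin that the hashed lookup found the row before `tokens.set(...)` ages it, e.g. `self.assertEqual(1, tokens.count())`. A companion test that a fresh token still returns the file may exist outside this diff; if it does not, it is worth adding. The test method begins above the hunk.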

