launchpad-reviewers team mailing list archive
Message #23622
Re: [Merge] lp:~cjwatson/launchpad/refactor-git-code-import-authz into lp:launchpad
Diff comments:
> === modified file 'lib/lp/code/xmlrpc/git.py'
> --- lib/lp/code/xmlrpc/git.py 2019-04-26 13:13:37 +0000
> +++ lib/lp/code/xmlrpc/git.py 2019-05-07 17:07:40 +0000
> @@ -321,11 +356,15 @@
> """See `IGitAPI`."""
> # XXX cjwatson 2016-10-06: We only support free-floating macaroons
> # at the moment, not ones bound to a user.
> - if not username and self._verifyMacaroon(password):
> - return {"macaroon": password}
> - else:
> - # Only macaroons are supported for password authentication.
> - return faults.Unauthorized()
> + if not username:
> + verified = self._verifyMacaroon(password)
> + if verified:
> + auth_params = {"macaroon": password}
> + if verified.issuer_name == "code-import-job":
> + auth_params["uid"] = LAUNCHPAD_SERVICES
This actually won't quite work today because turnip runs any uid value it sees in auth_params through int(). I think using auth_params["user"] (and hence turnip-authenticated-user, for which there's some limited precedent) instead would work; I'll change that round when I get a moment.
> + return auth_params
> + # Only macaroons are supported for password authentication.
> + return faults.Unauthorized()
>
> def _renderPermissions(self, set_of_permissions):
> """Render a set of permission strings for XML-RPC output."""
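Review bot: in the `if verified.issuer_name == "code-import-job":` branch, the service identity is granted by matching a string literal against an attribute of whatever `_verifyMacaroon` returns, so the code now depends on that helper returning a falsy value on failure and an issuer-like object on success, not a boolean. I'd document that return contract on `_verifyMacaroon`, and compare against a constant owned by the issuer (or have the issuer state which principal it maps to) rather than repeating the name here, so that a renamed or newly added issuer cannot silently gain or lose `LAUNCHPAD_SERVICES`. The XXX comment at the top of the hunk still describes only free-floating macaroons and could mention that code-import-job macaroons are now mapped to a service identity. A test asserting that a verified macaroon from any other issuer returns only `{"macaroon": password}`, with no extra key, would pin the behaviour down.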
--
https://code.launchpad.net/~cjwatson/launchpad/refactor-git-code-import-authz/+merge/367068
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/refactor-git-code-import-authz into lp:launchpad.