launchpad-reviewers team mailing list archive

Thread
Date

[Merge] ~ines-almeida/launchpad-buildd:update-close-session-for-fetch-service into launchpad-buildd:master

To: mp+464529@xxxxxxxxxxxxxxxxxx
From: Ines Almeida <mp+464529@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Apr 2024 12:25:19 -0000
Reply-to: mp+464529@xxxxxxxxxxxxxxxxxx
Sender: noreply@xxxxxxxxxxxxx

Ines Almeida has proposed merging ~ines-almeida/launchpad-buildd:update-close-session-for-fetch-service into launchpad-buildd:master.

Commit message:
Update fetch service revoke token authentication
    
We now use the proxy token as authentication to the fetch service control API to revoke itself.
This is the only control endpoint that can be authenticated with the proxy token, as all it can do it revoke itself.


Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~ines-almeida/launchpad-buildd/+git/launchpad-buildd/+merge/464529
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~ines-almeida/launchpad-buildd:update-close-session-for-fetch-service into launchpad-buildd:master.

diff --git a/lpbuildd/tests/test_util.py b/lpbuildd/tests/test_util.py
index ab65f5f..8a5d766 100644
--- a/lpbuildd/tests/test_util.py
+++ b/lpbuildd/tests/test_util.py
@@ -92,7 +92,8 @@ class TestRevokeToken(TestCase):
     def test_revoke_fetch_service_token(self):
         """Proxy token revocation for the fetch service"""
 
-        proxy_url = "http://session_id:token@proxy.fetch-service.example";
+        token = "token"
+        proxy_url = f"http://session_id:{token}@proxy.fetch-service.example";
         revocation_endpoint = (
             "http://control.fetch-service.example/session_id/token";
         )
@@ -111,3 +112,4 @@ class TestRevokeToken(TestCase):
             "http://control.fetch-service.example/session_id/token";,
             request.url,
         )
+        self.assertEqual(f"Basic {token}", request.headers["Authorization"])
diff --git a/lpbuildd/util.py b/lpbuildd/util.py
index 664f92b..b09b33f 100644
--- a/lpbuildd/util.py
+++ b/lpbuildd/util.py
@@ -1,6 +1,7 @@
 # Copyright 2015-2017 Canonical Ltd.  This software is licensed under the
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
+import base64
 import os
 import subprocess
 import sys
@@ -81,21 +82,25 @@ def revoke_proxy_token(
         authentication to revoke its token.
 
     If using the fetch service:
-        The call to revoke a token does not require authentication.
+        The proxy_url for the Fetch Service has the following format:
+        http://{session_id}:{token}@{host}:{port}
 
-        XXX ines-almeida 2024-04-15: this might change depending on
-        conversations about fetch service authentication. We might decide to
-        instead use the token itself as the authentication.
+        We use the token from the proxy_url for authentication to revoke
+        elself.
 
     :raises RevokeProxyTokenError: if attempting to revoke the token failed.
     """
     url = urlparse(proxy_url)
 
-    auth = None
     if not use_fetch_service:
-        auth = (url.username, url.password)
+        auth_string = f"{url.username}:{url.password}"
+        token = base64.b64encode(auth_string.encode()).decode()
+    else:
+        token = url.password
+
+    headers = {"Authorization": f"Basic {token}"}
 
     try:
-        requests.delete(revocation_endpoint, auth=auth, timeout=15)
+        requests.delete(revocation_endpoint, headers=headers, timeout=15)
     except requests.RequestException as e:
         raise RevokeProxyTokenError(url.username, e)