
launchpad-reviewers team mailing list archive

[Merge] ~ines-almeida/launchpad-buildd:fetch-service-update-token-revocation-auth into launchpad-buildd:master

 

Ines Almeida has proposed merging ~ines-almeida/launchpad-buildd:fetch-service-update-token-revocation-auth into launchpad-buildd:master.

Commit message:
Update fetch service token revocation to send token in payload instead of auth headers

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~ines-almeida/launchpad-buildd/+git/launchpad-buildd/+merge/466765
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~ines-almeida/launchpad-buildd:fetch-service-update-token-revocation-auth into launchpad-buildd:master.
diff --git a/lpbuildd/tests/test_util.py b/lpbuildd/tests/test_util.py
index 8a5d766..09718b4 100644
--- a/lpbuildd/tests/test_util.py
+++ b/lpbuildd/tests/test_util.py
@@ -2,6 +2,7 @@
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 import base64
+import json
 
 import responses
 from testtools import TestCase
@@ -112,4 +113,5 @@ class TestRevokeToken(TestCase):
             "http://control.fetch-service.example/session_id/token";,
             request.url,
         )
-        self.assertEqual(f"Basic {token}", request.headers["Authorization"])
+        request_body = json.loads(request.body.decode("utf8"))
+        self.assertEqual({"token": token}, request_body)
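Review bot: The new assertions check the JSON body but no longer say anything about the `Authorization` header, so the test would still pass if the fetch-service path sent the token both in the payload and in a header. Since the point of the change is that this request carries no auth header, pin that as well with `self.assertNotIn("Authorization", request.headers)` next to the body check. The test method starts above the hunk, so the setup of `token` and `request` is not visible here.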
diff --git a/lpbuildd/util.py b/lpbuildd/util.py
index b09b33f..f94b997 100644
--- a/lpbuildd/util.py
+++ b/lpbuildd/util.py
@@ -85,22 +85,28 @@ def revoke_proxy_token(
         The proxy_url for the Fetch Service has the following format:
         http://{session_id}:{token}@{host}:{port}
 
-        We use the token from the proxy_url for authentication to revoke
-        elself.
+        We use the token from the proxy_url and send it as a json payload (no
+        authentication required).
 
     :raises RevokeProxyTokenError: if attempting to revoke the token failed.
     """
     url = urlparse(proxy_url)
 
+    headers = None
+    json_data = None
+
     if not use_fetch_service:
         auth_string = f"{url.username}:{url.password}"
         token = base64.b64encode(auth_string.encode()).decode()
+        headers = {"Authorization": f"Basic {token}"}
     else:
-        token = url.password
-
-    headers = {"Authorization": f"Basic {token}"}
+        # When using the fetch service, we don't require authentication, but we
+        # need to send the token we want to revoke in the payload.
+        json_data = {"token": url.password}
 
     try:
-        requests.delete(revocation_endpoint, headers=headers, timeout=15)
+        requests.delete(
+            revocation_endpoint, headers=headers, json=json_data, timeout=15
+        )
     except requests.RequestException as e:
         raise RevokeProxyTokenError(url.username, e)
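Review bot: The `requests.delete(...)` call at the end of the hunk discards the response, so a 4xx or 5xx reply from the revocation endpoint raises nothing and the caller treats a token that may still be live as revoked. `requests.HTTPError` is a subclass of `requests.RequestException`, so `response = requests.delete(revocation_endpoint, headers=headers, json=json_data, timeout=15)` followed by `response.raise_for_status()` inside the existing `try` would turn that case into `RevokeProxyTokenError` without touching the handler. In the fetch-service branch `url.password` is `None` when `proxy_url` carries no token, which sends `{"token": null}`; an explicit check before the request would surface that instead of issuing a revocation that cannot match anything. The function signature and its callers are outside the hunk, so whether anything relies on HTTP error statuses being ignored should be confirmed before adding the status check.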