Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Macaroon-based API keys #6084

Merged
merged 58 commits into from
Jul 25, 2019
Merged

Macaroon-based API keys #6084

merged 58 commits into from
Jul 25, 2019

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Jun 24, 2019
edited
Loading

Based on dstufft#2.

TODO:

  • Package-scoped tokens
  • Unit tests

@woodruffw woodruffw mentioned this pull request Jun 24, 2019
Closed
@brainwane brainwane mentioned this pull request Jun 24, 2019
Closed
@woodruffw
Copy link
Member Author

woodruffw commented Jun 27, 2019
edited
Loading

Thanks @moshez and @webknjaz! I'll be addressing your feedback, but could you hold off on providing more until the "[WIP]" is removed from the title? I'll be changing things pretty quickly, so I don't want to get caught in a review churn over code that isn't fully formed yet 😄

@di
Copy link
Member

di commented Jul 2, 2019

@webknjaz, did you see @woodruffw's request above?

I'll be addressing your feedback, but could you hold off on providing more until the "[WIP]" is removed from the title?

@webknjaz

This comment has been minimized.

Sign in to view
@woodruffw woodruffw changed the title [WIP]: Macaroon-based API keys Macaroon-based API keys Jul 13, 2019
@woodruffw woodruffw force-pushed the tob-api-keys branch 2 times, most recently from 87a0f70 to 77c7018 Compare July 17, 2019 14:29
@woodruffw
Copy link
Member Author

This should be ready for initial testing, for the adventurous.

Some quick notes:

  • The UI is functional, but needs to be updated to conform to PyPI's design
  • Our current auth-policy is drop-in compatible with Twine and distutils. When using a token, your "username" will be @token and your "password" will be the token itself

brainwane
brainwane reviewed Jul 18, 2019
View reviewed changes
Copy link
Contributor

@brainwane brainwane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hope this helps!

brainwane
brainwane suggested changes Jul 18, 2019
View reviewed changes
Copy link
Contributor

@brainwane brainwane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a maintainer of multiple projects: econ-ark and Forms990-analysis. I created an API token that was scoped to econ-ark and then tried to use it to upload a Forms990-analysis package, and got:
HTTPError: 403 Client Error: The user 'brainwane' isn't allowed to upload to project 'Forms990-analysis'. See http://localhost/help/#project-name for more information. for url: http://localhost/legacy/

This is not technically accurate -- this user account is allowed to upload to that project, but the token isn't. And maybe we don't want to leak the username in this error message. If we see that it's a token being used, can/should we change the error message in this case to something like "This token isn't allowed to upload to project 'name'"?

In the Docker logs, just for completeness: web_1 | [IP address] - @token [18/Jul/2019:01:03:01 +0000] "POST /legacy/ HTTP/1.1" 403 933 "-" "twine/1.13.0 pkginfo/1.5.0.1 requests/2.18.4 setuptools/41.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.3"

This was referenced Jul 18, 2019
Closed
Closed
@nlhkabu nlhkabu self-assigned this Jul 18, 2019
@woodruffw
Copy link
Member Author

This is not technically accurate -- this user account is allowed to upload to that project, but the token isn't. And maybe we don't want to leak the username in this error message. If we see that it's a token being used, can/should we change the error message in this case to something like "This token isn't allowed to upload to project 'name'"?

Yep, this needs to be changed here:

https://github.com/pypa/warehouse/blob/0d9c726153394cf6aca178c9015c467707fbaa2e/warehouse/forklift/legacy.py#L944-L954

It might be difficult to parametrize the error message in this context, so I could replace "user" with "credential owned by user" -- thoughts?

Re: leaking the username: this check happens after an authorization check, so we already have a valid credential (just not one for this package). As such it isn't an infoleak per se (and might be useful to users doing complicated deployments, since their error messages will tell them which underlying user identity failed).

@webknjaz webknjaz mentioned this pull request Jul 19, 2019
Closed
woodruffw and others added 22 commits July 25, 2019 10:28
@woodruffw @ewdurbin
tests: Fix routes, forms tests
d1e1c4c
@woodruffw @ewdurbin
tests: Fix service/views tests, fill in coverage
da707d0
@woodruffw @ewdurbin
warehouse: Re-add identifier to table, dump scope
8fd2a2b
@woodruffw @ewdurbin
warehouse: Remove unused import
ac07cf3
@woodruffw @ewdurbin
warehouse: Macro indentation
33f25c5
@woodruffw @ewdurbin
warehouse: Update comment
e935cd8
@nlhkabu @ewdurbin
Update API token UI
45765b9
@woodruffw @ewdurbin
warehouse: Flexible token removal
b5a3dfc
@woodruffw @ewdurbin
warehouse: Include token description in success flash
a4bb86e
@woodruffw @ewdurbin
tests: Update macaroon services tests
2d4c28f
@woodruffw @ewdurbin
warehouse: Use macaroon object directly for description
480c4b7
@woodruffw @ewdurbin
tests: Update views tests
44101ae
@woodruffw @ewdurbin
warehouse, tests: two_factor_provisioning_allowed -> has_primary_veri…
2ede760 
…fied_email
@woodruffw @ewdurbin
tests: Auto-format
5cef6aa
@woodruffw @ewdurbin
warehouse: Guard token creation with a verified email
5208b65
@woodruffw @ewdurbin
tests: Update views tests
271600b
@woodruffw @ewdurbin
warehouse: confirm_modal formatting
e8ee987
@brainwane @ewdurbin
Add API token creation instructions to FAQ
42cbcc7
@woodruffw @ewdurbin
warehouse: Flatten confirm_modal call
5127d9b
@woodruffw @ewdurbin
warehouse: Remove dangling paren
8ac5045
@woodruffw @ewdurbin
warehouse: Fix sass-lint error
4b90eb7
@ewdurbin
fix linting issue for _api-token.scss
8f7595a
@ewdurbin ewdurbin merged commit fcb0811 into pypi:master Jul 25, 2019
@woodruffw woodruffw mentioned this pull request Jul 25, 2019
Merged
@ewdurbin ewdurbin mentioned this pull request Jul 25, 2019
Closed
ewdurbin added a commit that referenced this pull request Jul 25, 2019
@ewdurbin
Revert "Macaroon-based API keys (#6084)"
cd40947 
This reverts commit fcb0811.
@ewdurbin ewdurbin mentioned this pull request Jul 25, 2019
Merged
ewdurbin added a commit that referenced this pull request Jul 25, 2019
@ewdurbin
Revert #6084 and #6254 (#6258)
72723be 
* Revert "Fixed a typo in a comment (#6254)"

This reverts commit c04e168.

* Revert "Macaroon-based API keys (#6084)"

This reverts commit fcb0811.
@woodruffw woodruffw mentioned this pull request Jul 25, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@di di di left review comments

@moshez moshez moshez left review comments

@webknjaz webknjaz webknjaz left review comments

@merwok merwok merwok left review comments

@ewjoachim ewjoachim ewjoachim left review comments

@brainwane brainwane brainwane approved these changes

@ewdurbin ewdurbin ewdurbin approved these changes

@dstufft dstufft Awaiting requested review from dstufft

Assignees

@nlhkabu nlhkabu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@woodruffw @di @webknjaz @nlhkabu @ewdurbin @dstufft @moshez @merwok @brainwane @ewjoachim