Review: Approve code
Diff comments: > > === modified file 'lib/lp/services/authserver/xmlrpc.py' > --- lib/lp/services/authserver/xmlrpc.py 2018-05-10 10:05:45 +0000 > +++ lib/lp/services/authserver/xmlrpc.py 2019-04-11 13:41:06 +0000 > @@ -43,6 +44,28 @@ > for key in person.sshkeys], > } > > + def issueMacaroon(self, issuer_name, context): > + """See `IAuthServer.issueMacaroon`.""" > + try: > + issuer = getUtility(IMacaroonIssuer, issuer_name) > + except ComponentLookupError: > + return faults.PermissionDenied() > + # Only permit issuers that have been specifically designed for use > + # with the authserver: they must need to be issued by parts of > + # Launchpad other than appservers but be verified by appservers, > + # they must take parameters that can be passed over XML-RPC, and > + # they must issue macaroons with carefully-designed constraints to > + # minimise privilege-escalation attacks. > + if not issuer.issuable_via_authserver: > + return faults.PermissionDenied() > + try: > + # issueMacaroon isn't normally public, but we clearly need it > + # here. > + macaroon = removeSecurityProxy(issuer).issueMacaroon(context) > + except ValueError: > + return faults.PermissionDenied() ValueError continues to be quite broad. > + return macaroon.serialize() > + > def verifyMacaroon(self, macaroon_raw, context): > """See `IAuthServer.verifyMacaroon`.""" > try: -- https://code.launchpad.net/~cjwatson/launchpad/authserver-issue-macaroon/+merge/364353 Your team Launchpad code reviewers is subscribed to branch lp:launchpad. _______________________________________________ Mailing list: https://launchpad.net/~launchpad-reviewers Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-reviewers More help : https://help.launchpad.net/ListHelp
