Pushed the requested changes. I'll top-approve this. Diff comments:
> diff --git a/lib/lp/oci/model/ocirecipebuild.py
> b/lib/lp/oci/model/ocirecipebuild.py
> index c38bfa5..2e41955 100644
> --- a/lib/lp/oci/model/ocirecipebuild.py
> +++ b/lib/lp/oci/model/ocirecipebuild.py
> @@ -253,6 +263,11 @@ class OCIRecipeBuild(PackageBuildMixin, Storm):
> ]
> return self.status in cancellable_statuses
>
> + @property
> + def is_private(self):
> + """See `IBuildFarmJob`."""
> + return self.recipe.git_ref.private
Sure. I'll change the condition and add a XXX, also including a link to the old MP for reference.
> +
> def retry(self):
> """See `IOCIRecipeBuild`."""
> assert self.can_be_retried, "Build %s cannot be retried" % self.id
> @@ -578,3 +593,62 @@ class OCIRecipeBuildSet(SpecificBuildFarmJobSourceMixin):
> OCIRecipeBuild, OCIRecipeBuild.build_farm_job_id.is_in(
> bfj.id for bfj in build_farm_jobs))
> return DecoratedResultSet(rows, pre_iter_hook=self.preloadBuildsData)
> +
> +
> +@implementer(IMacaroonIssuer)
> +class OCIRecipeBuildMacaroonIssuer(MacaroonIssuerBase):
> +
> + identifier = "ocirecipe-build"
Changing it.
> + issuable_via_authserver = True
> +
> + def checkIssuingContext(self, context, **kwargs):
> + """See `MacaroonIssuerBase`.
> +
> + For issuing, the context is an `IOCIRecipeBuild`.
> + """
> + if not IOCIRecipeBuild.providedBy(context):
> + raise BadMacaroonContext(context)
> + if not removeSecurityProxy(context).is_private:
> + raise BadMacaroonContext(
> + context, "Refusing to issue macaroon for public build.")
> + return removeSecurityProxy(context).id
> +
> + def checkVerificationContext(self, context, **kwargs):
> + """See `MacaroonIssuerBase`."""
> + if not IGitRepository.providedBy(context):
> + raise BadMacaroonContext(context)
> + return context
> +
> + def verifyPrimaryCaveat(self, verified, caveat_value, context, user=None,
> + **kwargs):
> + """See `MacaroonIssuerBase`.
> +
> + For verification, the context is an `IGitRepository`. We check that
> + the repository is needed to build the `IOCIRecipeBuild` that is the
> + context of the macaroon, and that the context build is currently
> + building.
> + """
> + # Circular import.
> + from lp.oci.model.ocirecipe import OCIRecipe
> +
> + # OCIRecipeBuild builds only support free-floating macaroons for Git
> + # authentication, not ones bound to a user.
> + if user:
> + return False
> + verified.user = NO_USER
> +
> + if context is None:
> + # We're only verifying that the macaroon could be valid for some
> + # context.
> + return True
> +
> + try:
> + build_id = int(caveat_value)
> + except ValueError:
> + return False
> + return not IStore(OCIRecipeBuild).find(
> + OCIRecipeBuild,
> + OCIRecipeBuild.id == build_id,
> + OCIRecipeBuild.recipe_id == OCIRecipe.id,
> + OCIRecipe.git_repository == context,
> + OCIRecipeBuild.status == BuildStatus.BUILDING).is_empty()
-- https://code.launchpad.net/~pappacena/launchpad/+git/launchpad/+merge/396932 Your team Launchpad code reviewers is subscribed to branch ~pappacena/launchpad:ocirecipebuild-macaroon-issuer. _______________________________________________ Mailing list: https://launchpad.net/~launchpad-reviewers Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-reviewers More help : https://help.launchpad.net/ListHelp
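Review bot: In `verifyPrimaryCaveat`, the `if context is None: return True` branch runs before `caveat_value` is parsed, so a macaroon whose primary caveat is not an integer build id is still reported as potentially valid when no context is supplied. Moving the `try: build_id = int(caveat_value)` / `except ValueError: return False` block above the `context is None` check would reject malformed caveats on both paths; whether any caller relies on the context-less result for more than a pre-check is not visible here. Separately, `checkIssuingContext` strips the security proxy twice; binding it once (`build = removeSecurityProxy(context)`) with a comment saying why bypassing the proxy is safe at this point would make the trust decision easier to audit.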

