
New Caveats #6255 #6613

Closed
wants to merge 82 commits into from

Conversation

rachelcipkins

Added new caveats for new releases and expiration time of a macaroon.

@woodruffw woodruffw requested a review from dstufft September 11, 2019 14:20
@woodruffw
Member

Whoops, requested the wrong reviewer -- that should be me.


@woodruffw woodruffw left a comment


I'm going to push some nitpick commits, but otherwise LGTM! Great work here @rcipkins!

@woodruffw
Member

@ewdurbin @dstufft I believe this is good for an initial review!

Some notes:

  • We should probably (better) figure out what the semantics of a release-limited token are -- the upload endpoint accepts one file at a time and creates the release on the first file, so creating a version-limited token will cause package upload to bomb out if the release is more than one file.

  • Similarly, PyPI already imposes some release constraints: duplicate filenames can never be re-released. This partially obviates the general need for version-scoped tokens, although it doesn't cover the case where a malicious user uploads a new filename for the same release.
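As an added illustration of the caveat semantics discussed in the review notes above (this is not code from this pull request or from Warehouse), the following hypothetical token follows the macaroon construction: an HMAC chain over an identifier and each appended caveat, so a holder can only narrow a token, and the verifier recomputes the chain before evaluating caveats. The caveat types `release`, `project` and `expiration`, the root key, the user identifier and the filenames are all constructed for the example. It shows a release-scoped token accepting each file of a multi-file release (the caveat is keyed on project and version, not on filename), rejecting a different version, rejecting use after expiry, and failing closed both on a stripped caveat and on a caveat type the verifier does not understand.

```python
"""Toy macaroon-style token with project / release / expiration caveats.

Hypothetical illustration only: it follows the macaroon construction
(HMAC chain over the identifier and each appended caveat) but is not
Warehouse's implementation.
"""
import hashlib
import hmac
import json
from typing import Optional

ROOT_KEY = b"constructed-demo-root-key"  # constructed for the example, not a real key


def _chain(prev: bytes, data: bytes) -> bytes:
    """One link of the macaroon HMAC chain: HMAC(previous signature, data)."""
    return hmac.new(prev, data, hashlib.sha256).digest()


def _encode(caveat: dict) -> bytes:
    """Canonical encoding so minter and verifier hash identical bytes."""
    return json.dumps(caveat, sort_keys=True, separators=(",", ":")).encode()


def mint(root_key: bytes, identifier: str) -> dict:
    """Mint a token bound to an identifier, with no caveats yet."""
    return {"id": identifier, "caveats": [], "sig": _chain(root_key, identifier.encode())}


def add_caveat(token: dict, caveat: dict) -> dict:
    """Append a first-party caveat; the holder can only restrict the token further."""
    return {
        "id": token["id"],
        "caveats": token["caveats"] + [caveat],
        "sig": _chain(token["sig"], _encode(caveat)),
    }


def _check_caveat(caveat: dict, ctx: dict) -> Optional[str]:
    """Return None if the caveat holds for the request context, else a reason."""
    kind = caveat.get("type")
    if kind == "expiration":
        if ctx["now"] >= caveat["exp"]:
            return "token expired"
    elif kind == "project":
        if ctx["project"] not in caveat["projects"]:
            return f"token not valid for project {ctx['project']!r}"
    elif kind == "release":
        if (ctx["project"], ctx["version"]) != (caveat["project"], caveat["version"]):
            return "token not valid for this release"
    else:
        return f"unknown caveat type {kind!r}"  # fail closed on anything unrecognised
    return None


def verify(root_key: bytes, token: dict, ctx: dict) -> tuple:
    """Recompute the HMAC chain, then evaluate every caveat against ctx."""
    sig = _chain(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _chain(sig, _encode(caveat))
    if not hmac.compare_digest(sig, token["sig"]):
        return False, "bad signature"
    for caveat in token["caveats"]:
        reason = _check_caveat(caveat, ctx)
        if reason is not None:
            return False, reason
    return True, "ok"


def demo() -> list:
    """Walk a release-scoped, expiring token through several upload contexts."""
    base = mint(ROOT_KEY, "user:alice")  # constructed identifier
    scoped = add_caveat(base, {"type": "release", "project": "example-pkg", "version": "1.2.0"})
    scoped = add_caveat(scoped, {"type": "expiration", "exp": 1_700_000_000})
    results = []
    # Two files of the same release: both satisfy a caveat keyed on project+version.
    for fname in ("example_pkg-1.2.0-py3-none-any.whl", "example-pkg-1.2.0.tar.gz"):
        ctx = {"project": "example-pkg", "version": "1.2.0", "filename": fname, "now": 1_699_999_000}
        results.append((fname, *verify(ROOT_KEY, scoped, ctx)))
    # A different version of the same project is rejected.
    ctx = {"project": "example-pkg", "version": "1.3.0", "filename": "x", "now": 1_699_999_000}
    results.append(("wrong-version", *verify(ROOT_KEY, scoped, ctx)))
    # Use after the expiration timestamp is rejected.
    ctx = {"project": "example-pkg", "version": "1.2.0", "filename": "x", "now": 1_700_000_001}
    results.append(("expired", *verify(ROOT_KEY, scoped, ctx)))
    # A holder who drops the expiration caveat but keeps the signature fails the chain check.
    tampered = {"id": scoped["id"], "caveats": scoped["caveats"][:1], "sig": scoped["sig"]}
    results.append(("stripped-caveat", *verify(ROOT_KEY, tampered, ctx)))
    return results


if __name__ == "__main__":
    for label, ok, reason in demo():
        print(f"{label:40s} {'accept' if ok else 'reject'}: {reason}")
```

The verifier checks the signature chain before looking at any caveat, so a token with a removed or edited caveat is rejected as a forgery rather than evaluated on its remaining caveats; and an unrecognised caveat type is a rejection, not a no-op, which is the property a release- or expiry-scoped token needs when new caveat kinds are introduced over time.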

@ewdurbin
Member

ref #6255

@rachelcipkins rachelcipkins changed the title (WIP) New Caveats #6255 New Caveats #6255 Oct 15, 2019
@woodruffw
Member

#6935 supersedes this and includes additional caveat work; thanks @rcipkins!

@woodruffw woodruffw closed this Nov 18, 2019
@woodruffw woodruffw deleted the tob-new-caveats branch November 18, 2019 16:14