One time use project upload token

.gitignore

@@ -20,6 +20,9 @@ node_modules/
 dev/example.sql
 dev/prod.sql
 dev/prod.sql.xz
+dev/notdatadog.py
+dev/smtp.py
+docs/conf.py
 ./data/
 
 warehouse/.commit

tests/unit/legacy/api/test_pypi.py

@@ -13,10 +13,17 @@
 import pretend
 import pytest
 
-from pyramid.httpexceptions import HTTPBadRequest, HTTPMovedPermanently, HTTPNotFound
+from pyramid.httpexceptions import (
+    HTTPBadRequest,
+    HTTPMovedPermanently,
+    HTTPNotFound,
+    HTTPUnauthorized,
+)
 
 from warehouse.legacy.api import pypi
+from warehouse.macaroons.interfaces import IMacaroonService
 
+from ....common.db.accounts import UserFactory
 from ....common.db.classifiers import ClassifierFactory
 
 
@@ -209,3 +216,43 @@ def test_display_no_name(self, db_request):
 
         with pytest.raises(HTTPNotFound):
             pypi.display(db_request)
+
+
+class TestToken:
+    @pytest.mark.parametrize(("project_name", "version"), [("foo", "1.0")])
+    def test_token_creation(self, db_request, macaroon_service, project_name, version):
+        user = UserFactory.create()
+        master_key, macaroon = macaroon_service.create_macaroon(
+            "fake location",
+            user.id,
+            "fake description",
+            {"version": 2, "permissions": "user"},
+        )
+        request = pretend.stub(
+            user=user,
+            domain="fake location",
+            find_service=lambda interface, **kw: {IMacaroonService: macaroon_service}[
+                interface
+            ],
+            master_key=master_key,
+            project_name=project_name,
+            version=version,
+            description="fake description!",
+        )
+        assert isinstance(pypi.create_token(request), dict)
+
+    def test_invalid_master_token(self, macaroon_service):
+        user = UserFactory.create()
+        request = pretend.stub(
+            user=user,
+            domain="fake location",
+            find_service=lambda interface, **kw: {IMacaroonService: macaroon_service}[
+                interface
+            ],
+            master_key="a fake key",
+            project_name="foo",
+            version="1.0",
+            description="fake description!",
+        )
+        with pytest.raises(HTTPUnauthorized):
+            pypi.create_token(request)

tests/unit/macaroons/test_caveats.py

@@ -10,16 +10,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import json
+from datetime import datetime, timezone
 
 import pretend
+import pymacaroons
 import pytest
 
 from pymacaroons.exceptions import MacaroonInvalidSignatureException
 
-from warehouse.macaroons.caveats import Caveat, InvalidMacaroon, V1Caveat, Verifier
+from warehouse.macaroons.caveats import (
+    Caveat,
+    InvalidMacaroon,
+    TopLevelCaveat,
+    V1Caveat,
+    V2Caveat,
+    Verifier,
+)
 
-from ...common.db.packaging import ProjectFactory
+from ...common.db.packaging import ProjectFactory, ReleaseFactory
 
 
 class TestCaveat:
@@ -36,43 +44,163 @@ def test_creation(self):
 
 class TestV1Caveat:
     @pytest.mark.parametrize(
-        ["predicate", "result"],
+        ["predicate", "valid"],
         [
             ("invalid json", False),
+            ("", False),
+            ("{}", False),
+            ('{"version": 1, "permissions": "user"}', True),
+            ('{"version": 1}', False),
+            ('{"version": 2, "permissions": "user"}', True),
             ('{"version": 2}', False),
-            ('{"permissions": null, "version": 1}', False),
+            ('{"version": 3}', False),
         ],
     )
-    def test_verify_invalid_predicates(self, predicate, result):
+    def test_verify_toplevel_caveat(self, monkeypatch, predicate, valid):
+        verifier = pretend.stub()
+        caveat = TopLevelCaveat(verifier)
+
+        if not valid:
+            with pytest.raises(InvalidMacaroon):
+                caveat(predicate)
+        else:
+            assert caveat(predicate)
+
+    @pytest.mark.parametrize(
+        "predicate", [{}, {"permissions": None}, {"permissions": {"projects": None}}]
+    )
+    def test_verify_invalid_v1_predicates(self, predicate):
         verifier = pretend.stub()
         caveat = V1Caveat(verifier)
 
         with pytest.raises(InvalidMacaroon):
             caveat(predicate)
 
-    def test_verify_valid_predicate(self):
-        verifier = pretend.stub()
+    @pytest.mark.parametrize(
+        "predicate",
+        [
+            {"version": 1, "permissions": {"projects": ["foobar"]}},
+            {"version": 1, "permissions": "user"},
+        ],
+    )
+    def test_verify_valid_v1_predicates(self, db_request, predicate):
+        project = ProjectFactory.create(name="foobar")
+        verifier = pretend.stub(context=project)
         caveat = V1Caveat(verifier)
-        predicate = '{"permissions": "user", "version": 1}'
 
-        assert caveat(predicate) is True
+        caveat(predicate)
 
-    def test_verify_project_invalid_context(self):
+    @pytest.mark.parametrize(
+        "predicate",
+        [
+            {"version": 1, "permissions": {"projects": ["notfoobar"]}},
+            {"version": 2, "permissions": {"projects": [{"name": "notfoobar"}]}},
+        ],
+    )
+    def test_verify_project_invalid_context(self, predicate):
         verifier = pretend.stub(context=pretend.stub())
-        caveat = V1Caveat(verifier)
 
-        predicate = {"version": 1, "permissions": {"projects": ["notfoobar"]}}
+        if predicate["version"] == 1:
+            caveat = V1Caveat(verifier)
+        else:
+            caveat = V2Caveat(verifier)
+
         with pytest.raises(InvalidMacaroon):
-            caveat(json.dumps(predicate))
+            caveat(predicate)
+
+    @pytest.mark.parametrize(
+        ["predicate", "valid"],
+        [
+            ({"version": 2, "expiration": 0, "permissions": "user"}, False),
+            (
+                {
+                    "version": 2,
+                    "expiration": int(datetime.now(tz=timezone.utc).timestamp()) + 3600,
+                    "permissions": "user",
+                },
+                True,
+            ),
+        ],
+    )
+    def test_verify_v2_caveat_expiration(self, predicate, valid):
+        verifier = pretend.stub()
+        caveat = V2Caveat(verifier)
+
+        if not valid:
+            with pytest.raises(InvalidMacaroon):
+                caveat(predicate)
+        else:
+            assert caveat(predicate)
+
+    @pytest.mark.parametrize(
+        ["predicate", "valid"],
+        [
+            (
+                {
+                    "version": 2,
+                    "permissions": {"projects": [{"name": "foo", "version": "1.0.0"}]},
+                },
+                False,
+            ),
+            (
+                {
+                    "version": 2,
+                    "permissions": {"projects": [{"name": "foo", "version": "1.0.1"}]},
+                },
+                True,
+            ),
+        ],
+    )
+    def test_verify_v2_caveat_release(self, db_request, predicate, valid):
+        project = ProjectFactory.create(name="foo")
+        ReleaseFactory.create(project=project, version="1.0.0")
+
+        verifier = pretend.stub(context=project)
+        caveat = V2Caveat(verifier)
+
+        if not valid:
+            with pytest.raises(InvalidMacaroon):
+                caveat(predicate)
+        else:
+            assert caveat(predicate)
+
+    @pytest.mark.parametrize(
+        ["predicate", "valid"],
+        [
+            ({"version": 2, "permissions": {"projects": [{"name": "foo"}]}}, False),
+            ({"version": 2, "permissions": {}}, False),
+            ({"version": 2, "permissions": {"projects": [{"name": "bar"}]}}, True),
+        ],
+    )
+    def test_verify_v2_caveat_project(self, db_request, predicate, valid):
+        project = ProjectFactory.create(name="bar")
+        verifier = pretend.stub(context=project)
+        caveat = V2Caveat(verifier)
 
-    def test_verify_project_invalid_project_name(self, db_request):
+        if not valid:
+            with pytest.raises(InvalidMacaroon):
+                caveat(predicate)
+        else:
+            assert caveat(predicate)
+
+    @pytest.mark.parametrize(
+        "predicate",
+        [
+            {"version": 1, "permissions": {"projects": ["notfoobar"]}},
+            {"version": 2, "permissions": {"projects": [{"name": "notfoobar"}]}},
+        ],
+    )
+    def test_verify_project_invalid_project_name(self, db_request, predicate):
         project = ProjectFactory.create(name="foobar")
         verifier = pretend.stub(context=project)
-        caveat = V1Caveat(verifier)
 
-        predicate = {"version": 1, "permissions": {"projects": ["notfoobar"]}}
+        if predicate["version"] == 1:
+            caveat = V1Caveat(verifier)
+        else:
+            caveat = V2Caveat(verifier)
+
         with pytest.raises(InvalidMacaroon):
-            caveat(json.dumps(predicate))
+            caveat(predicate)
 
     def test_verify_project_no_projects_object(self, db_request):
         project = ProjectFactory.create(name="foobar")
@@ -84,15 +212,42 @@ def test_verify_project_no_projects_object(self, db_request):
             "permissions": {"somethingthatisntprojects": ["blah"]},
         }
         with pytest.raises(InvalidMacaroon):
-            caveat(json.dumps(predicate))
+            caveat(predicate)
 
-    def test_verify_project(self, db_request):
+    @pytest.mark.parametrize(
+        "predicate",
+        [
+            {"version": 1, "permissions": {"projects": ["foobar"]}},
+            {"version": 2, "permissions": {"projects": [{"name": "foobar"}]}},
+        ],
+    )
+    def test_verify_project(self, db_request, predicate):
         project = ProjectFactory.create(name="foobar")
+        ReleaseFactory.create(project=project)
         verifier = pretend.stub(context=project)
-        caveat = V1Caveat(verifier)
 
-        predicate = {"version": 1, "permissions": {"projects": ["foobar"]}}
-        assert caveat(json.dumps(predicate)) is True
+        if predicate["version"] == 1:
+            caveat = V1Caveat(verifier)
+        else:
+            caveat = V2Caveat(verifier)
+
+        assert caveat(predicate) is True
+
+    @pytest.mark.parametrize(
+        ["predicate", "valid"],
+        [
+            ('{"version": 2, "permissions": "user"}', True),
+            ('{"version": 2, "permissions": "user", "used": true}', False),
+        ],
+    )
+    def test_verify_one_time_token_caveat(self, predicate, valid):
+        verifier = pretend.stub()
+        caveat = TopLevelCaveat(verifier)
+        if not valid:
+            with pytest.raises(InvalidMacaroon):
+                caveat(predicate)
+        else:
+            assert caveat(predicate)
 
 
 class TestVerifier:
@@ -123,3 +278,28 @@ def test_verify(self, monkeypatch):
         with pytest.raises(InvalidMacaroon):
             verifier.verify(key)
         assert verify.calls == [pretend.call(macaroon, key)]
+
+    @pytest.mark.parametrize(
+        "predicate",
+        [
+            {"version": 2, "permissions": "user"},
+            {"version": 2, "permissions": {"projects": [{"name": "bar"}]}},
+            {"version": 2, "permissions": "user", "used": "true"},
+        ],
+    )
+    def test_verify_one_time_token(self, macaroon_service, predicate):
+        project = ProjectFactory.create(name="bar")
+        macaroon_obj = pymacaroons.Macaroon(
+            location="fake location",
+            identifier="identifier",
+            key="key",
+            version=pymacaroons.MACAROON_V2,
+        )
+        macaroon = macaroon_obj
+        context = project
+        principals = pretend.stub()
+        permission = predicate
+        key = "key"
+        verifier = Verifier(macaroon, context, principals, permission)
+
+        assert verifier.verify(key)