
remote-build: Use personal access tokens #4270

Merged

Conversation

cjwatson (Contributor)

The initial mechanism used by Launchpad to grant temporary access tokens to snapcraft remote-build was a bit of a hack. They were essentially pure bearer tokens (implemented as macaroons) that weren't recorded anywhere on the Launchpad side, which meant that there was no mechanism for revoking them. We mitigated this with a hardcoded expiry time, but it wasn't great.

We now have a new "personal access tokens" mechanism, which is much better. These tokens show up in a "Manage access tokens" page on the repository and can be revoked by the owner; they have more specific control of the access scopes they grant, and the caller can specify an expiry time. The old mechanism is now deprecated, and we intend to remove it after a suitable transition period.

This commit changes snapcraft remote-build to use the new mechanism. The unit tests can essentially only confirm that it's passing the expected arguments to the Launchpad API, so I've also run an end-to-end manual test against Launchpad production to make sure that those arguments have the intended effect.

We can use a very tight expiry time here, since it only has to last for long enough for the git push process to start. It's OK to increase it a little if needed, but it's generally good for token lifetimes to be short where possible.

  • Have you followed the guidelines for contributing?
  • Have you signed the CLA?
  • Have you successfully run make lint?
  • Have you successfully run pytest tests/unit?

Signed-off-by: Colin Watson <cjwatson@canonical.com>
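The description above contrasts two token designs: an unrecorded bearer macaroon whose only lifetime control is a hardcoded expiry, and a recorded personal access token with owner-visible listing, explicit scopes, a caller-chosen expiry, and revocation. The following is an added example written for this page, not snapcraft or Launchpad code, that models both designs so the difference can be exercised. The signing key, the `repository:push` scope name, the one-minute TTL and the `TokenStore` methods are all assumptions made for illustration; the real Launchpad API is not called.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stand-in for the issuer's signing key (a macaroon root key in the real
# system).  Constructed for this example; not a Launchpad value.
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


# --- Old scheme: pure bearer token, nothing recorded on the issuer's side ---

def old_issue(expires_at: datetime) -> str:
    """Expiry is baked into the token; the issuer keeps no record of it."""
    payload = expires_at.isoformat()
    return f"{payload}.{_mac(payload)}"


def old_check(token: str, now: datetime) -> bool:
    """No server-side record means nothing can be marked revoked: a leaked
    token stays valid until the hardcoded expiry passes."""
    payload, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag, _mac(payload)):
        return False
    return now < datetime.fromisoformat(payload)


# --- New scheme: recorded, scoped, expiring, revocable access tokens ---

@dataclass
class AccessToken:
    token_id: int
    secret_hash: str          # only a hash is stored, never the secret
    description: str
    scopes: frozenset
    date_expires: datetime
    revoked: bool = False


class TokenStore:
    """Models the repository-side list behind a 'Manage access tokens' page."""

    def __init__(self) -> None:
        self._tokens: dict = {}
        self._next_id = 1

    def issue(self, description: str, scopes, date_expires: datetime) -> str:
        secret = secrets.token_urlsafe(32)
        token_id = self._next_id
        self._next_id += 1
        self._tokens[token_id] = AccessToken(
            token_id, hashlib.sha256(secret.encode()).hexdigest(),
            description, frozenset(scopes), date_expires)
        return f"{token_id}.{secret}"

    def list_tokens(self) -> list:
        """What the owner sees: descriptions and expiries, no secrets."""
        return [(t.token_id, t.description, t.date_expires, t.revoked)
                for t in self._tokens.values()]

    def revoke(self, token_id: int) -> None:
        self._tokens[token_id].revoked = True

    def authorize(self, token: str, scope: str, now: datetime) -> str:
        """Each check below is possible only because the token was recorded."""
        token_id, _, secret = token.partition(".")
        rec = self._tokens.get(int(token_id)) if token_id.isdigit() else None
        if rec is None:
            return "unknown"
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(rec.secret_hash, presented):
            return "bad-secret"
        if rec.revoked:
            return "revoked"
        if now >= rec.date_expires:
            return "expired"
        if scope not in rec.scopes:
            return "wrong-scope"
        return "ok"


def push_token_args(build_id: str, now: datetime,
                    ttl: timedelta = timedelta(minutes=1)) -> dict:
    """Arguments a caller like remote-build would pass when requesting its
    token: a single scope and an expiry just long enough for the push to
    start.  Scope name and one-minute TTL are assumptions for this example."""
    return {"description": f"snapcraft remote-build for {build_id}",
            "scopes": ["repository:push"],
            "date_expires": now + ttl}


def demo() -> dict:
    now = datetime(2023, 7, 11, 21, 41, tzinfo=timezone.utc)
    old = old_issue(now + timedelta(hours=1))        # old: leaked, unrevocable
    store = TokenStore()
    token = store.issue(**push_token_args("build-1", now))
    results = {
        "old_leaked_still_valid": old_check(old, now + timedelta(minutes=30)),
        "new_push_ok": store.authorize(token, "repository:push", now + timedelta(seconds=30)),
        "new_wrong_scope": store.authorize(token, "repository:build_status", now),
        "new_expired": store.authorize(token, "repository:push", now + timedelta(minutes=2)),
        "new_tampered": store.authorize("1.not-the-secret", "repository:push", now),
    }
    store.revoke(1)                                  # owner revokes from the list
    results["new_revoked"] = store.authorize(token, "repository:push", now + timedelta(seconds=30))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the property the PR relies on: the old token, once leaked, stays usable until its baked-in expiry, while the recorded token can be denied for a wrong scope, for expiry a minute after issue, or for revocation by the owner, and the store never holds the secret itself.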
@cjwatson cjwatson force-pushed the remote-build-personal-access-token branch from 05c4376 to 4aede8b on July 11, 2023 21:41
codecov-commenter commented Jul 11, 2023

Codecov Report

Merging #4270 (4aede8b) into main (4d0d751) will not change coverage.
The diff coverage is 100.00%.


@@           Coverage Diff           @@
##             main    #4270   +/-   ##
=======================================
  Coverage   88.98%   88.98%           
=======================================
  Files         296      296           
  Lines       20192    20192           
=======================================
  Hits        17968    17968           
  Misses       2224     2224           
Impacted Files Coverage Δ
...apcraft_legacy/internal/remote_build/_launchpad.py 88.27% <100.00%> (ø)


@sergiusens sergiusens (Collaborator) left a comment

thanks Colin!

@sergiusens sergiusens merged commit 7c80a05 into canonical:main Jul 12, 2023
12 checks passed
@cjwatson cjwatson deleted the remote-build-personal-access-token branch August 4, 2023 15:55