Merge lp:~lifeless/launchpad/private-librarian into lp:launchpad/db-devel
- private-librarian
- Merge into db-devel
Status: | Merged |
---|---|
Approved by: | Stuart Bishop |
Approved revision: | no longer in the source branch. |
Merged at revision: | 9757 |
Proposed branch: | lp:~lifeless/launchpad/private-librarian |
Merge into: | lp:launchpad/db-devel |
Diff against target: |
1731 lines (+804/-148) 29 files modified
database/schema/launchpad_session.sql (+16/-0) lib/canonical/database/sqlbase.py (+10/-2) lib/canonical/launchpad/browser/librarian.py (+88/-12) lib/canonical/launchpad/database/ftests/test_timelimitedtoken.py (+29/-0) lib/canonical/launchpad/database/librarian.py (+69/-1) lib/canonical/launchpad/doc/librarian.txt (+175/-24) lib/canonical/launchpad/ftests/test_libraryfilealias.py (+1/-6) lib/canonical/launchpad/interfaces/librarian.py (+5/-1) lib/canonical/launchpad/interfaces/lpstorm.py (+0/-1) lib/canonical/launchpad/scripts/garbo.py (+47/-5) lib/canonical/launchpad/scripts/tests/test_garbo.py (+23/-2) lib/canonical/launchpad/utilities/looptuner.py (+4/-0) lib/canonical/launchpad/webapp/session.py (+2/-1) lib/canonical/launchpad/zcml/librarian.zcml (+5/-0) lib/canonical/librarian/client.py (+37/-9) lib/canonical/librarian/db.py (+33/-5) lib/canonical/librarian/ftests/test_db.py (+14/-12) lib/canonical/librarian/ftests/test_storage.py (+3/-2) lib/canonical/librarian/ftests/test_web.py (+157/-25) lib/canonical/librarian/interfaces.py (+13/-2) lib/canonical/librarian/storage.py (+2/-2) lib/canonical/librarian/web.py (+37/-9) lib/canonical/testing/layers.py (+6/-4) lib/lp/bugs/browser/bugattachment.py (+1/-16) lib/lp/bugs/browser/configure.zcml (+0/-4) lib/lp/bugs/browser/tests/test_bugattachment_file_access.py (+17/-2) lib/lp/scripts/utilities/importfascist.py (+1/-0) lib/lp/services/features/webapp.py (+8/-0) lib/lp/testing/fakelibrarian.py (+1/-1) |
To merge this branch: | bzr merge lp:~lifeless/launchpad/private-librarian |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Stuart Bishop (community) | Approve | ||
Graham Binns (community) | release-critical | Approve | |
Launchpad code reviewers | Pending | ||
Review via email: mp+31020@code.launchpad.net |
Commit message
Introduce a public restricted librarian uses a time limited token approach.
Description of the change
The basic idea is to have an https librarian that uses an access token for a time limited period, rather than proxying on the appservers which is terrible in several ways that aren't all that relevant except to say its hard to improve and incompatible with our peformance goals.
So in this model, we hand out a token when someone (including wget) accesses a private attachment on launchpad, and issue a temporary redirect (over ssl) to https:/
The token goes in the session DB, the garbo cleans that up, and we all are happy happy happy.
Oh, and the librarian rejects requests without a token for private files.
We can't use OAuth because then the OAuth token would be attackable by content in the private librarian.
RT 41202 contains the request for wildcard DNS keys.
The remaining work to make this fully reviewable is to:
- profit
Folk wanting to test or collaborate on this branch should:
- dropdb session_dev
- dropdb session_ftest
- pull the branch
- run 'make schema' which will create the timelimitedtoken table in your session dbs.
Stuart Bishop (stub) wrote : | # |
So one thing we will need to do is raise an exception if we try to generate a secure url as an anonymous user. This is a safety net, as I don't think we are doing this at the moment. It will stop accidentally ending up with stale URLs in the Squid caches.
I think I understand why the session store was (ab)used here - it runs in autocommit mode and we rollback the database connections on GET requests to ensure they are idempotent. I still don't like it but can't really offer a better solution with our existing infrastructure except perhaps using memcached. Certainly session.sql should not be modified though, with all the new stuff going into launchpad_
Robert Collins (lifeless) wrote : | # |
I used the session DB because this stuff is transient : memcached might be an answer too but the token *system* has to be available or private file downloads will fail, and memcached is currently (AIUI) a 'when its there use it' system - which is fine. Replicating the tokens isn't terribly useful given we're just going to delete them again, but all of that is a bit beside the point : yes, we do need to commit changes in get requests :).
Will move the definitions to launchpad_
We could store the expiry time, but I figured we'd make the lifetime a config option and thus work from the creation point rather than expiry.
I figured we might want reporting on stuff in the table - thats why I used url, token, rather than a single column. Easy to change if you have a strong opinion any which way - I don't.
I can't answer the url/path segment question yet : once its fully hooked up it should be obvious what is easiest. The current schema is what was easiest based on the attributes of the objects I am using (LibraryFileAlias etc).
We could make the librarian offer a redirect *back* to launchpad for expired tokens, rather than a go-away message - adding the source canonical_url to the table would permit that trivially.
Re: exceptions for anonymous users calling TimeLimitedToke
-Rob
Stuart Bishop (stub) wrote : | # |
On Wed, Jul 28, 2010 at 5:08 AM, Robert Collins
<email address hidden> wrote:
> I used the session DB because this stuff is transient : memcached might be an answer too but the token *system* has to be available or private file downloads will fail, and memcached is currently (AIUI) a 'when its there use it' system - which is fine. Replicating the tokens isn't terribly useful given we're just going to delete them again, but all of that is a bit beside the point : yes, we do need to commit changes in get requests :).
Right. We should consider promoting memcached to an always-on service
as we have tripped over a few cases where this would be desirable.
That is a separate task though. Stuffing this in the session database
seems the best fit for now.
> Will move the definitions to launchpad_
Ta.
> We could store the expiry time, but I figured we'd make the lifetime a config option and thus work from the creation point rather than expiry.
>
> I figured we might want reporting on stuff in the table - thats why I used url, token, rather than a single column. Easy to change if you have a strong opinion any which way - I don't.
>
> I can't answer the url/path segment question yet : once its fully hooked up it should be obvious what is easiest. The current schema is what was easiest based on the attributes of the objects I am using (LibraryFileAlias etc).
I suspect the host and port is just noise and we only want the path.
We have a complex environment, and relying on the URLs seems fragile
so I personally would feel more secure if we just stored the path.
> We could make the librarian offer a redirect *back* to launchpad for expired tokens, rather than a go-away message - adding the source canonical_url to the table would permit that trivially.
That sounds like a good idea.
> Re: exceptions for anonymous users calling TimeLimitedToke
If we offer the redirect back on expired tokens, there is no need for
this. My concern was expired tokens getting stuck in caches and Squid
caching Anonymous connections was the first I thought off.
After going over bug lists with Gary last night, this will solve a lot
of outstanding Librarian issues.
--
Stuart Bishop <email address hidden>
http://
Stuart Bishop (stub) wrote : | # |
So files served from the same domain can steal content from files served from the same domain. We don't care for public information, but this isn't cool for private.
One way around this is to serve every file from a unique domain. Changing the URL structure from https:/
Graham Binns (gmb) : | # |
Preview Diff
1 | === modified file 'database/schema/launchpad_session.sql' | |||
2 | --- database/schema/launchpad_session.sql 2009-06-24 21:17:33 +0000 | |||
3 | +++ database/schema/launchpad_session.sql 2010-09-07 04:07:54 +0000 | |||
4 | @@ -14,3 +14,19 @@ | |||
5 | 14 | GRANT EXECUTE ON FUNCTION | 14 | GRANT EXECUTE ON FUNCTION |
6 | 15 | set_session_pkg_data(text, text, text, bytea) TO session; | 15 | set_session_pkg_data(text, text, text, bytea) TO session; |
7 | 16 | 16 | ||
8 | 17 | CREATE TABLE TimeLimitedToken ( | ||
9 | 18 | path text NOT NULL, | ||
10 | 19 | token text NOT NULL, | ||
11 | 20 | created timestamp without time zone NOT NULL DEFAULT CURRENT_TIMESTAMP, | ||
12 | 21 | constraint timelimitedtoken_pky primary key (path, token) | ||
13 | 22 | ) WITHOUT OIDS; | ||
14 | 23 | COMMENT ON TABLE TimeLimitedToken IS 'stores tokens for granting access to a single path in the librarian for a short while. The garbo takes care of cleanups, and we should only have a few thousand at a time. Tokens are handed out just-in-time on the appserver, when a client attempts to dereference a private thing which we do not want to deliver in-line. OAuth tokens cannot be used for the launchpadlibrarian content because they would then be attackable. See lib.canonical.database.librarian for the python class.'; | ||
15 | 24 | -- Give the garbo an efficient selection to cleanup | ||
16 | 25 | CREATE INDEX timelimitedtoken_created ON TimeLimitedToken(created); | ||
17 | 26 | -- Give the librarian an efficient lookup | ||
18 | 27 | CREATE INDEX timelimitedtoken_path_token ON TimeLimitedToken(path, token); | ||
19 | 28 | |||
20 | 29 | -- Let the session user access file access tokens. | ||
21 | 30 | GRANT SELECT, INSERT, UPDATE, DELETE ON TimeLimitedToken TO session; | ||
22 | 31 | -- And the garbo needs to run on it too. | ||
23 | 32 | GRANT SELECT, DELETE ON TimeLimitedToken TO session; | ||
24 | 17 | 33 | ||
25 | === modified file 'lib/canonical/database/sqlbase.py' | |||
26 | --- lib/canonical/database/sqlbase.py 2010-08-24 10:45:57 +0000 | |||
27 | +++ lib/canonical/database/sqlbase.py 2010-09-07 04:07:54 +0000 | |||
28 | @@ -27,11 +27,12 @@ | |||
29 | 27 | 'RandomiseOrderDescriptor', | 27 | 'RandomiseOrderDescriptor', |
30 | 28 | 'reset_store', | 28 | 'reset_store', |
31 | 29 | 'rollback', | 29 | 'rollback', |
32 | 30 | 'session_store', | ||
33 | 30 | 'SQLBase', | 31 | 'SQLBase', |
34 | 31 | 'sqlvalues', | 32 | 'sqlvalues', |
35 | 32 | 'StupidCache', | 33 | 'StupidCache', |
36 | 33 | 'ZopelessTransactionManager', | 34 | 'ZopelessTransactionManager', |
38 | 34 | ] | 35 | ] |
39 | 35 | 36 | ||
40 | 36 | 37 | ||
41 | 37 | from datetime import datetime | 38 | from datetime import datetime |
42 | @@ -578,7 +579,7 @@ | |||
43 | 578 | 579 | ||
44 | 579 | """ | 580 | """ |
45 | 580 | if not isinstance(x, basestring): | 581 | if not isinstance(x, basestring): |
47 | 581 | raise TypeError, 'Not a string (%s)' % type(x) | 582 | raise TypeError('Not a string (%s)' % type(x)) |
48 | 582 | return quote(x).replace('%', r'\\%').replace('_', r'\\_') | 583 | return quote(x).replace('%', r'\\%').replace('_', r'\\_') |
49 | 583 | 584 | ||
50 | 584 | 585 | ||
51 | @@ -693,6 +694,7 @@ | |||
52 | 693 | clause = clause.replace('?', '%s') % sqlvalues(*parameters) | 694 | clause = clause.replace('?', '%s') % sqlvalues(*parameters) |
53 | 694 | return clause | 695 | return clause |
54 | 695 | 696 | ||
55 | 697 | |||
56 | 696 | def flush_database_updates(): | 698 | def flush_database_updates(): |
57 | 697 | """Flushes all pending database updates. | 699 | """Flushes all pending database updates. |
58 | 698 | 700 | ||
59 | @@ -833,6 +835,7 @@ | |||
60 | 833 | DEPRECATED - use of this class is deprecated in favour of using | 835 | DEPRECATED - use of this class is deprecated in favour of using |
61 | 834 | Store.execute(). | 836 | Store.execute(). |
62 | 835 | """ | 837 | """ |
63 | 838 | |||
64 | 836 | def __init__(self): | 839 | def __init__(self): |
65 | 837 | self._connection = _get_sqlobject_store()._connection | 840 | self._connection = _get_sqlobject_store()._connection |
66 | 838 | self._result = None | 841 | self._result = None |
67 | @@ -861,3 +864,8 @@ | |||
68 | 861 | if self._result is not None: | 864 | if self._result is not None: |
69 | 862 | self._result.close() | 865 | self._result.close() |
70 | 863 | self._result = None | 866 | self._result = None |
71 | 867 | |||
72 | 868 | |||
73 | 869 | def session_store(): | ||
74 | 870 | """Return a store connected to the session DB.""" | ||
75 | 871 | return getUtility(IZStorm).get('session', 'launchpad-session:') | ||
76 | 864 | 872 | ||
77 | === modified file 'lib/canonical/launchpad/browser/librarian.py' | |||
78 | --- lib/canonical/launchpad/browser/librarian.py 2010-09-03 07:53:11 +0000 | |||
79 | +++ lib/canonical/launchpad/browser/librarian.py 2010-09-07 04:07:54 +0000 | |||
80 | @@ -11,7 +11,9 @@ | |||
81 | 11 | 'LibraryFileAliasMD5View', | 11 | 'LibraryFileAliasMD5View', |
82 | 12 | 'LibraryFileAliasView', | 12 | 'LibraryFileAliasView', |
83 | 13 | 'ProxiedLibraryFileAlias', | 13 | 'ProxiedLibraryFileAlias', |
84 | 14 | 'SafeStreamOrRedirectLibraryFileAliasView', | ||
85 | 14 | 'StreamOrRedirectLibraryFileAliasView', | 15 | 'StreamOrRedirectLibraryFileAliasView', |
86 | 16 | 'RedirectPerhapsWithTokenLibraryFileAliasView', | ||
87 | 15 | ] | 17 | ] |
88 | 16 | 18 | ||
89 | 17 | import os | 19 | import os |
90 | @@ -44,6 +46,7 @@ | |||
91 | 44 | filechunks, | 46 | filechunks, |
92 | 45 | guess_librarian_encoding, | 47 | guess_librarian_encoding, |
93 | 46 | ) | 48 | ) |
94 | 49 | from lp.services.features import getFeatureFlag | ||
95 | 47 | 50 | ||
96 | 48 | 51 | ||
97 | 49 | class LibraryFileAliasView(LaunchpadView): | 52 | class LibraryFileAliasView(LaunchpadView): |
98 | @@ -77,11 +80,29 @@ | |||
99 | 77 | return '%s %s' % (self.context.content.md5, self.context.filename) | 80 | return '%s %s' % (self.context.content.md5, self.context.filename) |
100 | 78 | 81 | ||
101 | 79 | 82 | ||
103 | 80 | class StreamOrRedirectLibraryFileAliasView(LaunchpadView): | 83 | class MixedFileAliasView(LaunchpadView): |
104 | 81 | """Stream or redirects to `ILibraryFileAlias`. | 84 | """Stream or redirects to `ILibraryFileAlias`. |
105 | 82 | 85 | ||
108 | 83 | It streams the contents of restricted library files or redirects | 86 | If the file is public, it will redirect to the files http url. |
109 | 84 | to public ones. | 87 | |
110 | 88 | Otherwise if the feature flag publicrestrictedlibrarian is set to 'on' this | ||
111 | 89 | will allocate a token and redirect to the aliases private url. | ||
112 | 90 | |||
113 | 91 | Otherwise it will proxy the file in the appserver. | ||
114 | 92 | |||
115 | 93 | Once we no longer have any proxy code at all it should be possible to | ||
116 | 94 | consolidate this with LibraryFileAliasView. | ||
117 | 95 | |||
118 | 96 | Note that streaming restricted files is a security concern - they show up | ||
119 | 97 | in the launchpad.net domain rather than launchpadlibrarian.net and thus | ||
120 | 98 | we have to take special care about their origin. | ||
121 | 99 | SafeStreamOrRedirectLibraryFileAliasView is used when we do not trust the | ||
122 | 100 | content, otherwise StreamOrRedirectLibraryFileAliasView. We are working | ||
123 | 101 | to remove both of these views entirely, but some transition will be | ||
124 | 102 | needed. | ||
125 | 103 | |||
126 | 104 | The context provides a file-like interface - it can be opened and closed | ||
127 | 105 | and read from. | ||
128 | 85 | """ | 106 | """ |
129 | 86 | implements(IBrowserPublisher) | 107 | implements(IBrowserPublisher) |
130 | 87 | 108 | ||
131 | @@ -91,6 +112,8 @@ | |||
132 | 91 | # the shell environment changes. Download the library file | 112 | # the shell environment changes. Download the library file |
133 | 92 | # content into a local temporary file. Finally, restore original | 113 | # content into a local temporary file. Finally, restore original |
134 | 93 | # proxy-settings and refresh the urllib2 opener. | 114 | # proxy-settings and refresh the urllib2 opener. |
135 | 115 | # XXX: This is not threadsafe, so two calls at once will collide and | ||
136 | 116 | # can then corrupt the variable. bug=395960 | ||
137 | 94 | original_proxy = os.getenv('http_proxy') | 117 | original_proxy = os.getenv('http_proxy') |
138 | 95 | try: | 118 | try: |
139 | 96 | if original_proxy is not None: | 119 | if original_proxy is not None: |
140 | @@ -137,25 +160,65 @@ | |||
141 | 137 | return tmp_file | 160 | return tmp_file |
142 | 138 | 161 | ||
143 | 139 | def browserDefault(self, request): | 162 | def browserDefault(self, request): |
145 | 140 | """Decides whether to redirect or stream the file content. | 163 | """Decides how to deliver the file. |
146 | 164 | |||
147 | 165 | The options are: | ||
148 | 166 | - redirect to the contexts http url | ||
149 | 167 | - redirect to a time limited secure url | ||
150 | 168 | - stream the file content. | ||
151 | 141 | 169 | ||
152 | 142 | Only restricted file contents are streamed, finishing the traversal | 170 | Only restricted file contents are streamed, finishing the traversal |
153 | 143 | chain with this view. If the context file is public return the | 171 | chain with this view. If the context file is public return the |
154 | 144 | appropriate `RedirectionView` for its HTTP url. | 172 | appropriate `RedirectionView` for its HTTP url. |
155 | 145 | """ | 173 | """ |
156 | 174 | # Perhaps we should give a 404 at this point rather than asserting? | ||
157 | 175 | # If someone has a page open with an attachment link, then someone | ||
158 | 176 | # else deletes the attachment, this is a normal situation, not an | ||
159 | 177 | # error. -- RBC 20100726. | ||
160 | 146 | assert not self.context.deleted, ( | 178 | assert not self.context.deleted, ( |
165 | 147 | "StreamOrRedirectLibraryFileAliasView can not operate on " | 179 | "MixedFileAliasView can not operate on deleted librarian files, " |
166 | 148 | "deleted librarian files, since their URL is undefined.") | 180 | "since their URL is undefined.") |
167 | 149 | 181 | if not self.context.restricted: | |
168 | 150 | if self.context.restricted: | 182 | # Public file, just point the client at the right place. |
169 | 183 | return RedirectionView(self.context.http_url, self.request), () | ||
170 | 184 | if getFeatureFlag(u'publicrestrictedlibrarian') != 'on': | ||
171 | 185 | # Restricted file and we have not enabled the public | ||
172 | 186 | # restricted librarian yet :- deliver inline. | ||
173 | 187 | self._when_streaming() | ||
174 | 151 | return self, () | 188 | return self, () |
177 | 152 | 189 | # Avoids a circular import seen in | |
178 | 153 | return RedirectionView(self.context.http_url, self.request), () | 190 | # scripts/ftests/librarianformatter.txt |
179 | 191 | from canonical.launchpad.database.librarian import TimeLimitedToken | ||
180 | 192 | # Allocate a token for the file to be accessed for a limited time and | ||
181 | 193 | # redirect the client to the file. | ||
182 | 194 | token = TimeLimitedToken.allocate(self.context.private_url) | ||
183 | 195 | final_url = self.context.private_url + '?token=%s' % token | ||
184 | 196 | return RedirectionView(final_url, self.request), () | ||
185 | 154 | 197 | ||
186 | 155 | def publishTraverse(self, request, name): | 198 | def publishTraverse(self, request, name): |
188 | 156 | """See `IBrowserPublisher`.""" | 199 | """See `IBrowserPublisher` - can't traverse below a file.""" |
189 | 157 | raise NotFound(name, self.context) | 200 | raise NotFound(name, self.context) |
190 | 158 | 201 | ||
191 | 202 | def _when_streaming(self): | ||
192 | 203 | """Hook for SafeStreamOrRedirectLibraryFileAliasView.""" | ||
193 | 204 | |||
194 | 205 | |||
195 | 206 | |||
196 | 207 | class SafeStreamOrRedirectLibraryFileAliasView(MixedFileAliasView): | ||
197 | 208 | """A view for Librarian files that sets the content disposition header.""" | ||
198 | 209 | |||
199 | 210 | def _when_streaming(self): | ||
200 | 211 | super(SafeStreamOrRedirectLibraryFileAliasView, self)._when_streaming() | ||
201 | 212 | self.request.response.setHeader( | ||
202 | 213 | 'Content-Disposition', 'attachment') | ||
203 | 214 | |||
204 | 215 | |||
205 | 216 | # The eventual name of MixedFileAliasView once the proxy code | ||
206 | 217 | # is ripped out. | ||
207 | 218 | RedirectPerhapsWithTokenLibraryFileAliasView = MixedFileAliasView | ||
208 | 219 | # The name for the old behaviour being removed: | ||
209 | 220 | StreamOrRedirectLibraryFileAliasView = MixedFileAliasView | ||
210 | 221 | |||
211 | 159 | 222 | ||
212 | 160 | class DeletedProxiedLibraryFileAlias(NotFound): | 223 | class DeletedProxiedLibraryFileAlias(NotFound): |
213 | 161 | """Raised when a deleted `ProxiedLibraryFileAlias` is accessed.""" | 224 | """Raised when a deleted `ProxiedLibraryFileAlias` is accessed.""" |
214 | @@ -192,7 +255,20 @@ | |||
215 | 192 | 255 | ||
216 | 193 | 256 | ||
217 | 194 | class ProxiedLibraryFileAlias: | 257 | class ProxiedLibraryFileAlias: |
219 | 195 | """A `LibraryFileAlias` proxied via webapp. | 258 | """A `LibraryFileAlias` decorator for use in URL generation. |
220 | 259 | |||
221 | 260 | The URL's output by this decorator will always point at the webapp. This is | ||
222 | 261 | useful when: | ||
223 | 262 | - we are proxying files via the webapp (as we do at the moment) | ||
224 | 263 | - when the webapp has to be contacted to get access to a file (the case | ||
225 | 264 | for restricted files in the future) | ||
226 | 265 | - files might change from public to private and thus not work even if the | ||
227 | 266 | user has access to the once its private, unless they go via the webapp. | ||
228 | 267 | |||
229 | 268 | This should be used anywhere we are outputting URL's to LibraryFileAliases | ||
230 | 269 | other than directly in rendered pages. For rendered pages, using a | ||
231 | 270 | LibraryFileAlias directly is OK as at that point the status of the file | ||
232 | 271 | is know. | ||
233 | 196 | 272 | ||
234 | 197 | Overrides `ILibraryFileAlias.http_url` to always point to the webapp URL, | 273 | Overrides `ILibraryFileAlias.http_url` to always point to the webapp URL, |
235 | 198 | even when called from the webservice domain. | 274 | even when called from the webservice domain. |
236 | 199 | 275 | ||
237 | === added file 'lib/canonical/launchpad/database/ftests/test_timelimitedtoken.py' | |||
238 | --- lib/canonical/launchpad/database/ftests/test_timelimitedtoken.py 1970-01-01 00:00:00 +0000 | |||
239 | +++ lib/canonical/launchpad/database/ftests/test_timelimitedtoken.py 2010-09-07 04:07:54 +0000 | |||
240 | @@ -0,0 +1,29 @@ | |||
241 | 1 | # Copyright 2010 Canonical Ltd. This software is licensed under the | ||
242 | 2 | # GNU Affero General Public License version 3 (see the file LICENSE). | ||
243 | 3 | |||
244 | 4 | """Tests for TimeLimitedToken.""" | ||
245 | 5 | |||
246 | 6 | __metaclass__ = type | ||
247 | 7 | |||
248 | 8 | import testtools | ||
249 | 9 | import transaction | ||
250 | 10 | |||
251 | 11 | from canonical.database.sqlbase import session_store | ||
252 | 12 | from canonical.launchpad.database.librarian import TimeLimitedToken | ||
253 | 13 | from canonical.testing import LaunchpadFunctionalLayer | ||
254 | 14 | |||
255 | 15 | |||
256 | 16 | class TestLibraryFileAlias(testtools.TestCase): | ||
257 | 17 | |||
258 | 18 | layer = LaunchpadFunctionalLayer | ||
259 | 19 | |||
260 | 20 | def test_allocate(self): | ||
261 | 21 | store = session_store() | ||
262 | 22 | store.find(TimeLimitedToken).remove() | ||
263 | 23 | token1 = TimeLimitedToken.allocate('foo://') | ||
264 | 24 | token2 = TimeLimitedToken.allocate('foo://') | ||
265 | 25 | # We must get unique tokens | ||
266 | 26 | self.assertNotEqual(token1, token2) | ||
267 | 27 | # They must be bytestrings (as a surrogate for valid url fragment') | ||
268 | 28 | self.assertIsInstance(token1, str) | ||
269 | 29 | self.assertIsInstance(token2, str) | ||
270 | 0 | 30 | ||
271 | === modified file 'lib/canonical/launchpad/database/librarian.py' | |||
272 | --- lib/canonical/launchpad/database/librarian.py 2010-08-20 20:31:18 +0000 | |||
273 | +++ lib/canonical/launchpad/database/librarian.py 2010-09-07 04:07:54 +0000 | |||
274 | @@ -10,12 +10,16 @@ | |||
275 | 10 | 'LibraryFileAliasSet', | 10 | 'LibraryFileAliasSet', |
276 | 11 | 'LibraryFileContent', | 11 | 'LibraryFileContent', |
277 | 12 | 'LibraryFileDownloadCount', | 12 | 'LibraryFileDownloadCount', |
278 | 13 | 'TimeLimitedToken', | ||
279 | 13 | ] | 14 | ] |
280 | 14 | 15 | ||
281 | 15 | from datetime import ( | 16 | from datetime import ( |
282 | 16 | datetime, | 17 | datetime, |
283 | 17 | timedelta, | 18 | timedelta, |
284 | 18 | ) | 19 | ) |
285 | 20 | from hashlib import md5 | ||
286 | 21 | import random | ||
287 | 22 | from urlparse import urlparse | ||
288 | 19 | 23 | ||
289 | 20 | from lazr.delegates import delegates | 24 | from lazr.delegates import delegates |
290 | 21 | import pytz | 25 | import pytz |
291 | @@ -26,6 +30,7 @@ | |||
292 | 26 | SQLRelatedJoin, | 30 | SQLRelatedJoin, |
293 | 27 | StringCol, | 31 | StringCol, |
294 | 28 | ) | 32 | ) |
295 | 33 | import storm.base | ||
296 | 29 | from storm.locals import ( | 34 | from storm.locals import ( |
297 | 30 | Date, | 35 | Date, |
298 | 31 | Desc, | 36 | Desc, |
299 | @@ -48,7 +53,10 @@ | |||
300 | 48 | UTC_NOW, | 53 | UTC_NOW, |
301 | 49 | ) | 54 | ) |
302 | 50 | from canonical.database.datetimecol import UtcDateTimeCol | 55 | from canonical.database.datetimecol import UtcDateTimeCol |
304 | 51 | from canonical.database.sqlbase import SQLBase | 56 | from canonical.database.sqlbase import ( |
305 | 57 | session_store, | ||
306 | 58 | SQLBase, | ||
307 | 59 | ) | ||
308 | 52 | from canonical.launchpad.interfaces import ( | 60 | from canonical.launchpad.interfaces import ( |
309 | 53 | ILibraryFileAlias, | 61 | ILibraryFileAlias, |
310 | 54 | ILibraryFileAliasSet, | 62 | ILibraryFileAliasSet, |
311 | @@ -127,8 +135,15 @@ | |||
312 | 127 | return url | 135 | return url |
313 | 128 | return url.replace('http', 'https', 1) | 136 | return url.replace('http', 'https', 1) |
314 | 129 | 137 | ||
315 | 138 | @property | ||
316 | 139 | def private_url(self): | ||
317 | 140 | """See ILibraryFileAlias.https_url""" | ||
318 | 141 | return self.client.getURLForAlias(self.id, secure=True) | ||
319 | 142 | |||
320 | 130 | def getURL(self): | 143 | def getURL(self): |
321 | 131 | """See ILibraryFileAlias.getURL""" | 144 | """See ILibraryFileAlias.getURL""" |
322 | 145 | if self.restricted: | ||
323 | 146 | return self.private_url | ||
324 | 132 | if config.librarian.use_https: | 147 | if config.librarian.use_https: |
325 | 133 | return self.https_url | 148 | return self.https_url |
326 | 134 | else: | 149 | else: |
327 | @@ -285,3 +300,56 @@ | |||
328 | 285 | count = Int(allow_none=False) | 300 | count = Int(allow_none=False) |
329 | 286 | country_id = Int(name='country', allow_none=True) | 301 | country_id = Int(name='country', allow_none=True) |
330 | 287 | country = Reference(country_id, 'Country.id') | 302 | country = Reference(country_id, 'Country.id') |
331 | 303 | |||
332 | 304 | |||
333 | 305 | class TimeLimitedToken(storm.base.Storm): | ||
334 | 306 | """A time limited access token for accessing a private file.""" | ||
335 | 307 | |||
336 | 308 | __storm_table__ = 'TimeLimitedToken' | ||
337 | 309 | |||
338 | 310 | created = UtcDateTimeCol(notNull=True, default=UTC_NOW) | ||
339 | 311 | path = StringCol(notNull=True) | ||
340 | 312 | token = StringCol(notNull=True) | ||
341 | 313 | __storm_primary__ = ("path", "token") | ||
342 | 314 | |||
343 | 315 | def __init__(self, path, token, created=None): | ||
344 | 316 | """Create a TimeLimitedToken.""" | ||
345 | 317 | if created is not None: | ||
346 | 318 | self.created = created | ||
347 | 319 | self.path = path | ||
348 | 320 | self.token = token | ||
349 | 321 | |||
350 | 322 | @staticmethod | ||
351 | 323 | def allocate(url): | ||
352 | 324 | """Allocate a token for url path in the librarian. | ||
353 | 325 | |||
354 | 326 | :param url: A url bytestring. e.g. | ||
355 | 327 | https://i123.restricted.launchpad-librarian.net/123/foo.txt | ||
356 | 328 | Note that the token is generated for 123/foo.txt | ||
357 | 329 | :return: A url fragment token ready to be attached to the url. | ||
358 | 330 | e.g. 'a%20token' | ||
359 | 331 | """ | ||
360 | 332 | # We use random.random to get a string which varies reasonably, and we | ||
361 | 333 | # hash it to distribute it widely and get a easily copy and pastable | ||
362 | 334 | # single string (nice for debugging). The randomness is not a key | ||
363 | 335 | # factor here: as long as tokens are not guessable, they are hidden by | ||
364 | 336 | # https, not exposed directly in the API (tokens will be allocated by | ||
365 | 337 | # the appropriate objects), not by direct access to the | ||
366 | 338 | # TimeLimitedToken class. | ||
367 | 339 | baseline = str(random.random()) | ||
368 | 340 | hashed = md5(baseline).hexdigest() | ||
369 | 341 | token = hashed | ||
370 | 342 | store = session_store() | ||
371 | 343 | path = TimeLimitedToken.url_to_token_path(url) | ||
372 | 344 | store.add(TimeLimitedToken(path, token)) | ||
373 | 345 | # The session isn't part of the main transaction model, and in fact it | ||
374 | 346 | # has autocommit on. The commit here is belts and bracers: after | ||
375 | 347 | # allocation the external librarian must be able to serve the file | ||
376 | 348 | # immediately. | ||
377 | 349 | store.commit() | ||
378 | 350 | return token | ||
379 | 351 | |||
380 | 352 | @staticmethod | ||
381 | 353 | def url_to_token_path(url): | ||
382 | 354 | """Return the token path used for authorising access to url.""" | ||
383 | 355 | return urlparse(url)[2] | ||
384 | 288 | 356 | ||
385 | === modified file 'lib/canonical/launchpad/doc/librarian.txt' | |||
386 | --- lib/canonical/launchpad/doc/librarian.txt 2010-09-04 05:01:17 +0000 | |||
387 | +++ lib/canonical/launchpad/doc/librarian.txt 2010-09-07 04:07:54 +0000 | |||
388 | @@ -1,5 +1,31 @@ | |||
389 | 1 | = Librarian Access = | 1 | = Librarian Access = |
390 | 2 | 2 | ||
391 | 3 | The librarian is a file storage service for launchpad. Conceptually similar to | ||
392 | 4 | other file storage API's like S3, it is used to store binary or large content - | ||
393 | 5 | bug attachments, package builds, images and so on. | ||
394 | 6 | |||
395 | 7 | Content in the librarian can be exposed at different urls. To expose some | ||
396 | 8 | content use a LibraryFileAlias. Private content is supported as well - for that | ||
397 | 9 | tokens are added to permit access for a limited time by a client - each time a | ||
398 | 10 | client attempts to dereference a private LibraryFileAlias a token is emitted. | ||
399 | 11 | |||
400 | 12 | = Deployment notes = | ||
401 | 13 | |||
402 | 14 | (These may seem a bit out of place - they are, but they need to be written down | ||
403 | 15 | somewhere, and the deployment choices inform the implementation choices). | ||
404 | 16 | |||
405 | 17 | The basics are simple: The librarian talks to clients. However restricted file | ||
406 | 18 | access makes things a little more complex. As the librarian itself doesn't do | ||
407 | 19 | SSL processing, and we want restricted files to be kept confidential the | ||
408 | 20 | librarian will need a hint from the SSL front end that SSL was in fact used. | ||
409 | 21 | The semi standard header Front-End-Https can be used for this if we filter it | ||
410 | 22 | in incoming requests from clients. | ||
411 | 23 | |||
412 | 24 | == setUp == | ||
413 | 25 | |||
414 | 26 | >>> from canonical.database.sqlbase import session_store | ||
415 | 27 | >>> from canonical.launchpad.database.librarian import TimeLimitedToken | ||
416 | 28 | |||
417 | 3 | == High Level == | 29 | == High Level == |
418 | 4 | 30 | ||
419 | 5 | >>> from canonical.launchpad.interfaces import ILibraryFileAliasSet | 31 | >>> from canonical.launchpad.interfaces import ILibraryFileAliasSet |
420 | @@ -58,7 +84,9 @@ | |||
421 | 58 | ... ) is not None | 84 | ... ) is not None |
422 | 59 | True | 85 | True |
423 | 60 | 86 | ||
425 | 61 | Librarian also serves the same file through https. | 87 | Librarian also serves the same file through https, we use this for branding |
426 | 88 | and similar inline-presented objects which would trigger security warnings on | ||
427 | 89 | https pages otherwise. | ||
428 | 62 | 90 | ||
429 | 63 | >>> re.search( | 91 | >>> re.search( |
430 | 64 | ... r'^https://localhost:58000/\d+/text.txt$', alias.https_url | 92 | ... r'^https://localhost:58000/\d+/text.txt$', alias.https_url |
431 | @@ -83,7 +111,7 @@ | |||
432 | 83 | ... """) | 111 | ... """) |
433 | 84 | >>> config.push('test', test_data) | 112 | >>> config.push('test', test_data) |
434 | 85 | >>> re.search( | 113 | >>> re.search( |
436 | 86 | ... r'^https://localhost:58000/\d+/text.txt$', alias.getURL() | 114 | ... r'^https://localhost:58000/\d+/text.txt$', alias.https_url |
437 | 87 | ... ) is not None | 115 | ... ) is not None |
438 | 88 | True | 116 | True |
439 | 89 | 117 | ||
440 | @@ -183,6 +211,15 @@ | |||
441 | 183 | >>> re.search(r'^http://localhost:58000/\d+/text.txt$', url) is not None | 211 | >>> re.search(r'^http://localhost:58000/\d+/text.txt$', url) is not None |
442 | 184 | True | 212 | True |
443 | 185 | 213 | ||
444 | 214 | When secure=True, the returned url has the id as part of the domain name and | ||
445 | 215 | the protocol is https: | ||
446 | 216 | |||
447 | 217 | >>> expected = 'https://i%d.restricted.localhost:58000/%d/text.txt' % ( | ||
448 | 218 | ... aid, aid) | ||
449 | 219 | >>> expected == client.getURLForAlias(aid, secure=True) | ||
450 | 220 | True | ||
451 | 221 | |||
452 | 222 | |||
453 | 186 | Librarian reads are logged in the request timeline. | 223 | Librarian reads are logged in the request timeline. |
454 | 187 | 224 | ||
455 | 188 | >>> from canonical.lazr.utils import get_current_browser_request | 225 | >>> from canonical.lazr.utils import get_current_browser_request |
456 | @@ -465,10 +502,9 @@ | |||
457 | 465 | True | 502 | True |
458 | 466 | 503 | ||
459 | 467 | 504 | ||
461 | 468 | == StreamOrRedirectLibraryFileAliasView == | 505 | == File views setup == |
462 | 469 | 506 | ||
465 | 470 | This special view allows call sites to stream restricted `LibraryFileAlias` | 507 | We need some files to test different ways of accessing them. |
464 | 471 | contents directly from launchpad instances. | ||
466 | 472 | 508 | ||
467 | 473 | >>> filename = 'public.txt' | 509 | >>> filename = 'public.txt' |
468 | 474 | >>> content = 'PUBLIC' | 510 | >>> content = 'PUBLIC' |
469 | @@ -482,11 +518,141 @@ | |||
470 | 482 | ... filename, len(content), StringIO(content), 'text/plain', | 518 | ... filename, len(content), StringIO(content), 'text/plain', |
471 | 483 | ... NEVER_EXPIRES, restricted=True) | 519 | ... NEVER_EXPIRES, restricted=True) |
472 | 484 | 520 | ||
473 | 521 | # Create a new LibraryFileAlias not referencing any LibraryFileContent | ||
474 | 522 | # record. Such records are considered as being deleted. | ||
475 | 523 | >>> from canonical.launchpad.database import LibraryFileAlias | ||
476 | 524 | >>> from canonical.launchpad.webapp.interfaces import ( | ||
477 | 525 | ... IStoreSelector, MAIN_STORE, MASTER_FLAVOR) | ||
478 | 526 | |||
479 | 527 | >>> store = getUtility(IStoreSelector).get(MAIN_STORE, MASTER_FLAVOR) | ||
480 | 528 | >>> deleted_file = LibraryFileAlias( | ||
481 | 529 | ... content=None, filename='deleted.txt', | ||
482 | 530 | ... mimetype='text/plain') | ||
483 | 531 | >>> ignore = store.add(deleted_file) | ||
484 | 532 | |||
485 | 485 | Commit the just-created files. | 533 | Commit the just-created files. |
486 | 486 | 534 | ||
487 | 487 | >>> from canonical.database.sqlbase import commit | 535 | >>> from canonical.database.sqlbase import commit |
488 | 488 | >>> commit() | 536 | >>> commit() |
489 | 489 | 537 | ||
490 | 538 | >>> deleted_file = getUtility(ILibraryFileAliasSet)[deleted_file.id] | ||
491 | 539 | >>> print deleted_file.deleted | ||
492 | 540 | True | ||
493 | 541 | |||
494 | 542 | Clear out existing tokens. | ||
495 | 543 | |||
496 | 544 | >>> _ = session_store().find(TimeLimitedToken).remove() | ||
497 | 545 | |||
498 | 546 | == RedirectPerhapsWithTokenLibraryFileAliasView == | ||
499 | 547 | |||
500 | 548 | This is the eventual name of StreamOrRedirectLibraryFileAliasView once we have | ||
501 | 549 | migrated over to the token based approach. For now the code for the two things | ||
502 | 550 | is interleaved: zope's registration system is too static to permit doing it | ||
503 | 551 | cleanly with separate classes. | ||
504 | 552 | |||
505 | 553 | To enable the behaviour we want to test while its controlled by a feature flag, | ||
506 | 554 | we must enable a feature flag for it: | ||
507 | 555 | |||
508 | 556 | >>> from lp.services.features.model import FeatureFlag, getFeatureStore | ||
509 | 557 | >>> ignore = getFeatureStore().add(FeatureFlag( | ||
510 | 558 | ... scope=u'default', flag=u'publicrestrictedlibrarian', value=u'on', | ||
511 | 559 | ... priority=1)) | ||
512 | 560 | >>> transaction.commit() | ||
513 | 561 | |||
514 | 562 | This special view allows granting access to restricted `LibraryFileAlias` | ||
515 | 563 | objects on the launchpadlibrarian. All requests get redirected, restricted | ||
516 | 564 | files have an access token allocated. | ||
517 | 565 | |||
518 | 566 | This view implements `IBrowserPublisher` which allows us to use it in | ||
519 | 567 | traversals. | ||
520 | 568 | |||
521 | 569 | >>> from canonical.launchpad.browser.librarian import ( | ||
522 | 570 | ... RedirectPerhapsWithTokenLibraryFileAliasView) | ||
523 | 571 | |||
524 | 572 | >>> empty_request = LaunchpadTestRequest() | ||
525 | 573 | |||
526 | 574 | XXX bug=631884 we have to establish the flags object manually for testing. | ||
527 | 575 | |||
528 | 576 | >>> from lp.services.features.webapp import ScopesFromRequest | ||
529 | 577 | >>> from lp.services.features.flags import FeatureController | ||
530 | 578 | >>> from lp.services.features import per_thread | ||
531 | 579 | >>> per_thread.features = FeatureController( | ||
532 | 580 | ... ScopesFromRequest(empty_request).lookup) | ||
533 | 581 | |||
534 | 582 | >>> restricted_view = RedirectPerhapsWithTokenLibraryFileAliasView( | ||
535 | 583 | ... restricted_file, empty_request) | ||
536 | 584 | |||
537 | 585 | >>> from zope.publisher.interfaces.browser import IBrowserPublisher | ||
538 | 586 | >>> verifyObject(IBrowserPublisher, restricted_view) | ||
539 | 587 | True | ||
540 | 588 | |||
541 | 589 | When the context file is a restricted `LibraryFileAlias`, traversal causes an | ||
542 | 590 | access token to be allocated and a redirection to https on a unique domain to | ||
543 | 591 | be issued. | ||
544 | 592 | |||
545 | 593 | >>> view, extra = restricted_view.browserDefault(empty_request) | ||
546 | 594 | >>> print view | ||
547 | 595 | <...RedirectionView...> | ||
548 | 596 | >>> view.target | ||
549 | 597 | 'https://...restricted.txt?token=...' | ||
550 | 598 | >>> private_path = TimeLimitedToken.url_to_token_path( | ||
551 | 599 | ... restricted_file.private_url) | ||
552 | 600 | >>> view.target.endswith(session_store().find(TimeLimitedToken, | ||
553 | 601 | ... path=private_path).any().token) | ||
554 | 602 | True | ||
555 | 603 | |||
556 | 604 | The domain for the target starts with the id of the LibraryFileAlias. | ||
557 | 605 | |||
558 | 606 | >>> view.target.startswith('https://i%d.restricted.' % restricted_file.id) | ||
559 | 607 | True | ||
560 | 608 | |||
561 | 609 | Otherwise, no token is allocated and a redirection is issued to the http url. | ||
562 | 610 | |||
563 | 611 | >>> public_view = RedirectPerhapsWithTokenLibraryFileAliasView( | ||
564 | 612 | ... public_file, empty_request) | ||
565 | 613 | >>> verifyObject(IBrowserPublisher, public_view) | ||
566 | 614 | True | ||
567 | 615 | >>> view, extra = public_view.browserDefault(empty_request) | ||
568 | 616 | >>> print view | ||
569 | 617 | <...RedirectionView ...> | ||
570 | 618 | >>> view.target == public_file.http_url | ||
571 | 619 | True | ||
572 | 620 | >>> view.target | ||
573 | 621 | 'http://.../public.txt' | ||
574 | 622 | |||
575 | 623 | Deleted files cannot be handled by the view and it raises an appropriate | ||
576 | 624 | AssertionError when it gets traversed. | ||
577 | 625 | |||
578 | 626 | >>> deleted_view = RedirectPerhapsWithTokenLibraryFileAliasView( | ||
579 | 627 | ... deleted_file, empty_request) | ||
580 | 628 | |||
581 | 629 | >>> view, extra = deleted_view.browserDefault(empty_request) | ||
582 | 630 | Traceback (most recent call last): | ||
583 | 631 | ... | ||
584 | 632 | AssertionError: MixedFileAliasView can not operate on deleted librarian | ||
585 | 633 | files, since their URL is undefined. | ||
586 | 634 | |||
587 | 635 | |||
588 | 636 | As RedirectPerhapsWithTokenLibraryFileAliasView is | ||
589 | 637 | StreamOrRedirectLibraryFileAliasView influence by a feature flag, until the | ||
590 | 638 | proxy code is removed, we must remove the feature to test the old behaviour. | ||
591 | 639 | |||
592 | 640 | >>> ignore = getFeatureStore().find(FeatureFlag, | ||
593 | 641 | ... FeatureFlag.flag==u'publicrestrictedlibrarian').remove() | ||
594 | 642 | >>> transaction.commit() | ||
595 | 643 | |||
596 | 644 | Because the flags code aggressively caches, we have to do a small dance to | ||
597 | 645 | convince it a new request has started too. | ||
598 | 646 | |||
599 | 647 | >>> empty_request = LaunchpadTestRequest() | ||
600 | 648 | >>> per_thread.features = FeatureController( | ||
601 | 649 | ... ScopesFromRequest(empty_request).lookup) | ||
602 | 650 | |||
603 | 651 | == StreamOrRedirectLibraryFileAliasView == | ||
604 | 652 | |||
605 | 653 | This special view allows call sites to stream restricted `LibraryFileAlias` | ||
606 | 654 | contents directly from launchpad instances. | ||
607 | 655 | |||
608 | 490 | This view implements `IBrowserPublisher` which allows us to use it in | 656 | This view implements `IBrowserPublisher` which allows us to use it in |
609 | 491 | traversals. | 657 | traversals. |
610 | 492 | 658 | ||
611 | @@ -505,6 +671,8 @@ | |||
612 | 505 | traversal chain is finished with the view object itself. | 671 | traversal chain is finished with the view object itself. |
613 | 506 | 672 | ||
614 | 507 | >>> view, extra = restricted_view.browserDefault(empty_request) | 673 | >>> view, extra = restricted_view.browserDefault(empty_request) |
615 | 674 | >>> if view != restricted_view: | ||
616 | 675 | ... print view | ||
617 | 508 | >>> view == restricted_view | 676 | >>> view == restricted_view |
618 | 509 | True | 677 | True |
619 | 510 | 678 | ||
620 | @@ -586,31 +754,14 @@ | |||
621 | 586 | Files in this condition cannot be handled by the view and it raises an | 754 | Files in this condition cannot be handled by the view and it raises an |
622 | 587 | appropriate AssertionError when it gets traversed. | 755 | appropriate AssertionError when it gets traversed. |
623 | 588 | 756 | ||
624 | 589 | # Create a new LibraryFileAlias not referencing any LibraryFileContent | ||
625 | 590 | # record. Such records are considered as being deleted. | ||
626 | 591 | >>> from canonical.launchpad.database import LibraryFileAlias | ||
627 | 592 | >>> from canonical.launchpad.webapp.interfaces import ( | ||
628 | 593 | ... IStoreSelector, MAIN_STORE, MASTER_FLAVOR) | ||
629 | 594 | |||
630 | 595 | >>> store = getUtility(IStoreSelector).get(MAIN_STORE, MASTER_FLAVOR) | ||
631 | 596 | >>> deleted_file = LibraryFileAlias( | ||
632 | 597 | ... content=None, filename='deleted.txt', | ||
633 | 598 | ... mimetype='text/plain') | ||
634 | 599 | >>> ignore = store.add(deleted_file) | ||
635 | 600 | >>> store.commit() | ||
636 | 601 | |||
637 | 602 | >>> deleted_file = getUtility(ILibraryFileAliasSet)[deleted_file.id] | ||
638 | 603 | >>> print deleted_file.deleted | ||
639 | 604 | True | ||
640 | 605 | |||
641 | 606 | >>> deleted_view = StreamOrRedirectLibraryFileAliasView( | 757 | >>> deleted_view = StreamOrRedirectLibraryFileAliasView( |
642 | 607 | ... deleted_file, empty_request) | 758 | ... deleted_file, empty_request) |
643 | 608 | 759 | ||
644 | 609 | >>> view, extra = deleted_view.browserDefault(empty_request) | 760 | >>> view, extra = deleted_view.browserDefault(empty_request) |
645 | 610 | Traceback (most recent call last): | 761 | Traceback (most recent call last): |
646 | 611 | ... | 762 | ... |
649 | 612 | AssertionError: StreamOrRedirectLibraryFileAliasView can not | 763 | AssertionError: MixedFileAliasView can not operate on deleted librarian |
650 | 613 | operate on deleted librarian files, since their URL is undefined. | 764 | files, since their URL is undefined. |
651 | 614 | 765 | ||
652 | 615 | 766 | ||
653 | 616 | == LibraryFileAliasMD5View == | 767 | == LibraryFileAliasMD5View == |
654 | 617 | 768 | ||
655 | === modified file 'lib/canonical/launchpad/ftests/test_libraryfilealias.py' | |||
656 | --- lib/canonical/launchpad/ftests/test_libraryfilealias.py 2010-08-20 20:31:18 +0000 | |||
657 | +++ lib/canonical/launchpad/ftests/test_libraryfilealias.py 2010-09-07 04:07:54 +0000 | |||
658 | @@ -6,8 +6,8 @@ | |||
659 | 6 | __metaclass__ = type | 6 | __metaclass__ = type |
660 | 7 | 7 | ||
661 | 8 | from cStringIO import StringIO | 8 | from cStringIO import StringIO |
662 | 9 | |||
663 | 9 | import unittest | 10 | import unittest |
664 | 10 | |||
665 | 11 | import transaction | 11 | import transaction |
666 | 12 | from zope.component import getUtility | 12 | from zope.component import getUtility |
667 | 13 | 13 | ||
668 | @@ -45,8 +45,3 @@ | |||
669 | 45 | # the remaining content. If it's reset, the file will be auto-opened | 45 | # the remaining content. If it's reset, the file will be auto-opened |
670 | 46 | # and its whole content will be returned. | 46 | # and its whole content will be returned. |
671 | 47 | self.assertEquals(self.text_content, self.file_alias.read()) | 47 | self.assertEquals(self.text_content, self.file_alias.read()) |
672 | 48 | |||
673 | 49 | |||
674 | 50 | def test_suite(): | ||
675 | 51 | return unittest.TestLoader().loadTestsFromName(__name__) | ||
676 | 52 | |||
677 | 53 | 48 | ||
678 | === modified file 'lib/canonical/launchpad/interfaces/librarian.py' | |||
679 | --- lib/canonical/launchpad/interfaces/librarian.py 2010-08-20 20:31:18 +0000 | |||
680 | +++ lib/canonical/launchpad/interfaces/librarian.py 2010-09-07 04:07:54 +0000 | |||
681 | @@ -80,13 +80,17 @@ | |||
682 | 80 | # byte strings. | 80 | # byte strings. |
683 | 81 | http_url = Attribute(_("The http URL to this file")) | 81 | http_url = Attribute(_("The http URL to this file")) |
684 | 82 | https_url = Attribute(_("The https URL to this file")) | 82 | https_url = Attribute(_("The https URL to this file")) |
685 | 83 | private_url = Attribute(_("The secure URL to this file (private files)")) | ||
686 | 83 | 84 | ||
687 | 84 | def getURL(): | 85 | def getURL(): |
688 | 85 | """Return this file's http or https URL. | 86 | """Return this file's http or https URL. |
689 | 86 | 87 | ||
690 | 88 | If the file is a restricted file, the private_url will be returned, | ||
691 | 89 | which is on https and uses unique domains per file alias. | ||
692 | 90 | |||
693 | 87 | The generated URL will be https if the use_https config variable is | 91 | The generated URL will be https if the use_https config variable is |
694 | 88 | set, in order to prevent warnings about insecure objects from | 92 | set, in order to prevent warnings about insecure objects from |
696 | 89 | happening in some browsers. | 93 | happening in some browsers (this is used for, e.g., branding). |
697 | 90 | 94 | ||
698 | 91 | If config.launchpad.virtual_host.use_https is set, then return the | 95 | If config.launchpad.virtual_host.use_https is set, then return the |
699 | 92 | https URL. Otherwise return the http URL. | 96 | https URL. Otherwise return the http URL. |
700 | 93 | 97 | ||
701 | === modified file 'lib/canonical/launchpad/interfaces/lpstorm.py' | |||
702 | --- lib/canonical/launchpad/interfaces/lpstorm.py 2009-06-25 05:30:52 +0000 | |||
703 | +++ lib/canonical/launchpad/interfaces/lpstorm.py 2010-09-07 04:07:54 +0000 | |||
704 | @@ -32,4 +32,3 @@ | |||
705 | 32 | 32 | ||
706 | 33 | class IMasterObject(IDBObject): | 33 | class IMasterObject(IDBObject): |
707 | 34 | """A Storm database object associated with its master Store.""" | 34 | """A Storm database object associated with its master Store.""" |
708 | 35 | |||
709 | 36 | 35 | ||
710 | === modified file 'lib/canonical/launchpad/scripts/garbo.py' | |||
711 | --- lib/canonical/launchpad/scripts/garbo.py 2010-08-20 20:31:18 +0000 | |||
712 | +++ lib/canonical/launchpad/scripts/garbo.py 2010-09-07 04:07:54 +0000 | |||
713 | @@ -29,10 +29,14 @@ | |||
714 | 29 | from canonical.database.constants import THIRTY_DAYS_AGO | 29 | from canonical.database.constants import THIRTY_DAYS_AGO |
715 | 30 | from canonical.database.sqlbase import ( | 30 | from canonical.database.sqlbase import ( |
716 | 31 | cursor, | 31 | cursor, |
717 | 32 | session_store, | ||
718 | 32 | sqlvalues, | 33 | sqlvalues, |
719 | 33 | ) | 34 | ) |
720 | 34 | from canonical.launchpad.database.emailaddress import EmailAddress | 35 | from canonical.launchpad.database.emailaddress import EmailAddress |
722 | 35 | from canonical.launchpad.database.librarian import LibraryFileAlias | 36 | from canonical.launchpad.database.librarian import ( |
723 | 37 | LibraryFileAlias, | ||
724 | 38 | TimeLimitedToken, | ||
725 | 39 | ) | ||
726 | 36 | from canonical.launchpad.database.oauth import OAuthNonce | 40 | from canonical.launchpad.database.oauth import OAuthNonce |
727 | 37 | from canonical.launchpad.database.openidconsumer import OpenIDConsumerNonce | 41 | from canonical.launchpad.database.openidconsumer import OpenIDConsumerNonce |
728 | 38 | from canonical.launchpad.interfaces import IMasterStore | 42 | from canonical.launchpad.interfaces import IMasterStore |
729 | @@ -685,6 +689,43 @@ | |||
730 | 685 | transaction.commit() | 689 | transaction.commit() |
731 | 686 | 690 | ||
732 | 687 | 691 | ||
733 | 692 | class OldTimeLimitedTokenDeleter(TunableLoop): | ||
734 | 693 | """Delete expired url access tokens from the session DB.""" | ||
735 | 694 | |||
736 | 695 | maximum_chunk_size = 24*60*60 # 24 hours in seconds. | ||
737 | 696 | |||
738 | 697 | def __init__(self, log, abort_time=None): | ||
739 | 698 | super(OldTimeLimitedTokenDeleter, self).__init__(log, abort_time) | ||
740 | 699 | self.store = session_store() | ||
741 | 700 | self._update_oldest() | ||
742 | 701 | |||
743 | 702 | def _update_oldest(self): | ||
744 | 703 | self.oldest_age = self.store.execute(""" | ||
745 | 704 | SELECT COALESCE(EXTRACT(EPOCH FROM | ||
746 | 705 | CURRENT_TIMESTAMP AT TIME ZONE 'UTC' | ||
747 | 706 | - MIN(created)), 0) | ||
748 | 707 | FROM TimeLimitedToken | ||
749 | 708 | """).get_one()[0] | ||
750 | 709 | |||
751 | 710 | def isDone(self): | ||
752 | 711 | return self.oldest_age <= ONE_DAY_IN_SECONDS | ||
753 | 712 | |||
754 | 713 | def __call__(self, chunk_size): | ||
755 | 714 | self.oldest_age = max( | ||
756 | 715 | ONE_DAY_IN_SECONDS, self.oldest_age - chunk_size) | ||
757 | 716 | |||
758 | 717 | self.log.debug( | ||
759 | 718 | "Removed TimeLimitedToken rows older than %d seconds" | ||
760 | 719 | % self.oldest_age) | ||
761 | 720 | self.store.find( | ||
762 | 721 | TimeLimitedToken, | ||
763 | 722 | TimeLimitedToken.created < SQL( | ||
764 | 723 | "CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - interval '%d seconds'" | ||
765 | 724 | % ONE_DAY_IN_SECONDS)).remove() | ||
766 | 725 | transaction.commit() | ||
767 | 726 | self._update_oldest() | ||
768 | 727 | |||
769 | 728 | |||
770 | 688 | class SuggestiveTemplatesCacheUpdater(TunableLoop): | 729 | class SuggestiveTemplatesCacheUpdater(TunableLoop): |
771 | 689 | """Refresh the SuggestivePOTemplate cache. | 730 | """Refresh the SuggestivePOTemplate cache. |
772 | 690 | 731 | ||
773 | @@ -806,13 +847,14 @@ | |||
774 | 806 | class DailyDatabaseGarbageCollector(BaseDatabaseGarbageCollector): | 847 | class DailyDatabaseGarbageCollector(BaseDatabaseGarbageCollector): |
775 | 807 | script_name = 'garbo-daily' | 848 | script_name = 'garbo-daily' |
776 | 808 | tunable_loops = [ | 849 | tunable_loops = [ |
777 | 850 | BranchJobPruner, | ||
778 | 851 | BugNotificationPruner, | ||
779 | 852 | BugWatchActivityPruner, | ||
780 | 809 | CodeImportResultPruner, | 853 | CodeImportResultPruner, |
781 | 810 | RevisionAuthorEmailLinker, | ||
782 | 811 | HWSubmissionEmailLinker, | 854 | HWSubmissionEmailLinker, |
783 | 812 | BugNotificationPruner, | ||
784 | 813 | BranchJobPruner, | ||
785 | 814 | BugWatchActivityPruner, | ||
786 | 815 | ObsoleteBugAttachmentDeleter, | 855 | ObsoleteBugAttachmentDeleter, |
787 | 856 | OldTimeLimitedTokenDeleter, | ||
788 | 857 | RevisionAuthorEmailLinker, | ||
789 | 816 | SuggestiveTemplatesCacheUpdater, | 858 | SuggestiveTemplatesCacheUpdater, |
790 | 817 | ] | 859 | ] |
791 | 818 | experimental_tunable_loops = [ | 860 | experimental_tunable_loops = [ |
792 | 819 | 861 | ||
793 | === modified file 'lib/canonical/launchpad/scripts/tests/test_garbo.py' | |||
794 | --- lib/canonical/launchpad/scripts/tests/test_garbo.py 2010-08-20 20:31:18 +0000 | |||
795 | +++ lib/canonical/launchpad/scripts/tests/test_garbo.py 2010-09-07 04:07:54 +0000 | |||
796 | @@ -23,11 +23,12 @@ | |||
797 | 23 | from zope.security.proxy import removeSecurityProxy | 23 | from zope.security.proxy import removeSecurityProxy |
798 | 24 | 24 | ||
799 | 25 | from canonical.config import config | 25 | from canonical.config import config |
800 | 26 | from canonical.database import sqlbase | ||
801 | 26 | from canonical.database.constants import ( | 27 | from canonical.database.constants import ( |
802 | 27 | THIRTY_DAYS_AGO, | 28 | THIRTY_DAYS_AGO, |
803 | 28 | UTC_NOW, | 29 | UTC_NOW, |
804 | 29 | ) | 30 | ) |
806 | 30 | from canonical.database.sqlbase import quote | 31 | from canonical.launchpad.database.librarian import TimeLimitedToken |
807 | 31 | from canonical.launchpad.database.message import Message | 32 | from canonical.launchpad.database.message import Message |
808 | 32 | from canonical.launchpad.database.oauth import OAuthNonce | 33 | from canonical.launchpad.database.oauth import OAuthNonce |
809 | 33 | from canonical.launchpad.database.openidconsumer import OpenIDConsumerNonce | 34 | from canonical.launchpad.database.openidconsumer import OpenIDConsumerNonce |
810 | @@ -561,6 +562,26 @@ | |||
811 | 561 | LaunchpadZopelessLayer.switchDbUser('testadmin') | 562 | LaunchpadZopelessLayer.switchDbUser('testadmin') |
812 | 562 | self.assertEqual(bug.attachments.count(), 0) | 563 | self.assertEqual(bug.attachments.count(), 0) |
813 | 563 | 564 | ||
814 | 565 | def test_TimeLimitedTokenPruner(self): | ||
815 | 566 | # Ensure there are no tokens | ||
816 | 567 | store = sqlbase.session_store() | ||
817 | 568 | map(store.remove, store.find(TimeLimitedToken)) | ||
818 | 569 | store.flush() | ||
819 | 570 | self.assertEqual(0, len(list(store.find(TimeLimitedToken, | ||
820 | 571 | path="sample path")))) | ||
821 | 572 | # One to clean and one to keep | ||
822 | 573 | store.add(TimeLimitedToken(path="sample path", token="foo", | ||
823 | 574 | created=datetime(2008, 01, 01, tzinfo=UTC))) | ||
824 | 575 | store.add(TimeLimitedToken(path="sample path", token="bar")), | ||
825 | 576 | store.commit() | ||
826 | 577 | self.assertEqual(2, len(list(store.find(TimeLimitedToken, | ||
827 | 578 | path="sample path")))) | ||
828 | 579 | self.runDaily() | ||
829 | 580 | self.assertEqual(0, len(list(store.find(TimeLimitedToken, | ||
830 | 581 | path="sample path", token="foo")))) | ||
831 | 582 | self.assertEqual(1, len(list(store.find(TimeLimitedToken, | ||
832 | 583 | path="sample path", token="bar")))) | ||
833 | 584 | |||
834 | 564 | def test_CacheSuggestivePOTemplates(self): | 585 | def test_CacheSuggestivePOTemplates(self): |
835 | 565 | LaunchpadZopelessLayer.switchDbUser('testadmin') | 586 | LaunchpadZopelessLayer.switchDbUser('testadmin') |
836 | 566 | template = self.factory.makePOTemplate() | 587 | template = self.factory.makePOTemplate() |
837 | @@ -571,6 +592,6 @@ | |||
838 | 571 | SELECT count(*) | 592 | SELECT count(*) |
839 | 572 | FROM SuggestivePOTemplate | 593 | FROM SuggestivePOTemplate |
840 | 573 | WHERE potemplate = %s | 594 | WHERE potemplate = %s |
842 | 574 | """ % quote(template.id)).get_one() | 595 | """ % sqlbase.quote(template.id)).get_one() |
843 | 575 | 596 | ||
844 | 576 | self.assertEqual(1, count) | 597 | self.assertEqual(1, count) |
845 | 577 | 598 | ||
846 | === modified file 'lib/canonical/launchpad/utilities/looptuner.py' | |||
847 | --- lib/canonical/launchpad/utilities/looptuner.py 2010-08-20 20:31:18 +0000 | |||
848 | +++ lib/canonical/launchpad/utilities/looptuner.py 2010-09-07 04:07:54 +0000 | |||
849 | @@ -314,6 +314,10 @@ | |||
850 | 314 | self.log = log | 314 | self.log = log |
851 | 315 | self.abort_time = abort_time | 315 | self.abort_time = abort_time |
852 | 316 | 316 | ||
853 | 317 | def isDone(self): | ||
854 | 318 | """Return True when the TunableLoop is complete.""" | ||
855 | 319 | raise NotImplementedError(self.isDone) | ||
856 | 320 | |||
857 | 317 | def run(self): | 321 | def run(self): |
858 | 318 | assert self.maximum_chunk_size is not None, ( | 322 | assert self.maximum_chunk_size is not None, ( |
859 | 319 | "Did not override maximum_chunk_size.") | 323 | "Did not override maximum_chunk_size.") |
860 | 320 | 324 | ||
861 | === modified file 'lib/canonical/launchpad/webapp/session.py' | |||
862 | --- lib/canonical/launchpad/webapp/session.py 2010-08-20 20:31:18 +0000 | |||
863 | +++ lib/canonical/launchpad/webapp/session.py 2010-09-07 04:07:54 +0000 | |||
864 | @@ -13,6 +13,7 @@ | |||
865 | 13 | from zope.session.http import CookieClientIdManager | 13 | from zope.session.http import CookieClientIdManager |
866 | 14 | 14 | ||
867 | 15 | from canonical.config import config | 15 | from canonical.config import config |
868 | 16 | from canonical.database.sqlbase import session_store | ||
869 | 16 | 17 | ||
870 | 17 | 18 | ||
871 | 18 | SECONDS = 1 | 19 | SECONDS = 1 |
872 | @@ -77,7 +78,7 @@ | |||
873 | 77 | # Secret is looked up here rather than in __init__, because | 78 | # Secret is looked up here rather than in __init__, because |
874 | 78 | # we can't be sure the database connections are setup at that point. | 79 | # we can't be sure the database connections are setup at that point. |
875 | 79 | if self._secret is None: | 80 | if self._secret is None: |
877 | 80 | store = getUtility(IZStorm).get('session', 'launchpad-session:') | 81 | store = session_store() |
878 | 81 | result = store.execute("SELECT secret FROM secret") | 82 | result = store.execute("SELECT secret FROM secret") |
879 | 82 | self._secret = result.get_one()[0] | 83 | self._secret = result.get_one()[0] |
880 | 83 | return self._secret | 84 | return self._secret |
881 | 84 | 85 | ||
882 | === modified file 'lib/canonical/launchpad/zcml/librarian.zcml' | |||
883 | --- lib/canonical/launchpad/zcml/librarian.zcml 2010-07-06 16:12:46 +0000 | |||
884 | +++ lib/canonical/launchpad/zcml/librarian.zcml 2010-09-07 04:07:54 +0000 | |||
885 | @@ -55,6 +55,11 @@ | |||
886 | 55 | <allow interface="zope.publisher.interfaces.browser.IBrowserPublisher" /> | 55 | <allow interface="zope.publisher.interfaces.browser.IBrowserPublisher" /> |
887 | 56 | </class> | 56 | </class> |
888 | 57 | 57 | ||
889 | 58 | <class class="canonical.launchpad.browser.librarian.SafeStreamOrRedirectLibraryFileAliasView"> | ||
890 | 59 | <allow attributes="__call__" /> | ||
891 | 60 | <allow interface="zope.publisher.interfaces.browser.IBrowserPublisher" /> | ||
892 | 61 | </class> | ||
893 | 62 | |||
894 | 58 | <adapter | 63 | <adapter |
895 | 59 | factory="canonical.launchpad.database.librarian.LibraryFileAliasWithParent" | 64 | factory="canonical.launchpad.database.librarian.LibraryFileAliasWithParent" |
896 | 60 | provides="canonical.launchpad.interfaces.librarian.ILibraryFileAliasWithParent" | 65 | provides="canonical.launchpad.interfaces.librarian.ILibraryFileAliasWithParent" |
897 | 61 | 66 | ||
898 | === modified file 'lib/canonical/librarian/client.py' | |||
899 | --- lib/canonical/librarian/client.py 2010-09-04 05:01:17 +0000 | |||
900 | +++ lib/canonical/librarian/client.py 2010-09-07 04:07:54 +0000 | |||
901 | @@ -23,7 +23,11 @@ | |||
902 | 23 | 23 | ||
903 | 24 | from select import select | 24 | from select import select |
904 | 25 | from socket import SOCK_STREAM, AF_INET | 25 | from socket import SOCK_STREAM, AF_INET |
906 | 26 | from urlparse import urljoin | 26 | from urlparse import ( |
907 | 27 | urlparse, | ||
908 | 28 | urljoin, | ||
909 | 29 | urlunparse, | ||
910 | 30 | ) | ||
911 | 27 | 31 | ||
912 | 28 | from storm.store import Store | 32 | from storm.store import Store |
913 | 29 | from zope.interface import implements | 33 | from zope.interface import implements |
914 | @@ -291,16 +295,17 @@ | |||
915 | 291 | # raise DownloadFailed, 'Incomplete response' | 295 | # raise DownloadFailed, 'Incomplete response' |
916 | 292 | # return paths | 296 | # return paths |
917 | 293 | 297 | ||
919 | 294 | def _getPathForAlias(self, aliasID): | 298 | def _getPathForAlias(self, aliasID, secure=False): |
920 | 295 | """Returns the path inside the librarian to talk about the given | 299 | """Returns the path inside the librarian to talk about the given |
921 | 296 | alias. | 300 | alias. |
922 | 297 | 301 | ||
923 | 298 | :param aliasID: A unique ID for the alias | 302 | :param aliasID: A unique ID for the alias |
925 | 299 | 303 | :param secure: Controls the behaviour when looking up restricted | |
926 | 304 | files. If False restricted files are only permitted when | ||
927 | 305 | self.restricted is True. See getURLForAlias. | ||
928 | 300 | :returns: String path, url-escaped. Unicode is UTF-8 encoded before | 306 | :returns: String path, url-escaped. Unicode is UTF-8 encoded before |
929 | 301 | url-escaping, as described in section 2.2.5 of RFC 2718. | 307 | url-escaping, as described in section 2.2.5 of RFC 2718. |
930 | 302 | None if the file has been deleted. | 308 | None if the file has been deleted. |
931 | 303 | |||
932 | 304 | :raises: DownloadFailed if the alias is invalid | 309 | :raises: DownloadFailed if the alias is invalid |
933 | 305 | """ | 310 | """ |
934 | 306 | from canonical.launchpad.database import LibraryFileAlias | 311 | from canonical.launchpad.database import LibraryFileAlias |
935 | @@ -311,7 +316,7 @@ | |||
936 | 311 | lfa = LibraryFileAlias.get(aliasID) | 316 | lfa = LibraryFileAlias.get(aliasID) |
937 | 312 | except SQLObjectNotFound: | 317 | except SQLObjectNotFound: |
938 | 313 | raise DownloadFailed('Alias %d not found' % aliasID) | 318 | raise DownloadFailed('Alias %d not found' % aliasID) |
940 | 314 | if self.restricted != lfa.restricted: | 319 | if not secure and self.restricted != lfa.restricted: |
941 | 315 | raise DownloadFailed( | 320 | raise DownloadFailed( |
942 | 316 | 'Alias %d cannot be downloaded from this client.' % aliasID) | 321 | 'Alias %d cannot be downloaded from this client.' % aliasID) |
943 | 317 | if lfa.deleted: | 322 | if lfa.deleted: |
944 | @@ -319,18 +324,41 @@ | |||
945 | 319 | return get_libraryfilealias_download_path( | 324 | return get_libraryfilealias_download_path( |
946 | 320 | aliasID, lfa.filename.encode('utf-8')) | 325 | aliasID, lfa.filename.encode('utf-8')) |
947 | 321 | 326 | ||
949 | 322 | def getURLForAlias(self, aliasID): | 327 | def getURLForAlias(self, aliasID, secure=False): |
950 | 323 | """Returns the url for talking to the librarian about the given | 328 | """Returns the url for talking to the librarian about the given |
951 | 324 | alias. | 329 | alias. |
952 | 325 | 330 | ||
953 | 326 | :param aliasID: A unique ID for the alias | 331 | :param aliasID: A unique ID for the alias |
955 | 327 | 332 | :param secure: If true generate https urls on unique domains for | |
956 | 333 | security. | ||
957 | 328 | :returns: String URL, or None if the file has expired and been deleted. | 334 | :returns: String URL, or None if the file has expired and been deleted. |
958 | 329 | """ | 335 | """ |
960 | 330 | path = self._getPathForAlias(aliasID) | 336 | # Note that the path is the same for both secure and insecure URLs - |
961 | 337 | # this is deliberate: the server doesn't need to know about the original | ||
962 | 338 | # Host the client provides, testing is easier as we don't need wildcard | ||
963 | 339 | # https environments on dev machines. | ||
964 | 340 | path = self._getPathForAlias(aliasID, secure=secure) | ||
965 | 331 | if path is None: | 341 | if path is None: |
966 | 332 | return None | 342 | return None |
968 | 333 | base = self.download_url | 343 | if not secure: |
969 | 344 | base = self.download_url | ||
970 | 345 | else: | ||
971 | 346 | # Secure url generation is the same for both restricted and | ||
972 | 347 | # unrestricted files aliases : it is used to give web clients (not | ||
973 | 348 | # appservers) a url to use to access a file which is either | ||
974 | 349 | # restricted (and so they will also need a TimeLimitedToken) or | ||
975 | 350 | # is suspected hostile (and so it should be isolated on its own | ||
976 | 351 | # domain). Note that only the former is currently used in LP. | ||
977 | 352 | # The algorithm is: | ||
978 | 353 | # parse the url | ||
979 | 354 | download_url = config.librarian.download_url | ||
980 | 355 | parsed = list(urlparse(download_url)) | ||
981 | 356 | # Force the scheme to https | ||
982 | 357 | parsed[0] = 'https' | ||
983 | 358 | # Insert the alias id (which is a unique key, thus unique) in the | ||
984 | 359 | # netloc | ||
985 | 360 | parsed[1] = ('i%d.restricted.' % aliasID) + parsed[1] | ||
986 | 361 | base = urlunparse(parsed) | ||
987 | 334 | return urljoin(base, path) | 362 | return urljoin(base, path) |
988 | 335 | 363 | ||
989 | 336 | def _getURLForDownload(self, aliasID): | 364 | def _getURLForDownload(self, aliasID): |
990 | 337 | 365 | ||
991 | === modified file 'lib/canonical/librarian/db.py' | |||
992 | --- lib/canonical/librarian/db.py 2009-11-24 15:36:44 +0000 | |||
993 | +++ lib/canonical/librarian/db.py 2010-09-07 04:07:54 +0000 | |||
994 | @@ -13,12 +13,19 @@ | |||
995 | 13 | from psycopg2.extensions import TransactionRollbackError | 13 | from psycopg2.extensions import TransactionRollbackError |
996 | 14 | from sqlobject.sqlbuilder import AND | 14 | from sqlobject.sqlbuilder import AND |
997 | 15 | from storm.exceptions import DisconnectionError, IntegrityError | 15 | from storm.exceptions import DisconnectionError, IntegrityError |
998 | 16 | from storm.expr import SQL | ||
999 | 16 | import transaction | 17 | import transaction |
1000 | 17 | from twisted.python.util import mergeFunctionMetadata | 18 | from twisted.python.util import mergeFunctionMetadata |
1001 | 18 | 19 | ||
1003 | 19 | from canonical.database.sqlbase import reset_store | 20 | from canonical.database.sqlbase import ( |
1004 | 21 | reset_store, | ||
1005 | 22 | session_store, | ||
1006 | 23 | ) | ||
1007 | 20 | from canonical.launchpad.database.librarian import ( | 24 | from canonical.launchpad.database.librarian import ( |
1009 | 21 | LibraryFileContent, LibraryFileAlias) | 25 | LibraryFileAlias, |
1010 | 26 | LibraryFileContent, | ||
1011 | 27 | TimeLimitedToken, | ||
1012 | 28 | ) | ||
1013 | 22 | 29 | ||
1014 | 23 | 30 | ||
1015 | 24 | RETRY_ATTEMPTS = 3 | 31 | RETRY_ATTEMPTS = 3 |
1016 | @@ -98,19 +105,40 @@ | |||
1017 | 98 | def lookupBySHA1(self, digest): | 105 | def lookupBySHA1(self, digest): |
1018 | 99 | return [fc.id for fc in LibraryFileContent.selectBy(sha1=digest)] | 106 | return [fc.id for fc in LibraryFileContent.selectBy(sha1=digest)] |
1019 | 100 | 107 | ||
1021 | 101 | def getAlias(self, aliasid): | 108 | def getAlias(self, aliasid, token, path): |
1022 | 102 | """Returns a LibraryFileAlias, or raises LookupError. | 109 | """Returns a LibraryFileAlias, or raises LookupError. |
1023 | 103 | 110 | ||
1024 | 104 | A LookupError is raised if no record with the given ID exists | 111 | A LookupError is raised if no record with the given ID exists |
1025 | 105 | or if not related LibraryFileContent exists. | 112 | or if not related LibraryFileContent exists. |
1026 | 113 | |||
1027 | 114 | :param token: The token for the file. If None no token is present. | ||
1028 | 115 | When a token is supplied, it is looked up with path. | ||
1029 | 116 | :param path: The path the request is for, unused unless a token | ||
1030 | 117 | is supplied; when supplied it must match the token. The | ||
1031 | 118 | value of path is expected to be that from a twisted request.args | ||
1032 | 119 | e.g. /foo/bar. | ||
1033 | 106 | """ | 120 | """ |
1034 | 121 | restricted = self.restricted | ||
1035 | 122 | if token and path: | ||
1036 | 123 | # with a token and a path we may be able to serve restricted files | ||
1037 | 124 | # on the public port. | ||
1038 | 125 | store = session_store() | ||
1039 | 126 | token_found = store.find(TimeLimitedToken, | ||
1040 | 127 | SQL("age(created) < interval '1 day'"), | ||
1041 | 128 | TimeLimitedToken.token==token, | ||
1042 | 129 | TimeLimitedToken.path==path).is_empty() | ||
1043 | 130 | store.reset() | ||
1044 | 131 | if token_found: | ||
1045 | 132 | raise LookupError("Token stale/pruned/path mismatch") | ||
1046 | 133 | else: | ||
1047 | 134 | restricted = True | ||
1048 | 107 | alias = LibraryFileAlias.selectOne(AND( | 135 | alias = LibraryFileAlias.selectOne(AND( |
1049 | 108 | LibraryFileAlias.q.id==aliasid, | 136 | LibraryFileAlias.q.id==aliasid, |
1050 | 109 | LibraryFileAlias.q.contentID==LibraryFileContent.q.id, | 137 | LibraryFileAlias.q.contentID==LibraryFileContent.q.id, |
1052 | 110 | LibraryFileAlias.q.restricted==self.restricted, | 138 | LibraryFileAlias.q.restricted==restricted, |
1053 | 111 | )) | 139 | )) |
1054 | 112 | if alias is None: | 140 | if alias is None: |
1056 | 113 | raise LookupError | 141 | raise LookupError("No file alias with LibraryFileContent") |
1057 | 114 | return alias | 142 | return alias |
1058 | 115 | 143 | ||
1059 | 116 | def getAliases(self, fileid): | 144 | def getAliases(self, fileid): |
1060 | 117 | 145 | ||
1061 | === modified file 'lib/canonical/librarian/ftests/test_db.py' | |||
1062 | --- lib/canonical/librarian/ftests/test_db.py 2009-11-24 16:54:45 +0000 | |||
1063 | +++ lib/canonical/librarian/ftests/test_db.py 2010-09-07 04:07:54 +0000 | |||
1064 | @@ -39,7 +39,7 @@ | |||
1065 | 39 | sorted(library.lookupBySHA1('deadbeef'))) | 39 | sorted(library.lookupBySHA1('deadbeef'))) |
1066 | 40 | 40 | ||
1067 | 41 | aliasID = library.addAlias(fileID, 'file1', 'text/unknown') | 41 | aliasID = library.addAlias(fileID, 'file1', 'text/unknown') |
1069 | 42 | alias = library.getAlias(aliasID) | 42 | alias = library.getAlias(aliasID, None, '/') |
1070 | 43 | self.assertEqual('file1', alias.filename) | 43 | self.assertEqual('file1', alias.filename) |
1071 | 44 | self.assertEqual('text/unknown', alias.mimetype) | 44 | self.assertEqual('text/unknown', alias.mimetype) |
1072 | 45 | 45 | ||
1073 | @@ -65,42 +65,44 @@ | |||
1074 | 65 | # Library.getAlias() returns the LibrarayFileAlias for a given | 65 | # Library.getAlias() returns the LibrarayFileAlias for a given |
1075 | 66 | # LibrarayFileAlias ID. | 66 | # LibrarayFileAlias ID. |
1076 | 67 | library = db.Library(restricted=False) | 67 | library = db.Library(restricted=False) |
1078 | 68 | alias = library.getAlias(1) | 68 | alias = library.getAlias(1, None, '/') |
1079 | 69 | self.assertEqual(1, alias.id) | 69 | self.assertEqual(1, alias.id) |
1080 | 70 | 70 | ||
1081 | 71 | def test_getAlias_no_such_record(self): | 71 | def test_getAlias_no_such_record(self): |
1082 | 72 | # Library.getAlias() raises a LookupError, if no record with | 72 | # Library.getAlias() raises a LookupError, if no record with |
1083 | 73 | # the given ID exists. | 73 | # the given ID exists. |
1084 | 74 | library = db.Library(restricted=False) | 74 | library = db.Library(restricted=False) |
1086 | 75 | self.assertRaises(LookupError, library.getAlias, -1) | 75 | self.assertRaises(LookupError, library.getAlias, -1, None, '/') |
1087 | 76 | 76 | ||
1088 | 77 | def test_getAlias_content_is_null(self): | 77 | def test_getAlias_content_is_null(self): |
1089 | 78 | # Library.getAlias() raises a LookupError, if no content | 78 | # Library.getAlias() raises a LookupError, if no content |
1090 | 79 | # record for the given alias exists. | 79 | # record for the given alias exists. |
1091 | 80 | library = db.Library(restricted=False) | 80 | library = db.Library(restricted=False) |
1093 | 81 | alias = library.getAlias(1) | 81 | alias = library.getAlias(1, None, '/') |
1094 | 82 | alias.content = None | 82 | alias.content = None |
1096 | 83 | self.assertRaises(LookupError, library.getAlias, 1) | 83 | self.assertRaises(LookupError, library.getAlias, 1, None, '/') |
1097 | 84 | 84 | ||
1098 | 85 | def test_getAlias_content_is_none(self): | 85 | def test_getAlias_content_is_none(self): |
1099 | 86 | # Library.getAlias() raises a LookupError, if the matching | 86 | # Library.getAlias() raises a LookupError, if the matching |
1100 | 87 | # record does not reference any LibraryFileContent record. | 87 | # record does not reference any LibraryFileContent record. |
1101 | 88 | library = db.Library(restricted=False) | 88 | library = db.Library(restricted=False) |
1103 | 89 | alias = library.getAlias(1) | 89 | alias = library.getAlias(1, None, '/') |
1104 | 90 | alias.content = None | 90 | alias.content = None |
1106 | 91 | self.assertRaises(LookupError, library.getAlias, 1) | 91 | self.assertRaises(LookupError, library.getAlias, 1, None, '/') |
1107 | 92 | 92 | ||
1108 | 93 | def test_getAlias_content_wrong_library(self): | 93 | def test_getAlias_content_wrong_library(self): |
1109 | 94 | # Library.getAlias() raises a LookupError, if a restricted | 94 | # Library.getAlias() raises a LookupError, if a restricted |
1110 | 95 | # library looks up a unrestricted LibraryFileAlias and | 95 | # library looks up a unrestricted LibraryFileAlias and |
1111 | 96 | # vice versa. | 96 | # vice versa. |
1112 | 97 | restricted_library = db.Library(restricted=True) | 97 | restricted_library = db.Library(restricted=True) |
1114 | 98 | self.assertRaises(LookupError, restricted_library.getAlias, 1) | 98 | self.assertRaises( |
1115 | 99 | LookupError, restricted_library.getAlias, 1, None, '/') | ||
1116 | 99 | 100 | ||
1117 | 100 | unrestricted_library = db.Library(restricted=False) | 101 | unrestricted_library = db.Library(restricted=False) |
1119 | 101 | alias = unrestricted_library.getAlias(1) | 102 | alias = unrestricted_library.getAlias(1, None, '/') |
1120 | 102 | alias.restricted = True | 103 | alias.restricted = True |
1122 | 103 | self.assertRaises(LookupError, unrestricted_library.getAlias, 1) | 104 | self.assertRaises( |
1123 | 105 | LookupError, unrestricted_library.getAlias, 1, None, '/') | ||
1124 | 104 | 106 | ||
1125 | 105 | def test_getAliases(self): | 107 | def test_getAliases(self): |
1126 | 106 | # Library.getAliases() returns a sequence | 108 | # Library.getAliases() returns a sequence |
1127 | @@ -119,7 +121,7 @@ | |||
1128 | 119 | # Library.getAliases() does not return records which do not | 121 | # Library.getAliases() does not return records which do not |
1129 | 120 | # reference any LibraryFileContent record. | 122 | # reference any LibraryFileContent record. |
1130 | 121 | library = db.Library(restricted=False) | 123 | library = db.Library(restricted=False) |
1132 | 122 | alias = library.getAlias(1) | 124 | alias = library.getAlias(1, None, '/') |
1133 | 123 | alias.content = None | 125 | alias.content = None |
1134 | 124 | aliases = library.getAliases(1) | 126 | aliases = library.getAliases(1) |
1135 | 125 | expected_aliases = [ | 127 | expected_aliases = [ |
1136 | @@ -132,7 +134,7 @@ | |||
1137 | 132 | # LibrarayFileAlias records when called from a unrestricted | 134 | # LibrarayFileAlias records when called from a unrestricted |
1138 | 133 | # library and vice versa. | 135 | # library and vice versa. |
1139 | 134 | unrestricted_library = db.Library(restricted=False) | 136 | unrestricted_library = db.Library(restricted=False) |
1141 | 135 | alias = unrestricted_library.getAlias(1) | 137 | alias = unrestricted_library.getAlias(1, None, '/') |
1142 | 136 | alias.restricted = True | 138 | alias.restricted = True |
1143 | 137 | 139 | ||
1144 | 138 | aliases = unrestricted_library.getAliases(1) | 140 | aliases = unrestricted_library.getAliases(1) |
1145 | 139 | 141 | ||
1146 | === modified file 'lib/canonical/librarian/ftests/test_storage.py' | |||
1147 | --- lib/canonical/librarian/ftests/test_storage.py 2010-02-09 00:17:40 +0000 | |||
1148 | +++ lib/canonical/librarian/ftests/test_storage.py 2010-09-07 04:07:54 +0000 | |||
1149 | @@ -71,7 +71,7 @@ | |||
1150 | 71 | fileid, aliasid = newfile.store() | 71 | fileid, aliasid = newfile.store() |
1151 | 72 | 72 | ||
1152 | 73 | # Check that its alias has the right mimetype | 73 | # Check that its alias has the right mimetype |
1154 | 74 | fa = self.storage.getFileAlias(aliasid) | 74 | fa = self.storage.getFileAlias(aliasid, None, '/') |
1155 | 75 | self.assertEqual('text/unknown', fa.mimetype) | 75 | self.assertEqual('text/unknown', fa.mimetype) |
1156 | 76 | 76 | ||
1157 | 77 | # Re-add the same file, with the same name and mimetype... | 77 | # Re-add the same file, with the same name and mimetype... |
1158 | @@ -81,7 +81,8 @@ | |||
1159 | 81 | fileid2, aliasid2 = newfile2.store() | 81 | fileid2, aliasid2 = newfile2.store() |
1160 | 82 | 82 | ||
1161 | 83 | # Verify that we didn't get back the same alias ID | 83 | # Verify that we didn't get back the same alias ID |
1163 | 84 | self.assertNotEqual(fa.id, self.storage.getFileAlias(aliasid2).id) | 84 | self.assertNotEqual(fa.id, |
1164 | 85 | self.storage.getFileAlias(aliasid2, None, '/').id) | ||
1165 | 85 | 86 | ||
1166 | 86 | def test_clientProvidedDuplicateIDs(self): | 87 | def test_clientProvidedDuplicateIDs(self): |
1167 | 87 | # This test checks the new behaviour specified by LibrarianTransactions | 88 | # This test checks the new behaviour specified by LibrarianTransactions |
1168 | 88 | 89 | ||
1169 | === modified file 'lib/canonical/librarian/ftests/test_web.py' | |||
1170 | --- lib/canonical/librarian/ftests/test_web.py 2009-11-24 15:36:44 +0000 | |||
1171 | +++ lib/canonical/librarian/ftests/test_web.py 2010-09-07 04:07:54 +0000 | |||
1172 | @@ -3,17 +3,28 @@ | |||
1173 | 3 | 3 | ||
1174 | 4 | from cStringIO import StringIO | 4 | from cStringIO import StringIO |
1175 | 5 | from datetime import datetime | 5 | from datetime import datetime |
1176 | 6 | import httplib | ||
1177 | 6 | import unittest | 7 | import unittest |
1178 | 7 | from urllib2 import urlopen, HTTPError | 8 | from urllib2 import urlopen, HTTPError |
1179 | 9 | from urlparse import urlparse | ||
1180 | 8 | 10 | ||
1181 | 9 | import pytz | 11 | import pytz |
1183 | 10 | 12 | from storm.expr import SQL | |
1184 | 11 | import transaction | 13 | import transaction |
1185 | 12 | from zope.component import getUtility | 14 | from zope.component import getUtility |
1186 | 13 | 15 | ||
1187 | 14 | from canonical.config import config | 16 | from canonical.config import config |
1190 | 15 | from canonical.database.sqlbase import flush_database_updates, cursor | 17 | from canonical.database.sqlbase import ( |
1191 | 16 | from canonical.librarian.client import LibrarianClient | 18 | cursor, |
1192 | 19 | flush_database_updates, | ||
1193 | 20 | session_store, | ||
1194 | 21 | ) | ||
1195 | 22 | from canonical.launchpad.database.librarian import TimeLimitedToken | ||
1196 | 23 | from canonical.librarian.client import ( | ||
1197 | 24 | get_libraryfilealias_download_path, | ||
1198 | 25 | LibrarianClient, | ||
1199 | 26 | RestrictedLibrarianClient, | ||
1200 | 27 | ) | ||
1201 | 17 | from canonical.librarian.interfaces import DownloadFailed | 28 | from canonical.librarian.interfaces import DownloadFailed |
1202 | 18 | from canonical.launchpad.database import LibraryFileAlias | 29 | from canonical.launchpad.database import LibraryFileAlias |
1203 | 19 | from canonical.launchpad.interfaces import IMasterStore | 30 | from canonical.launchpad.interfaces import IMasterStore |
1204 | @@ -57,12 +68,7 @@ | |||
1205 | 57 | # librarian allow access to files that don't exist in the DB | 68 | # librarian allow access to files that don't exist in the DB |
1206 | 58 | # and spitting them out with an 'unknown' mime-type | 69 | # and spitting them out with an 'unknown' mime-type |
1207 | 59 | # -- StuartBishop) | 70 | # -- StuartBishop) |
1214 | 60 | try: | 71 | self.require404(url) |
1209 | 61 | urlopen(url) | ||
1210 | 62 | self.fail('Should have raised a 404') | ||
1211 | 63 | except HTTPError, x: | ||
1212 | 64 | self.failUnlessEqual(x.code, 404) | ||
1213 | 65 | |||
1215 | 66 | self.commit() | 72 | self.commit() |
1216 | 67 | 73 | ||
1217 | 68 | # Make sure we can download it using the API | 74 | # Make sure we can download it using the API |
1218 | @@ -148,11 +154,7 @@ | |||
1219 | 148 | config.librarian.download_port, | 154 | config.librarian.download_port, |
1220 | 149 | aid, filename | 155 | aid, filename |
1221 | 150 | ) | 156 | ) |
1227 | 151 | try: | 157 | self.require404(self._makeURL(aid, 'different.txt')) |
1223 | 152 | urlopen(self._makeURL(aid, 'different.txt')) | ||
1224 | 153 | self.fail('404 not raised') | ||
1225 | 154 | except HTTPError, x: | ||
1226 | 155 | self.failUnlessEqual(x.code, 404) | ||
1228 | 156 | 158 | ||
1229 | 157 | def _makeURL(self, aliasID, filename): | 159 | def _makeURL(self, aliasID, filename): |
1230 | 158 | host = config.librarian.download_host | 160 | host = config.librarian.download_host |
1231 | @@ -172,18 +174,9 @@ | |||
1232 | 172 | self.failUnlessEqual(url, self._makeURL(aid, filename)) | 174 | self.failUnlessEqual(url, self._makeURL(aid, filename)) |
1233 | 173 | 175 | ||
1234 | 174 | # Change the aliasid and assert we get a 404 | 176 | # Change the aliasid and assert we get a 404 |
1241 | 175 | try: | 177 | self.require404(self._makeURL(aid+1, filename)) |
1236 | 176 | urlopen(self._makeURL(aid+1, filename)) | ||
1237 | 177 | self.fail('404 not raised') | ||
1238 | 178 | except HTTPError, x: | ||
1239 | 179 | self.failUnlessEqual(x.code, 404) | ||
1240 | 180 | |||
1242 | 181 | # Change the filename and assert we get a 404 | 178 | # Change the filename and assert we get a 404 |
1248 | 182 | try: | 179 | self.require404(self._makeURL(aid, 'different.txt')) |
1244 | 183 | urlopen(self._makeURL(aid, 'different.txt')) | ||
1245 | 184 | self.fail('404 not raised') | ||
1246 | 185 | except HTTPError, x: | ||
1247 | 186 | self.failUnlessEqual(x.code, 404) | ||
1249 | 187 | 180 | ||
1250 | 188 | def test_duplicateuploads(self): | 181 | def test_duplicateuploads(self): |
1251 | 189 | client = LibrarianClient() | 182 | client = LibrarianClient() |
1252 | @@ -237,6 +230,145 @@ | |||
1253 | 237 | self.failUnlessEqual( | 230 | self.failUnlessEqual( |
1254 | 238 | last_modified_header, 'Tue, 30 Jan 2001 13:45:59 GMT') | 231 | last_modified_header, 'Tue, 30 Jan 2001 13:45:59 GMT') |
1255 | 239 | 232 | ||
1256 | 233 | def get_restricted_file_and_public_url(self): | ||
1257 | 234 | # Use a regular LibrarianClient to ensure we speak to the nonrestricted | ||
1258 | 235 | # port on the librarian which is where secured restricted files are | ||
1259 | 236 | # served from. | ||
1260 | 237 | client = LibrarianClient() | ||
1261 | 238 | fileAlias = client.addFile('sample', 12, StringIO('a'*12), | ||
1262 | 239 | contentType='text/plain') | ||
1263 | 240 | # Note: We're deliberately using the wrong url here: we should be | ||
1264 | 241 | # passing secure=True to getURLForAlias, but to use the returned URL we | ||
1265 | 242 | # would need a wildcard DNS facility patched into urlopen; instead | ||
1266 | 243 | # we use the *deliberate* choice of having the path of secure and insecure | ||
1267 | 244 | # urls be the same, so that we can test it: the server code doesn't need | ||
1268 | 245 | # to know about the fancy wildcard domains. | ||
1269 | 246 | url = client.getURLForAlias(fileAlias) | ||
1270 | 247 | # Now that we have a url which talks to the public librarian, make the | ||
1271 | 248 | # file restricted. | ||
1272 | 249 | IMasterStore(LibraryFileAlias).find(LibraryFileAlias, | ||
1273 | 250 | LibraryFileAlias.id==fileAlias).set( | ||
1274 | 251 | LibraryFileAlias.restricted==True) | ||
1275 | 252 | self.commit() | ||
1276 | 253 | return fileAlias, url | ||
1277 | 254 | |||
1278 | 255 | def test_restricted_subdomain_must_match_file_alias(self): | ||
1279 | 256 | # IFF there is a .restricted. in the host, then the library file alias | ||
1280 | 257 | # in the subdomain must match that in the path. | ||
1281 | 258 | client = LibrarianClient() | ||
1282 | 259 | fileAlias = client.addFile('sample', 12, StringIO('a'*12), | ||
1283 | 260 | contentType='text/plain') | ||
1284 | 261 | fileAlias2 = client.addFile('sample', 12, StringIO('b'*12), | ||
1285 | 262 | contentType='text/plain') | ||
1286 | 263 | self.commit() | ||
1287 | 264 | url = client.getURLForAlias(fileAlias) | ||
1288 | 265 | download_host = urlparse(config.librarian.download_url)[1] | ||
1289 | 266 | if ':' in download_host: | ||
1290 | 267 | download_host = download_host[:download_host.find(':')] | ||
1291 | 268 | template_host = 'i%%d.restricted.%s' % download_host | ||
1292 | 269 | path = get_libraryfilealias_download_path(fileAlias, 'sample') | ||
1293 | 270 | # The basic URL must work. | ||
1294 | 271 | urlopen(url) | ||
1295 | 272 | # Use the network level protocol because DNS resolution won't work | ||
1296 | 273 | # here (no wildcard support) | ||
1297 | 274 | connection = httplib.HTTPConnection( | ||
1298 | 275 | config.librarian.download_host, | ||
1299 | 276 | config.librarian.download_port) | ||
1300 | 277 | # A valid subdomain based URL must work. | ||
1301 | 278 | good_host = template_host % fileAlias | ||
1302 | 279 | connection.request("GET", path, headers={'Host': good_host}) | ||
1303 | 280 | response = connection.getresponse() | ||
1304 | 281 | response.read() | ||
1305 | 282 | self.assertEqual(200, response.status) | ||
1306 | 283 | # A subdomain based URL trying to put fileAlias into the restricted | ||
1307 | 284 | # domain of fileAlias2 must not work. | ||
1308 | 285 | hostile_host = template_host % fileAlias2 | ||
1309 | 286 | connection.request("GET", path, headers={'Host': hostile_host}) | ||
1310 | 287 | response = connection.getresponse() | ||
1311 | 288 | response.read() | ||
1312 | 289 | self.assertEqual(404, response.status) | ||
1313 | 290 | # A subdomain which matches the LFA but is nested under one that | ||
1314 | 291 | # doesn't is also treated as hostile. | ||
1315 | 292 | nested_host = 'i%d.restricted.i%d.restricted.%s' % ( | ||
1316 | 293 | fileAlias, fileAlias2, download_host) | ||
1317 | 294 | connection.request("GET", path, headers={'Host': nested_host}) | ||
1318 | 295 | response = connection.getresponse() | ||
1319 | 296 | response.read() | ||
1320 | 297 | self.assertEqual(404, response.status) | ||
1321 | 298 | |||
1322 | 299 | def test_restricted_no_token(self): | ||
1323 | 300 | fileAlias, url = self.get_restricted_file_and_public_url() | ||
1324 | 301 | # The file should not be able to be opened - we haven't allocated a | ||
1325 | 302 | # token. When the token is wrong or stale a 404 is given (to avoid | ||
1326 | 303 | # disclosure about what content we hold. Alternatively a 401 could be | ||
1327 | 304 | # given (as long as we give a 401 when the file is missing as well - | ||
1328 | 305 | # but that requires some more complex changes in the deployment | ||
1329 | 306 | # infrastructure to permit more backend knowledge of the frontend | ||
1330 | 307 | # request. | ||
1331 | 308 | self.require404(url) | ||
1332 | 309 | |||
1333 | 310 | def test_restricted_made_up_token(self): | ||
1334 | 311 | fileAlias, url = self.get_restricted_file_and_public_url() | ||
1335 | 312 | # The file should not be able to be opened - the token supplied | ||
1336 | 313 | # is not one we issued. | ||
1337 | 314 | self.require404(url + '?token=haxx0r') | ||
1338 | 315 | |||
1339 | 316 | def test_restricted_with_token(self): | ||
1340 | 317 | fileAlias, url = self.get_restricted_file_and_public_url() | ||
1341 | 318 | # We have the base url for a restricted file; grant access to it | ||
1342 | 319 | # for a short time. | ||
1343 | 320 | token = TimeLimitedToken.allocate(url) | ||
1344 | 321 | url = url + "?token=%s" % token | ||
1345 | 322 | # Now we should be able to access the file. | ||
1346 | 323 | fileObj = urlopen(url) | ||
1347 | 324 | try: | ||
1348 | 325 | self.assertEqual("a"*12, fileObj.read()) | ||
1349 | 326 | finally: | ||
1350 | 327 | fileObj.close() | ||
1351 | 328 | |||
1352 | 329 | def test_restricted_with_expired_token(self): | ||
1353 | 330 | fileAlias, url = self.get_restricted_file_and_public_url() | ||
1354 | 331 | # We have the base url for a restricted file; grant access to it | ||
1355 | 332 | # for a short time. | ||
1356 | 333 | token = TimeLimitedToken.allocate(url) | ||
1357 | 334 | # But time has passed | ||
1358 | 335 | store = session_store() | ||
1359 | 336 | tokens = store.find(TimeLimitedToken, TimeLimitedToken.token==token) | ||
1360 | 337 | tokens.set( | ||
1361 | 338 | TimeLimitedToken.created==SQL("created - interval '1 week'")) | ||
1362 | 339 | url = url + "?token=%s" % token | ||
1363 | 340 | # Now, as per test_restricted_no_token we should get a 404. | ||
1364 | 341 | self.require404(url) | ||
1365 | 342 | |||
1366 | 343 | def test_restricted_file_headers(self): | ||
1367 | 344 | fileAlias, url = self.get_restricted_file_and_public_url() | ||
1368 | 345 | token = TimeLimitedToken.allocate(url) | ||
1369 | 346 | url = url + "?token=%s" % token | ||
1370 | 347 | # Change the date_created to a known value for testing. | ||
1371 | 348 | file_alias = IMasterStore(LibraryFileAlias).get( | ||
1372 | 349 | LibraryFileAlias, fileAlias) | ||
1373 | 350 | file_alias.date_created = datetime( | ||
1374 | 351 | 2001, 01, 30, 13, 45, 59, tzinfo=pytz.utc) | ||
1375 | 352 | # Commit the update. | ||
1376 | 353 | self.commit() | ||
1377 | 354 | # Fetch the file via HTTP, recording the interesting headers | ||
1378 | 355 | result = urlopen(url) | ||
1379 | 356 | last_modified_header = result.info()['Last-Modified'] | ||
1380 | 357 | cache_control_header = result.info()['Cache-Control'] | ||
1381 | 358 | # No caching for restricted files. | ||
1382 | 359 | self.failUnlessEqual(cache_control_header, 'max-age=0, private') | ||
1383 | 360 | # And we should have a correct Last-Modified header too. | ||
1384 | 361 | self.failUnlessEqual( | ||
1385 | 362 | last_modified_header, 'Tue, 30 Jan 2001 13:45:59 GMT') | ||
1386 | 363 | # Perhaps we should also set Expires to the Last-Modified. | ||
1387 | 364 | |||
1388 | 365 | def require404(self, url): | ||
1389 | 366 | try: | ||
1390 | 367 | urlopen(url) | ||
1391 | 368 | self.fail('404 not raised') | ||
1392 | 369 | except HTTPError, e: | ||
1393 | 370 | self.failUnlessEqual(e.code, 404) | ||
1394 | 371 | |||
1395 | 240 | 372 | ||
1396 | 241 | class LibrarianZopelessWebTestCase(LibrarianWebTestCase): | 373 | class LibrarianZopelessWebTestCase(LibrarianWebTestCase): |
1397 | 242 | layer = LaunchpadZopelessLayer | 374 | layer = LaunchpadZopelessLayer |
1398 | 243 | 375 | ||
1399 | === modified file 'lib/canonical/librarian/interfaces.py' | |||
1400 | --- lib/canonical/librarian/interfaces.py 2010-08-17 21:05:47 +0000 | |||
1401 | +++ lib/canonical/librarian/interfaces.py 2010-09-07 04:07:54 +0000 | |||
1402 | @@ -89,8 +89,19 @@ | |||
1403 | 89 | class IFileDownloadClient(Interface): | 89 | class IFileDownloadClient(Interface): |
1404 | 90 | """Download API for the Librarian client.""" | 90 | """Download API for the Librarian client.""" |
1405 | 91 | 91 | ||
1408 | 92 | def getURLForAlias(aliasID): | 92 | def getURLForAlias(aliasID, secure=False): |
1409 | 93 | """Returns the URL to the given file""" | 93 | """Returns the URL to the given file. |
1410 | 94 | |||
1411 | 95 | :param aliasID: The LibraryFileAlias for the file to get. A DB lookup | ||
1412 | 96 | will be done for this - if many are to be calculated, eagar loading | ||
1413 | 97 | is recommended. | ||
1414 | 98 | :param secure: If False, generate an http url on the main librarian | ||
1415 | 99 | domain. | ||
1416 | 100 | If True, generate an https url on a subdomain | ||
1417 | 101 | i$aliasID.restricted.$main_librarian_domain. | ||
1418 | 102 | Note that when a secure URL is generated, a TimeLimitedToken must | ||
1419 | 103 | separately be obtained and combined with the URL to use it. | ||
1420 | 104 | """ | ||
1421 | 94 | 105 | ||
1422 | 95 | def getFileByAlias(aliasID, timeout=LIBRARIAN_SERVER_DEFAULT_TIMEOUT): | 106 | def getFileByAlias(aliasID, timeout=LIBRARIAN_SERVER_DEFAULT_TIMEOUT): |
1423 | 96 | """Returns a file-like object to read the file contents from. | 107 | """Returns a file-like object to read the file contents from. |
1424 | 97 | 108 | ||
1425 | === modified file 'lib/canonical/librarian/storage.py' | |||
1426 | --- lib/canonical/librarian/storage.py 2010-08-16 18:50:40 +0000 | |||
1427 | +++ lib/canonical/librarian/storage.py 2010-09-07 04:07:54 +0000 | |||
1428 | @@ -72,8 +72,8 @@ | |||
1429 | 72 | def startAddFile(self, filename, size): | 72 | def startAddFile(self, filename, size): |
1430 | 73 | return LibraryFileUpload(self, filename, size) | 73 | return LibraryFileUpload(self, filename, size) |
1431 | 74 | 74 | ||
1434 | 75 | def getFileAlias(self, aliasid): | 75 | def getFileAlias(self, aliasid, token, path): |
1435 | 76 | return self.library.getAlias(aliasid) | 76 | return self.library.getAlias(aliasid, token, path) |
1436 | 77 | 77 | ||
1437 | 78 | 78 | ||
1438 | 79 | class LibraryFileUpload(object): | 79 | class LibraryFileUpload(object): |
1439 | 80 | 80 | ||
1440 | === modified file 'lib/canonical/librarian/web.py' | |||
1441 | --- lib/canonical/librarian/web.py 2010-08-17 16:33:33 +0000 | |||
1442 | +++ lib/canonical/librarian/web.py 2010-09-07 04:07:54 +0000 | |||
1443 | @@ -5,10 +5,12 @@ | |||
1444 | 5 | 5 | ||
1445 | 6 | from datetime import datetime | 6 | from datetime import datetime |
1446 | 7 | import time | 7 | import time |
1447 | 8 | from urlparse import urlparse | ||
1448 | 8 | 9 | ||
1449 | 9 | from twisted.web import resource, static, util, server, proxy | 10 | from twisted.web import resource, static, util, server, proxy |
1450 | 10 | from twisted.internet.threads import deferToThread | 11 | from twisted.internet.threads import deferToThread |
1451 | 11 | 12 | ||
1452 | 13 | from canonical.config import config | ||
1453 | 12 | from canonical.librarian.client import url_path_quote | 14 | from canonical.librarian.client import url_path_quote |
1454 | 13 | from canonical.librarian.db import read_transaction, write_transaction | 15 | from canonical.librarian.db import read_transaction, write_transaction |
1455 | 14 | from canonical.librarian.utils import guess_librarian_encoding | 16 | from canonical.librarian.utils import guess_librarian_encoding |
1456 | @@ -62,11 +64,11 @@ | |||
1457 | 62 | self.upstreamPort = upstreamPort | 64 | self.upstreamPort = upstreamPort |
1458 | 63 | 65 | ||
1459 | 64 | def getChild(self, filename, request): | 66 | def getChild(self, filename, request): |
1460 | 65 | |||
1461 | 66 | # If we still have another component of the path, then we have | 67 | # If we still have another component of the path, then we have |
1462 | 67 | # an old URL that encodes the content ID. We want to keep supporting | 68 | # an old URL that encodes the content ID. We want to keep supporting |
1463 | 68 | # these, so we just ignore the content id that is currently in | 69 | # these, so we just ignore the content id that is currently in |
1465 | 69 | # self.aliasID and extract the real one from the URL. | 70 | # self.aliasID and extract the real one from the URL. Note that |
1466 | 71 | # tokens do not work with the old URL style: they are URL specific. | ||
1467 | 70 | if len(request.postpath) == 1: | 72 | if len(request.postpath) == 1: |
1468 | 71 | try: | 73 | try: |
1469 | 72 | self.aliasID = int(filename) | 74 | self.aliasID = int(filename) |
1470 | @@ -74,7 +76,27 @@ | |||
1471 | 74 | return fourOhFour | 76 | return fourOhFour |
1472 | 75 | filename = request.postpath[0] | 77 | filename = request.postpath[0] |
1473 | 76 | 78 | ||
1475 | 77 | deferred = deferToThread(self._getFileAlias, self.aliasID) | 79 | # IFF the request has a .restricted. subdomain, ensure there is a |
1476 | 80 | # alias id in the right most subdomain, and that it matches | ||
1477 | 81 | # self.aliasIDd, And that the host precisely matches what we generate | ||
1478 | 82 | # (specifically to stop people putting a good prefix to the left of an | ||
1479 | 83 | # attacking one). | ||
1480 | 84 | hostname = request.getRequestHostname() | ||
1481 | 85 | if '.restricted.' in hostname: | ||
1482 | 86 | # Configs can change without warning: evaluate every time. | ||
1483 | 87 | download_url = config.librarian.download_url | ||
1484 | 88 | parsed = list(urlparse(download_url)) | ||
1485 | 89 | netloc = parsed[1] | ||
1486 | 90 | # Strip port if present | ||
1487 | 91 | if netloc.find(':') > -1: | ||
1488 | 92 | netloc = netloc[:netloc.find(':')] | ||
1489 | 93 | expected_hostname = 'i%d.restricted.%s' % (self.aliasID, netloc) | ||
1490 | 94 | if expected_hostname != hostname: | ||
1491 | 95 | return fourOhFour | ||
1492 | 96 | |||
1493 | 97 | token = request.args.get('token', [None])[0] | ||
1494 | 98 | path = request.path | ||
1495 | 99 | deferred = deferToThread(self._getFileAlias, self.aliasID, token, path) | ||
1496 | 78 | deferred.addCallback( | 100 | deferred.addCallback( |
1497 | 79 | self._cb_getFileAlias, filename, request | 101 | self._cb_getFileAlias, filename, request |
1498 | 80 | ) | 102 | ) |
1499 | @@ -82,12 +104,12 @@ | |||
1500 | 82 | return util.DeferredResource(deferred) | 104 | return util.DeferredResource(deferred) |
1501 | 83 | 105 | ||
1502 | 84 | @write_transaction | 106 | @write_transaction |
1504 | 85 | def _getFileAlias(self, aliasID): | 107 | def _getFileAlias(self, aliasID, token, path): |
1505 | 86 | try: | 108 | try: |
1507 | 87 | alias = self.storage.getFileAlias(aliasID) | 109 | alias = self.storage.getFileAlias(aliasID, token, path) |
1508 | 88 | alias.updateLastAccessed() | 110 | alias.updateLastAccessed() |
1509 | 89 | return (alias.contentID, alias.filename, | 111 | return (alias.contentID, alias.filename, |
1511 | 90 | alias.mimetype, alias.date_created) | 112 | alias.mimetype, alias.date_created, alias.restricted) |
1512 | 91 | except LookupError: | 113 | except LookupError: |
1513 | 92 | raise NotFound | 114 | raise NotFound |
1514 | 93 | 115 | ||
1515 | @@ -96,7 +118,7 @@ | |||
1516 | 96 | return fourOhFour | 118 | return fourOhFour |
1517 | 97 | 119 | ||
1518 | 98 | def _cb_getFileAlias( | 120 | def _cb_getFileAlias( |
1520 | 99 | self, (dbcontentID, dbfilename, mimetype, date_created), | 121 | self, (dbcontentID, dbfilename, mimetype, date_created, restricted), |
1521 | 100 | filename, request | 122 | filename, request |
1522 | 101 | ): | 123 | ): |
1523 | 102 | # Return a 404 if the filename in the URL is incorrect. This offers | 124 | # Return a 404 if the filename in the URL is incorrect. This offers |
1524 | @@ -105,8 +127,14 @@ | |||
1525 | 105 | if dbfilename.encode('utf-8') != filename: | 127 | if dbfilename.encode('utf-8') != filename: |
1526 | 106 | return fourOhFour | 128 | return fourOhFour |
1527 | 107 | 129 | ||
1530 | 108 | # Set our caching headers. Librarian files can be cached forever. | 130 | if not restricted: |
1531 | 109 | request.setHeader('Cache-Control', 'max-age=31536000, public') | 131 | # Set our caching headers. Librarian files can be cached forever. |
1532 | 132 | request.setHeader('Cache-Control', 'max-age=31536000, public') | ||
1533 | 133 | else: | ||
1534 | 134 | # Restricted files require revalidation every time. For now, | ||
1535 | 135 | # until the deployment details are completely reviewed, the | ||
1536 | 136 | # simplest, most cautious approach is taken: no caching permited. | ||
1537 | 137 | request.setHeader('Cache-Control', 'max-age=0, private') | ||
1538 | 110 | 138 | ||
1539 | 111 | if self.storage.hasFile(dbcontentID) or self.upstreamHost is None: | 139 | if self.storage.hasFile(dbcontentID) or self.upstreamHost is None: |
1540 | 112 | # XXX: Brad Crittenden 2007-12-05 bug=174204: When encodings are | 140 | # XXX: Brad Crittenden 2007-12-05 bug=174204: When encodings are |
1541 | 113 | 141 | ||
1542 | === modified file 'lib/canonical/testing/layers.py' | |||
1543 | --- lib/canonical/testing/layers.py 2010-05-06 15:51:34 +0000 | |||
1544 | +++ lib/canonical/testing/layers.py 2010-09-07 04:07:54 +0000 | |||
1545 | @@ -96,7 +96,11 @@ | |||
1546 | 96 | from canonical.config import CanonicalConfig, config, dbconfig | 96 | from canonical.config import CanonicalConfig, config, dbconfig |
1547 | 97 | from canonical.database.revision import ( | 97 | from canonical.database.revision import ( |
1548 | 98 | confirm_dbrevision, confirm_dbrevision_on_startup) | 98 | confirm_dbrevision, confirm_dbrevision_on_startup) |
1550 | 99 | from canonical.database.sqlbase import cursor, ZopelessTransactionManager | 99 | from canonical.database.sqlbase import ( |
1551 | 100 | cursor, | ||
1552 | 101 | session_store, | ||
1553 | 102 | ZopelessTransactionManager, | ||
1554 | 103 | ) | ||
1555 | 100 | from canonical.launchpad.interfaces import IMailBox, IOpenLaunchBag | 104 | from canonical.launchpad.interfaces import IMailBox, IOpenLaunchBag |
1556 | 101 | from lp.testing import ANONYMOUS, login, logout, is_logged_in | 105 | from lp.testing import ANONYMOUS, login, logout, is_logged_in |
1557 | 102 | import lp.services.mail.stub | 106 | import lp.services.mail.stub |
1558 | @@ -193,9 +197,7 @@ | |||
1559 | 193 | # as soon as SQLBase._connection is accessed | 197 | # as soon as SQLBase._connection is accessed |
1560 | 194 | r = main_store.execute('SELECT count(*) FROM LaunchpadDatabaseRevision') | 198 | r = main_store.execute('SELECT count(*) FROM LaunchpadDatabaseRevision') |
1561 | 195 | assert r.get_one()[0] > 0, 'Storm is not talking to the database' | 199 | assert r.get_one()[0] > 0, 'Storm is not talking to the database' |
1565 | 196 | 200 | assert session_store() is not None, 'Failed to reconnect' | |
1563 | 197 | session_store = getUtility(IZStorm).get('session', 'launchpad-session:') | ||
1564 | 198 | assert session_store is not None, 'Failed to reconnect' | ||
1566 | 199 | 201 | ||
1567 | 200 | 202 | ||
1568 | 201 | def wait_children(seconds=120): | 203 | def wait_children(seconds=120): |
1569 | 202 | 204 | ||
1570 | === modified file 'lib/lp/bugs/browser/bugattachment.py' | |||
1571 | --- lib/lp/bugs/browser/bugattachment.py 2010-08-20 20:31:18 +0000 | |||
1572 | +++ lib/lp/bugs/browser/bugattachment.py 2010-09-07 04:07:54 +0000 | |||
1573 | @@ -10,7 +10,6 @@ | |||
1574 | 10 | 'BugAttachmentSetNavigation', | 10 | 'BugAttachmentSetNavigation', |
1575 | 11 | 'BugAttachmentEditView', | 11 | 'BugAttachmentEditView', |
1576 | 12 | 'BugAttachmentURL', | 12 | 'BugAttachmentURL', |
1577 | 13 | 'SafeStreamOrRedirectLibraryFileAliasView', | ||
1578 | 14 | ] | 13 | ] |
1579 | 15 | 14 | ||
1580 | 16 | from cStringIO import StringIO | 15 | from cStringIO import StringIO |
1581 | @@ -23,6 +22,7 @@ | |||
1582 | 23 | FileNavigationMixin, | 22 | FileNavigationMixin, |
1583 | 24 | ProxiedLibraryFileAlias, | 23 | ProxiedLibraryFileAlias, |
1584 | 25 | StreamOrRedirectLibraryFileAliasView, | 24 | StreamOrRedirectLibraryFileAliasView, |
1585 | 25 | SafeStreamOrRedirectLibraryFileAliasView, | ||
1586 | 26 | ) | 26 | ) |
1587 | 27 | from canonical.launchpad.interfaces.librarian import ILibraryFileAliasSet | 27 | from canonical.launchpad.interfaces.librarian import ILibraryFileAliasSet |
1588 | 28 | from canonical.launchpad.webapp import ( | 28 | from canonical.launchpad.webapp import ( |
1589 | @@ -242,21 +242,6 @@ | |||
1590 | 242 | return self.context.type == BugAttachmentType.PATCH | 242 | return self.context.type == BugAttachmentType.PATCH |
1591 | 243 | 243 | ||
1592 | 244 | 244 | ||
1593 | 245 | class SafeStreamOrRedirectLibraryFileAliasView( | ||
1594 | 246 | StreamOrRedirectLibraryFileAliasView): | ||
1595 | 247 | """A view for Librarian files that sets the content disposion header.""" | ||
1596 | 248 | |||
1597 | 249 | def __call__(self): | ||
1598 | 250 | """Stream the content of the context `ILibraryFileAlias`. | ||
1599 | 251 | |||
1600 | 252 | Set the content disposition header to the safe value "attachment". | ||
1601 | 253 | """ | ||
1602 | 254 | self.request.response.setHeader( | ||
1603 | 255 | 'Content-Disposition', 'attachment') | ||
1604 | 256 | return super( | ||
1605 | 257 | SafeStreamOrRedirectLibraryFileAliasView, self).__call__() | ||
1606 | 258 | |||
1607 | 259 | |||
1608 | 260 | class BugAttachmentFileNavigation(Navigation, FileNavigationMixin): | 245 | class BugAttachmentFileNavigation(Navigation, FileNavigationMixin): |
1609 | 261 | """Traversal to +files/${filename}.""" | 246 | """Traversal to +files/${filename}.""" |
1610 | 262 | 247 | ||
1611 | 263 | 248 | ||
1612 | === modified file 'lib/lp/bugs/browser/configure.zcml' | |||
1613 | --- lib/lp/bugs/browser/configure.zcml 2010-08-03 13:37:55 +0000 | |||
1614 | +++ lib/lp/bugs/browser/configure.zcml 2010-09-07 04:07:54 +0000 | |||
1615 | @@ -1159,9 +1159,5 @@ | |||
1616 | 1159 | classes=" | 1159 | classes=" |
1617 | 1160 | BugWatchSetNavigation"/> | 1160 | BugWatchSetNavigation"/> |
1618 | 1161 | </facet> | 1161 | </facet> |
1619 | 1162 | <class class="lp.bugs.browser.bugattachment.SafeStreamOrRedirectLibraryFileAliasView"> | ||
1620 | 1163 | <allow attributes="__call__" /> | ||
1621 | 1164 | <allow interface="zope.publisher.interfaces.browser.IBrowserPublisher" /> | ||
1622 | 1165 | </class> | ||
1623 | 1166 | 1162 | ||
1624 | 1167 | </configure> | 1163 | </configure> |
1625 | 1168 | 1164 | ||
1626 | === modified file 'lib/lp/bugs/browser/tests/test_bugattachment_file_access.py' | |||
1627 | --- lib/lp/bugs/browser/tests/test_bugattachment_file_access.py 2010-08-20 20:31:18 +0000 | |||
1628 | +++ lib/lp/bugs/browser/tests/test_bugattachment_file_access.py 2010-09-07 04:07:54 +0000 | |||
1629 | @@ -15,6 +15,7 @@ | |||
1630 | 15 | 15 | ||
1631 | 16 | from canonical.launchpad.browser.librarian import ( | 16 | from canonical.launchpad.browser.librarian import ( |
1632 | 17 | StreamOrRedirectLibraryFileAliasView, | 17 | StreamOrRedirectLibraryFileAliasView, |
1633 | 18 | SafeStreamOrRedirectLibraryFileAliasView, | ||
1634 | 18 | ) | 19 | ) |
1635 | 19 | from canonical.launchpad.interfaces import ILaunchBag | 20 | from canonical.launchpad.interfaces import ILaunchBag |
1636 | 20 | from canonical.launchpad.interfaces.librarian import ( | 21 | from canonical.launchpad.interfaces.librarian import ( |
1637 | @@ -25,12 +26,13 @@ | |||
1638 | 25 | from canonical.testing import LaunchpadFunctionalLayer | 26 | from canonical.testing import LaunchpadFunctionalLayer |
1639 | 26 | from lp.bugs.browser.bugattachment import ( | 27 | from lp.bugs.browser.bugattachment import ( |
1640 | 27 | BugAttachmentFileNavigation, | 28 | BugAttachmentFileNavigation, |
1641 | 28 | SafeStreamOrRedirectLibraryFileAliasView, | ||
1642 | 29 | ) | 29 | ) |
1643 | 30 | from lp.testing import ( | 30 | from lp.testing import ( |
1644 | 31 | login_person, | 31 | login_person, |
1645 | 32 | TestCaseWithFactory, | 32 | TestCaseWithFactory, |
1646 | 33 | ) | 33 | ) |
1647 | 34 | import lp.services.features | ||
1648 | 35 | from lp.services.features.flags import NullFeatureController | ||
1649 | 34 | 36 | ||
1650 | 35 | 37 | ||
1651 | 36 | class TestAccessToBugAttachmentFiles(TestCaseWithFactory): | 38 | class TestAccessToBugAttachmentFiles(TestCaseWithFactory): |
1652 | @@ -80,7 +82,10 @@ | |||
1653 | 80 | self.assertIsNot(None, mo) | 82 | self.assertIsNot(None, mo) |
1654 | 81 | 83 | ||
1655 | 82 | def test_access_to_restricted_file(self): | 84 | def test_access_to_restricted_file(self): |
1657 | 83 | # Requests of restricted files are handled by ProxiedLibraryFileAlias. | 85 | # Requests of restricted files are handled by ProxiedLibraryFileAlias |
1658 | 86 | # until we enable the publicrestrictedlibrarian (at which point | ||
1659 | 87 | # this test should check the view like | ||
1660 | 88 | # test_access_to_unrestricted_file. | ||
1661 | 84 | lfa_with_parent = getMultiAdapter( | 89 | lfa_with_parent = getMultiAdapter( |
1662 | 85 | (self.bugattachment.libraryfile, self.bugattachment), | 90 | (self.bugattachment.libraryfile, self.bugattachment), |
1663 | 86 | ILibraryFileAliasWithParent) | 91 | ILibraryFileAliasWithParent) |
1664 | @@ -91,6 +96,11 @@ | |||
1665 | 91 | request.setTraversalStack(['foo.txt']) | 96 | request.setTraversalStack(['foo.txt']) |
1666 | 92 | navigation = BugAttachmentFileNavigation(self.bugattachment, request) | 97 | navigation = BugAttachmentFileNavigation(self.bugattachment, request) |
1667 | 93 | view = navigation.publishTraverse(request, '+files') | 98 | view = navigation.publishTraverse(request, '+files') |
1668 | 99 | # XXX Ensure the feature will be off - everything is off with | ||
1669 | 100 | # NullFeatureController. bug=631884 | ||
1670 | 101 | lp.services.features.per_thread.features = NullFeatureController() | ||
1671 | 102 | self.addCleanup( | ||
1672 | 103 | setattr, lp.services.features.per_thread, 'features', None) | ||
1673 | 94 | next_view, traversal_path = view.browserDefault(request) | 104 | next_view, traversal_path = view.browserDefault(request) |
1674 | 95 | self.assertEqual(view, next_view) | 105 | self.assertEqual(view, next_view) |
1675 | 96 | file_ = next_view() | 106 | file_ = next_view() |
1676 | @@ -130,6 +140,11 @@ | |||
1677 | 130 | request.setTraversalStack(['foo.txt']) | 140 | request.setTraversalStack(['foo.txt']) |
1678 | 131 | navigation = BugAttachmentFileNavigation(self.bugattachment, request) | 141 | navigation = BugAttachmentFileNavigation(self.bugattachment, request) |
1679 | 132 | view = navigation.publishTraverse(request, '+files') | 142 | view = navigation.publishTraverse(request, '+files') |
1680 | 143 | # XXX Ensure the feature will be off - everything is off with | ||
1681 | 144 | # NullFeatureController. bug=631884 | ||
1682 | 145 | lp.services.features.per_thread.features = NullFeatureController() | ||
1683 | 146 | self.addCleanup( | ||
1684 | 147 | setattr, lp.services.features.per_thread, 'features', None) | ||
1685 | 133 | next_view, traversal_path = view.browserDefault(request) | 148 | next_view, traversal_path = view.browserDefault(request) |
1686 | 134 | self.assertIsInstance( | 149 | self.assertIsInstance( |
1687 | 135 | next_view, SafeStreamOrRedirectLibraryFileAliasView) | 150 | next_view, SafeStreamOrRedirectLibraryFileAliasView) |
1688 | 136 | 151 | ||
1689 | === modified file 'lib/lp/scripts/utilities/importfascist.py' | |||
1690 | --- lib/lp/scripts/utilities/importfascist.py 2010-08-20 20:31:18 +0000 | |||
1691 | +++ lib/lp/scripts/utilities/importfascist.py 2010-09-07 04:07:54 +0000 | |||
1692 | @@ -31,6 +31,7 @@ | |||
1693 | 31 | lp.codehosting.inmemory | 31 | lp.codehosting.inmemory |
1694 | 32 | canonical.launchpad.browser.branchlisting | 32 | canonical.launchpad.browser.branchlisting |
1695 | 33 | lp.code.browser.branchlisting | 33 | lp.code.browser.branchlisting |
1696 | 34 | canonical.launchpad.browser.librarian | ||
1697 | 34 | canonical.launchpad.feed.branch | 35 | canonical.launchpad.feed.branch |
1698 | 35 | lp.code.feed.branch | 36 | lp.code.feed.branch |
1699 | 36 | canonical.launchpad.interfaces.person | 37 | canonical.launchpad.interfaces.person |
1700 | 37 | 38 | ||
1701 | === modified file 'lib/lp/services/features/webapp.py' | |||
1702 | --- lib/lp/services/features/webapp.py 2010-08-20 20:31:18 +0000 | |||
1703 | +++ lib/lp/services/features/webapp.py 2010-09-07 04:07:54 +0000 | |||
1704 | @@ -19,6 +19,14 @@ | |||
1705 | 19 | self._request = request | 19 | self._request = request |
1706 | 20 | 20 | ||
1707 | 21 | def lookup(self, scope_name): | 21 | def lookup(self, scope_name): |
1708 | 22 | """Determine if scope_name applies to this request. | ||
1709 | 23 | |||
1710 | 24 | Currently supports the following scopes: | ||
1711 | 25 | - default | ||
1712 | 26 | - is_edge/is_lpnet etc (thunks through to the config) | ||
1713 | 27 | """ | ||
1714 | 28 | if scope_name == 'default': | ||
1715 | 29 | return True | ||
1716 | 22 | parts = scope_name.split('.') | 30 | parts = scope_name.split('.') |
1717 | 23 | if len(parts) == 2: | 31 | if len(parts) == 2: |
1718 | 24 | if parts[0] == 'server': | 32 | if parts[0] == 'server': |
1719 | 25 | 33 | ||
1720 | === modified file 'lib/lp/testing/fakelibrarian.py' | |||
1721 | --- lib/lp/testing/fakelibrarian.py 2010-09-03 13:08:42 +0000 | |||
1722 | +++ lib/lp/testing/fakelibrarian.py 2010-09-07 04:07:54 +0000 | |||
1723 | @@ -150,7 +150,7 @@ | |||
1724 | 150 | """See `IFileUploadClient`.""" | 150 | """See `IFileUploadClient`.""" |
1725 | 151 | return NotImplementedError() | 151 | return NotImplementedError() |
1726 | 152 | 152 | ||
1728 | 153 | def getURLForAlias(self, aliasID): | 153 | def getURLForAlias(self, aliasID, secure=False): |
1729 | 154 | """See `IFileDownloadClient`.""" | 154 | """See `IFileDownloadClient`.""" |
1730 | 155 | alias = self.aliases.get(aliasID) | 155 | alias = self.aliases.get(aliasID) |
1731 | 156 | path = get_libraryfilealias_download_path(aliasID, alias.filename) | 156 | path = get_libraryfilealias_download_path(aliasID, alias.filename) |
The idea seems good.
I don't see why the table should exist in the session database. It should exist in the main database. Putting it in the session database just doubles the number of database connections the Librarian and garbage collector need to maintain, and makes things a maintenance pain as that database has to have schema changes and database permissions applied manually to the primary and fail over databases. This table will get comparatively little traffic, so scalability issues are a non-issue.
I believe the blessed import location for the Storm class is from storm.locals.
Should we be storing the expiry timestamp? I'm wondering if the length of time a token is valid for should be a function of the file size, or if it will be different for different parts of Launchpad.
The index on (url, token) is redundant, as it is created implicitly by the primary key constraint.
Do we actually need to store url and token separately, or just a single url column that includes the query string?
Do we want to store the url, or just the path segment? Storing just the path segment would avoid ambiguities between host and host:port, and might future proof things a bit if our SSL front ends get distributed around the world on different domain names.
Are their any magic headers the Librarian can emit so if a launchpadlibrar ian.net URL is bookmarked, the original launchpad.net URL is bookmarked instead? Not terribly important, but if we can do this we will need to store the source URL too as the Librarian has no way of reconstructing it.