Launchpad itself

Merge lp:~leonardr/launchpad/automatically-calculate-request-token-expire-time into lp:launchpad/db-devel

automatically-calculate-request-token-expire-time
Merge into db-devel

Proposed by Leonard Richardson on 2010-10-14

Status:	Merged
Approved by:	Leonard Richardson on 2010-10-18
Approved revision:	no longer in the source branch.
Merge reported by:	Leonard Richardson
Merged at revision:	not available
Proposed branch:	lp:~leonardr/launchpad/automatically-calculate-request-token-expire-time
Merge into:	lp:launchpad/db-devel
Diff against target:	1405 lines (+672/-275) 17 files modified lib/canonical/launchpad/browser/oauth.py (+106/-27) lib/canonical/launchpad/database/oauth.py (+79/-10) lib/canonical/launchpad/doc/oauth.txt (+39/-0) lib/canonical/launchpad/doc/webapp-authorization.txt (+5/-13) lib/canonical/launchpad/interfaces/oauth.py (+44/-9) lib/canonical/launchpad/pagetests/oauth/authorize-token.txt (+146/-60) lib/canonical/launchpad/templates/oauth-authorize.pt (+63/-22) lib/canonical/launchpad/tests/test_oauth_tokens.py (+47/-0) lib/canonical/launchpad/webapp/authorization.py (+4/-2) lib/canonical/launchpad/webapp/interfaces.py (+6/-7) lib/canonical/launchpad/webapp/servers.py (+1/-3) lib/lp/archiveuploader/nascentuploadfile.py (+7/-33) lib/lp/archiveuploader/tests/nascentupload-epoch-handling.txt (+8/-3) lib/lp/archiveuploader/tests/nascentupload.txt (+11/-85) lib/lp/archiveuploader/tests/test_buildduploads.py (+8/-0) lib/lp/archiveuploader/tests/test_nascentuploadfile.py (+69/-1) lib/lp/testing/factory.py (+29/-0)
To merge this branch:	bzr merge lp:~leonardr/launchpad/automatically-calculate-request-token-expire-time
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Paul Hummer (community)		2010-10-14	Approve on 2010-10-14
Review via email: mp+38423@code.launchpad.net

Description of the change

Our use of the 'date_expires' field in IOAuthToken is a mess, but it didn't matter much up to this point, because we never really used it. I'm about to start using it, so this branch is cleanup to make it something I can use.

I plan to move the doctests in lib/canonical/launchpad/doc/oauth.txt into unit tests in the new test_oauth.py, but since this branch is subtle on its own I would rather do that in a separate branch.

The design behind this branch is salgado-approved.

Here are the problems with our current use of date_expires:

1. Request tokens always expire after REQUEST_TOKEN_VALIDITY hours. This is a site-wide constant, so there's no need to manually set the date that a request token expires--you can calculate it from REQUEST_TOKEN_VALIDITY and date_created.

2. Request tokens may pass their expiration date, but we never do anything to expired tokens, or check whether they have expired. So, effectively, request tokens never expire. A request token can be three years old and you'll still be able to review it and exchange it for an access token. This opens up our users to attacks when an intermediary acquires the key to a reviewed and forgotten request token.

3. Before a request token is exchanged for an access token, there is no way to distinguish between the date on which a request token expires, and the date on which the end-user wants the not-yet-created access token to expire. This isn't a problem now because the end-user is never given the choice of creating an access token that will expire. But I'm about to give them that choice.

I also noticed a smaller, less serious problem:

4. REQUEST_TOKEN_VALIDITY is twelve hours. That's way too long. Users will either exchange a request token for an access token within a few minutes, or forget about it altogether.

My solution to problem #4 is to reduce REQUEST_TOKEN_VALIDITY to two hours. My solution to the first three problems is a little more complex.

First, I am no longer storing the expiration date of a request token in date_expires. I am calculating it from date_created and REQUEST_TOKEN_VALIDITY. I have introduced an is_expired attribute to IOAuthToken, and separate implementations for OAuthRequestToken and OAuthAccessToken. I check token.is_expired whenever an access token is used to sign a request, and whenever an attempt is made to review a request token or exchange one for an access token.

This is the code tested by my unit tests, and this means that request tokens will in fact become unusable after REQUEST_TOKEN_VALIDITY hours. I do not do anything special to clean up expired tokens, but we weren't doing anything special before.

Second, I am taking date_expires out of IOAuthToken, and introducing it separately into the subclasses IOAuthRequestToken and IOAuthAccessToken. IOAuthRequestToken.date_expires is now the expiration date of the access token that will eventually be created from the request token--not anything to do with the request token itself. When the request token is exchanged for an access token, the IOAuthRequestToken.date_expires field is copied into IOAuthAccessToken.date_expires.

This is by direct analogy to IOAuthRequestToken.permission, which is the access level of the access token that will eventually be created from the request token--not anything to do with the request token itself. When a request token is exchanged for an access token, IOAuthRequestToken.permission becomes IOAuthAccessToken.permission.

I also split out IOAuthToken.date_created into the IOAuthRequestToken and IOAuthAccessToken, though the only difference is the description. It looked a little awkward to have the .date_created description say that .date_created is the date that a request token was created *or* the date an access token was created from some preexisting request token. It's easier to explain that separately for request and access tokens.

Revision history for this message

Paul Hummer (rockstar) wrote on 2010-10-14:

37 @@ -254,10 +257,19 @@
38 else:
39 return None
40
41 + @property
42 + def is_expired(self):
43 + now = datetime.now(pytz.timezone('UTC'))
44 + expires = self.date_created + timedelta(hours=REQUEST_TOKEN_VALIDITY)
45 + return expires <= now
46 +
47 def review(self, user, permission, context=None):
48 """See `IOAuthRequestToken`."""
49 assert not self.is_reviewed, (
50 "Request tokens can be reviewed only once.")
51 + assert not self.is_expired, (
52 + 'This request token has expired and can no longer be reviewed.'
53 + )
54 self.date_reviewed = datetime.now(pytz.timezone('UTC'))
55 self.person = user
56 self.permission = permission
57 @@ -279,6 +291,11 @@
58 'Cannot create an access token from an unreviewed request token.')
59 assert self.permission != OAuthPermission.UNAUTHORIZED, (
60 'The user did not grant access to this consumer.')
61 + assert not self.is_expired, (
62 + 'This request token has expired and can no longer be exchanged '
63 + 'for an access token.'
64 + )
65 +

I think it's better to raise AssertionError with your text than it is to use the assert command. At least, that's the policy we've been trying to enforce.

Other than that, I think this branch is good.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Celso Providelo

Colin Watson

Launchpad code reviewers from Canonical

Leonard Richardson

Mantavya Gajjar (Open ERP)

Stuart Bishop

William Grant

to status/vote changes:

Tomi Karjalainen

 === modified file 'lib/canonical/launchpad/browser/oauth.py'
 --- lib/canonical/launchpad/browser/oauth.py	2010-09-20 16:45:03 +0000
 +++ lib/canonical/launchpad/browser/oauth.py	2010-10-19 14:17:46 +0000
@@ -16,6 +16,7 @@
      Action,
      Actions,
+     )
++from zope.security.interfaces import Unauthorized
  from canonical.launchpad.interfaces.oauth import (
      IOAuthConsumerSet,
@@ -88,11 +89,13 @@
          token = consumer.newRequestToken()
          if self.request.headers.get('Accept') == HTTPResource.JSON_TYPE:
--            # Don't show the client the GRANT_PERMISSIONS access
++            # Don't show the client the DESKTOP_INTEGRATION access
              # level. If they have a legitimate need to use it, they'll
              # already know about it.
--            permissions = [permission for permission in OAuthPermission.items
--                           if permission != OAuthPermission.GRANT_PERMISSIONS]
++            permissions = [
++                permission for permission in OAuthPermission.items
++                if (permission != OAuthPermission.DESKTOP_INTEGRATION)
++                ]
              return self.getJSONRepresentation(
                  permissions, token, include_secret=True)
          return u'oauth_token=%s&oauth_token_secret=%s' % (
@@ -102,26 +105,36 @@
      return form.token is not None and not form.token.is_reviewed
++def token_review_success(form, action, data):
++    """The success callback for a button to approve a token."""
++    form.reviewToken(action.permission)
++
++
  def create_oauth_permission_actions():
--    """Return a list of `Action`s for each possible `OAuthPermission`."""
--    actions = Actions()
--    actions_excluding_grant_permissions = Actions()
--    def success(form, action, data):
--        form.reviewToken(action.permission)
++    """Return two `Actions` objects containing each possible `OAuthPermission`.
++
++    The first `Actions` object contains every action supported by the
++    OAuthAuthorizeTokenView. The second list contains a good default
++    set of actions, omitting special permissions like DESKTOP_INTEGRATION.
++    """
++    all_actions = Actions()
++    ordinary_actions = Actions()
      for permission in OAuthPermission.items:
          action = Action(
--            permission.title, name=permission.name, success=success,
++            permission.title, name=permission.name,
++            success=token_review_success,
              condition=token_exists_and_is_not_reviewed)
          action.permission = permission
--        actions.append(action)
--        if permission != OAuthPermission.GRANT_PERMISSIONS:
--            actions_excluding_grant_permissions.append(action)
--    return actions, actions_excluding_grant_permissions
++        all_actions.append(action)
++        if permission != OAuthPermission.DESKTOP_INTEGRATION:
++            ordinary_actions.append(action)
++    return all_actions, ordinary_actions
++
  class OAuthAuthorizeTokenView(LaunchpadFormView, JSONTokenMixin):
      """Where users authorize consumers to access Launchpad on their behalf."""
--    actions, actions_excluding_grant_permissions = (
++    actions, actions_excluding_special_permissions = (
          create_oauth_permission_actions())
      label = "Authorize application to access Launchpad on your behalf"
      schema = IOAuthRequestToken
@@ -130,7 +143,7 @@
      @property
      def visible_actions(self):
--        """Restrict the actions to the subset the client can make use of.
++        """Restrict the actions to a subset to be presented to the client.
          Not all client programs can function with all levels of
          access. For instance, a client that needs to modify the
@@ -150,7 +163,7 @@
          allowed_permissions = self.request.form_ng.getAll('allow_permission')
          if len(allowed_permissions) == 0:
--            return self.actions_excluding_grant_permissions
++            return self.actions_excluding_special_permissions
          actions = Actions()
          # UNAUTHORIZED is always one of the options. If the client
@@ -159,18 +172,59 @@
          if OAuthPermission.UNAUTHORIZED.name in allowed_permissions:
              allowed_permissions.remove(OAuthPermission.UNAUTHORIZED.name)
--        # GRANT_PERMISSIONS cannot be requested as one of several
++        # DESKTOP_INTEGRATION cannot be requested as one of several
          # options--it must be the only option (other than
--        # UNAUTHORIZED). If GRANT_PERMISSIONS is one of several
++        # UNAUTHORIZED). If DESKTOP_INTEGRATION is one of several
          # options, remove it from the list.
--        if (OAuthPermission.GRANT_PERMISSIONS.name in allowed_permissions
++        desktop_permission = OAuthPermission.DESKTOP_INTEGRATION
++        if (desktop_permission.name in allowed_permissions
              and len(allowed_permissions) > 1):
--            allowed_permissions.remove(OAuthPermission.GRANT_PERMISSIONS.name)
--
--        for action in self.actions:
--            if (action.permission.name in allowed_permissions
--                or action.permission is OAuthPermission.UNAUTHORIZED):
--                actions.append(action)
++            allowed_permissions.remove(desktop_permission.name)
++
++        if desktop_permission.name in allowed_permissions:
++            if not self.token.consumer.is_integrated_desktop:
++                # Consumers may only ask for desktop integration if
++                # they give a desktop type (eg. "Ubuntu") and a
++                # user-recognizable desktop name (eg. the hostname).
++                raise Unauthorized(
++                    ('Consumer "%s" asked for desktop integration, '
++                     "but didn't say what kind of desktop it is, or name "
++                     "the computer being integrated."
++                     % self.token.consumer.key))
++
++            # We're going for desktop integration. The only two
++            # possibilities are "allow" and "deny". We'll customize
++            # the "allow" message using the hostname provided by the
++            # desktop.
++            #
++            # Since self.actions is a descriptor that returns copies
++            # of Action objects, we can modify the actions we get
++            # in-place without ruining the Action objects for everyone
++            # else.
++            desktop_name = self.token.consumer.integrated_desktop_name
++            label = (
++                'Give all programs running on &quot;%s&quot; access '
++                'to my Launchpad account.')
++            allow_action = [
++                action for action in self.actions
++                if action.name == desktop_permission.name][0]
++            allow_action.label = label % desktop_name
++            actions.append(allow_action)
++
++            # We'll customize the "deny" message as well.
++            label = "No, thanks, I don't trust &quot;%s&quot;."
++            deny_action = [
++                action for action in self.actions
++                if action.name == OAuthPermission.UNAUTHORIZED.name][0]
++            deny_action.label = label % desktop_name
++            actions.append(deny_action)
++
++        else:
++            # We're going for web-based integration.
++            for action in self.actions_excluding_special_permissions:
++                if (action.permission.name in allowed_permissions
++                    or action.permission is OAuthPermission.UNAUTHORIZED):
++                    actions.append(action)
          if len(list(actions)) == 1:
              # The only visible action is UNAUTHORIZED. That means the
@@ -179,8 +233,8 @@
              # UNAUTHORIZED). Rather than present the end-user with an
              # impossible situation where their only option is to deny
              # access, we'll present the full range of actions (except
--            # for GRANT_PERMISSIONS).
--            return self.actions_excluding_grant_permissions
++            # for special permissions like DESKTOP_INTEGRATION).
++            return self.actions_excluding_special_permissions
          return actions
      def initialize(self):
@@ -189,6 +243,31 @@
          key = form.get('oauth_token')
          if key:
              self.token = getUtility(IOAuthRequestTokenSet).getByKey(key)
++
++
++        callback = self.request.form.get('oauth_callback')
++        if (self.token is not None
++            and self.token.consumer.is_integrated_desktop):
++            # Nip problems in the bud by appling special rules about
++            # what desktop integrations are allowed to do.
++            if callback is not None:
++                # A desktop integration is not allowed to specify a callback.
++                raise Unauthorized(
++                    "A desktop integration may not specify an "
++                    "OAuth callback URL.")
++            # A desktop integration token can only have one of two
++            # permission levels: "Desktop Integration" and
++            # "Unauthorized". It shouldn't even be able to ask for any
++            # other level.
++            for action in self.visible_actions:
++                if action.permission not in (
++                    OAuthPermission.DESKTOP_INTEGRATION,
++                    OAuthPermission.UNAUTHORIZED):
++                    raise Unauthorized(
++                        ("Desktop integration token requested a permission "
++                         '("%s") not supported for desktop-wide use.')
++                         % action.label)
++
          super(OAuthAuthorizeTokenView, self).initialize()
      def render(self):
 === modified file 'lib/canonical/launchpad/database/oauth.py'
 --- lib/canonical/launchpad/database/oauth.py	2010-10-03 15:30:06 +0000
 +++ lib/canonical/launchpad/database/oauth.py	2010-10-19 14:17:46 +0000
@@ -15,6 +15,7 @@
      timedelta,
+     )
++import re
  import pytz
  from sqlobject import (
      BoolCol,
@@ -59,7 +60,7 @@
  from lp.registry.interfaces.projectgroup import IProjectGroup
  # How many hours should a request token be valid for?
--REQUEST_TOKEN_VALIDITY = 12
++REQUEST_TOKEN_VALIDITY = 2
  # The OAuth Core 1.0 spec (http://oauth.net/core/1.0/#nonce) says that a
  # timestamp "MUST be equal or greater than the timestamp used in previous
  # requests," but this is likely to cause problems if the client does request
@@ -93,6 +94,7 @@
      getStore = _get_store
++
  class OAuthConsumer(OAuthBase):
      """See `IOAuthConsumer`."""
      implements(IOAuthConsumer)
@@ -102,13 +104,56 @@
      key = StringCol(notNull=True)
      secret = StringCol(notNull=False, default='')
++    # This regular expression singles out a consumer key that
++    # represents any and all apps running on a specific computer
++    # (usually a desktop). For instance:
++    #
++    # System-wide: Ubuntu desktop (hostname1)
++    #  - An Ubuntu desktop called "hostname1"
++    # System-wide: Windows desktop (Computer Name)
++    #  - A Windows desktop called "Computer Name"
++    # System-wide: Mac OS desktop (hostname2)
++    #  - A Macintosh desktop called "hostname2"
++    # System-wide Android phone (Bob's Phone)
++    #  - An Android phone called "Bob's Phone"
++    integrated_desktop_re = re.compile("^System-wide: (.*) \(([^)]*)\)$")
++
++    def _integrated_desktop_match_group(self, position):
++        """Return information about a desktop integration token.
++
++        A convenience method that runs the desktop integration regular
++        expression against the consumer key.
++
++        :param position: The match group to return if the regular
++        expression matches.
++
++        :return: The value of one of the match groups, or None.
++        """
++        match = self.integrated_desktop_re.match(self.key)
++        if match is None:
++            return None
++        return match.groups()[position]
++
++    @property
++    def is_integrated_desktop(self):
++        """See `IOAuthConsumer`."""
++        return self.integrated_desktop_re.match(self.key) is not None
++
++    @property
++    def integrated_desktop_type(self):
++        """See `IOAuthConsumer`."""
++        return self._integrated_desktop_match_group(0)
++
++    @property
++    def integrated_desktop_name(self):
++        """See `IOAuthConsumer`."""
++        return self._integrated_desktop_match_group(1)
++
      def newRequestToken(self):
          """See `IOAuthConsumer`."""
          key, secret = create_token_key_and_secret(table=OAuthRequestToken)
--        date_expires = (datetime.now(pytz.timezone('UTC'))
--                        + timedelta(hours=REQUEST_TOKEN_VALIDITY))
          return OAuthRequestToken(
--            consumer=self, key=key, secret=secret, date_expires=date_expires)
++            consumer=self, key=key, secret=secret)
      def getAccessToken(self, key):
          """See `IOAuthConsumer`."""
@@ -177,6 +222,11 @@
          else:
              return None
++    @property
++    def is_expired(self):
++        now = datetime.now(pytz.timezone('UTC'))
++        return self.date_expires is not None and self.date_expires <= now
++
      def checkNonceAndTimestamp(self, nonce, timestamp):
          """See `IOAuthAccessToken`."""
          timestamp = float(timestamp)
@@ -254,10 +304,21 @@
          else:
              return None
++    @property
++    def is_expired(self):
++        now = datetime.now(pytz.timezone('UTC'))
++        expires = self.date_created + timedelta(hours=REQUEST_TOKEN_VALIDITY)
++        return expires <= now
++
      def review(self, user, permission, context=None):
          """See `IOAuthRequestToken`."""
--        assert not self.is_reviewed, (
--            "Request tokens can be reviewed only once.")
++        if self.is_reviewed:
++            raise AssertionError(
++                "Request tokens can be reviewed only once.")
++        if self.is_expired:
++            raise AssertionError(
++                'This request token has expired and can no longer be '
++                'reviewed.')
          self.date_reviewed = datetime.now(pytz.timezone('UTC'))
          self.person = user
          self.permission = permission
@@ -275,10 +336,18 @@
      def createAccessToken(self):
          """See `IOAuthRequestToken`."""
--        assert self.is_reviewed, (
--            'Cannot create an access token from an unreviewed request token.')
--        assert self.permission != OAuthPermission.UNAUTHORIZED, (
--            'The user did not grant access to this consumer.')
++        if not self.is_reviewed:
++            raise AssertionError(
++                'Cannot create an access token from an unreviewed request '
++                'token.')
++        if self.permission == OAuthPermission.UNAUTHORIZED:
++            raise AssertionError(
++                'The user did not grant access to this consumer.')
++        if self.is_expired:
++            raise AssertionError(
++                'This request token has expired and can no longer be '
++                'exchanged for an access token.')
++
          key, secret = create_token_key_and_secret(table=OAuthAccessToken)
          access_level = AccessLevel.items[self.permission.name]
          access_token = OAuthAccessToken(
 === modified file 'lib/canonical/launchpad/doc/oauth.txt'
 --- lib/canonical/launchpad/doc/oauth.txt	2010-10-09 16:36:22 +0000
 +++ lib/canonical/launchpad/doc/oauth.txt	2010-10-19 14:17:46 +0000
@@ -38,6 +38,45 @@
      ...
      AssertionError: ...
++Desktop consumers
++=================
++
++In a web context, each application is represented by a unique consumer
++key. But a typical user sitting at a typical desktop (or other
++personal computer), using multiple desktop applications that integrate
++with Launchpad, is represented by a single consumer key. The user's
++session as a whole is a single "consumer", and the consumer key is
++expected to contain structured information: the type of system
++(usually the operating system plus the word "desktop") and a string
++that the end-user would recognize as identifying their computer.
++
++    >>> desktop_key = consumer_set.new(
++    ...     "System-wide: Ubuntu desktop (hostname)")
++    >>> desktop_key.is_integrated_desktop
++    True
++    >>> print desktop_key.integrated_desktop_type
++    Ubuntu desktop
++    >>> print desktop_key.integrated_desktop_name
++    hostname
++
++    >>> desktop_key = consumer_set.new(
++    ...     "System-wide: Android phone (My Phone)")
++    >>> desktop_key.is_integrated_desktop
++    True
++    >>> print desktop_key.integrated_desktop_type
++    Android phone
++    >>> print desktop_key.integrated_desktop_name
++    My Phone
++
++A normal OAuth consumer does not have this information.
++
++    >>> ordinary_key = consumer_set.new("Not a desktop at all.")
++    >>> ordinary_key.is_integrated_desktop
++    False
++    >>> print ordinary_key.integrated_desktop_type
++    None
++    >>> print ordinary_key.integrated_desktop_name
++    None
  Request tokens
  ==============
 === modified file 'lib/canonical/launchpad/doc/webapp-authorization.txt'
 --- lib/canonical/launchpad/doc/webapp-authorization.txt	2010-10-09 16:36:22 +0000
 +++ lib/canonical/launchpad/doc/webapp-authorization.txt	2010-10-19 14:17:46 +0000
@@ -79,24 +79,16 @@
      >>> check_permission('launchpad.View', bug_1)
      False
--Now consider a principal authorized to create OAuth tokens. Whenever
--it's not creating OAuth tokens, it has a level of permission
--equivalent to READ_PUBLIC.
++A token used for desktop integration has a level of permission
++equivalent to WRITE_PUBLIC.
--    >>> principal.access_level = AccessLevel.GRANT_PERMISSIONS
++    >>> principal.access_level = AccessLevel.DESKTOP_INTEGRATION
      >>> setupInteraction(principal)
      >>> check_permission('launchpad.View', bug_1)
--    False
++    True
      >>> check_permission('launchpad.Edit', sample_person)
--    False
--
--This may seem useless from a security standpoint, since once a
--malicious client is authorized to create OAuth tokens, it can escalate
--its privileges at any time by creating a new token for itself. The
--security benefit is more subtle: by discouraging feature creep in
--clients that have this super-access level, we reduce the risk that a
--bug in a _trusted_ client will enable privilege escalation attacks.
++    True
  Users logged in through the web application have full access, which
  means they can read/change any object they have access to.
 === modified file 'lib/canonical/launchpad/interfaces/oauth.py'
 --- lib/canonical/launchpad/interfaces/oauth.py	2010-08-20 20:31:18 +0000
 +++ lib/canonical/launchpad/interfaces/oauth.py	2010-10-19 14:17:46 +0000
@@ -64,12 +64,26 @@
          description=_('The secret which, if not empty, should be used by the '
                        'consumer to sign its requests.'))
++    is_integrated_desktop = Attribute(
++        """This attribute is true if the consumer corresponds to a
++        user account on a personal computer or similar device.""")
++
++    integrated_desktop_name = Attribute(
++        """If the consumer corresponds to a user account on a personal
++        computer or similar device, this is the self-reported name of
++        the computer. If the consumer is a specific web or desktop
++        application, this is None.""")
++
++    integrated_desktop_type = Attribute(
++        """If the consumer corresponds to a user account on a personal
++        computer or similar device, this is the self-reported type of
++        that computer (usually the operating system plus the word
++        "desktop"). If the consumer is a specific web or desktop
++        application, this is None.""")
++
      def newRequestToken():
          """Return a new `IOAuthRequestToken` with a random key and secret.
--        Also sets the token's date_expires to `REQUEST_TOKEN_VALIDITY` hours
--        from the creation date (now).
--
          The other attributes of the token are supposed to be set whenever the
          user logs into Launchpad and grants (or not) access to this consumer.
          """
@@ -131,12 +145,6 @@
      person = Object(
          schema=IPerson, title=_('Person'), required=False, readonly=False,
          description=_('The user on whose behalf the consumer is accessing.'))
--    date_created = Datetime(
--        title=_('Date created'), required=True, readonly=True)
--    date_expires = Datetime(
--        title=_('Date expires'), required=False, readonly=False,
--        description=_('From this date onwards this token can not be used '
--                      'by the consumer to access protected resources.'))
      key = TextLine(
          title=_('Key'), required=True, readonly=True,
          description=_('The key used to identify this token.  It is included '
@@ -154,6 +162,12 @@
          title=_("Distribution"), required=False, vocabulary='Distribution')
      context = Attribute("FIXME")
++    is_expired = Bool(
++        title=_("Whether or not this token has expired."),
++        required=False, readonly=True,
++        description=_("A token may only be usable for a limited time, "
++                      "after which it will expire."))
++
  class IOAuthAccessToken(IOAuthToken):
      """A token used by a consumer to access protected resources in LP.
@@ -168,6 +182,16 @@
          description=_('The level of access given to the application acting '
                        'on your behalf.'))
++    date_created = Datetime(
++        title=_('Date created'), required=True, readonly=True,
++        description=_('The date some request token was exchanged for '
++                      'this token.'))
++
++    date_expires = Datetime(
++        title=_('Date expires'), required=False, readonly=False,
++        description=_('From this date onwards this token can not be used '
++                      'by the consumer to access protected resources.'))
++
      def checkNonceAndTimestamp(nonce, timestamp):
          """Verify the nonce and timestamp.
@@ -202,11 +226,22 @@
          vocabulary=OAuthPermission,
          description=_('The permission you give to the application which may '
                        'act on your behalf.'))
++    date_created = Datetime(
++        title=_('Date created'), required=True, readonly=True,
++        description=_('The date the token was created. The request token '
++                      'will be good for a limited time after this date.'))
++
++    date_expires = Datetime(
++        title=_('Date expires'), required=False, readonly=False,
++        description=_('The expiration date for the permission you give to '
++                      'the application which may act on your behalf.'))
++
      date_reviewed = Datetime(
          title=_('Date reviewed'), required=True, readonly=True,
          description=_('The date in which the user authorized (or not) the '
                        'consumer to access his protected resources on '
                        'Launchpad.'))
++
      is_reviewed = Bool(
          title=_('Has this token been reviewed?'),
          required=False, readonly=True,
 === modified file 'lib/canonical/launchpad/pagetests/oauth/authorize-token.txt'
 --- lib/canonical/launchpad/pagetests/oauth/authorize-token.txt	2010-10-09 16:36:22 +0000
 +++ lib/canonical/launchpad/pagetests/oauth/authorize-token.txt	2010-10-19 14:17:46 +0000
@@ -39,32 +39,29 @@
      >>> main_content = find_tag_by_id(browser.contents, 'maincontent')
      >>> print extract_text(main_content)
++    Integrating foobar123451432 into your Launchpad account
      The application identified as foobar123451432 wants to access Launchpad on
      your behalf. What level of access do you want to grant?
      ...
      See all applications authorized to access Launchpad on your behalf.
  This page contains one submit button for each item of OAuthPermission,
--except for 'Grant Permissions', which must be specifically requested.
--
--    >>> browser.getControl('No Access')
--    <SubmitControl...
--    >>> browser.getControl('Read Non-Private Data')
--    <SubmitControl...
--    >>> browser.getControl('Change Non-Private Data')
--    <SubmitControl...
--    >>> browser.getControl('Read Anything')
--    <SubmitControl...
--    >>> browser.getControl('Change Anything')
--    <SubmitControl...
--
--    >>> browser.getControl('Grant Permissions')
--    Traceback (most recent call last):
--    ...
--    LookupError: label 'Grant Permissions'
--
++except for 'Desktop Integration', which must be specifically requested.
++
++    >>> def print_access_levels(main_content):
++    ...     actions = main_content.findAll('input', attrs={'type': 'submit'})
++    ...     for action in actions:
++    ...         print action['value']
++
++    >>> print_access_levels(main_content)
++    No Access
++    Read Non-Private Data
++    Change Non-Private Data
++    Read Anything
++    Change Anything
++
++    >>> from canonical.launchpad.webapp.interfaces import OAuthPermission
      >>> actions = main_content.findAll('input', attrs={'type': 'submit'})
--    >>> from canonical.launchpad.webapp.interfaces import OAuthPermission
      >>> len(actions) == len(OAuthPermission.items) - 1
      True
@@ -74,57 +71,53 @@
  that isn't enough for the application. The user always has the option
  to deny permission altogether.
--    >>> def print_access_levels(allow_permission):
++    >>> def authorize_token_main_content(allow_permission):
      ...     browser.open(
      ...         "http://launchpad.dev/+authorize-token?%s&%s"
      ...         % (urlencode(params), allow_permission))
--    ...     main_content = find_tag_by_id(browser.contents, 'maincontent')
--    ...     actions = main_content.findAll('input', attrs={'type': 'submit'})
--    ...     for action in actions:
--    ...         print action['value']
--
--    >>> print_access_levels(
++    ...     return find_tag_by_id(browser.contents, 'maincontent')
++
++    >>> def print_access_levels_for(allow_permission):
++    ...     main_content = authorize_token_main_content(allow_permission)
++    ...     print_access_levels(main_content)
++
++    >>> print_access_levels_for(
      ...     'allow_permission=WRITE_PUBLIC&allow_permission=WRITE_PRIVATE')
      No Access
      Change Non-Private Data
      Change Anything
--The only time the 'Grant Permissions' permission shows up in this list
--is if the client specifically requests it, and no other
--permission. (Also requesting UNAUTHORIZED is okay--it will show up
--anyway.)
--
--    >>> print_access_levels('allow_permission=GRANT_PERMISSIONS')
--    No Access
--    Grant Permissions
--
--    >>> print_access_levels(
--    ...     'allow_permission=GRANT_PERMISSIONS&allow_permission=UNAUTHORIZED')
--    No Access
--    Grant Permissions
--
--    >>> print_access_levels(
--    ...     'allow_permission=WRITE_PUBLIC&allow_permission=GRANT_PERMISSIONS')
--    No Access
--    Change Non-Private Data
--
  If an application doesn't specify any valid access levels, or only
  specifies the UNAUTHORIZED access level, Launchpad will show all the
--access levels, except for GRANT_PERMISSIONS.
--
--    >>> print_access_levels('')
--    No Access
--    Read Non-Private Data
--    Change Non-Private Data
--    Read Anything
--    Change Anything
--
--    >>> print_access_levels('allow_permission=UNAUTHORIZED')
--    No Access
--    Read Non-Private Data
--    Change Non-Private Data
--    Read Anything
--    Change Anything
++access levels, except for DESKTOP_INTEGRATION.
++
++    >>> print_access_levels_for('')
++    No Access
++    Read Non-Private Data
++    Change Non-Private Data
++    Read Anything
++    Change Anything
++
++    >>> print_access_levels_for('allow_permission=UNAUTHORIZED')
++    No Access
++    Read Non-Private Data
++    Change Non-Private Data
++    Read Anything
++    Change Anything
++
++An application may not request the DESKTOP_INTEGRATION access level
++unless its consumer key matches a certain pattern. (Successful desktop
++integration has its own section, below.)
++
++    >>> allow_permission = "allow_permission=DESKTOP_INTEGRATION"
++    >>> browser.open(
++    ...     "http://launchpad.dev/+authorize-token?%s&%s"
++    ...         % (urlencode(params), allow_permission))
++    Traceback (most recent call last):
++    ...
++    Unauthorized: Consumer "foobar123451432" asked for desktop
++    integration, but didn't say what kind of desktop it is, or name
++    the computer being integrated.
  An application may also specify a context, so that the access granted
  by the user is restricted to things related to that context.
@@ -136,6 +129,7 @@
      ...     % urlencode(params_with_context))
      >>> main_content = find_tag_by_id(browser.contents, 'maincontent')
      >>> print extract_text(main_content)
++    Integrating foobar123451432 into your Launchpad account
      The application...wants to access things related to Mozilla Firefox...
  A client other than a web browser may request a JSON representation of
@@ -263,3 +257,95 @@
      This request for accessing Launchpad on your behalf has been
      reviewed ... ago.
      See all applications authorized to access Launchpad on your behalf.
++
++Desktop integration
++===================
++
++The test case given above shows how to integrate a single application
++or website into Launchpad. But it's also possible to integrate an
++entire desktop environment into Launchpad.
++
++The desktop integration option is only available for OAuth consumers
++that say what kind of desktop they are (eg. Ubuntu) and give a name
++that a user can identify with their computer (eg. the hostname). Here,
++we'll create such a token.
++
++    >>> login('salgado@ubuntu.com')
++    >>> desktop_key = "System-wide: Ubuntu desktop (mycomputer)"
++    >>> consumer = getUtility(IOAuthConsumerSet).new(desktop_key)
++    >>> token = consumer.newRequestToken()
++    >>> logout()
++
++When a desktop tries to integrate with Launchpad, the user gets a
++special warning about giving access to every program running on their
++desktop.
++
++    >>> params = dict(oauth_token=token.key)
++    >>> print extract_text(
++    ...     authorize_token_main_content(
++    ...         'allow_permission=DESKTOP_INTEGRATION'))
++    Integrating mycomputer into your Launchpad account
++    The Ubuntu desktop called mycomputer wants access to your
++    Launchpad account. If you allow the integration, all applications
++    running on mycomputer will have read-write access to your
++    Launchpad account, including to your private data.
++    If you're using a public computer, if mycomputer is not the
++    computer you're using right now, or if something just doesn't feel
++    right about this situation, you should choose "No, thanks, I don't
++    trust 'mycomputer'", or close this window now. You can always try
++    again later.
++    Even if you decide to allow the integration, you can change your
++    mind later.
++    See all applications authorized to access Launchpad on your behalf.
++
++
++The only time the 'Desktop Integration' permission shows up in the
++list of permissions is if the client specifically requests it, and no
++other permission. (Also requesting UNAUTHORIZED is okay--it will show
++up anyway.)
++
++    >>> print_access_levels_for('allow_permission=DESKTOP_INTEGRATION')
++    Give all programs running on "mycomputer" access to my Launchpad account.
++    No, thanks, I don't trust "mycomputer".
++
++    >>> print_access_levels_for(
++    ...     'allow_permission=DESKTOP_INTEGRATION&allow_permission=UNAUTHORIZED')
++    Give all programs running on "mycomputer" access to my Launchpad account.
++    No, thanks, I don't trust "mycomputer".
++
++A desktop may not request a level of access other than
++DESKTOP_INTEGRATION, since the whole point is to have a permission
++level that specifically applies across the entire desktop.
++
++    >>> print_access_levels_for('allow_permission=WRITE_PRIVATE')
++    Traceback (most recent call last):
++    ...
++    Unauthorized: Desktop integration token requested a permission
++    ("Change Anything") not supported for desktop-wide use.
++
++    >>> print_access_levels_for(
++    ...     'allow_permission=WRITE_PUBLIC&allow_permission=DESKTOP_INTEGRATION')
++    Traceback (most recent call last):
++    ...
++    Unauthorized: Desktop integration token requested a permission
++    ("Change Non-Private Data") not supported for desktop-wide use.
++
++You can't specify a callback URL when authorizing a desktop-wide
++token, since callback URLs should only be used when integrating
++websites into Launchpad.
++
++    >>> params['oauth_callback'] = 'http://launchpad.dev/bzr'
++    >>> print_access_levels_for('allow_permission=DESKTOP_INTEGRATION')
++    Traceback (most recent call last):
++    ...
++    Unauthorized: A desktop integration may not specify an OAuth
++    callback URL.
++
++This is true even if the desktop token isn't asking for the
++DESKTOP_INTEGRATION permission.
++
++    >>> print_access_levels_for('allow_permission=WRITE_PRIVATE')
++    Traceback (most recent call last):
++    ...
++    Unauthorized: A desktop integration may not specify an OAuth
++    callback URL.
 === modified file 'lib/canonical/launchpad/templates/oauth-authorize.pt'
 --- lib/canonical/launchpad/templates/oauth-authorize.pt	2009-07-17 17:59:07 +0000
 +++ lib/canonical/launchpad/templates/oauth-authorize.pt	2010-10-19 14:17:46 +0000
@@ -21,28 +21,69 @@
        <tal:token-not-reviewed condition="not:token/is_reviewed">
          <div metal:use-macro="context/@@launchpad_form/form">
            <div metal:fill-slot="extra_top">
--            <p>The application identified as
--              <strong tal:content="token/consumer/key">consumer</strong>
--              wants to access
--              <tal:has-context condition="view/token_context">
--                things related to
--                <strong tal:content="view/token_context/title">Context</strong>
--                in
--              </tal:has-context>
--              Launchpad on your behalf. What level of access
--              do you want to grant?</p>
--
--            <table>
--              <tr tal:repeat="action view/visible_actions">
--                <td style="text-align: right">
--                  <tal:action replace="structure action/render" />
--                </td>
--                <td>
--                  <span class="lesser"
--                    tal:content="action/permission/description" />
--                </td>
--              </tr>
--            </table>
++
++           <tal:desktop-integration-token condition="token/consumer/is_integrated_desktop">
++             <h1>Integrating
++               <tal:hostname replace="structure
++                token/consumer/integrated_desktop_name" />
++               into your Launchpad account</h1>
++             <p>The
++               <tal:desktop replace="structure
++               token/consumer/integrated_desktop_type" />
++             called
++             <strong tal:content="token/consumer/integrated_desktop_name">hostname</strong>
++             wants access to your Launchpad account. If you allow the
++             integration, all applications running
++             on <strong tal:content="token/consumer/integrated_desktop_name">hostname</strong>
++             will have read-write access to your Launchpad account,
++             including to your private data.</p>
++
++             <p>If you're using a public computer, if
++             <strong tal:content="token/consumer/integrated_desktop_name">hostname</strong>
++             is not the computer you're using right now, or if
++             something just doesn't feel right about this situation,
++             you should choose "No, thanks, I don't trust
++             '<tal:hostname replace="structure
++              token/consumer/integrated_desktop_name" />'",
++             or close this window now. You can always try
++             again later.</p>
++
++             <p>Even if you decide to allow the integration, you can
++             change your mind later.</p>
++           </tal:desktop-integration-token>
++
++           <tal:web-integration-token condition="not:token/consumer/is_integrated_desktop">
++             <h1>Integrating
++               <tal:hostname replace="structure token/consumer/key" />
++               into your Launchpad account</h1>
++
++             <p>The application identified as
++               <strong tal:content="token/consumer/key">consumer</strong>
++               wants to access
++               <tal:has-context condition="view/token_context">
++                 things related to
++                 <strong tal:content="view/token_context/title">Context</strong>
++                 in
++               </tal:has-context>
++               Launchpad on your behalf. What level of access
++               do you want to grant?</p>
++           </tal:web-integration-token>
++
++           <table>
++             <tr tal:repeat="action view/visible_actions">
++               <td style="text-align: right">
++                 <tal:action replace="structure action/render" />
++               </td>
++
++               <tal:web-integration-token
++                  condition="not:token/consumer/is_integrated_desktop">
++                 <td>
++                   <span class="lesser"
++                     tal:content="action/permission/description" />
++                 </td>
++               </tal:web-integration-token>
++             </tr>
++           </table>
            </div>
            <div metal:fill-slot="extra_bottom">
 === added file 'lib/canonical/launchpad/tests/test_oauth_tokens.py'
 --- lib/canonical/launchpad/tests/test_oauth_tokens.py	1970-01-01 00:00:00 +0000
 +++ lib/canonical/launchpad/tests/test_oauth_tokens.py	2010-10-19 14:17:46 +0000
@@ -0,0 +1,47 @@
++# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++from datetime import (
++    datetime,
++    timedelta
++    )
++import pytz
++
++from canonical.launchpad.webapp.interfaces import OAuthPermission
++from canonical.testing.layers import DatabaseFunctionalLayer
++
++from lp.testing import (
++    TestCaseWithFactory,
++    )
++
++
++class TestRequestTokens(TestCaseWithFactory):
++
++    layer = DatabaseFunctionalLayer
++
++    def setUp(self):
++        """Set up a dummy person and OAuth consumer."""
++        super(TestRequestTokens, self).setUp()
++
++        self.person = self.factory.makePerson()
++        self.consumer = self.factory.makeOAuthConsumer()
++
++        now = datetime.now(pytz.timezone('UTC'))
++        self.a_long_time_ago = now - timedelta(hours=1000)
++
++    def testExpiredRequestTokenCantBeReviewed(self):
++        """An expired request token can't be reviewed."""
++        token = self.factory.makeOAuthRequestToken(
++            date_created=self.a_long_time_ago)
++        self.assertRaises(
++            AssertionError, token.review, self.person,
++            OAuthPermission.WRITE_PUBLIC)
++
++    def testExpiredRequestTokenCantBeExchanged(self):
++        """An expired request token can't be exchanged for an access token.
++
++        This can only happen if the token was reviewed before it expired.
++        """
++        token = self.factory.makeOAuthRequestToken(
++            date_created=self.a_long_time_ago, reviewed_by=self.person)
++        self.assertRaises(AssertionError, token.createAccessToken)
 === modified file 'lib/canonical/launchpad/webapp/authorization.py'
 --- lib/canonical/launchpad/webapp/authorization.py	2010-08-20 20:31:18 +0000
 +++ lib/canonical/launchpad/webapp/authorization.py	2010-10-19 14:17:46 +0000
@@ -61,7 +61,8 @@
          lp_permission = getUtility(ILaunchpadPermission, permission)
          if lp_permission.access_level == "write":
              required_access_level = [
--                AccessLevel.WRITE_PUBLIC, AccessLevel.WRITE_PRIVATE]
++                AccessLevel.WRITE_PUBLIC, AccessLevel.WRITE_PRIVATE,
++                AccessLevel.DESKTOP_INTEGRATION]
              if access_level not in required_access_level:
                  return False
          elif lp_permission.access_level == "read":
@@ -80,7 +81,8 @@
          access to private objects, return False.  Return True otherwise.
          """
          private_access_levels = [
--            AccessLevel.READ_PRIVATE, AccessLevel.WRITE_PRIVATE]
++            AccessLevel.READ_PRIVATE, AccessLevel.WRITE_PRIVATE,
++            AccessLevel.DESKTOP_INTEGRATION]
          if access_level in private_access_levels:
              # The user has access to private objects. Return early,
              # before checking whether the object is private, since
 === modified file 'lib/canonical/launchpad/webapp/interfaces.py'
 --- lib/canonical/launchpad/webapp/interfaces.py	2010-09-24 09:42:01 +0000
 +++ lib/canonical/launchpad/webapp/interfaces.py	2010-10-19 14:17:46 +0000
@@ -531,14 +531,13 @@
          for reading and changing anything, including private data.
          """)
--    GRANT_PERMISSIONS = DBItem(60, """
--        Grant Permissions
++    DESKTOP_INTEGRATION = DBItem(60, """
++        Desktop Integration
--        The application will be able to grant access to your Launchpad
--        account to any other application. This is a very powerful
--        level of access. You should not grant this level of access to
--        any application except the official Launchpad credential
--        manager.
++        Every application running on your desktop will have read-write
++        access to your Launchpad account, including to your private
++        data. You should not allow this unless you trust the computer
++        you're using right now.
          """)
  class AccessLevel(DBEnumeratedType):
 === modified file 'lib/canonical/launchpad/webapp/servers.py'
 --- lib/canonical/launchpad/webapp/servers.py	2010-09-28 07:00:56 +0000
 +++ lib/canonical/launchpad/webapp/servers.py	2010-10-19 14:17:46 +0000
@@ -8,7 +8,6 @@
  __metaclass__ = type
  import cgi
--from datetime import datetime
  import threading
  import xmlrpclib
@@ -1277,10 +1276,9 @@
              token.checkNonceAndTimestamp(nonce, timestamp)
          except (NonceAlreadyUsed, TimestampOrderingError, ClockSkew), e:
              raise Unauthorized('Invalid nonce/timestamp: %s' % e)
--        now = datetime.now(pytz.timezone('UTC'))
          if token.permission == OAuthPermission.UNAUTHORIZED:
              raise Unauthorized('Unauthorized token (%s).' % token.key)
--        elif token.date_expires is not None and token.date_expires <= now:
++        elif token.is_expired:
              raise Unauthorized('Expired token (%s).' % token.key)
          elif not check_oauth_signature(request, consumer, token):
              raise Unauthorized('Invalid signature.')
 === modified file 'lib/lp/archiveuploader/nascentuploadfile.py'
 --- lib/lp/archiveuploader/nascentuploadfile.py	2010-10-02 11:41:43 +0000
 +++ lib/lp/archiveuploader/nascentuploadfile.py	2010-10-19 14:17:46 +0000
@@ -50,8 +50,8 @@
  from lp.soyuz.enums import (
      BinaryPackageFormat,
      PackagePublishingPriority,
++    PackagePublishingStatus,
      PackageUploadCustomFormat,
--    PackageUploadStatus,
+     )
  from lp.soyuz.interfaces.binarypackagename import IBinaryPackageNameSet
  from lp.soyuz.interfaces.component import IComponentSet
@@ -781,11 +781,9 @@
      #   Database relationship methods
+     #
      def findSourcePackageRelease(self):
--        """Return the respective ISourcePackagRelease for this binary upload.
++        """Return the respective ISourcePackageRelease for this binary upload.
--        It inspect publication in the targeted DistroSeries and also the
--        ACCEPTED queue for sources matching stored
--        (source_name, source_version).
++        It inspect publication in the targeted DistroSeries.
          It raises UploadError if the source was not found.
@@ -793,43 +791,19 @@
          mixed_uploads (source + binary) we do not have the source stored
          in DB yet (see verifySourcepackagerelease).
          """
++        assert self.source_name is not None
++        assert self.source_version is not None
          distroseries = self.policy.distroseries
          spphs = distroseries.getPublishedSources(
              self.source_name, version=self.source_version,
              include_pending=True, archive=self.policy.archive)
--        sourcepackagerelease = None
--        if spphs:
--            # We know there's only going to be one release because
--            # version is unique.
--            assert spphs.count() == 1, "Duplicated ancestry"
--            sourcepackagerelease = spphs[0].sourcepackagerelease
--        else:
--            # XXX cprov 2006-08-09 bug=55774: Building from ACCEPTED is
--            # special condition, not really used in production. We should
--            # remove the support for this use case.
--            self.logger.debug(
--                "No source published, checking the ACCEPTED queue")
--
--            queue_candidates = distroseries.getQueueItems(
--                status=PackageUploadStatus.ACCEPTED,
--                name=self.source_name, version=self.source_version,
--                archive=self.policy.archive, exact_match=True)
--
--            for queue_item in queue_candidates:
--                if queue_item.sources.count():
--                    sourcepackagerelease = queue_item.sourcepackagerelease
--
--        if sourcepackagerelease is None:
--            # At this point, we can't really do much more to try
--            # building this package. If we look in the NEW queue it is
--            # possible that multiple versions of the package exist there
--            # and we know how bad that can be. Time to give up!
++        if spphs.count() == 0:
              raise UploadError(
                  "Unable to find source package %s/%s in %s" % (
                  self.source_name, self.source_version, distroseries.name))
--        return sourcepackagerelease
++        return spphs[0].sourcepackagerelease
      def verifySourcePackageRelease(self, sourcepackagerelease):
          """Check if the given ISourcePackageRelease matches the context."""
 === modified file 'lib/lp/archiveuploader/tests/nascentupload-epoch-handling.txt'
 --- lib/lp/archiveuploader/tests/nascentupload-epoch-handling.txt	2009-04-17 10:32:16 +0000
 +++ lib/lp/archiveuploader/tests/nascentupload-epoch-handling.txt	2010-10-19 14:17:46 +0000
@@ -208,6 +208,14 @@
      >>> bar_spr.version
      u'1:1.0-9'
++    >>> from lp.registry.interfaces.pocket import PackagePublishingPocket
++    >>> from lp.soyuz.interfaces.publishing import IPublishingSet
++    >>> getUtility(IPublishingSet).newSourcePublication(
++    ...     bar_src_upload.policy.distro.main_archive, bar_spr,
++    ...     bar_src_upload.policy.distroseries, bar_spr.component,
++    ...     bar_spr.section, PackagePublishingPocket.RELEASE)
++    <SourcePackagePublishingHistory at ...>
++
  Let's accept the source and claim 'build from accepted' to process the
  respective binary:
@@ -217,9 +225,6 @@
      >>> bar_src_queue.status.name
      'ACCEPTED'
--    >>> from canonical.launchpad.ftests import syncUpdate
--    >>> syncUpdate(bar_src_queue)
--
  For a binary upload we expect the same, a BinaryPackageRelease
  'version' that includes 'epoch':
 === modified file 'lib/lp/archiveuploader/tests/nascentupload.txt'
 --- lib/lp/archiveuploader/tests/nascentupload.txt	2010-10-14 18:42:19 +0000
 +++ lib/lp/archiveuploader/tests/nascentupload.txt	2010-10-19 14:17:46 +0000
@@ -484,86 +484,6 @@
--=== Building From ACCEPTED queue ===
--
--XXX cprov 20060728: Building from ACCEPTED is special condition, not
--really used in production. We should remove the support for this use
--case, see further info in bug #55774.
--
--Next we send in the binaries, since the source should be in ACCEPTED the
--binary should go straight there too. Note that we are not specifying
--any build, so it should be created appropriately, it is what happens
--with staged security uploads:
--
--XXX cprov 20070404: we are using a modified sync policy because we
--need unsigned changes and binaries uploads (same as security, but also
--accepts non-security uploads)
--
--  >>> from lp.archiveuploader.uploadpolicy import ArchiveUploadType
--  >>> modified_sync_policy = getPolicy(
--  ...     name='sync', distro='ubuntu', distroseries='hoary')
--  >>> modified_sync_policy.accepted_type = ArchiveUploadType.BINARY_ONLY
--
--  >>> ed_bin = NascentUpload.from_changesfile_path(
--  ...      datadir('split-upload-test/ed_0.2-20_i386.changes'),
--  ...      modified_sync_policy, mock_logger_quiet)
--
--  >>> ed_bin.process()
--  >>> ed_bin.is_rejected
--  False
--
--  >>> success = ed_bin.do_accept()
--
--  >>> ed_bin.queue_root.status.name
--  'NEW'
--
--A build was created to represent the relationship between ed_src
--(waiting in ACCEPTED queue) and the just uploaded ed_bin:
--
--  >>> ed_build = ed_bin.queue_root.builds[0].build
--
--  >>> ed_spr.id  == ed_build.source_package_release.id
--  True
--
--  >>> ed_build.title
--  u'i386 build of ed 0.2-20 in ubuntu hoary RELEASE'
--
--  >>> ed_build.status.name
--  'FULLYBUILT'
--
--Binary control file attributes are stored as text in the
--BinaryPackageRelease record.
--
--  >>> ed_bpr = ed_build.binarypackages[0]
--
--  >>> ed_bpr.depends
--  u'libc6 (>= 2.6-1)'
--
--  >>> ed_bpr.suggests
--  u'emacs'
--
--  >>> ed_bpr.conflicts
--  u'vi'
--
--  >>> ed_bpr.replaces
--  u'vim'
--
--  >>> ed_bpr.provides
--  u'ed'
--
--  >>> ed_bpr.essential
--  False
--
--  >>> ed_bpr.pre_depends
--  u'dpkg'
--
--  >>> ed_bpr.enhances
--  u'bash'
--
--  >>> ed_bpr.breaks
--  u'emacs'
--
--
  === Staged Source and Binary upload with multiple binaries ===
  As we could see both, sources and binaries, get into Launchpad via
@@ -613,12 +533,18 @@
    >>> multibar_src_queue.status.name
    'ACCEPTED'
--We can just assume the source was published by step 3 and 4 for
--simplicity and claim 'build from ACCEPTED' feature.
++Then the source gets accepted and published, step 3 and 4:
++
++  >>> from lp.registry.interfaces.pocket import PackagePublishingPocket
++  >>> from lp.soyuz.interfaces.publishing import IPublishingSet
++  >>> getUtility(IPublishingSet).newSourcePublication(
++  ...     multibar_src_queue.archive, multibar_spr,
++  ...     sync_policy.distroseries, multibar_spr.component,
++  ...     multibar_spr.section, PackagePublishingPocket.RELEASE)
++  <SourcePackagePublishingHistory at ...>
  Build creation is done based on the SourcePackageRelease object, step 5:
--  >>> from lp.registry.interfaces.pocket import PackagePublishingPocket
    >>> multibar_build = multibar_spr.createBuild(
    ...     hoary['i386'], PackagePublishingPocket.RELEASE,
    ...     multibar_src_queue.archive)
@@ -636,8 +562,8 @@
  and the collection of DEB files produced.
  At this point slave-scanner moves the upload to the appropriate path
--(/srv/launchpad.net/builddmaster) and invokes process-upload.py with
--the 'buildd' upload policy and the build record id.
++(/srv/launchpad.net/builddmaster). A cron job invokes process-upload.py
++with the 'buildd' upload policy and processes all files in that directory.
    >>> buildd_policy = getPolicy(
    ...     name='buildd', distro='ubuntu', distroseries='hoary')
 === modified file 'lib/lp/archiveuploader/tests/test_buildduploads.py'
 --- lib/lp/archiveuploader/tests/test_buildduploads.py	2010-10-06 11:46:51 +0000
 +++ lib/lp/archiveuploader/tests/test_buildduploads.py	2010-10-19 14:17:46 +0000
@@ -20,6 +20,7 @@
+     )
  from lp.registry.interfaces.distribution import IDistributionSet
  from lp.registry.interfaces.pocket import PackagePublishingPocket
++from lp.soyuz.interfaces.publishing import IPublishingSet
  from lp.soyuz.model.binarypackagebuild import BinaryPackageBuild
@@ -195,6 +196,13 @@
          real_policy = self.policy
          self.policy = 'insecure'
          super(TestBuilddUploads, self).setUp()
++        # Publish the source package release so it can be found by
++        # NascentUploadFile.findSourcePackageRelease().
++        spr = self.source_queue.sources[0].sourcepackagerelease
++        getUtility(IPublishingSet).newSourcePublication(
++            self.distroseries.main_archive, spr,
++            self.distroseries, spr.component,
++            spr.section, PackagePublishingPocket.RELEASE)
          self.policy = real_policy
      def _publishBuildQueueItem(self, queue_item):
 === modified file 'lib/lp/archiveuploader/tests/test_nascentuploadfile.py'
 --- lib/lp/archiveuploader/tests/test_nascentuploadfile.py	2010-10-06 11:46:51 +0000
 +++ lib/lp/archiveuploader/tests/test_nascentuploadfile.py	2010-10-19 14:17:46 +0000
@@ -25,7 +25,10 @@
  from lp.registry.interfaces.pocket import PackagePublishingPocket
  from lp.archiveuploader.tests import AbsolutelyAnythingGoesUploadPolicy
  from lp.buildmaster.enums import BuildStatus
--from lp.soyuz.enums import PackageUploadCustomFormat
++from lp.soyuz.enums import (
++    PackageUploadCustomFormat,
++    PackagePublishingStatus,
++    )
  from lp.testing import TestCaseWithFactory
@@ -387,3 +390,68 @@
              "foo_0.42_i386.deb", "main/python", "unknown", "mypkg", "0.42",
              None)
          self.assertRaises(UploadError, uploadfile.checkBuild, build)
++
++    def test_findSourcePackageRelease(self):
++        # findSourcePackageRelease finds the matching SourcePackageRelease.
++        das = self.factory.makeDistroArchSeries(
++            distroseries=self.policy.distroseries, architecturetag="i386")
++        build = self.factory.makeBinaryPackageBuild(
++            distroarchseries=das,
++            archive=self.policy.archive)
++        uploadfile = self.createDebBinaryUploadFile(
++            "foo_0.42_i386.deb", "main/python", "unknown", "mypkg", "0.42",
++            None)
++        spph = self.factory.makeSourcePackagePublishingHistory(
++            sourcepackagename=self.factory.makeSourcePackageName("foo"),
++            distroseries=self.policy.distroseries,
++            version="0.42", archive=self.policy.archive)
++        control = self.getBaseControl()
++        control["Source"] = "foo"
++        uploadfile.parseControl(control)
++        self.assertEquals(
++            spph.sourcepackagerelease, uploadfile.findSourcePackageRelease())
++
++    def test_findSourcePackageRelease_no_spph(self):
++        # findSourcePackageRelease raises UploadError if there is no
++        # SourcePackageRelease.
++        das = self.factory.makeDistroArchSeries(
++            distroseries=self.policy.distroseries, architecturetag="i386")
++        build = self.factory.makeBinaryPackageBuild(
++            distroarchseries=das,
++            archive=self.policy.archive)
++        uploadfile = self.createDebBinaryUploadFile(
++            "foo_0.42_i386.deb", "main/python", "unknown", "mypkg", "0.42",
++            None)
++        control = self.getBaseControl()
++        control["Source"] = "foo"
++        uploadfile.parseControl(control)
++        self.assertRaises(UploadError, uploadfile.findSourcePackageRelease)
++
++    def test_findSourcePackageRelease_multiple_sprs(self):
++        # findSourcePackageRelease finds the last uploaded
++        # SourcePackageRelease and can deal with multiple pending source
++        # package releases.
++        das = self.factory.makeDistroArchSeries(
++            distroseries=self.policy.distroseries, architecturetag="i386")
++        build = self.factory.makeBinaryPackageBuild(
++            distroarchseries=das,
++            archive=self.policy.archive)
++        uploadfile = self.createDebBinaryUploadFile(
++            "foo_0.42_i386.deb", "main/python", "unknown", "mypkg", "0.42",
++            None)
++        spn = self.factory.makeSourcePackageName("foo")
++        spph1 = self.factory.makeSourcePackagePublishingHistory(
++            sourcepackagename=spn,
++            distroseries=self.policy.distroseries,
++            version="0.42", archive=self.policy.archive,
++            status=PackagePublishingStatus.PUBLISHED)
++        spph2 = self.factory.makeSourcePackagePublishingHistory(
++            sourcepackagename=spn,
++            distroseries=self.policy.distroseries,
++            version="0.42", archive=self.policy.archive,
++            status=PackagePublishingStatus.PENDING)
++        control = self.getBaseControl()
++        control["Source"] = "foo"
++        uploadfile.parseControl(control)
++        self.assertEquals(
++            spph2.sourcepackagerelease, uploadfile.findSourcePackageRelease())
 === modified file 'lib/lp/testing/factory.py'
 --- lib/lp/testing/factory.py	2010-10-18 21:18:03 +0000
 +++ lib/lp/testing/factory.py	2010-10-19 14:17:46 +0000
@@ -79,6 +79,7 @@
      EmailAddressStatus,
      IEmailAddressSet,
+     )
++from canonical.launchpad.interfaces.oauth import IOAuthConsumerSet
  from canonical.launchpad.interfaces.gpghandler import IGPGHandler
  from canonical.launchpad.interfaces.launchpad import ILaunchpadCelebrities
  from canonical.launchpad.interfaces.librarian import ILibraryFileAliasSet
@@ -91,6 +92,7 @@
      DEFAULT_FLAVOR,
      IStoreSelector,
      MAIN_STORE,
++    OAuthPermission,
+     )
  from lp.app.enums import ServiceUsage
  from lp.archiveuploader.dscfile import DSCFile
@@ -3165,6 +3167,33 @@
                  to_source=to_source, date_fulfilled=date_fulfilled,
                  status=status, diff_content=lfa))
++    # Factory methods for OAuth tokens.
++    def makeOAuthConsumer(self, key=None, secret=None):
++        if key is None:
++            key = self.getUniqueString("oauthconsumerkey")
++        if secret is None:
++            secret = ''
++        return getUtility(IOAuthConsumerSet).new(key, secret)
++
++    def makeOAuthRequestToken(
++        self, consumer=None, date_created=None, reviewed_by=None,
++        access_level=OAuthPermission.READ_PUBLIC):
++        """Create a (possibly reviewed) OAuth request token."""
++        if consumer is None:
++            consumer = self.makeOAuthConsumer()
++        token = consumer.newRequestToken()
++
++        if reviewed_by is not None:
++            # Review the token before modifying the date_created,
++            # since the date_created can be used to simulate an
++            # expired token.
++            token.review(reviewed_by, access_level)
++
++        if date_created is not None:
++            unwrapped_token = removeSecurityProxy(token)
++            unwrapped_token.date_created = date_created
++        return token
++
  # Some factory methods return simple Python types. We don't add
  # security wrappers for them, as well as for objects created by

Launchpad itself

Merge lp:~leonardr/launchpad/automatically-calculate-request-token-expire-time into lp:launchpad/db-devel

Commit message

Description of the change

Preview Diff

Subscribers