Merge into trunk : create-oauth-tokens-startup : Code : desktopcouch

Reviewer	Date Requested	Status
Mark G. Saye (community)		Needs Fixing on 2009-08-24
Elliot Murphy (community)		Needs Fixing on 2009-08-23
Joshua Blount (community)	2009-08-20	Approve on 2009-08-21
Review via email: mp+10481@code.launchpad.net

Revision history for this message

Stuart Langridge (sil) wrote on 2009-08-20:

#

Add oauth tokens as part of initial desktopcouch setup, and lock desktopcouch access to authenticated users only.

(NB: do not merge into desktopcouch trunk until http://issues.apache.org/jira/browse/COUCHDB-478 is in your couchdb build, or this will prevent access to your desktop Couch; it sets up an admin user in the ini file, but oauth authentication doesn't read from the ini file in Couch trunk; that's what the above patch is for.)

Revision history for this message

Joshua Blount (jblount) on 2009-08-21:

#

review: Approve

Revision history for this message

Elliot Murphy (statik) wrote on 2009-08-23:

#

I've packaged 0.10.0~svn806985~ppa1, which is a snapshot of the 0.10 branch that Jan created today, + the part of the patch for COUCHDB-478 that has not been applied to the branch yet.

After merging with trunk and resolving the merge conflicts, I get errors on a number of tests, all appear to have the same cause: 401 on a HEAD request.

===============================================================================
[ERROR]: desktopcouch.records.tests.test_server.TestCouchDatabase.test_record_exists

Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/testtools/testcase.py", line 161, in run
    self.setUp()
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/tests/test_server.py", line 44, in setUp
    self.dbname, create=True, uri=URI)
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/server.py", line 58, in __init__
    if database not in self._server:
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 124, in __contains__
    self.resource.head(validate_dbname(name))
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 981, in head
    return self._request('HEAD', path, headers=headers, **params)
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 1035, in _request
    raise ServerError((status_code, error))
couchdb.client.ServerError: (401, '')
===============================================================================
[ERROR]: desktopcouch.records.tests.test_server.TestCouchDatabase.test_update_fields

Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/testtools/testcase.py", line 161, in run
    self.setUp()
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/tests/test_server.py", line 44, in setUp
    self.dbname, create=True, uri=URI)
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/server.py", line 58, in __init__
    if database not in self._server:
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 124, in __contains__
    self.resource.head(validate_dbname(name))
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 981, in head
    return self._request('HEAD', path, headers=headers, **params)
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 1035, in _request
    raise ServerError((status_code, error))
couchdb.client.ServerError: (401, '')

I've packaged 0.10.0~svn806985~ppa1, which is a snapshot of the 0.10 branch that Jan created today, + the part of the patch for COUCHDB-478 that has not been applied to the branch yet.

After merging with trunk and resolving the merge conflicts, I get errors on a number of tests, all appear to have the same cause: 401 on a HEAD request.

===============================================================================
[ERROR]: desktopcouch.records.tests.test_server.TestCouchDatabase.test_record_exists

Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/testtools/testcase.py", line 161, in run
    self.setUp()
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/tests/test_server.py", line 44, in setUp
    self.dbname, create=True, uri=URI)
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/server.py", line 58, in __init__
    if database not in self._server:
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 124, in __contains__
    self.resource.head(validate_dbname(name))
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 981, in head
    return self._request('HEAD', path, headers=headers, **params)
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 1035, in _request
    raise ServerError((status_code, error))
couchdb.client.ServerError: (401, '')
===============================================================================
[ERROR]: desktopcouch.records.tests.test_server.TestCouchDatabase.test_update_fields

Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/testtools/testcase.py", line 161, in run
    self.setUp()
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/tests/test_server.py", line 44, in setUp
    self.dbname, create=True, uri=URI)
  File "/home/emurphy/canonical/ubuntuone/shared/desktopcouch/trunk/desktopcouch/records/server.py", line 58, in __init__
    if database not in self._server:
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 124, in __contains__
    self.resource.head(validate_dbname(name))
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 981, in head
    return self._request('HEAD', path, headers=headers, **params)
  File "/usr/lib/pymodules/python2.6/couchdb/client.py", line 1035, in _request
    raise ServerError((status_code, error))
couchdb.client.ServerError: (401, '')

review: Needs Fixing

Revision history for this message

Stuart Langridge (sil) wrote on 2009-08-24:

#

> I've packaged 0.10.0~svn806985~ppa1, which is a snapshot of the 0.10 branch
> that Jan created today, + the part of the patch for COUCHDB-478 that has not
> been applied to the branch yet.
>
> After merging with trunk and resolving the merge conflicts, I get errors on a
> number of tests, all appear to have the same cause: 401 on a HEAD request.

Yep. This is a COuch bug (http://issues.apache.org/jira/browse/COUCHDB-479) the fix for which has not yet been merged into trunk :-(

Revision history for this message

Stuart Langridge (sil) wrote on 2009-08-24:

#

> > I've packaged 0.10.0~svn806985~ppa1, which is a snapshot of the 0.10 branch
> > that Jan created today, + the part of the patch for COUCHDB-478 that has not
> > been applied to the branch yet.
> >
> > After merging with trunk and resolving the merge conflicts, I get errors on
> a
> > number of tests, all appear to have the same cause: 401 on a HEAD request.
>
> Yep. This is a COuch bug (http://issues.apache.org/jira/browse/COUCHDB-479)
> the fix for which has not yet been merged into trunk :-(

Ah, it may have been merged now, looking at the bug report, but I don't know if it's in our packages yet...

Revision history for this message

Mark G. Saye (markgsaye) wrote on 2009-08-24:

#

Download full text (5.6 KiB)

> bzr merge lp:~sil/desktopcouch/create-oauth-tokens-startup
M data/couchdb.tmpl
M desktopcouch/start_local_couchdb.py
Text conflict in desktopcouch/start_local_couchdb.py
1 conflicts encountered.

> bzr diff desktopcouch/start_local_couchdb.py
=== modified file 'desktopcouch/start_local_couchdb.py'
--- desktopcouch/start_local_couchdb.py 2009-08-21 22:45:24 +0000
+++ desktopcouch/start_local_couchdb.py 2009-08-24 11:12:48 +0000
@@ -34,14 +34,16 @@
"""

from __future__ import with_statement
-import os, subprocess, sys, glob
+import os, subprocess, sys, glob, random, string
import desktopcouch
from desktopcouch import local_files
import xdg.BaseDirectory
import errno
-import time
+import time, gtk, gnomekeyring
from desktopcouch.records.server import CouchDatabase

+ACCEPTABLE_USERNAME_PASSWORD_CHARS = string.lowercase + string.uppercase
+
def dump_ini(data, filename):
     """Dump INI data with sorted sections and keywords"""
     fd = open(filename, 'w')
@@ -60,9 +62,38 @@
         ini_path=local_files.FILE_INI, db_dir=local_files.DIR_DB,
         log_path=local_files.FILE_LOG, port="0"):
     """Write CouchDB ini file if not already present"""
+<<<<<<< TREE
     if os.path.exists(ini_path):
         return
     ini = {
+=======
+ if os.path.exists(local_files.FILE_INI):
+ # load the username and password from the keyring
+ try:
+ data = gnomekeyring.find_items_sync(gnomekeyring.ITEM_GENERIC_SECRET,
+ {'desktopcouch': 'basic'})
+ except gnomekeyring.NoMatchError:
+ data = None
+ if data:
+ username, password = data[0].secret.split(":")
+ return username, password
+ # otherwise fall through; for some reason the access details aren't
+ # in the keyring, so re-create the ini file and do it all again
+
+ # randomly generate tokens and usernames
+ def make_random_string(count):
+ return ''.join([random.choice(ACCEPTABLE_USERNAME_PASSWORD_CHARS)
+ for x in range(count)])
+
+ ADMIN_ACCOUNT_USERNAME = make_random_string(10)
+ ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD = make_random_string(10)
+ CONSUMER_KEY = make_random_string(10)
+ CONSUMER_SECRET = make_random_string(10)
+ TOKEN = make_random_string(10)
+ TOKEN_SECRET = make_random_string(10)
+
+ local = {
+>>>>>>> MERGE-SOURCE
         'couchdb': {
             'database_dir': db_dir,
             'view_index_dir': db_dir,
@@ -75,10 +106,51 @@
             'file': log_path,
             'level': 'info',
         },
+ 'admins': {
+ ADMIN_ACCOUNT_USERNAME: ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD
+ },
+ 'oauth_consumer_secrets': {
+ CONSUMER_KEY: CONSUMER_SECRET
+ },
+ 'oauth_token_secrets': {
+ TOKEN: TOKEN_SECRET
+ },
+ 'oauth_token_users': {
+ TOKEN: ADMIN_ACCOUNT_USERNAME
+ },
+ 'couch_httpd_auth': {
+ 'require_valid_user': 'true'
+ }
     }
+<<<<<<< TREE
     dump...

> bzr merge lp:~sil/desktopcouch/create-oauth-tokens-startup
 M  data/couchdb.tmpl                                                          
 M  desktopcouch/start_local_couchdb.py
Text conflict in desktopcouch/start_local_couchdb.py
1 conflicts encountered.

> bzr diff desktopcouch/start_local_couchdb.py
=== modified file 'desktopcouch/start_local_couchdb.py'
--- desktopcouch/start_local_couchdb.py	2009-08-21 22:45:24 +0000
+++ desktopcouch/start_local_couchdb.py	2009-08-24 11:12:48 +0000
@@ -34,14 +34,16 @@
 """
 
 from __future__ import with_statement
-import os, subprocess, sys, glob
+import os, subprocess, sys, glob, random, string
 import desktopcouch
 from desktopcouch import local_files
 import xdg.BaseDirectory
 import errno
-import time
+import time, gtk, gnomekeyring
 from desktopcouch.records.server import CouchDatabase
 
+ACCEPTABLE_USERNAME_PASSWORD_CHARS = string.lowercase + string.uppercase
+
 def dump_ini(data, filename):
     """Dump INI data with sorted sections and keywords"""
     fd = open(filename, 'w')
@@ -60,9 +62,38 @@
         ini_path=local_files.FILE_INI, db_dir=local_files.DIR_DB,
         log_path=local_files.FILE_LOG, port="0"):
     """Write CouchDB ini file if not already present"""
+<<<<<<< TREE
     if os.path.exists(ini_path):
         return
     ini = {
+=======
+    if os.path.exists(local_files.FILE_INI):
+        # load the username and password from the keyring
+        try:
+            data = gnomekeyring.find_items_sync(gnomekeyring.ITEM_GENERIC_SECRET,
+                                            {'desktopcouch': 'basic'})
+        except gnomekeyring.NoMatchError:
+            data = None
+        if data:
+            username, password = data[0].secret.split(":")
+            return username, password
+        # otherwise fall through; for some reason the access details aren't
+        # in the keyring, so re-create the ini file and do it all again
+    
+    # randomly generate tokens and usernames
+    def make_random_string(count):
+        return ''.join([random.choice(ACCEPTABLE_USERNAME_PASSWORD_CHARS)
+                        for x in range(count)])
+    
+    ADMIN_ACCOUNT_USERNAME = make_random_string(10)
+    ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD = make_random_string(10)
+    CONSUMER_KEY = make_random_string(10)
+    CONSUMER_SECRET = make_random_string(10)
+    TOKEN = make_random_string(10)
+    TOKEN_SECRET = make_random_string(10)
+    
+    local = {
+>>>>>>> MERGE-SOURCE
         'couchdb': {
             'database_dir': db_dir,
             'view_index_dir': db_dir,
@@ -75,10 +106,51 @@
             'file': log_path,
             'level': 'info',
         },
+        'admins': {
+            ADMIN_ACCOUNT_USERNAME: ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD
+        },
+        'oauth_consumer_secrets': {
+            CONSUMER_KEY: CONSUMER_SECRET
+        },
+        'oauth_token_secrets': {
+            TOKEN: TOKEN_SECRET
+        },
+        'oauth_token_users': {
+            TOKEN: ADMIN_ACCOUNT_USERNAME
+        },
+        'couch_httpd_auth': {
+            'require_valid_user': 'true'
+        }
     }
+<<<<<<< TREE
     dump_ini(ini, ini_path)
 
 def run_couchdb(exec_command=local_files.COUCH_EXEC_COMMAND):
+=======
+
+    dump_ini(local, local_files.FILE_INI)
+    # save admin account details in keyring
+    item_id = gnomekeyring.item_create_sync(
+            None,
+            gnomekeyring.ITEM_GENERIC_SECRET,
+            'Desktop Couch user authentication',
+            {'desktopcouch': 'basic'},
+            "%s:%s" % (ADMIN_ACCOUNT_USERNAME, ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD),
+            True)
+    # and oauth tokens
+    item_id = gnomekeyring.item_create_sync(
+            None,
+            gnomekeyring.ITEM_GENERIC_SECRET,
+            'Desktop Couch user authentication',
+            {'desktopcouch': 'oauth'},
+            "%s:%s:%s:%s" % (CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET),
+            True)
+    
+
+    return (ADMIN_ACCOUNT_USERNAME, ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD)
+
+def run_couchdb():
+>>>>>>> MERGE-SOURCE
     """Actually start the CouchDB process"""
     local_exec = exec_command + ['-b']
     try:
@@ -142,7 +214,7 @@
                 # than inefficiently just overwriting it regardless
                 db.add_view(view_name, mapjs, reducejs, dd_name)
 
-def write_bookmark_file():
+def write_bookmark_file(username, password):
     """Write out an HTML document that the user can bookmark to find their DB"""
     bookmark_file = os.path.join(local_files.DIR_DB, "couchdb.html")
 
@@ -182,21 +254,24 @@
             pass
     else:
         fp = open(bookmark_file, "w")
-        fp.write(html.replace("[[COUCHDB_PORT]]", port))
+        out = html.replace("[[COUCHDB_PORT]]", port)
+        out = out.replace("[[COUCHDB_USERNAME]]", username)
+        out = out.replace("[[COUCHDB_PASSWORD]]", password)
+        fp.write(out)
         fp.close()
         print "Browse your desktop CouchDB at file://%s" % \
           os.path.realpath(bookmark_file)
 
 def start_couchdb():
     """Execute each step to start a desktop CouchDB"""
-    create_ini_file()
+    username, password = create_ini_file()
     run_couchdb()
     # Note that we do not call update_design_documents here. This is because
     # Couch won't actually have started yet, so when update_design_documents
     # calls the Records API, that will call back into get_pid and we end up
     # starting Couch again. Instead, get_pid calls update_design_documents
     # *after* Couch startup has occurred.
-    write_bookmark_file()
+    write_bookmark_file(username, password)
 
 
 if __name__ == "__main__":

review: Needs Fixing

Revision history for this message

Elliot Murphy (statik) wrote on 2009-08-24:

#

> Ah, it may have been merged now, looking at the bug report, but I don't know
> if it's in our packages yet...

Yep, I made sure that the commit which included the purported fix for COUCHDB-479 was included in the couchdb snapshot, but looks like the fix for COUCHDB-479 was broken. We're waiting for couchdb devs to give us a working fix.

Revision history for this message

Elliot Murphy (statik) wrote on 2009-08-25:

#

rejecting this branch, and merging thisfreds noauth, which combines everything as we discussed this morning.

desktopcouch

Merge lp:~sil/desktopcouch/create-oauth-tokens-startup into lp:desktopcouch

Commit message

Description of the change

Unmerged revisions

Preview Diff

Subscribers

 === modified file 'data/couchdb.tmpl'
 --- data/couchdb.tmpl	2009-07-14 13:53:21 +0000
 +++ data/couchdb.tmpl	2009-08-20 12:55:54 +0000
@@ -31,7 +31,7 @@
  come back to browse your CouchDB again.</p>
  <p>Don't bookmark the CouchDB page itself, because its location may change!</p>
  <p>Taking you to your Desktop CouchDB in <span>30</span> seconds...
--<a id="there" href="http://localhost:[[COUCHDB_PORT]]/_utils">take me
++<a id="there" href="http://[[COUCHDB_USERNAME]]:[[COUCHDB_PASSWORD]]@localhost:[[COUCHDB_PORT]]/_utils">take me
  there straight away from now on</a> (remember to bookmark this page first!)</p>
  </body>
  </html>
 === modified file 'desktopcouch/start_local_couchdb.py'
 --- desktopcouch/start_local_couchdb.py	2009-08-19 16:00:01 +0000
 +++ desktopcouch/start_local_couchdb.py	2009-08-20 12:55:54 +0000
@@ -32,14 +32,16 @@
  """
  from __future__ import with_statement
--import os, subprocess, sys, glob
++import os, subprocess, sys, glob, random, string
  import desktopcouch
  from desktopcouch import local_files
  import xdg.BaseDirectory
  import errno
--import time
++import time, gtk, gnomekeyring
  from desktopcouch.records.server import CouchDatabase
++ACCEPTABLE_USERNAME_PASSWORD_CHARS = string.lowercase + string.uppercase
++
  def dump_ini(data, filename):
      """Dump INI data with sorted sections and keywords"""
      fd = open(filename, 'w')
@@ -56,18 +58,31 @@
  def create_ini_file():
      """Write CouchDB ini file if not already present"""
--    # FIXME add update trigger folder
--    #update_trigger_dir = [
--    #    'lib', 'canonical', 'ubuntuone', 'cloud_server', 'update_triggers']
--    #
--    #timestamp_trigger = os.path.join(
--    #    *update_trigger_dir + ['timestamp_trigger.py'])
--    #update_trigger =  os.path.join(
--    #    *update_trigger_dir + ['update_trigger.py'])
--
      if os.path.exists(local_files.FILE_INI):
--        return
--
++        # load the username and password from the keyring
++        try:
++            data = gnomekeyring.find_items_sync(gnomekeyring.ITEM_GENERIC_SECRET,
++                                            {'desktopcouch': 'basic'})
++        except gnomekeyring.NoMatchError:
++            data = None
++        if data:
++            username, password = data[0].secret.split(":")
++            return username, password
++        # otherwise fall through; for some reason the access details aren't
++        # in the keyring, so re-create the ini file and do it all again
++
++    # randomly generate tokens and usernames
++    def make_random_string(count):
++        return ''.join([random.choice(ACCEPTABLE_USERNAME_PASSWORD_CHARS)
++                        for x in range(count)])
++
++    ADMIN_ACCOUNT_USERNAME = make_random_string(10)
++    ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD = make_random_string(10)
++    CONSUMER_KEY = make_random_string(10)
++    CONSUMER_SECRET = make_random_string(10)
++    TOKEN = make_random_string(10)
++    TOKEN_SECRET = make_random_string(10)
++
      local = {
          'couchdb': {
              'database_dir': local_files.DIR_DB,
@@ -81,9 +96,43 @@
              'file': local_files.FILE_LOG,
              'level': 'info',
          },
++        'admins': {
++            ADMIN_ACCOUNT_USERNAME: ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD
++        },
++        'oauth_consumer_secrets': {
++            CONSUMER_KEY: CONSUMER_SECRET
++        },
++        'oauth_token_secrets': {
++            TOKEN: TOKEN_SECRET
++        },
++        'oauth_token_users': {
++            TOKEN: ADMIN_ACCOUNT_USERNAME
++        },
++        'couch_httpd_auth': {
++            'require_valid_user': 'true'
++        }
+     }
      dump_ini(local, local_files.FILE_INI)
++    # save admin account details in keyring
++    item_id = gnomekeyring.item_create_sync(
++            None,
++            gnomekeyring.ITEM_GENERIC_SECRET,
++            'Desktop Couch user authentication',
++            {'desktopcouch': 'basic'},
++            "%s:%s" % (ADMIN_ACCOUNT_USERNAME, ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD),
++            True)
++    # and oauth tokens
++    item_id = gnomekeyring.item_create_sync(
++            None,
++            gnomekeyring.ITEM_GENERIC_SECRET,
++            'Desktop Couch user authentication',
++            {'desktopcouch': 'oauth'},
++            "%s:%s:%s:%s" % (CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET),
++            True)
++
++
++    return (ADMIN_ACCOUNT_USERNAME, ADMIN_ACCOUNT_BASIC_AUTH_PASSWORD)
  def run_couchdb():
      """Actually start the CouchDB process"""
@@ -146,7 +195,7 @@
                  # than inefficiently just overwriting it regardless
                  db.add_view(view_name, mapjs, reducejs, dd_name)
--def write_bookmark_file():
++def write_bookmark_file(username, password):
      """Write out an HTML document that the user can bookmark to find their DB"""
      bookmark_file = os.path.join(local_files.DIR_DB, "couchdb.html")
@@ -182,21 +231,24 @@
              pass
      else:
          fp = open(bookmark_file, "w")
--        fp.write(html.replace("[[COUCHDB_PORT]]", port))
++        out = html.replace("[[COUCHDB_PORT]]", port)
++        out = out.replace("[[COUCHDB_USERNAME]]", username)
++        out = out.replace("[[COUCHDB_PASSWORD]]", password)
++        fp.write(out)
          fp.close()
          print "Browse your desktop CouchDB at file://%s" % \
            os.path.realpath(bookmark_file)
  def start_couchdb():
      """Execute each step to start a desktop CouchDB"""
--    create_ini_file()
++    username, password = create_ini_file()
      run_couchdb()
      # Note that we do not call update_design_documents here. This is because
      # Couch won't actually have started yet, so when update_design_documents
      # calls the Records API, that will call back into get_pid and we end up
      # starting Couch again. Instead, get_pid calls update_design_documents
      # *after* Couch startup has occurred.
--    write_bookmark_file()
++    write_bookmark_file(username, password)
  if __name__ == "__main__":