ewjoachim / pypitoken

Creation & manipulation of PyPI tokens
http://pypitoken.readthedocs.io/en/latest/
MIT License

Add DateRestrictions #94

Closed ewjoachim closed 2 years ago

ewjoachim commented 2 years ago

Closes #92

Hey @fschulze :) Do you think you could do a round of code review? Also, I haven't taken the time to try the new macaroons against (Test)PyPI, so if you want to give it a try, feel free :) (you can generate an unscoped token on TestPyPI, then use this PR to create 2 tokens with time restrictions: one that includes now and one that excludes now. PyPI should let you upload with the first one and not with the 2nd one)

fschulze commented 2 years ago

Wow, that was fast! I'm not sure when I will get to testing, as I'll be unavailable most of the time from June 1st to 15th.

ewjoachim commented 2 years ago

Ok, then I'll do it on my side :)

ewjoachim commented 2 years ago
import datetime
import os

import pypitoken

now = datetime.datetime.now(tz=datetime.timezone.utc)
one_day = datetime.timedelta(days=1)
original_token = os.environ["TOKEN"]  # unscoped token generated on TestPyPI

# TOKEN_A: window [now, now + 1 day) includes now, so uploads should succeed
TOKEN_A = pypitoken.Token.load(original_token).restrict(not_before=now, not_after=now + one_day).dump()

# TOKEN_B: window [now - 2 days, now - 1 day) excludes now, so uploads should be refused
TOKEN_B = pypitoken.Token.load(original_token).restrict(not_before=now - one_day - one_day, not_after=now - one_day).dump()

$ twine upload -r testpypi --verbose dist/ewjoachim-test-0-1000.tar.gz -u __token__ -p $TOKEN_A
Using configuration from /Users/joachim/.pypirc
Uploading distributions to https://test.pypi.org/legacy/
  dist/ewjoachim-test-0-1000.tar.gz (1.2 KB)
username set by command options
password set by command options
username: __token__
password: <hidden>
Uploading ewjoachim-test-0-1000.tar.gz
100%|████████████████████████████████████████████████████████████████████████████████████████| 3.68k/3.68k [00:00<00:00, 4.74kB/s]

View at:
https://test.pypi.org/project/ewjoachim-test-0/1000/

$ twine upload -r testpypi --verbose dist/ewjoachim-test-0-1000.tar.gz -u __token__ -p $TOKEN_B
Using configuration from /Users/joachim/.pypirc
Uploading distributions to https://test.pypi.org/legacy/
  dist/ewjoachim-test-0-1000.tar.gz (1.2 KB)
username set by command options
password set by command options
username: __token__
password: <hidden>
Uploading ewjoachim-test-0-1000.tar.gz
100%|████████████████████████████████████████████████████████████████████████████████████████| 3.68k/3.68k [00:00<00:00, 6.83kB/s]
Content received from server:
<html>
 <head>
  <title>403 Invalid API Token: InvalidMacaroonError('invalid macaroon')</title>
 </head>
 <body>
  <h1>403 Invalid API Token: InvalidMacaroonError('invalid macaroon')</h1>
  Access was denied to this resource.<br/><br/>
Invalid API Token: InvalidMacaroonError(&#x27;invalid macaroon&#x27;)

 </body>
</html>
HTTPError: 403 Forbidden from https://test.pypi.org/legacy/
Invalid API Token: InvalidMacaroonError('invalid macaroon')

Seems it's working as expected!
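The two-token experiment above, as an added example that is not pypitoken's or PyPI's code: a minimal stand-in for the macaroon attenuation a date restriction relies on, showing why a holder can narrow a token's window without the root key but cannot widen it again. The root key, identifier and the `nbf`/`exp` caveat encoding are constructed for illustration and do not match PyPI's real wire format.

```python
import datetime as dt
import hashlib
import hmac
import json

ROOT_KEY = b"constructed-root-key"  # assumption: the server-side secret

def mint(identifier, key=ROOT_KEY):
    """Unrestricted token: identifier plus HMAC(key, identifier)."""
    sig = hmac.new(key, identifier.encode(), hashlib.sha256).digest()
    return {"id": identifier, "caveats": [], "sig": sig}

def restrict(token, not_before, not_after):
    """Attenuate by appending a date caveat. The holder needs no secret to add
    one, and because the signature is re-chained over it, it cannot be removed."""
    caveat = json.dumps({"nbf": int(not_before.timestamp()),
                         "exp": int(not_after.timestamp())})
    sig = hmac.new(token["sig"], caveat.encode(), hashlib.sha256).digest()
    return {"id": token["id"], "caveats": token["caveats"] + [caveat], "sig": sig}

def check(token, now, key=ROOT_KEY):
    """Server side: replay the HMAC chain and enforce every caveat."""
    sig = hmac.new(key, token["id"].encode(), hashlib.sha256).digest()
    for caveat in token["caveats"]:
        sig = hmac.new(sig, caveat.encode(), hashlib.sha256).digest()
        c = json.loads(caveat)
        if not c["nbf"] <= int(now.timestamp()) < c["exp"]:
            return False  # outside the window: the token is rejected
    return hmac.compare_digest(sig, token["sig"])

def _tokens():
    """The experiment's inputs: one window containing now, one ending yesterday."""
    now = dt.datetime.now(tz=dt.timezone.utc)
    one_day = dt.timedelta(days=1)
    root = mint("constructed-user-id")
    token_a = restrict(root, not_before=now, not_after=now + one_day)
    token_b = restrict(root, not_before=now - 2 * one_day, not_after=now - one_day)
    return now, token_a, token_b

def demo():
    """Returns (token_a_accepted, token_b_accepted): expected (True, False)."""
    now, token_a, token_b = _tokens()
    return check(token_a, now), check(token_b, now)

def widened_demo():
    """Editing TOKEN_B's caveat to widen the window breaks the chain: False."""
    now, _, token_b = _tokens()
    widened = dict(token_b, caveats=[json.dumps({"nbf": 0, "exp": 2 ** 40})])
    return check(widened, now)
```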

fschulze commented 2 years ago

I finally got around to implementing pypitoken support for the upcoming devpi-client 6.0.0 and successfully tested it with test.pypi.org. Thanks again!

ewjoachim commented 2 years ago

I hope it's ok, but I left a few comments on the commit introducing this in devpi-client. Nice work!