Snapcraft

snapcraft register-key doesn't use U1 SSO login credentials

Bug #1634803 reported by Víctor R. Ruiz on 2016-10-19

12

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Snapcraft	New	Undecided	Unassigned
	snapd	Invalid	Undecided	Unassigned

Bug Description

Test case.
- snap create-key <key name>
- snapcraft login (and introduce U1 SSO credentials).
- snapcraft register-key <key name>

Expected result.
- snapcraft is logged and registers the key name.

Actual result.
- snapcraft register-key asks again for U1 SSO credentials.

Tested with snapcraft 2.19

Víctor R. Ruiz (vrruiz) on 2016-10-19

summary:

- snapcraft register-key doesn't remember login credentials
+ snapcraft register-key doesn't use U1 SSO login credentials

Revision history for this message

Leo Arias (elopio) wrote on 2016-10-26:

#1

I think this is by design. But I will ask Celso or Colin to confirm.

Revision history for this message

Sergio Schvezov (sergiusens) wrote on 2016-10-26: Re: [Bug 1634803] Re: snapcraft register-key doesn't use U1 SSO login credentials

#2

El 26/10/16 a las 12:10, Leo Arias escribió:
> I think this is by design. But I will ask Celso or Colin to confirm.
>

To solve this we need to pass the macaroon that snapcraft gets onto
snapd as snapd has the lower level logic to actually create the key.

Revision history for this message

Colin Watson (cjwatson) wrote on 2016-10-30:

#3

This is intentional. Registering a key is a security-sensitive operation and requires independent authentication: the macaroon that grants authority to register a key must be fresh (generated in the last five minutes) and it must contain a specific permission that is not a subset of that granted by "snapcraft login". The credentials granted by "snapcraft login" are longer-lived and persist on disk, and we intentionally ensure that there are no persistent credentials that permit registering a new key that an attacker could use to upload snaps on behalf of the user.

I would simply amend the test case to delete the "snapcraft login" step here.

Sergio: That's incorrect. snapd does not require a macaroon here, as it does not communicate with the store.

Revision history for this message

Sergio Schvezov (sergiusens) wrote on 2016-11-01:

#4

El 30 oct. 2016 5:25 PM, "Colin Watson" <email address hidden> escribió:
>
> This is intentional. Registering a key is a security-sensitive
> operation and requires independent authentication: the macaroon that
> grants authority to register a key must be fresh (generated in the last
> five minutes) and it must contain a specific permission that is not a
> subset of that granted by "snapcraft login". The credentials granted by
> "snapcraft login" are longer-lived and persist on disk, and we
> intentionally ensure that there are no persistent credentials that
> permit registering a new key that an attacker could use to upload snaps
> on behalf of the user.
>
> I would simply amend the test case to delete the "snapcraft login" step
> here.
>
> Sergio: That's incorrect. snapd does not require a macaroon here, as it
> does not communicate with the store.

Your comments make sense. I wonder if we should tweak the messaging a bit
and remove the double login request too.

Revision history for this message

Colin Watson (cjwatson) wrote on 2016-11-01:

#5

Is there a document somewhere that recommends running login before register-key? I couldn't find it on snapcraft.io if so.

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2019-10-01:

#6

I'm closing the snapd side of this task. Please provide additional information if my understanding is incorrect.

affects:	snappy → snapd
Changed in snapd:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.