[MIR] python-aws-requests-auth package

Bug #1915445 reported by Joshua Powers
Affects                            Status        Importance  Assigned to    Milestone
python-aws-requests-auth (Ubuntu)  Fix Released  Undecided   Utkarsh Gupta
  Bionic                           Fix Released  Undecided   Utkarsh Gupta
  Focal                            Fix Released  Undecided   Utkarsh Gupta
  Groovy                           Fix Released  Undecided   Utkarsh Gupta
  Hirsute                          Fix Released  Undecided   Utkarsh Gupta

Bug Description

[Availability]
python-aws-requests-auth was introduced in Bionic as a sync from Debian and carries no patches. It only depends on packages provided in main (python and python-requests). The package builds an architecture-independent package (all).

[Rationale]
This package is to be included in AWS cloud images the public cloud team builds going back to Bionic. As cloud images are to ship only packages from main, this request is to see that happen.

[Security]
As there is network communication to authenticate this warrants a security review. The good news is the entire package is a couple of hundred lines of python.

[Quality assurance]
There are currently 0 open bug reports (excluding this one) about the package in Ubuntu or Debian.

[Dependencies]
python and python-requests, both in main already

[Standards compliance]
$ lintian python-aws-requests-auth_0.4.3-1.dsc
W: python-aws-requests-auth source: newer-standards-version 4.5.1 (current is 4.5.0)

[Maintenance]
Foundations team

[Background information]
This package allows you to authenticate to AWS with Amazon's signature version 4 signing process with the python requests library.

Upstream:
https://github.com/davidmuller/aws-requests-auth
Launchpad page:
https://launchpad.net/ubuntu/+source/python-aws-requests-auth
Ubuntu bugs:
https://bugs.launchpad.net/ubuntu/+source/python-aws-requests-auth
Debian Package Tracker:
https://tracker.debian.org/pkg/python-aws-requests-auth
Debian bugs:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=python-aws-requests-auth


Joshua Powers (powersj)
description: updated
Joshua Powers (powersj)
description: updated
Changed in python-aws-requests-auth (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Christian Ehrhardt  (paelzer) wrote :

[Summary]
MIR Team ack, but a few follow-ups are needed to complete.
This does need a security review.
List of specific binary packages to be promoted to main: python3-aws-requests-auth

Required TODOs:
- subscriber was suggested to be foundations, but I'd need foundations
  to say that they are ok with that.
  @Matt - I'm assigning to you so you can make that call. If you agree
  subscribe Foundations-bugs (or at least confirm that you will do so
  eventually) - once done please assign ubuntu-security who is the next
  team that has to look at this.

Recommended TODOs:
- the source has tests, but they don't run at build time.
  Fixing that should be some easy extra coverage.
  @Josh/@Matt - do you have someone who could look at this?

[Duplication]
There is no other package in main providing the same functionality.
python3-awsauth comes close, but is not in main, and limited to just S3.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning (none)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does not parse data formats
- does not deal with system authentication - not for the local system, but
  authentication it is. As Josh outlined this gladly is rather small, so
  it might be quick.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest (although superficial)
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Problems:
- does not have a test suite that runs at build time
  There would be these:
  ./aws_requests_auth/tests/test_boto_utils.py
  ./aws_requests_auth/tests/test_aws_auth.py
  Which for some reason are not discovered on python3.9 -m unittest discover -v
  at build time, fixing that up would help to get this more stable.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is slow but ok (not much movement)
- Debian/Ubuntu update history is slow but ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in python-aws-requests-auth (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Matthieu Clemenceau (mclemenceau)
Changed in python-aws-requests-auth (Ubuntu):
assignee: Matthieu Clemenceau (mclemenceau) → nobody
Christian Ehrhardt  (paelzer) wrote :

Matt has subscribed foundations (thanks)
$ ./get-packages-subscribed.py --team foundations-bugs -p | grep aws
python-aws-requests-auth

I've assigned it to the security Team for their review as the next step.

Changed in python-aws-requests-auth (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Utkarsh Gupta (utkarsh) wrote :

Hi Christian, MIR team,

[since I'm taking over this MIR..]

> Recommended TODOs:
> - the source has tests, but they don't run at build time.
> Fixing that should be some easy extra coverage.

and

> Problems:
> - does not have a test suite that runs at build time
> There would be these:
> ./aws_requests_auth/tests/test_boto_utils.py
> ./aws_requests_auth/tests/test_aws_auth.py
> Which for some reason are not discovered [...] at build time,
> fixing that up would help to get this more stable.

Both these things should be fixed now with the new upload to Debian (which has already sync'd in here; in the proposed pocket):

 python-aws-requests-auth (0.4.3-2) unstable; urgency=medium
 .
   * Team upload.
   * Run upstream tests during build time.
     - and thus add BD on python3-{mock,botocore}.
 .
  -- Utkarsh Gupta <email address hidden> Sat, 15 May 2021 20:16:59 +0530

Let me know if there's anything missing here to fix. TIA! :)

Christian Ehrhardt  (paelzer) wrote :

From:
https://launchpadlibrarian.net/539104376/buildlog_ubuntu-impish-amd64.python-aws-requests-auth_0.4.3-2_BUILDING.txt.gz

   dh_auto_test -O--buildsystem=pybuild
I: pybuild base:232: cd /<<PKGBUILDDIR>>/.pybuild/cpython3_3.9_aws-requests-auth/build; python3.9 -m unittest discover -v /<<PKGBUILDDIR>>/aws_requests_auth/tests/
test_auth_for_get (test_aws_auth.TestAWSRequestsAuth) ... ok
test_auth_for_post (test_aws_auth.TestAWSRequestsAuth) ... ok
test_auth_for_post_with_str_body (test_aws_auth.TestAWSRequestsAuth) ... ok
test_auth_for_post_with_unicode_body_python2 (test_aws_auth.TestAWSRequestsAuth) ... skipped "python3 produces a different hash that we're comparing."
test_auth_for_post_with_unicode_body_python3 (test_aws_auth.TestAWSRequestsAuth) ... ok
test_characters_escaped_in_path (test_aws_auth.TestAWSRequestsAuth)
Assert we generate the 'correct' cannonical query string ... ok
test_multiple_get_params (test_aws_auth.TestAWSRequestsAuth)
Assert we generate the 'correct' cannonical query string ... ok
test_no_query_params (test_aws_auth.TestAWSRequestsAuth)
Assert we generate the 'correct' cannonical query string ... ok
test_path_with_querystring (test_aws_auth.TestAWSRequestsAuth)
Assert we generate the 'correct' cannonical query string ... ok
test_post_request_with_get_param (test_aws_auth.TestAWSRequestsAuth)
Assert we generate the 'correct' cannonical query string ... ok
test_boto_class (test_boto_utils.TestBotoUtils) ... ok
test_get_credentials (test_boto_utils.TestBotoUtils) ... ok

----------------------------------------------------------------------
Ran 12 tests in 0.051s

I agree that those are good now, all you need to be ready is to complete the security review.

Avital Ostromich (avital) wrote :

I reviewed python-aws-requests-auth 0.4.3-2 as checked into impish. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-aws-requests-auth is a python package for manually signing AWS requests with additional functionality to retrieve AWS credentials via boto.

- CVE History:
  - No history of CVEs
- Build-Depends?
  - debhelper-compat (= 13), dh-python, python3-all, python3-botocore, python3-mock, python3-setuptools
- pre/post inst/rm scripts?
  - Populated automatically by python debhelper
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - Unit tests passing
  - Unit tests run during build
  - Well-documented test suite
- No cron jobs
- Build logs:
  - No significant build errors or warnings
  - No lintian failures

- No processes spawned
- Memory management N/A
- No file IO
- No logging
- No environment variables
- No use of privileged functions
- Use of cryptography
  - Uses python HMAC module to sign the requests, in accordance with the official AWS examples.
- No use of temp files
- Use of networking
  - Retrieves AWS credentials with boto module in a non-core/convenience function.
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results
- No significant shellcheck results
- No significant bandit results

python-aws-requests-auth is not currently actively maintained upstream (https://github.com/DavidMuller/aws-requests-auth/pull/52#issuecomment-583591776); the latest PR from Feb 2021 has not been responded to. That said, the code base is small and neatly documented, heavily drawing from the existing AWS example code for its functionality.

Security team ACK for promoting python-aws-requests-auth to main.
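The signing step the review refers to (HMAC-SHA256 per AWS Signature Version 4, the same process named in the bug's background information) is sketched below as an added, stdlib-only example; it is not code from python-aws-requests-auth or from the AWS examples. Credentials, host, path and dates are constructed placeholders, and the x-amz-content-sha256 header is an assumption for illustration. It shows the two points a reviewer cares about: the raw secret is only ever the root of a derived-key chain, and the canonical query string and path are escaped and sorted before hashing, which is what the package's "canonical query string" unit tests in the build log above exercise.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
UNRESERVED = "-_.~"  # RFC 3986 unreserved marks; quote() never escapes letters or digits


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query_string(params: dict) -> str:
    """URI-encode every key and value (only unreserved chars kept), then sort by key."""
    pairs = sorted(
        (quote(str(k), safe=UNRESERVED), quote(str(v), safe=UNRESERVED))
        for k, v in params.items()
    )
    return "&".join(f"{k}={v}" for k, v in pairs)


def canonical_uri(path: str) -> str:
    """URI-encode each path segment, keeping '/' separators; an empty path is '/'."""
    return quote(path or "/", safe="/" + UNRESERVED)


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key chain: kDate -> kRegion -> kService -> kSigning. The raw secret
    is only the root of the chain and never keys the request signature itself."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, params, body, access_key, secret_key,
                 region, service, amz_date):
    """Return the request headers, including Authorization, for a SigV4-signed request.

    body must be bytes: a str payload has to be encoded (UTF-8) before hashing,
    otherwise client and service hash different octets and the signature fails.
    """
    date_stamp = amz_date[:8]  # YYYYMMDD taken from YYYYMMDDTHHMMSSZ
    payload_hash = _sha256_hex(body)
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        canonical_uri(path),
        canonical_query_string(params),
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, credential_scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{credential_scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed placeholder credentials and endpoint; not real keys or hosts.
    signed = sign_request(
        "GET", "search-placeholder.eu-west-1.es.amazonaws.com", "/_search",
        {"q": "status:ok", "size": 5}, b"",
        "AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER", "eu-west-1", "es",
        "20210515T201659Z",
    )
    for name, value in signed.items():
        print(f"{name}: {value}")
```

The signed headers can be attached to a requests call directly; a library such as python-aws-requests-auth wraps the same computation in a requests AuthBase so it runs per request. Because the x-amz-date is part of the credential scope, a captured Authorization header is only replayable within the service's clock-skew window, which is why the date is signed rather than merely sent.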

Changed in python-aws-requests-auth (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Christian Ehrhardt  (paelzer) wrote :

Thank you, thereby this is ready to be promoted.
It is not yet in component mismatches, so @utkarsh please pull it in somehow.

Changed in python-aws-requests-auth (Ubuntu):
status: New → In Progress
Utkarsh Gupta (utkarsh) wrote :

Hi Christian,

With your MIR hat on, can you please give an explicit ACK on promoting src:python-aws-requests-auth for all the releases until Bionic? (see: https://code.launchpad.net/~utkarsh/ubuntu-seeds/+git/ubuntu-seeds/+merge/404492/comments/1066318).

TIA! \o/

Changed in python-aws-requests-auth (Ubuntu Bionic):
status: New → In Progress
Changed in python-aws-requests-auth (Ubuntu Focal):
status: New → In Progress
Changed in python-aws-requests-auth (Ubuntu Groovy):
status: New → In Progress
Changed in python-aws-requests-auth (Ubuntu Hirsute):
status: New → In Progress
Changed in python-aws-requests-auth (Ubuntu):
assignee: nobody → Utkarsh Gupta (utkarsh)
Changed in python-aws-requests-auth (Ubuntu Bionic):
assignee: nobody → Utkarsh Gupta (utkarsh)
Changed in python-aws-requests-auth (Ubuntu Focal):
assignee: nobody → Utkarsh Gupta (utkarsh)
Changed in python-aws-requests-auth (Ubuntu Groovy):
assignee: nobody → Utkarsh Gupta (utkarsh)
Changed in python-aws-requests-auth (Ubuntu Hirsute):
assignee: nobody → Utkarsh Gupta (utkarsh)
Changed in python-aws-requests-auth (Ubuntu):
status: In Progress → Fix Committed
Christian Ehrhardt  (paelzer) wrote :

Yes that should be fine, it was discussed and reviewed with that in mind.

Utkarsh Gupta (utkarsh)
Changed in python-aws-requests-auth (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in python-aws-requests-auth (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in python-aws-requests-auth (Ubuntu Groovy):
status: In Progress → Fix Committed
Changed in python-aws-requests-auth (Ubuntu Hirsute):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Override component to main
python-aws-requests-auth 0.4.3-2 in impish: universe/misc -> main
python3-aws-requests-auth 0.4.3-2 in impish amd64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-2 in impish arm64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-2 in impish armhf: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-2 in impish i386: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-2 in impish ppc64el: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-2 in impish riscv64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-2 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-aws-requests-auth (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
python-aws-requests-auth 0.4.3-1 in hirsute: universe/misc -> main
python3-aws-requests-auth 0.4.3-1 in hirsute amd64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-1 in hirsute arm64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-1 in hirsute armhf: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-1 in hirsute i386: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-1 in hirsute ppc64el: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-1 in hirsute riscv64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.3-1 in hirsute s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-aws-requests-auth (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
python-aws-requests-auth 0.4.1-2 in groovy: universe/misc -> main
python3-aws-requests-auth 0.4.1-2 in groovy amd64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in groovy arm64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in groovy armhf: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in groovy i386: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in groovy ppc64el: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in groovy riscv64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in groovy s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-aws-requests-auth (Ubuntu Groovy):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
python-aws-requests-auth 0.4.1-2 in focal: universe/misc -> main
python3-aws-requests-auth 0.4.1-2 in focal amd64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in focal arm64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in focal armhf: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in focal i386: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in focal ppc64el: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in focal riscv64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-2 in focal s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-aws-requests-auth (Ubuntu Focal):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
python-aws-requests-auth 0.4.1-1 in bionic: universe/misc -> main
1 publication overridden.
Override component to main
python3-aws-requests-auth 0.4.1-1 in bionic amd64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-1 in bionic arm64: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-1 in bionic armhf: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-1 in bionic i386: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-1 in bionic ppc64el: universe/python/optional/100% -> main
python3-aws-requests-auth 0.4.1-1 in bionic s390x: universe/python/optional/100% -> main
6 publications overridden.

Changed in python-aws-requests-auth (Ubuntu Bionic):
status: Fix Committed → Fix Released