Listing all snaps from Brand Store requires "store admin"

Bug #1824538 reported by Konrad Zapałowicz
This bug affects 1 person
Affects: Snap Store Server
Status: Won't Fix
Importance: Undecided
Assigned to: Celso Providelo

Bug Description

To list snaps from Brand Store one can use the Brand Store (list all snaps) and Snaps (list releases for a snap) APIs.

The first stage (list all snaps) requires store_admin permissions, whereas for the second stage just the package_access is enough. It feels that requiring the admin-like permission for reading snaps from the store is too much and it would be better to be able to access this information w/o requiring such an elevated access level.

This has high importance as it triggers security issues.

Using viewer credentials does not change anything, store admin is required anyways:

λ ~ surl -s production -e <email address hidden> https://dashboard.snapcraft.io/api/v2/stores/$STOREID/snaps
Password for <email address hidden>:
{"error-list": [{"message": "Permission \"store_admin\" is required as a macaroon caveat.", "code": "macaroon-permission-required", "extra": {"permission": "store_admin"}}]}% λ ~

Bret Barker (noise)
Changed in snapstore:
assignee: nobody → Celso Providelo (cprov)
Celso Providelo (cprov) wrote :

Konrad,

There is a fundamental problem with your suggestion to reduce permission to access the Publisher's store-snaps (<dashboard>/api/v2/stores/<store>/snaps) because it's not equivalent to the Device's snap-browsing (api.s.io/api/v1/snaps) API.

See the usage examples:

{{{
# Store-snaps
$ surl -a prod-store https://dashboard.snapcraft.io//api/v2/stores/test-feeds/snaps | jq '.snaps | length'
10

# Snap-browsing
$ curl -s -H 'X-Ubuntu-Series: 16' -H 'X-Ubuntu-Store: test-feeds' "https://api.snapcraft.io/api/v1/snaps?fields=package_name" | jq '._embedded["clickindex:package"] | length'
103
}}}

The store-snaps API is supposed to be used by store-admins only because it doesn't include snaps from whitelisted stores, for which the store admin has no authority. The store-snaps API lists 3 categories of snaps only: local (registered in the context store), essential (implicitly inherited from Global) and included (from other stores that allow inclusion by the context one). Only the "included" snap set can be managed.

Summing up, the store-snaps API was not designed to "list all snaps in a store", but instead to manage snap inclusion. If one wants to list all snaps available in a store in their most-stable channel, the `snap-browsing` API should be used.

Let me know if the explanation makes sense.

Changed in snapstore:
status: New → Won't Fix
Konrad Zapałowicz (kzapalowicz) wrote :

All right, this makes sense - thank you for the explanations. Could you also link the relevant documentation page that I could share with the customer so that they have full information? Thanks in advance.

Celso Providelo (cprov) wrote :

Konrad,

We have just extended the existing API documentation to cover the store_snaps:

https://api.staging.snapcraft.io/docs/search.html

(this is from staging, mostly for review. We will roll it out to production later this week)
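
An added example, not part of the original bug report and not Snap Store code: a check a read-only integration could run on store responses so that it fails closed when an endpoint demands a macaroon permission beyond its policy, instead of being granted store_admin. The error body is the one quoted in the bug description; the snap-browsing sample, the `READ_ONLY_ALLOWED` policy and all function names are assumptions made for illustration.

```python
import json

# Error body copied from the bug description in this thread.
STORE_SNAPS_DENIED = r'{"error-list": [{"message": "Permission \"store_admin\" is required as a macaroon caveat.", "code": "macaroon-permission-required", "extra": {"permission": "store_admin"}}]}'

# Constructed sample in the shape the thread's jq filter reads from snap-browsing.
SNAP_BROWSING_OK = json.dumps({"_embedded": {"clickindex:package": [
    {"package_name": "example-snap-b"}, {"package_name": "example-snap-a"}]}})

# Hypothetical policy: permissions a read-only integration is allowed to hold.
READ_ONLY_ALLOWED = {"package_access"}


def missing_permissions(body):
    """Return the permissions the store reports the macaroon is lacking."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return set()
    if not isinstance(doc, dict):
        return set()
    missing = set()
    for err in doc.get("error-list", []):
        if err.get("code") == "macaroon-permission-required":
            perm = (err.get("extra") or {}).get("permission")
            if perm:
                missing.add(perm)
    return missing


def needs_escalation(body, allowed=READ_ONLY_ALLOWED):
    """Permissions the endpoint demands beyond what the client may hold."""
    return missing_permissions(body) - set(allowed)


def package_names(body):
    """Sorted package names from a snap-browsing body; [] for an error body."""
    doc = json.loads(body)
    pkgs = doc.get("_embedded", {}).get("clickindex:package", [])
    return sorted(p["package_name"] for p in pkgs if "package_name" in p)


if __name__ == "__main__":
    print("store-snaps needs:", needs_escalation(STORE_SNAPS_DENIED))
    print("snap-browsing lists:", package_names(SNAP_BROWSING_OK))
```

A non-empty result from `needs_escalation` is the signal to switch the integration to the snap-browsing endpoint rather than widen its credentials.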
