Http backend #61
Http backend #61
Conversation
njgheorghita
force-pushed
the
http-backend
branch
from
5c0d25a
to
b0e11e6
Compare
njgheorghita
force-pushed
the
http-backend
branch
6 times, most recently
from
4ab4671
to
b0534f6
Compare
njgheorghita
force-pushed
the
http-backend
branch
6 times, most recently
from
ae865bf
to
40d2703
Compare
njgheorghita
force-pushed
the
http-backend
branch
3 times, most recently
from
025d161
to
8a06f33
Compare
njgheorghita
force-pushed
the
http-backend
branch
9 times, most recently
from
c511a6b
to
2482b30
Compare
njgheorghita
force-pushed
the
http-backend
branch
3 times, most recently
from
d7e9ea0
to
b5c6c98
Compare
|
@pipermerriam ping for review. The scheme i'm using here isn't quite exactly, what's discussed in the ERC 1319](ethereum/EIPs#1319), I'm not sure if that's a problem or not. IMO just using the I also thought about requiring a content hash fragment suffixing the github uri . . . i.e. |
|
@njgheorghita on not including the hash in the URL: I don't think this is ok. While I agree that it doesn't allow for arbitrary modification of the resouce by the user, it doesn't provide protection against github serving up incorrect content. I acknowledge this probably isn't a concern we're likely to see realized, but I'd prefer we do it correctly and both require the hash as well as verifying the payload we receive matches said hash. Which makes me realize that we should be doing the same with the IPFS gateway backends (and probably generically via any of the IPFS backends) just to be doubly sure that the content we receive is indeed the content that should have been at the address. |
njgheorghita
force-pushed
the
http-backend
branch
2 times, most recently
from
6a4d4f2
to
04c78eb
Compare
njgheorghita
force-pushed
the
http-backend
branch
4 times, most recently
from
6cc6b74
to
a2fe704
Compare
|
@pipermerriam Makes sense, added the requirement for a valid content hash to the end of github uris. And added a validation to IPFS backend that the hash of the retrieved contents matches the content hash in the uri |
njgheorghita
force-pushed
the
http-backend
branch
2 times, most recently
from
5277de2
to
ac6b813
Compare
| @pytest.mark.parametrize( | ||
| "uri", | ||
| ( | ||
| "https://raw.githubusercontent.com/ethpm/ethpm-spec/3945c47dedb04930ee12c0281494a1b5bdd692a0/examples/owned/1.0.0.json", # noqa: E501 |
There was a problem hiding this comment.
Worth pointing out that this test will fail occasionally in CI since it makes network requests. I think that's ok for now, but it might be worth leaving a note in the test indicating as much.
tests/ethpm/utils/test_uri_utils.py
Outdated
| ("https://raw.githubusercontent.com", False), | ||
| # valid github urls | ||
| ("http://raw.githubusercontent.com/any/path", True), | ||
| ("https://raw.githubusercontent.com/any/path", True), |
There was a problem hiding this comment.
Allowing this will result in people not using content addressed URIs, which will result in people not correctly linking to commit based files which will lead to people using URIs like https://raw.githubusercontent.com/ethpm/ethpm-spec/master/examples/owned/1.0.0.json which will lead to people getting content that isn't guaranteed to remain static and I don't think that's something we want to allow.
docs/uri_backends.rst
Outdated
|
|
||
| .. py:method:: BaseURIBackend.can_resolve_uri(uri) | ||
|
|
||
| Returns a bool indicating whether or not this backend is capable of resolving the given URI to a manifest. |
There was a problem hiding this comment.
No need to cleanup now but:
- Wrong ?tense?. I think the official term is "imperitive present tense". See: Add
BeaconStateMachineoutline ethereum/py-evm#1373 (comment) - These are more suited for API docs and thus can be done with
autodocand docstrings. Take a look at how @cburgdorf has structured the documentation inpy-evm
There was a problem hiding this comment.
👍 autodoc, moving all (or as many) of the docs over to autodoc is next on my todo list
| - Go to the target manifest in your browser. | ||
| - Press ``y`` to generate the permalink in the address bar. | ||
| - Replace ``"github"`` with ``"raw.githubusercontent"``, and remove the ``"blob"`` namespace from the URI. | ||
| - Suffix the URI with ``#`` followed by the ``keccak`` hash of the bytes found at the Github URI. |
There was a problem hiding this comment.
Not for this PR, but it'd be pretty cool to provide a utility on the GithubOverHTTPSBackend that did this automatically with a uri and supported a handful of formats.
>>> GithubOverHTTPSBackend.get_permalink_with_content_hash('https://github.com/ethpm/ethpm-spec/blob/master/examples/owned/1.0.0.json')
"https://raw.githubusercontent.com/ethpm/ethpm-spec/3945c47dedb04930ee12c0281494a1b5bdd692a0/examples/owned/1.0.0.json#0x01cbc2a69a9f86e9d9e7b87475e2ba2619404dc8d6ee3cb3a8acf3176c2cace1"Should be able to:
- parse the repository name and file path and branch
- use the github API to pull the latest commit hash
- generate the
raw.github.comURL - pull the file and compute the
keccakof the contents.
This would be something well defined enough that it could be bountied.
ethpm/backends/http.py
Outdated
| return False | ||
|
|
||
| def fetch_uri_contents(self, uri: str) -> bytes: | ||
| http_uri, validation_hash = uri.split("#") |
There was a problem hiding this comment.
You should use urllib.parse.urlpase and pull the fragment from that return value.
ethpm/backends/ipfs.py
Outdated
| validation_hash = generate_file_hash(contents) | ||
| if validation_hash != ipfs_hash: | ||
| raise ValidationError( | ||
| "Hashed IPFS contents retrieved from uri: {0} " |
There was a problem hiding this comment.
If you're python 3.6+ you can start using f-strings for formatting: https://realpython.com/python-f-strings/
ethpm/validation.py
Outdated
| raise ValidationError( | ||
| "Invalid content-addressed URI. " | ||
| "Validation hash:{0} does not match the hash of URI contents: {1}.".format( | ||
| decoded_validation, hashed_contents |
There was a problem hiding this comment.
Probably good to output these in their hex encoded formats for friendlier error messages.
tests/conftest.py
Outdated
| @@ -104,6 +104,12 @@ def _get_factory(package, factory_name): | |||
| return _get_factory | |||
|
|
|||
|
|
|||
| @pytest.fixture | |||
| def owned_contract(): | |||
| with open(V2_PACKAGES_DIR / "owned" / "contracts" / "Owned.sol") as file_obj: | |||
There was a problem hiding this comment.
I think you can also do (V2_PACKAGES_DIR / "owned" / "contracts" / "Owned.sol").open() but I'm undecided on whether I think it's a good pattern. The outer parenthesis wrapping is sort of awkward. Not advocating change, just bringing up my thoughts.
There was a problem hiding this comment.
Agreed on the parenthesis wrapping being weird, but i'm a fan of pathlib and think the weirdness is worth it
tests/ethpm/test_dependencies.py
Outdated
| @@ -43,7 +43,7 @@ def test_get_dependency_package(dependencies): | |||
|
|
|||
| def test_validate_build_dependencies(dummy_ipfs_backend, piper_coin_manifest): | |||
| result = validate_build_dependency( | |||
| "standard-token", "ipfs://QmVu9zuza5mkJwwcFdh2SXBugm1oSgZVuEKkph9XLsbUwg" | |||
| "standard-token", "ipfs://QmVu9zuza5mkJwwcFdh2SXBugm1oSgZVuEKkph9XLsbUwg#0x123" | |||
njgheorghita
force-pushed
the
http-backend
branch
from
ac6b813
to
1f977b5
Compare
What was wrong?
URI backend needed to serve content-addressed github URIs
How was it fixed?
Wrote backend that serves github URIs conforming to
https://raw.githubusercontent.com/user/repo/commit_hash/path/to/manifest.jsonCute Animal Picture