Install and refresh 404 on expired macaroon

I was going to test the upcoming snapd release but apparently I can’t install either one of them.

snap refresh --candidate core
error: cannot perform the following tasks:
- Download snap "core" (2601) from channel "candidate" (received an unexpected http response code (404) when trying to download https://api.snapcraft.io/api/v1/snaps/download/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2601.snap)

$ snap refresh --beta core
error: cannot perform the following tasks:
- Download snap "core" (2660) from channel "beta" (received an unexpected http response code (404) when trying to download https://api.snapcraft.io/api/v1/snaps/download/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2660.snap

Downloading the file via wget seems to work:

wget https://api.snapcraft.io/api/v1/snaps/download/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2660.snap
--2017-08-14 11:36:17--  https://api.snapcraft.io/api/v1/snaps/download/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2660.snap
Resolving api.snapcraft.io (api.snapcraft.io)... 91.189.92.19, 91.189.92.20
Connecting to api.snapcraft.io (api.snapcraft.io)|91.189.92.19|:443... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: https://068ed04f23.site.internapcdn.net/download-snap/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2660.snap?t=2017-08-14T11:00:00Z&h=5940fe7b5364098893c99c64d0a4ac8dbc4ec505 [following]
--2017-08-14 11:36:17--  https://068ed04f23.site.internapcdn.net/download-snap/99T7MUlRhtI3U0QFgl5mXXESAiSwt776_2660.snap?t=2017-08-14T11:00:00Z&h=5940fe7b5364098893c99c64d0a4ac8dbc4ec505
Resolving 068ed04f23.site.internapcdn.net (068ed04f23.site.internapcdn.net)... 95.172.71.43, 95.172.71.44, 95.172.71.45, ...
Connecting to 068ed04f23.site.internapcdn.net (068ed04f23.site.internapcdn.net)|95.172.71.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85331968 (81M) [application/octet-stream]

Apparently it’s not just core, though. I can’t install or refresh any snap right now. Others I tried are handbrake-jz and tmux.

For reference:

snap version
snap    2.26.14
snapd   2.26.14
series  16
ubuntu  16.04
kernel  4.4.0-87-generic

The store is refusing downloads from your snapd because one of its macaroons has expired. We’ll need to check some more details about your system to work out exactly what’s gone wrong.

Is this a standard Ubuntu desktop/laptop or a little-used VM? What’s the mtime on ~/.snap/auth.json, and does /var/lib/snapd/state.json have a [‘data’][‘auth’][‘device’] key next to [‘data’][‘auth’][‘users’]?

If you want to update immediately you should be able to just “snap logout” and “snap login” again, but it’d be great if you could wait a bit so we can inspect your system first.

1 Like

Heavily used Ubuntu desktop.

$ stat ~/.snap/auth.json
File: ‘/home/cris/.snap/auth.json’
Size: 2160 Blocks: 24 IO Block: 4096 regular file
Device: 42h/66d Inode: 3443250 Links: 1
Access: (0600/-rw-------) Uid: ( 1000/ cris) Gid: ( 1000/ cris)
Access: 2017-08-14 11:32:51.652570330 +0200
Modify: 2016-08-12 14:00:36.759964816 +0200
Change: 2016-08-12 14:00:36.759964816 +0200
Birth: -

No such key anywhere.

It seems you are hitting the user macaroons auth hard expiration limit (1 year). There is no auto-refresh in this case and the user should re-login. We should check/improve the error you get when trying a download, though (since it is not really a 404).

OTOH, there were some discussions in the past about extending this limit, maybe this is a good time to revisit it.

Hello!

We discussed this a bit, and in order to avoid a flurry of arbitrarily expired macaroons with no friendly error message, we’ll extend macaroon lifetime by a few weeks. This will allow us to then work on returning a proper error code (a 401, which I assume snapd will surface to the client as a “you need to login again” message), as that’s the correct behavior in the face of an expired macaroon and will happen eventually again.

However, we probably need to think again about whether we want macaroons to expire, as they do now. In order not to pollute this topic (which is a very clear problem report, the mitigation for which I’ve outlined above), I’ll start a new topic with that.

Let me know your thoughts!

  • Daniel

probably a bit more explanatory like: “your authentication token has expired…” else we trigger support questions … “why do i have to log in again, is something wong ?”

It seems pretty unreasonable to have the download of snaps that do not require authentication in the first place failing because the macaroon has expired. Is there a valid reason to do that, and otherwise can we change the logic so it doesn’t fail at all in those cases?

I made the same argument, and logic is being changed afaiu.

The store-side use/meaning of the result of snap login has grown a bit too organically, we need to review it a bit at some point, also because we never implemented so far “store activation” as a concept which would cover/intersect with some of these issue.

1 Like

Agreed, though per

" I assume snapd will surface to the client as a “you need to login again” message"

it’s just an assumption, I’m not saying that’s what snap shows the user :slight_smile:

1 Like