Update upstream source from tag 'upstream/1.2.1'

Update to upstream version '1.2.1'
with Debian dir ccd0e7fdc6e29a6c6f8c47c3e463ae6e6a3343c3

2 files changed, 21 insertions, 12 deletions

diff --git a/macaroonbakery/bakery/_discharge.py b/macaroonbakery/bakery/_discharge.py
index 1831209..32284b7 100644
--- a/macaroonbakery/bakery/_discharge.py
+++ b/macaroonbakery/bakery/_discharge.py
@@ -33,9 +33,12 @@ def discharge_all(m, get_discharge, local_key=None):
     It returns a list of macaroon with m as the first element, followed by all
     the discharge macaroons.
     All the discharge macaroons will be bound to the primary macaroon.
+
     The get_discharge function is passed a context (AuthContext),
-    the caveat(Caveat) to be discharged and encrypted_caveat (bytes)will be
+    the caveat(pymacaroons.Caveat) to be discharged and encrypted_caveat (bytes) will be
     passed the external caveat payload found in m, if any.
+    It should return a bakery.Macaroon object holding the discharge
+    macaroon for the third party caveat.
     '''
     primary = m.macaroon
     discharges = [primary]
@@ -161,7 +164,7 @@ def discharge(ctx, id, caveat, key, checker, locator):
         raise VerificationError(exc.args[0])
 
     if cond == checkers.COND_NEED_DECLARED:
-        cav_info = cav_info._replace(condition=arg.encode('utf-8'))
+        cav_info = cav_info._replace(condition=arg)
         caveats = _check_need_declared(ctx, cav_info, checker)
     else:
         caveats = checker.check_third_party_caveat(ctx, cav_info)
@@ -185,7 +188,7 @@ def discharge(ctx, id, caveat, key, checker, locator):
 
 
 def _check_need_declared(ctx, cav_info, checker):
-    arg = cav_info.condition.decode('utf-8')
+    arg = cav_info.condition
     i = arg.find(' ')
     if i <= 0:
         raise VerificationError(
@@ -197,7 +200,7 @@ def _check_need_declared(ctx, cav_info, checker):
             raise VerificationError('need-declared caveat with empty required attribute')
     if len(need_declared) == 0:
         raise VerificationError('need-declared caveat with no required attributes')
-    cav_info = cav_info._replace(condition=arg[i + 1:].encode('utf-8'))
+    cav_info = cav_info._replace(condition=arg[i + 1:])
     caveats = checker.check_third_party_caveat(ctx, cav_info)
     declared = {}
     for cav in caveats:
diff --git a/macaroonbakery/bakery/_oven.py b/macaroonbakery/bakery/_oven.py
index 414a164..d0a2a23 100644
--- a/macaroonbakery/bakery/_oven.py
+++ b/macaroonbakery/bakery/_oven.py
@@ -28,10 +28,6 @@ from macaroonbakery._utils import (
 )
 from ._internal import id_pb2
 from pymacaroons import MACAROON_V2, Verifier
-from pymacaroons.exceptions import (
-    MacaroonInvalidSignatureException,
-    MacaroonUnmetCaveatException,
-)
 
 
 class Oven:
@@ -183,10 +179,20 @@ class Oven:
         v.satisfy_general(validator)
         try:
             v.verify(macaroons[0], root_key, macaroons[1:])
-        except (MacaroonUnmetCaveatException,
-                MacaroonInvalidSignatureException) as exc:
-            raise VerificationError(
-                'verification failed: {}'.format(exc.args[0]))
+        except Exception as exc:
+            # Unfortunately pymacaroons doesn't control
+            # the set of exceptions that can be raised here.
+            # Possible candidates are:
+            # pymacaroons.exceptions.MacaroonUnmetCaveatException
+            # pymacaroons.exceptions.MacaroonInvalidSignatureException
+            # ValueError
+            # nacl.exceptions.CryptoError
+            #
+            # There may be others too, so just catch everything.
+            raise six.raise_from(
+                VerificationError('verification failed: {}'.format(str(exc))),
+                exc,
+            )
 
         if (self.ops_store is not None
             and len(ops) == 1