Release v0.19.0 #179

Merged, 38 commits, Oct 18, 2024
Conversation

sirosen (Member) commented Oct 18, 2024

Features

  • The token introspect checking and caching performed in AuthState has
    been improved.

    • The cache is keyed off of token hashes, rather than raw token strings.

    • The exp and nbf values are no longer verified, removing the
      possibility of incorrect treatment of valid tokens as invalid due to clock
      drift.

    • Introspect response caching caches the raw response even for invalid
      tokens, meaning that Action Providers will no longer repeatedly introspect
      a token once it is known to be invalid.

    • Scope validation raises a new, dedicated error class,
      globus_action_provider_tools.authentication.InvalidTokenScopesError, on
      failure.

Changes

  • The TokenChecker class has been removed and replaced in all cases with an
    AuthStateBuilder which better matches the purpose of this class.

  • The check_token flask-specific helper has been replaced with a
    FlaskAuthStateBuilder which subclasses AuthStateBuilder and
    specializes it to handle a flask.Request object.

  • The aud field of token introspect responses is no longer validated and
    fields associated with it have been removed. This includes changes to
    function and class initializer signatures.

    • The expected_audience field is no longer supported in AuthState and
      TokenChecker. It has been removed from the initializers for these
      classes.

    • globus_auth_client_name has been removed from ActionProviderBlueprint.

    • client_name has been removed from add_action_routes_to_blueprint.

Development

  • Move to src/ tree layout

  • Refactor AuthState.get_authorizer_for_scope without changing its
    primary outward semantics. The bypass_dependent_token_cache argument
    has been removed from its interface, as it is not necessary to expose
    with the improved implementation.


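The introspect caching and validation behaviour listed under Features above (and restated further down in the commit "Ensure introspect is cached even if 'active=False'") can be sketched in a few dozen lines. What follows is an added example, not code from globus-action-provider-tools or from this PR. It assumes an introspection backend that is any callable returning an RFC 7662-style dict, uses SHA-256 for the cache key and an arbitrary TTL, and introduces the name InactiveTokenError for the active=False case (only InvalidTokenScopesError appears in the notes). The token table standing in for the auth server is constructed for the demo.

```python
"""Added illustration, not globus-action-provider-tools code: a token
introspection cache with the properties the v0.19.0 notes describe.

Assumptions (mine, not the project's): the backend is any callable returning
an RFC 7662-style dict; the TTL and SHA-256 key are arbitrary choices; and
InactiveTokenError is a name introduced here for the active=False case.
"""
from __future__ import annotations

import hashlib
import time
from typing import Any, Callable


class InvalidTokenScopesError(Exception):
    """Name taken from the release notes; the attributes here are assumed."""

    def __init__(self, required: set[str], present: set[str]) -> None:
        self.required = required
        self.present = present
        super().__init__(f"token is missing scopes: {sorted(required - present)}")


class InactiveTokenError(Exception):
    """Assumed name for an introspect response carrying active=False."""


def token_cache_key(token: str) -> str:
    """Key cache entries by a digest so raw bearer tokens never sit in the cache."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class IntrospectCache:
    def __init__(
        self,
        introspect: Callable[[str], dict[str, Any]],
        ttl_seconds: float = 60.0,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._introspect = introspect
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: dict[str, tuple[float, dict[str, Any]]] = {}
        self.backend_calls = 0  # how often the real introspect endpoint was hit

    def get(self, token: str) -> dict[str, Any]:
        key = token_cache_key(token)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        response = self._introspect(token)
        self.backend_calls += 1
        # Store the raw response even when active is False: a token already
        # known to be bad is not sent back to the server on every request.
        self._entries[key] = (now + self._ttl, response)
        return response

    def check(self, token: str, required_scopes: set[str]) -> dict[str, Any]:
        response = self.get(token)
        # 'active' is the server's verdict; exp/nbf are deliberately not compared
        # against the local clock, so drift cannot turn a valid token invalid.
        if not response.get("active", False):
            raise InactiveTokenError("introspect reports token as not active")
        present = set(response.get("scope", "").split())
        if not required_scopes <= present:
            raise InvalidTokenScopesError(required_scopes, present)
        return response


# Constructed stand-in for the introspection endpoint (not real Globus data).
_FAKE_SERVER: dict[str, dict[str, Any]] = {
    "tok-valid": {"active": True, "scope": "openid urn:example:action:run", "sub": "u1"},
    "tok-revoked": {"active": False},
}


def fake_introspect(token: str) -> dict[str, Any]:
    return dict(_FAKE_SERVER.get(token, {"active": False}))


def demo() -> dict[str, Any]:
    """Exercise the cache with a controllable clock; returns checkable counts."""
    now = [1000.0]
    cache = IntrospectCache(fake_introspect, ttl_seconds=60.0, clock=lambda: now[0])

    cache.check("tok-valid", {"openid"})
    cache.check("tok-valid", {"openid"})  # served from cache
    calls_after_valid = cache.backend_calls  # 1

    for _ in range(3):
        try:
            cache.check("tok-revoked", set())
        except InactiveTokenError:
            pass
    calls_after_revoked = cache.backend_calls  # 2: the negative result is cached too

    scope_error = None
    try:
        cache.check("tok-valid", {"urn:example:action:admin"})
    except InvalidTokenScopesError as exc:
        scope_error = sorted(exc.required - exc.present)

    now[0] += 61.0  # TTL elapsed: the next check re-introspects
    cache.check("tok-valid", {"openid"})
    calls_after_expiry = cache.backend_calls  # 3

    return {
        "calls_after_valid": calls_after_valid,
        "calls_after_revoked": calls_after_revoked,
        "scope_error": scope_error,
        "calls_after_expiry": calls_after_expiry,
    }


if __name__ == "__main__":
    print(demo())
```

The point to keep in mind when adopting this shape: because negative results are cached for the full TTL, a token that is revoked and then somehow becomes active again (or a freshly issued token that was probed before it was active) stays rejected until the entry expires, so the TTL bounds both the cost of repeated bad tokens and the staleness of the verdict.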
kurtmckee and others added 30 commits June 27, 2024 16:37
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@a5ac7e5...692973e)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-0bd1363a87

Bump actions/checkout from 4.1.6 to 4.1.7 in the github-actions group
updates:
- [github.com/pycqa/flake8: 7.0.0 → 7.1.0](PyCQA/flake8@7.0.0...7.1.0)
Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4.
- [Commits](certifi/python-certifi@2024.06.02...2024.07.04)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…/test/certifi-2024.7.4

Bump certifi from 2024.6.2 to 2024.7.4 in /requirements/test
Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4.
- [Commits](certifi/python-certifi@2024.06.02...2024.07.04)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…/docs/certifi-2024.7.4

Bump certifi from 2024.6.2 to 2024.7.4 in /requirements/docs
Bumps the github-actions group with 3 updates: [actions/setup-python](https://github.com/actions/setup-python), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/setup-python` from 5.1.0 to 5.1.1
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@82c7e63...39cd149)

Updates `actions/upload-artifact` from 4.3.3 to 4.3.4
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@6546280...0b2256b)

Updates `actions/download-artifact` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@65a9edc...fa0a91b)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-5070efb06b

Bump the github-actions group with 3 updates
Bumps the github-actions group with 2 updates: [actions/setup-python](https://github.com/actions/setup-python) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/setup-python` from 5.1.1 to 5.2.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@39cd149...f677139)

Updates `actions/upload-artifact` from 4.3.4 to 4.4.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@0b2256b...5076954)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-142643c1bf

Bump the github-actions group with 2 updates
Remove tox `isolated_build` config options
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 4.1.7 to 4.2.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@692973e...d632683)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-aa3137d618

Bump actions/checkout from 4.1.7 to 4.2.0 in the github-actions group
Move to a src-layout and remove poetry.toml
updates:
- [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](pre-commit/pre-commit-hooks@v4.6.0...v5.0.0)
- [github.com/psf/black-pre-commit-mirror: 24.8.0 → 24.10.0](psf/black-pre-commit-mirror@24.8.0...24.10.0)
Removing audience checking is safe, in that we remain fully spec
compliant. The field is optional for servers and optional for clients
to validate even when it's present.

The source for the expected audience value is typically the same as
that of the client credentials, and therefore there is no additional
safety (e.g., against credential confusion bugs) being added by
requiring this field. It only serves to add surface area and
therefore complexity.

This is a breaking change, in that the interfaces for the library are
changing to remove a field.
sirosen and others added 8 commits October 11, 2024 12:30
This is a *large* surface area exposed via a very small number of
low-utility test helpers. The contracts here cannot be maintained as
the main source itself changes, and therefore each change to the
source requires an attendant change to the testing helpers and
documentation of the change in both locations.

Move the only "surviving" test in `test_mocks` to a new `test_meta`
test module.
- Ensure introspect is cached even if 'active=False'
- Don't check claims pointlessly: exp and nbf can fail if your clock
  is drifted, so it's not safe to be checking them unless users can
  configure a leeway. Also, 'active' tells you everything you need in
  OAuth2.
- Capture scope validation failures with an exception, not None.
- Cache by token hash, not full token string.
* Refactor `get_authorizer_for_scope`

Better control where and how dependent token callouts happen, and note
with inline FIXME comments several issues which persist even with the
refined implementation.

Logically, there is almost no change, although the refactor may make it
appear that there is one. `get_authorizer_for_scope` now retries
by clearing the cache and fetching new dependent tokens on failure,
and has clearer failure semantics.
This happened in the previous code as well -- if the access token is
expired and the refresh token is missing, a second call to get
dependent tokens is issued. However, due to an inaccurate type
annotation (`refresh_token` is `cast(str, ...)`, where it should be
`str | None`), it *appears* that there was a previously unreachable
behavior -- a retry -- which is now reachable.

In practical fact, these subtleties do not yet make any difference, as
`refresh_token` will always be present and will be a string if there
is any data at all. Anything else is an invalid and unreachable state,
given that refresh tokens are currently always requested.

With the refactor completed, we can tackle separate changes to
actually alter behavior.

* Add tests for dependent token handling

These are just some initial unit tests which validate that some of the
basic scenarios behave as expected.
* Make mypy stricter

- turn on a variety of mypy strictness flags, but stay short of
  `disallow_untyped_defs` -- which is why we aren't in strict mode
- `tox r -e mypy` does not pass any CLI flags
- cleanup numerous annotations
- in some cases, make minor implementation ordering adjustments to
  make things pass
- Put a small shim in place over TTLCache to allow its contents to be
  type checked

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update src/globus_action_provider_tools/utils.py

Co-authored-by: Ada <107940310+ada-globus@users.noreply.github.com>

* Fix typing issues on older pythons

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Ada <107940310+ada-globus@users.noreply.github.com>
This change replaces 'TokenChecker' wherever it appears.

This fixes some bad naming, but it also moves the confidential client
construction *out of* the state builder, so that it is more visible
and can be examined as a location which needs attention in order for us
to tune and control network behaviors.
* Replace releasing segments of workflow doc

Declare the steps which need to be performed, without extraneous
documentation about the hows and wherefores.

Discard misleading and overly verbose internal documentation.

This change only touches the sections of the workflow doc which touch
on release process, and only for normal releases.

* Refine the new releasing doc

* Define merge-back as a PR command
sirosen merged commit 46b3128 into globus:production on Oct 18, 2024. 13 of 14 checks passed.