Release v0.19.0 #179
Merged
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Merge back to `main`
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@a5ac7e5...692973e)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-0bd1363a87 Bump actions/checkout from 4.1.6 to 4.1.7 in the github-actions group
updates: - [github.com/pycqa/flake8: 7.0.0 → 7.1.0](PyCQA/flake8@7.0.0...7.1.0)
[pre-commit.ci] pre-commit autoupdate
Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4.
- [Commits](certifi/python-certifi@2024.06.02...2024.07.04)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…/test/certifi-2024.7.4 Bump certifi from 2024.6.2 to 2024.7.4 in /requirements/test
Bumps [certifi](https://github.com/certifi/python-certifi) from 2024.6.2 to 2024.7.4.
- [Commits](certifi/python-certifi@2024.06.02...2024.07.04)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…/docs/certifi-2024.7.4 Bump certifi from 2024.6.2 to 2024.7.4 in /requirements/docs
Run `tox run -m update`
Bumps the github-actions group with 3 updates: [actions/setup-python](https://github.com/actions/setup-python), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact).

Updates `actions/setup-python` from 5.1.0 to 5.1.1
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@82c7e63...39cd149)

Updates `actions/upload-artifact` from 4.3.3 to 4.3.4
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@6546280...0b2256b)

Updates `actions/download-artifact` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@65a9edc...fa0a91b)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-5070efb06b Bump the github-actions group with 3 updates
Bumps the github-actions group with 2 updates: [actions/setup-python](https://github.com/actions/setup-python) and [actions/upload-artifact](https://github.com/actions/upload-artifact).

Updates `actions/setup-python` from 5.1.1 to 5.2.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@39cd149...f677139)

Updates `actions/upload-artifact` from 4.3.4 to 4.4.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@0b2256b...5076954)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-142643c1bf Bump the github-actions group with 2 updates
Remove tox `isolated_build` config options
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 4.1.7 to 4.2.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@692973e...d632683)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-aa3137d618 Bump actions/checkout from 4.1.7 to 4.2.0 in the github-actions group
Add Max to CODEOWNERS
Move to a src-layout and remove poetry.toml
updates:
- [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](pre-commit/pre-commit-hooks@v4.6.0...v5.0.0)
- [github.com/psf/black-pre-commit-mirror: 24.8.0 → 24.10.0](psf/black-pre-commit-mirror@24.8.0...24.10.0)
Remove an unused and deprecated module
[pre-commit.ci] pre-commit autoupdate
Removing audience checking is safe, in that we remain fully spec compliant. The field is optional for servers and optional for clients to validate even when it's present. The source for the expected audience value is typically the same as that of the client credentials, and therefore there is no additional safety (e.g., against credential confusion bugs) being added by requiring this field. It only serves to add surface area and therefore complexity. This is a breaking change, in that the interfaces for the library are changing to remove a field.
This is a *large* surface area exposed via a very small number of low-utility test helpers. The contracts here cannot be maintained as the main source itself changes, and therefore each change to the source requires an attendant change to the testing helpers and documentation of the change in both locations. Move the only "surviving" test in `test_mocks` to a new `test_meta` test module.
- Ensure introspect is cached even if 'active=False'
- Don't check claims pointlessly: exp and nbf can fail if your clock has drifted, so it's not safe to be checking them unless users can configure a leeway. Also, 'active' tells you everything you need in OAuth2.
- Capture scope validation failures with an exception, not None.
- Cache by token hash, not full token string.
* Refactor `get_authorizer_for_scope`

  Better control where and how dependent token callouts happen, and note with inline FIXME comments several issues which persist even with the refined implementation.

  Logically, there is almost no change, although the refactor may make it appear that there is one. `get_authorizer_for_scope` now retries by clearing the cache and fetching new dependent tokens on failure, and has clearer failure semantics. This happened in the previous code as well -- if the access token is expired and the refresh token is missing, a second call to get dependent tokens is issued. However, due to an inaccurate type annotation (`refresh_token` is `cast(str, ...)`, where it should be `str | None`), it *appears* that there was a previously unreachable behavior -- a retry -- which is now reachable.

  In practical fact, these subtleties do not yet make any difference, as `refresh_token` will always be present and will be a string if there is any data at all. Anything else is an invalid and unreachable state, given that refresh tokens are currently always requested.

  With the refactor completed, we can tackle separate changes to actually alter behavior.

* Add tests for dependent token handling

  These are just some initial unit tests which validate that some of the basic scenarios behave as expected.
* Make mypy stricter
  - turn on a variety of mypy strictness flags, but stay short of `disallow_untyped_defs` -- which is why we aren't in strict mode
  - `tox r -e mypy` does not pass any CLI flags
  - clean up numerous annotations
  - in some cases, make minor implementation ordering adjustments to make things pass
  - Put a small shim in place over TTLCache to allow its contents to be type checked
* [pre-commit.ci] auto fixes from pre-commit.com hooks
  for more information, see https://pre-commit.ci
* Update src/globus_action_provider_tools/utils.py
  Co-authored-by: Ada <107940310+ada-globus@users.noreply.github.com>
* Fix typing issues on older pythons

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Ada <107940310+ada-globus@users.noreply.github.com>
This change replaces 'TokenChecker' wherever it appears. This fixes some bad naming, but it also moves the confidential client construction *out of* the state builder, so that it is more visible and can be examined as a location which needs attention in order for us to tune and control network behaviors.
* Replace releasing segments of workflow doc

  Declare the steps which need to be performed, without extraneous documentation about the hows and wherefores. Discard misleading and overly verbose internal documentation.

  This change only touches the sections of the workflow doc which touch on release process, and only for normal releases.

* Refine the new releasing doc
* Define merge-back as a PR command
sirosen requested review from ada-globus, derek-globus, jakeglobus and kurtmckee as code owners on October 18, 2024 17:06
kurtmckee approved these changes on Oct 18, 2024
Features

- The token introspect checking and caching performed in `AuthState` has been improved.
  - The cache is keyed off of token hashes, rather than raw token strings.
  - The `exp` and `nbf` values are no longer verified, removing the possibility of incorrect treatment of valid tokens as invalid due to clock drift.
  - Introspect response caching caches the raw response even for invalid tokens, meaning that Action Providers will no longer repeatedly introspect a token once it is known to be invalid.
  - Scope validation raises a new, dedicated error class, `globus_action_provider_tools.authentication.InvalidTokenScopesError`, on failure.
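The four introspect-cache behaviours listed above, modelled in one place as an added example. This is not code from globus-action-provider-tools: the `IntrospectCache`, `check_scopes` and `FakeIntrospectServer` names, the `introspect(token) -> dict` callable, and the sample tokens are all constructed for this illustration; only the `InvalidTokenScopesError` class name is taken from the changelog, and the class here is a stand-in, not the library's.

```python
"""Added example: hash-keyed introspect cache that also caches negative results
and reports scope failures with a dedicated exception. Not project code."""
import hashlib
import time
from typing import Callable, Dict, Iterable, Tuple


class InvalidTokenScopesError(ValueError):
    """Stand-in for the library's dedicated scope error (assumed shape)."""

    def __init__(self, required: Iterable[str], actual: Iterable[str]) -> None:
        self.required_scopes = frozenset(required)
        self.actual_scopes = frozenset(actual)
        super().__init__(
            f"token scopes {sorted(self.actual_scopes)} do not include "
            f"required scopes {sorted(self.required_scopes)}"
        )


def token_cache_key(token: str) -> str:
    """Key the cache by SHA-256 of the bearer token, so neither the cache nor
    any debug dump of it ever holds the secret itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class IntrospectCache:
    """TTL cache in front of an introspect call. Assumed signature:
    introspect(token) -> dict shaped like an RFC 7662 response."""

    def __init__(self, introspect: Callable[[str], dict], ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._introspect = introspect
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, dict]] = {}

    def get(self, token: str) -> dict:
        key = token_cache_key(token)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        response = self._introspect(token)
        # Store the raw response whether or not active=True: a token already
        # known to be invalid must not cost one introspect call per request.
        self._entries[key] = (now + self._ttl, response)
        return response

    def holds_raw_token(self, token: str) -> bool:
        return token in self._entries


def check_scopes(response: dict, required_scopes: Iterable[str]) -> bool:
    """True if the token is active and carries every required scope.

    No local exp/nbf comparison: the server's 'active' flag already reflects
    expiry, not-before and revocation, and comparing exp/nbf against a local
    clock rejects valid tokens whenever that clock has drifted."""
    if not response.get("active", False):
        return False
    actual = set(response.get("scope", "").split())
    required = set(required_scopes)
    if not required <= actual:
        raise InvalidTokenScopesError(required, actual)
    return True


class FakeIntrospectServer:
    """Constructed stand-in for the introspect endpoint; counts calls so the
    caching effect is observable."""

    def __init__(self, tokens: Dict[str, dict]) -> None:
        self._tokens = tokens
        self.calls = 0

    def introspect(self, token: str) -> dict:
        self.calls += 1
        # Unknown or revoked token: RFC 7662 says answer with active=false only.
        return dict(self._tokens.get(token, {"active": False}))


def run_demo() -> dict:
    """Exercise the cache with constructed tokens and return the observations."""
    server = FakeIntrospectServer({
        "tok-good": {"active": True, "scope": "openid profile ap:run"},
        "tok-narrow": {"active": True, "scope": "openid"},
    })
    cache = IntrospectCache(server.introspect, ttl_seconds=60.0)
    required = ["ap:run"]

    good = check_scopes(cache.get("tok-good"), required)
    good_again = check_scopes(cache.get("tok-good"), required)
    calls_after_good = server.calls  # one introspect for two requests

    revoked = check_scopes(cache.get("tok-revoked"), required)
    revoked_again = check_scopes(cache.get("tok-revoked"), required)
    calls_after_revoked = server.calls  # the negative result was cached too

    try:
        check_scopes(cache.get("tok-narrow"), required)
        missing = None
    except InvalidTokenScopesError as exc:
        missing = sorted(exc.required_scopes - exc.actual_scopes)

    return {"good": good and good_again, "calls_after_good": calls_after_good,
            "revoked": revoked or revoked_again, "calls_after_revoked": calls_after_revoked,
            "missing_scopes": missing, "raw_token_in_cache": cache.holds_raw_token("tok-good")}


if __name__ == "__main__":
    print(run_demo())
```

The distinction that matters operationally is the last two observations: the cache entry for a revoked or garbage token is as good as the entry for a valid one (so an attacker replaying a bad token cannot force an introspect round-trip per request), and a scope failure surfaces as a typed exception that a Flask error handler can map to a 403, rather than a `None` that every caller has to remember to test.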
Changes

- The `TokenChecker` class has been removed and replaced in all cases with an `AuthStateBuilder` which better matches the purpose of this class.
- The `check_token` flask-specific helper has been replaced with a `FlaskAuthStateBuilder` which subclasses `AuthStateBuilder` and specializes it to handle a `flask.Request` object.
- The `aud` field of token introspect responses is no longer validated and fields associated with it have been removed. This includes changes to function and class initializer signatures.
  - The `expected_audience` field is no longer supported in `AuthState` and `TokenChecker`. It has been removed from the initializers for these classes.
  - `globus_auth_client_name` has been removed from `ActionProviderBlueprint`.
  - `client_name` has been removed from `add_action_routes_to_blueprint`.

Development
- Move to `src/` tree layout
- Refactor `AuthState.get_authorizer_for_scope` without changing its primary outward semantics. The `bypass_dependent_token_cache` argument has been removed from its interface, as it is not necessary to expose with the improved implementation.
- `tox run -m update`
- `isolated_build` option
- `get_authorizer_for_scope` (Refactor `get_authorizer_for_scope` #175)
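The retry-and-fail semantics that let `bypass_dependent_token_cache` be dropped, as an added example and not the library's implementation: a cached dependent token is reused while it is refreshable or unexpired; if it is expired and carries no refresh token, the cached entry is cleared and dependent tokens are fetched exactly once more, and a second failure raises instead of looping or returning `None`. The `AuthorizerCache`, `DependentToken`, `DependentTokenError` and `ScriptedFetcher` names, the `fetch(scope) -> DependentToken` callable standing in for a dependent-token grant, and the token values are all assumptions made for this example.

```python
"""Added example: model of retry-on-stale-token behaviour for a per-scope
dependent-token cache. Not project code; all names are illustrative."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DependentToken:
    access_token: str
    refresh_token: Optional[str]  # None models the 'refresh token missing' case
    expires_at: float             # absolute epoch seconds


class DependentTokenError(RuntimeError):
    """Raised when no usable dependent token can be obtained for a scope."""


class AuthorizerCache:
    def __init__(self, fetch: Callable[[str], DependentToken],
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch    # assumed: one dependent-token grant per call
        self._clock = clock
        self._tokens: Dict[str, DependentToken] = {}
        self.fetch_calls = 0

    def _cached_or_fetched(self, scope: str) -> DependentToken:
        tok = self._tokens.get(scope)
        if tok is None:
            tok = self._fetch(scope)
            self.fetch_calls += 1
            self._tokens[scope] = tok
        return tok

    def _authorizer(self, tok: DependentToken) -> Optional[Tuple[str, str]]:
        """A refresh token always yields a usable, self-renewing authorizer; a
        bare access token is usable only while unexpired. None means neither."""
        if tok.refresh_token is not None:
            return ("refresh", tok.refresh_token)
        if tok.expires_at > self._clock():
            return ("access", tok.access_token)
        return None

    def get_authorizer_for_scope(self, scope: str) -> Tuple[str, str]:
        auth = self._authorizer(self._cached_or_fetched(scope))
        if auth is not None:
            return auth
        # Expired and not refreshable: drop the stale entry and re-fetch once.
        # Callers never need a bypass flag; the cache decides for itself.
        self._tokens.pop(scope, None)
        auth = self._authorizer(self._cached_or_fetched(scope))
        if auth is not None:
            return auth
        raise DependentTokenError(f"no usable dependent token for scope {scope!r}")


class ScriptedFetcher:
    """Constructed fetcher returning a scripted sequence of tokens; raises if
    called more often than scripted, which pins the retry to exactly one."""

    def __init__(self, sequence: List[DependentToken]) -> None:
        self._seq = list(sequence)

    def __call__(self, scope: str) -> DependentToken:
        if not self._seq:
            raise AssertionError("fetcher called more often than scripted")
        return self._seq.pop(0)


def run_demo(now: float = 1_000_000.0) -> dict:
    clock = lambda: now
    expired_no_refresh = DependentToken("at-old", None, now - 10)
    fresh_with_refresh = DependentToken("at-new", "rt-new", now + 3600)

    # Case 1: first fetch yields a stale, unrefreshable token; one retry fixes it.
    cache = AuthorizerCache(ScriptedFetcher([expired_no_refresh, fresh_with_refresh]), clock)
    first = cache.get_authorizer_for_scope("scope-a")
    second = cache.get_authorizer_for_scope("scope-a")  # served from cache, no fetch

    # Case 2: the retry is just as stale; the caller gets a typed error.
    stuck = AuthorizerCache(ScriptedFetcher([expired_no_refresh, expired_no_refresh]), clock)
    try:
        stuck.get_authorizer_for_scope("scope-b")
        error = None
    except DependentTokenError as exc:
        error = str(exc)

    return {"first": first, "second": second, "fetches": cache.fetch_calls,
            "stuck_fetches": stuck.fetch_calls, "error": error}


if __name__ == "__main__":
    print(run_demo())
```

Bounding the retry at one extra fetch matters for an Action Provider: a dependent-token grant is a network call to the identity provider made while an inbound request is waiting, so an unbounded retry on a persistently broken grant would turn one bad upstream response into a request-path hang. The `ScriptedFetcher` assertion in the demo is what proves the bound holds.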