diff --git a/docs/changelog.md b/docs/changelog.md index b25e09d..6ee22b4 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -1,5 +1,9 @@ # Changelog +## 2.3.2 - 2026-07-08 +- Increase default timeout for auth code flow callback listener. +- Test updates and formatting related to upstream project changes. + ## 2.3.1 - 2025-12-10 - Fix a bug where sops protected files would be rewritten without preserving their sops protection. diff --git a/docs/examples/service/flask--oidc-multi-issuer--local-and-remote-validation.py b/docs/examples/service/flask--oidc-multi-issuer--local-and-remote-validation.py index 213af24..5d60a79 100644 --- a/docs/examples/service/flask--oidc-multi-issuer--local-and-remote-validation.py +++ b/docs/examples/service/flask--oidc-multi-issuer--local-and-remote-validation.py @@ -7,7 +7,6 @@ from flask import Flask, make_response, request from functools import wraps - ############################################################################# # Logging Configuration ############################################################################# diff --git a/src/planet_auth/oidc/api_clients/authorization_api_client.py b/src/planet_auth/oidc/api_clients/authorization_api_client.py index 2a071c7..95f5912 100644 --- a/src/planet_auth/oidc/api_clients/authorization_api_client.py +++ b/src/planet_auth/oidc/api_clients/authorization_api_client.py @@ -29,7 +29,7 @@ auth_logger = planet_auth.logging.auth_logger.getAuthLogger() DEFAULT_REDIRECT_LISTEN_PORT = 80 -AUTH_TIMEOUT = 60 +AUTH_TIMEOUT = 300 class AuthorizationApiException(OidcApiClientException): diff --git a/src/planet_auth/oidc/api_clients/userinfo_api_client.py b/src/planet_auth/oidc/api_clients/userinfo_api_client.py index ab15ca4..0b34b9c 100644 --- a/src/planet_auth/oidc/api_clients/userinfo_api_client.py +++ b/src/planet_auth/oidc/api_clients/userinfo_api_client.py @@ -15,7 +15,6 @@ from typing import Dict from planet_auth.oidc.api_clients.api_client import OidcApiClient - # class UserinfoApiException(OidcApiClientException): # def __init__(self, **kwargs): # super().__init__(**kwargs) diff --git a/src/planet_auth/oidc/auth_client.py b/src/planet_auth/oidc/auth_client.py index 6e2dda5..47ea900 100644 --- a/src/planet_auth/oidc/auth_client.py +++ b/src/planet_auth/oidc/auth_client.py @@ -30,7 +30,6 @@ from planet_auth.oidc.oidc_credential import FileBackedOidcCredential import planet_auth.logging.auth_logger - auth_logger = planet_auth.logging.auth_logger.getAuthLogger() diff --git a/src/planet_auth/oidc/auth_clients/device_code_flow.py b/src/planet_auth/oidc/auth_clients/device_code_flow.py index 7f54cfc..bec2de5 100644 --- a/src/planet_auth/oidc/auth_clients/device_code_flow.py +++ b/src/planet_auth/oidc/auth_clients/device_code_flow.py @@ -39,7 +39,6 @@ OidcAuthClientWithRefreshingOidcTokenRequestAuthenticator, ) - auth_logger = planet_auth.logging.auth_logger.getAuthLogger() diff --git a/src/planet_auth/oidc/oidc_credential.py b/src/planet_auth/oidc/oidc_credential.py index 06cdab2..00985ef 100644 --- a/src/planet_auth/oidc/oidc_credential.py +++ b/src/planet_auth/oidc/oidc_credential.py @@ -63,7 +63,7 @@ def _augment_rfc6749_data(self): try: access_token_str = self.access_token() if access_token_str: - (_, jwt_hazmat_body, _) = TokenValidator.hazmat_unverified_decode(access_token_str) + _, jwt_hazmat_body, _ = TokenValidator.hazmat_unverified_decode(access_token_str) else: jwt_hazmat_body = None except InvalidArgumentException: diff --git a/src/planet_auth/oidc/token_validator.py b/src/planet_auth/oidc/token_validator.py index 44b6f19..5502d13 100644 --- a/src/planet_auth/oidc/token_validator.py +++ b/src/planet_auth/oidc/token_validator.py @@ -226,7 +226,11 @@ def validate_token( if scopes_anyof: if validated_claims.get(_SCOPE_CLAIM_RFC8693): # RFC 8693 places scopes in a space delimited string. - token_scopes = validated_claims.get(_SCOPE_CLAIM_RFC8693).split() + _claim = validated_claims.get(_SCOPE_CLAIM_RFC8693) + if isinstance(_claim, str): + token_scopes = validated_claims.get(_SCOPE_CLAIM_RFC8693).split() # type: ignore + else: + token_scopes = [] elif validated_claims.get(_SCOPE_CLAIM_OKTA): # No split. Okta places a list of strings in the token. token_scopes = validated_claims.get(_SCOPE_CLAIM_OKTA) diff --git a/src/planet_auth/storage_utils.py b/src/planet_auth/storage_utils.py index 8faa94e..a1e9ef8 100644 --- a/src/planet_auth/storage_utils.py +++ b/src/planet_auth/storage_utils.py @@ -25,7 +25,6 @@ from planet_auth.auth_exception import AuthException from planet_auth.util import auth_logger - ObjectStorageProvider_KeyType = pathlib.Path """ Key type for object storage. Paths are currently used in part because of diff --git a/src/planet_auth_config_injection/builtins_provider.py b/src/planet_auth_config_injection/builtins_provider.py index bc8df12..d768c5d 100644 --- a/src/planet_auth_config_injection/builtins_provider.py +++ b/src/planet_auth_config_injection/builtins_provider.py @@ -15,7 +15,6 @@ from abc import ABC, abstractmethod from typing import Dict, List, Optional - # Unlike other environment variables, AUTH_BUILTIN_PROVIDER is not name-spaced. # It is intended for libraries and applications to inject configuration by # being set within the program. It's not expected to be set by end-users. diff --git a/src/planet_auth_utils/commands/cli/jwt_cmd.py b/src/planet_auth_utils/commands/cli/jwt_cmd.py index 14bb9e3..25e67cf 100644 --- a/src/planet_auth_utils/commands/cli/jwt_cmd.py +++ b/src/planet_auth_utils/commands/cli/jwt_cmd.py @@ -107,7 +107,7 @@ def print_jwt_parts(raw, header, body, signature, human_readable): def hazmat_print_jwt(token_str, human_readable): print("UNTRUSTED JWT Decoding\n") if token_str: - (hazmat_header, hazmat_body, hazmat_signature) = TokenValidator.hazmat_unverified_decode(token_str) + hazmat_header, hazmat_body, hazmat_signature = TokenValidator.hazmat_unverified_decode(token_str) print_jwt_parts( raw=token_str, header=hazmat_header, @@ -186,7 +186,7 @@ def cmd_jwt_validate_oauth(ctx, token, token_file, audience, issuer, human_reada trust with what audiences MUST be controlled by the service operator. """ token_to_validate = _get_token_or_fail(token_opt=token, token_file_opt=token_file) - (hazmat_header, hazmat_body, hazmat_signature) = TokenValidator.hazmat_unverified_decode(token_to_validate) + hazmat_header, hazmat_body, hazmat_signature = TokenValidator.hazmat_unverified_decode(token_to_validate) if issuer: validation_iss = issuer diff --git a/src/planet_auth_utils/commands/cli/options.py b/src/planet_auth_utils/commands/cli/options.py index 9b15bb1..35ff4ee 100644 --- a/src/planet_auth_utils/commands/cli/options.py +++ b/src/planet_auth_utils/commands/cli/options.py @@ -18,7 +18,6 @@ from planet_auth_utils.constants import EnvironmentVariables - _click_option_decorator_type = Callable[..., Any] diff --git a/src/planet_auth_utils/plauth_user_config.py b/src/planet_auth_utils/plauth_user_config.py index 57598c9..77be00a 100644 --- a/src/planet_auth_utils/plauth_user_config.py +++ b/src/planet_auth_utils/plauth_user_config.py @@ -19,7 +19,6 @@ from planet_auth.constants import USER_CONFIG_FILE from planet_auth.logging.auth_logger import getAuthLogger - auth_logger = getAuthLogger() diff --git a/src/planet_auth_utils/profile.py b/src/planet_auth_utils/profile.py index 208304f..dbe3a85 100644 --- a/src/planet_auth_utils/profile.py +++ b/src/planet_auth_utils/profile.py @@ -25,7 +25,6 @@ ) from planet_auth.storage_utils import ObjectStorageProvider - auth_logger = planet_auth.logging.auth_logger.getAuthLogger() diff --git a/tests/test_planet_auth/unit/auth/auth_clients/oidc/auth_clients/test_client_validator.py b/tests/test_planet_auth/unit/auth/auth_clients/oidc/auth_clients/test_client_validator.py index fb0467e..496c712 100644 --- a/tests/test_planet_auth/unit/auth/auth_clients/oidc/auth_clients/test_client_validator.py +++ b/tests/test_planet_auth/unit/auth/auth_clients/oidc/auth_clients/test_client_validator.py @@ -22,7 +22,6 @@ ) from planet_auth.request_authenticator import ForbiddenRequestAuthenticator - TEST_AUTH_SERVER_BASE = "https://auth.unittest.planet.com" diff --git a/tests/test_planet_auth/unit/auth/auth_clients/oidc/test_multi_validator.py b/tests/test_planet_auth/unit/auth/auth_clients/oidc/test_multi_validator.py index 3c87876..6db46e7 100644 --- a/tests/test_planet_auth/unit/auth/auth_clients/oidc/test_multi_validator.py +++ b/tests/test_planet_auth/unit/auth/auth_clients/oidc/test_multi_validator.py @@ -326,7 +326,11 @@ def test_malformed_token_5_iss_liars(self): # You can make the argument this is still valid, because the signature is still # from a trusted issuer. But, we reject it based on bad structure. token_body["iss"] = [primary_issuer.token_builder.issuer, untrusted_issuer.token_builder.issuer] - test_jwt = primary_issuer.token_builder.encode(body=token_body, extra_headers=token_header) + # Newer versions of PyJWT refuse to even build this test token. + # That does not mean that a bad actor could not construct one. + # The expected throw is before we even perform token validation, so it is OK to use a fake token. + # test_jwt = primary_issuer.token_builder.encode(body=token_body, extra_headers=token_header) + test_jwt = FakeTokenBuilder.fake_token(body=token_body, header=token_header) with pytest.raises( InvalidTokenException, match=re.escape("Issuer claim ('iss') must be a of string type. 'list' type was detected."), @@ -342,16 +346,6 @@ def test_malformed_token_5_iss_liars(self): ): under_test.validate_access_token(token=test_jwt) - # TC 3 - # Double-talk liar. Using the untrusted signing key, claiming to be ourselves and the trusted issuer. - token_body["iss"] = [primary_issuer.token_builder.issuer, untrusted_issuer.token_builder.issuer] - test_jwt = untrusted_issuer.token_builder.encode(body=token_body, extra_headers=token_header) - with pytest.raises( - InvalidTokenException, - match=re.escape("Issuer claim ('iss') must be a of string type. 'list' type was detected."), - ): - under_test.validate_access_token(token=test_jwt) - def test_missing_signature(self): # QE TC11 - JWT without a signature test_case_name = inspect.currentframe().f_code.co_name diff --git a/tests/test_planet_auth/unit/auth/test_auth_is_initialized.py b/tests/test_planet_auth/unit/auth/test_auth_is_initialized.py index b86849a..a3af54c 100644 --- a/tests/test_planet_auth/unit/auth/test_auth_is_initialized.py +++ b/tests/test_planet_auth/unit/auth/test_auth_is_initialized.py @@ -26,7 +26,6 @@ from tests.test_planet_auth.unit.auth.util import MockObjectStorageProvider, TestTokenBuilder - # This isn't the best unit test of Auth. Rather, this tests how several # things come together to make the request_authenticator_is_ready() work as # expected in the Auth class. We run this test for a number of common diff --git a/tests/test_planet_auth/unit/auth/test_storage_utils_file_backed_json_object.py b/tests/test_planet_auth/unit/auth/test_storage_utils_file_backed_json_object.py index 618267a..31fde21 100644 --- a/tests/test_planet_auth/unit/auth/test_storage_utils_file_backed_json_object.py +++ b/tests/test_planet_auth/unit/auth/test_storage_utils_file_backed_json_object.py @@ -35,7 +35,6 @@ from tests.test_planet_auth.unit.auth.util import MockObjectStorageProvider, MockStorageObjectNotFound from tests.test_planet_auth.util import tdata_resource_file_path - # class MockFileBackedEntity(FileBackedJsonObject): # def __init__(self, data=None, file_path=None): # super().__init__(data=data, file_path=file_path) diff --git a/tests/test_planet_auth_utils/unit/auth_utils/test_profile.py b/tests/test_planet_auth_utils/unit/auth_utils/test_profile.py index 7e93852..d2b4a1f 100644 --- a/tests/test_planet_auth_utils/unit/auth_utils/test_profile.py +++ b/tests/test_planet_auth_utils/unit/auth_utils/test_profile.py @@ -23,7 +23,6 @@ from planet_auth_utils.profile import Profile, ProfileException from tests.test_planet_auth_utils.util import tdata_resource_file_path, TestWithHomeDirProfiles - PROFILE1_NAME = "profile1_static_api_key" PROFILE2_NAME = "profile2_invalid" PROFILE3_NAME = "profile3_empty" diff --git a/version.txt b/version.txt index 2bf1c1c..f90b1af 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -2.3.1 +2.3.2