Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# Changelog

## 2.3.2 - 2026-07-08
- Increase default timeout for auth code flow callback listener.
- Test updates and formatting related to upstream project changes.

## 2.3.1 - 2025-12-10
- Fix a bug where sops protected files would be rewritten without preserving
their sops protection.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@
from flask import Flask, make_response, request
from functools import wraps


#############################################################################
# Logging Configuration
#############################################################################
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@

auth_logger = planet_auth.logging.auth_logger.getAuthLogger()
DEFAULT_REDIRECT_LISTEN_PORT = 80
AUTH_TIMEOUT = 60
AUTH_TIMEOUT = 300


class AuthorizationApiException(OidcApiClientException):
Expand Down
1 change: 0 additions & 1 deletion src/planet_auth/oidc/api_clients/userinfo_api_client.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
from typing import Dict
from planet_auth.oidc.api_clients.api_client import OidcApiClient


# class UserinfoApiException(OidcApiClientException):
# def __init__(self, **kwargs):
# super().__init__(**kwargs)
Expand Down
1 change: 0 additions & 1 deletion src/planet_auth/oidc/auth_client.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@
from planet_auth.oidc.oidc_credential import FileBackedOidcCredential
import planet_auth.logging.auth_logger


auth_logger = planet_auth.logging.auth_logger.getAuthLogger()


Expand Down
1 change: 0 additions & 1 deletion src/planet_auth/oidc/auth_clients/device_code_flow.py
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,6 @@
OidcAuthClientWithRefreshingOidcTokenRequestAuthenticator,
)


auth_logger = planet_auth.logging.auth_logger.getAuthLogger()


Expand Down
2 changes: 1 addition & 1 deletion src/planet_auth/oidc/oidc_credential.py
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ def _augment_rfc6749_data(self):
try:
access_token_str = self.access_token()
if access_token_str:
(_, jwt_hazmat_body, _) = TokenValidator.hazmat_unverified_decode(access_token_str)
_, jwt_hazmat_body, _ = TokenValidator.hazmat_unverified_decode(access_token_str)
else:
jwt_hazmat_body = None
except InvalidArgumentException:
Expand Down
6 changes: 5 additions & 1 deletion src/planet_auth/oidc/token_validator.py
Original file line number Diff line number Diff line change
Expand Up @@ -226,7 +226,11 @@ def validate_token(
if scopes_anyof:
if validated_claims.get(_SCOPE_CLAIM_RFC8693):
# RFC 8693 places scopes in a space delimited string.
token_scopes = validated_claims.get(_SCOPE_CLAIM_RFC8693).split()
_claim = validated_claims.get(_SCOPE_CLAIM_RFC8693)
if isinstance(_claim, str):
token_scopes = validated_claims.get(_SCOPE_CLAIM_RFC8693).split() # type: ignore
else:
token_scopes = []
elif validated_claims.get(_SCOPE_CLAIM_OKTA):
# No split. Okta places a list of strings in the token.
token_scopes = validated_claims.get(_SCOPE_CLAIM_OKTA)
Expand Down
1 change: 0 additions & 1 deletion src/planet_auth/storage_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@
from planet_auth.auth_exception import AuthException
from planet_auth.util import auth_logger


ObjectStorageProvider_KeyType = pathlib.Path
"""
Key type for object storage. Paths are currently used in part because of
Expand Down
1 change: 0 additions & 1 deletion src/planet_auth_config_injection/builtins_provider.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
from abc import ABC, abstractmethod
from typing import Dict, List, Optional


# Unlike other environment variables, AUTH_BUILTIN_PROVIDER is not name-spaced.
# It is intended for libraries and applications to inject configuration by
# being set within the program. It's not expected to be set by end-users.
Expand Down
4 changes: 2 additions & 2 deletions src/planet_auth_utils/commands/cli/jwt_cmd.py
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,7 @@ def print_jwt_parts(raw, header, body, signature, human_readable):
def hazmat_print_jwt(token_str, human_readable):
print("UNTRUSTED JWT Decoding\n")
if token_str:
(hazmat_header, hazmat_body, hazmat_signature) = TokenValidator.hazmat_unverified_decode(token_str)
hazmat_header, hazmat_body, hazmat_signature = TokenValidator.hazmat_unverified_decode(token_str)
print_jwt_parts(
raw=token_str,
header=hazmat_header,
Expand Down Expand Up @@ -186,7 +186,7 @@ def cmd_jwt_validate_oauth(ctx, token, token_file, audience, issuer, human_reada
trust with what audiences MUST be controlled by the service operator.
"""
token_to_validate = _get_token_or_fail(token_opt=token, token_file_opt=token_file)
(hazmat_header, hazmat_body, hazmat_signature) = TokenValidator.hazmat_unverified_decode(token_to_validate)
hazmat_header, hazmat_body, hazmat_signature = TokenValidator.hazmat_unverified_decode(token_to_validate)

if issuer:
validation_iss = issuer
Expand Down
1 change: 0 additions & 1 deletion src/planet_auth_utils/commands/cli/options.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@

from planet_auth_utils.constants import EnvironmentVariables


_click_option_decorator_type = Callable[..., Any]


Expand Down
1 change: 0 additions & 1 deletion src/planet_auth_utils/plauth_user_config.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
from planet_auth.constants import USER_CONFIG_FILE
from planet_auth.logging.auth_logger import getAuthLogger


auth_logger = getAuthLogger()


Expand Down
1 change: 0 additions & 1 deletion src/planet_auth_utils/profile.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@
)
from planet_auth.storage_utils import ObjectStorageProvider


auth_logger = planet_auth.logging.auth_logger.getAuthLogger()


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@
)
from planet_auth.request_authenticator import ForbiddenRequestAuthenticator


TEST_AUTH_SERVER_BASE = "https://auth.unittest.planet.com"


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -326,7 +326,11 @@ def test_malformed_token_5_iss_liars(self):
# You can make the argument this is still valid, because the signature is still
# from a trusted issuer. But, we reject it based on bad structure.
token_body["iss"] = [primary_issuer.token_builder.issuer, untrusted_issuer.token_builder.issuer]
test_jwt = primary_issuer.token_builder.encode(body=token_body, extra_headers=token_header)
# Newer versions of PyJWT refuse to even build this test token.
# That does not mean that a bad actor could not construct one.
# The expected throw is before we even perform token validation, so it is OK to use a fake token.
# test_jwt = primary_issuer.token_builder.encode(body=token_body, extra_headers=token_header)
test_jwt = FakeTokenBuilder.fake_token(body=token_body, header=token_header)
with pytest.raises(
InvalidTokenException,
match=re.escape("Issuer claim ('iss') must be a of string type. 'list' type was detected."),
Expand All @@ -342,16 +346,6 @@ def test_malformed_token_5_iss_liars(self):
):
under_test.validate_access_token(token=test_jwt)

# TC 3
# Double-talk liar. Using the untrusted signing key, claiming to be ourselves and the trusted issuer.
token_body["iss"] = [primary_issuer.token_builder.issuer, untrusted_issuer.token_builder.issuer]
test_jwt = untrusted_issuer.token_builder.encode(body=token_body, extra_headers=token_header)
with pytest.raises(
InvalidTokenException,
match=re.escape("Issuer claim ('iss') must be a of string type. 'list' type was detected."),
):
under_test.validate_access_token(token=test_jwt)

def test_missing_signature(self):
# QE TC11 - JWT without a signature
test_case_name = inspect.currentframe().f_code.co_name
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@

from tests.test_planet_auth.unit.auth.util import MockObjectStorageProvider, TestTokenBuilder


# This isn't the best unit test of Auth. Rather, this tests how several
# things come together to make the request_authenticator_is_ready() work as
# expected in the Auth class. We run this test for a number of common
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@
from tests.test_planet_auth.unit.auth.util import MockObjectStorageProvider, MockStorageObjectNotFound
from tests.test_planet_auth.util import tdata_resource_file_path


# class MockFileBackedEntity(FileBackedJsonObject):
# def __init__(self, data=None, file_path=None):
# super().__init__(data=data, file_path=file_path)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,6 @@
from planet_auth_utils.profile import Profile, ProfileException
from tests.test_planet_auth_utils.util import tdata_resource_file_path, TestWithHomeDirProfiles


PROFILE1_NAME = "profile1_static_api_key"
PROFILE2_NAME = "profile2_invalid"
PROFILE3_NAME = "profile3_empty"
Expand Down
2 changes: 1 addition & 1 deletion version.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
2.3.1
2.3.2
Loading