Misc fixes for previous commits based on self review

jupyterhub · Jun 29, 2023 · 6cc6fdb · 6cc6fdb
1 parent 6e82da0
commit 6cc6fdb
Show file tree

Hide file tree

Showing 9 changed files with 79 additions and 44 deletions.
diff --git a/docs/source/tutorials/provider-specific-setup/providers/bitbucket.md b/docs/source/tutorials/provider-specific-setup/providers/bitbucket.md
@@ -1,7 +1,7 @@
-# BitBucket Setup
+# Bitbucket Setup
 
-You need to have an BitBucket OAuth application registered ahead of time, see
-BitBucket's official documentation about [registering an app].
+You need to have an Bitbucket OAuth application registered ahead of time, see
+Bitbucket's official documentation about [registering an app].
 
 [registering an app]: https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/
 
@@ -18,7 +18,7 @@ c.OAuthenticator.client_secret = "[your oauth2 application secret]"
 
 ## Additional configuration
 
-BitBucketOAuthenticator expands OAuthenticator with the following config that may
+BitbucketOAuthenticator expands OAuthenticator with the following config that may
 be relevant to read more about in the configuration reference:
 
-- {attr}`.BitBucketOAuthenticator.allowed_teams`
+- {attr}`.BitbucketOAuthenticator.allowed_teams`
diff --git a/oauthenticator/azuread.py b/oauthenticator/azuread.py
@@ -17,6 +17,10 @@ class AzureAdOAuthenticator(OAuthenticator):
     def _login_service_default(self):
         return os.environ.get("LOGIN_SERVICE", "Azure AD")
 
+    @default("username_claim")
+    def _username_claim_default(self):
+        return "name"
+
     tenant_id = Unicode(
         config=True,
         help="""
@@ -32,10 +36,6 @@ def _login_service_default(self):
     def _tenant_id_default(self):
         return os.environ.get('AAD_TENANT_ID', '')
 
-    @default("username_claim")
-    def _username_claim_default(self):
-        return "name"
-
     @default("authorize_url")
     def _authorize_url_default(self):
         return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/authorize"

diff --git a/oauthenticator/bitbucket.py b/oauthenticator/bitbucket.py
@@ -46,7 +46,7 @@ def _userdata_url_default(self):
     allowed_teams = Set(
         config=True,
         help="""
-        Allow members of selected BitBucket teams to sign in.
+        Allow members of selected Bitbucket teams to sign in.
         """,
     )
 

diff --git a/oauthenticator/generic.py b/oauthenticator/generic.py
@@ -44,13 +44,29 @@ def _login_service_default(self):
     allowed_groups = Set(
         Unicode(),
         config=True,
-        help="Automatically allow members of selected groups",
+        help="""
+        Allow members of selected groups to sign in.
+
+        When configuring this you may need to configure `claim_groups_key` as
+        well as it determines the key in the `userdata_url` response that is
+        assumed to list the groups a user is a member of.
+        """,
     )
 
     admin_groups = Set(
         Unicode(),
         config=True,
-        help="Groups whose members should have Jupyterhub admin privileges",
+        help="""
+        Allow members of selected groups to sign in and consider them as
+        JupyterHub admins.
+
+        If this is set and a user isn't part of one of these groups or listed in
+        `admin_users`, a user signing in will have their admin status revoked.
+
+        When configuring this you may need to configure `claim_groups_key` as
+        well as it determines the key in the `userdata_url` response that is
+        assumed to list the groups a user is a member of.
+        """,
     )
 
     username_key = Union(

diff --git a/oauthenticator/gitlab.py b/oauthenticator/gitlab.py
@@ -72,10 +72,6 @@ def _default_gitlab_url(self):
 
         return gitlab_url
 
-    @default("gitlab_api")
-    def _default_gitlab_api(self):
-        return f"{self.gitlab_url}/api/v{self.gitlab_api_version}"
-
     @default("authorize_url")
     def _authorize_url_default(self):
         return f"{self.gitlab_url}/oauth/authorize"
@@ -104,6 +100,10 @@ def _gitlab_api_version_default(self):
         """,
     )
 
+    @default("gitlab_api")
+    def _default_gitlab_api(self):
+        return f"{self.gitlab_url}/api/v{self.gitlab_api_version}"
+
     @default("userdata_url")
     def _userdata_url_default(self):
         return f"{self.gitlab_api}/user"

diff --git a/oauthenticator/globus.py b/oauthenticator/globus.py
@@ -88,13 +88,17 @@ def _token_url_default(self):
     revocation_url = Unicode(
         "https://auth.globus.org/v2/oauth2/token/revoke",
         config=True,
-        help="Globus URL to revoke live tokens.",
+        help="""
+        Globus URL to revoke live tokens.
+        """,
     )
 
     globus_groups_url = Unicode(
         "https://groups.api.globus.org/v2/groups/my_groups",
         config=True,
-        help="Globus URL to get list of user's Groups.",
+        help="""
+        Globus URL to get list of user's Groups.
+        """,
     )
 
     identity_provider = Unicode(
@@ -179,7 +183,7 @@ def _revoke_tokens_on_logout_default(self):
     allowed_globus_groups = Set(
         config=True,
         help="""
-        Allow members of selected Google groups to sign in. Globus groups should
+        Allow members of selected Globus groups to sign in. Globus groups should
         be specified using their UUIDs.
 
         If this is configured, the default value of the scope configuration is

diff --git a/oauthenticator/google.py b/oauthenticator/google.py
@@ -153,14 +153,6 @@ def _cast_hosted_domain(self, proposal):
             return [proposal.value.lower()]
         return [hd.lower() for hd in proposal.value]
 
-    login_service = Unicode(
-        os.environ.get('LOGIN_SERVICE', 'Google'),
-        config=True,
-        help="""
-        Google Apps hosted domain string, e.g. My College
-        """,
-    )
-
     async def update_auth_model(self, auth_model):
         """
         Fetch and store `google_groups` in auth state if `allowed_google_groups`

diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
@@ -463,7 +463,8 @@ def _validate_server_cert_default(self):
 
     http_request_kwargs = Dict(
         config=True,
-        help="""Extra default kwargs passed to all HTTPRequests.
+        help="""
+        Extra default kwargs passed to all HTTPRequests.
 
         For example, to use a HTTP proxy for all requests:
 

diff --git a/oauthenticator/openshift.py b/oauthenticator/openshift.py
@@ -13,11 +13,15 @@
 
 
 class OpenShiftOAuthenticator(OAuthenticator):
-    login_service = "OpenShift"
+    user_auth_state_key = "openshift_user"
 
-    scope = ['user:info']
+    @default("scope")
+    def _scope_default(self):
+        return ["user:info"]
 
-    user_auth_state_key = "openshift_user"
+    @default("login_service")
+    def _login_service_default(self):
+        return os.environ.get("LOGIN_SERVICE", "OpenShift")
 
     @default("username_claim")
     def _username_claim_default(self):
@@ -27,7 +31,10 @@ def _username_claim_default(self):
         os.environ.get('OPENSHIFT_URL')
         or 'https://openshift.default.svc.cluster.local',
         config=True,
-        help="""""",
+        help="""
+        Used to determine the default values for `openshift_auth_api_url` and
+        `openshift_rest_api_url`.
+        """,
     )
 
     allowed_groups = Set(
@@ -50,14 +57,22 @@ def _username_claim_default(self):
 
     ca_certs = Unicode(
         config=True,
-        help="""""",
+        help="""
+        Path to a certificate authority (CA) certificate file. Used to trust the
+        certificates from a specific CA.
+        """,
     )
 
+    # FIXME: validate_cert is defined here, but OAuthenticator also defines
+    #        validate_server_cert. If both should exist separately its too
+    #        confusing without further documentation, and if only one should
+    #        exist the one here should be deprecated in favor of the other.
+    #
     validate_cert = Bool(
         True,
         config=True,
         help="""
-        Set to False to disable certificate validation
+        Set to False to disable certificate validation.
         """,
     )
 
@@ -70,7 +85,10 @@ def _ca_certs_default(self):
 
     openshift_auth_api_url = Unicode(
         config=True,
-        help="""""",
+        help="""
+        Used to determine the default values for `authorize_url` and
+        `token_url`.
+        """,
     )
 
     @default("openshift_auth_api_url")
@@ -82,15 +100,6 @@ def _openshift_auth_api_url_default(self):
 
         return resp_json.get('issuer')
 
-    openshift_rest_api_url = Unicode(
-        config=True,
-        help="""""",
-    )
-
-    @default("openshift_rest_api_url")
-    def _openshift_rest_api_url_default(self):
-        return self.openshift_url
-
     @default("authorize_url")
     def _authorize_url_default(self):
         return f"{self.openshift_auth_api_url}/oauth/authorize"
@@ -99,6 +108,19 @@ def _authorize_url_default(self):
     def _token_url_default(self):
         return f"{self.openshift_auth_api_url}/oauth/token"
 
+    openshift_rest_api_url = Unicode(
+        config=True,
+        help="""
+        Used to determine the default value for `userdata_url`.
+
+        Defaults to the `openshift_url`.
+        """,
+    )
+
+    @default("openshift_rest_api_url")
+    def _openshift_rest_api_url_default(self):
+        return self.openshift_url
+
     @default("userdata_url")
     def _userdata_url_default(self):
         return f"{self.openshift_rest_api_url}/apis/user.openshift.io/v1/users/~"