generic, deprecation: deprecate tls_verify in favor of validate_serve…

…r_cert
jupyterhub · Jul 6, 2023 · d80885a · d80885a
1 parent 39c8c55
commit d80885a
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 22 deletions.
diff --git a/oauthenticator/generic.py b/oauthenticator/generic.py
@@ -6,7 +6,6 @@
 
 from jupyterhub.auth import LocalAuthenticator
 from jupyterhub.traitlets import Callable
-from tornado.httpclient import AsyncHTTPClient
 from traitlets import Bool, Dict, Set, Unicode, Union, default
 
 from .oauth2 import OAuthenticator
@@ -70,26 +69,15 @@ def _login_service_default(self):
         """,
     )
 
-    tls_verify = Bool(
-        os.environ.get('OAUTH2_TLS_VERIFY', 'True').lower() in {'true', '1'},
-        config=True,
-        help="Require valid tls certificates in HTTP requests",
-    )
-
     @default("basic_auth")
     def _basic_auth_default(self):
         return os.environ.get('OAUTH2_BASIC_AUTH', 'True').lower() in {'true', '1'}
 
-    @default("http_client")
-    def _default_http_client(self):
-        return AsyncHTTPClient(
-            force_instance=True, defaults=dict(validate_cert=self.tls_verify)
-        )
-
     # _deprecated_oauth_aliases is used by deprecation logic in OAuthenticator
     _deprecated_oauth_aliases = {
         "username_key": ("username_claim", "16.0.0"),
         "extra_params": ("token_params", "16.0.0"),
+        "tls_verify": ("validate_server_cert", "16.0.2"),
         **OAuthenticator._deprecated_oauth_aliases,
     }
     username_key = Union(
@@ -109,6 +97,14 @@ def _default_http_client(self):
            Use :attr:`token_params`.
         """,
     )
+    tls_verify = Bool(
+        config=True,
+        help="""
+        .. deprecated:: 16.0
+
+           Use :attr:`validate_server_cert`.
+        """,
+    )
 
     def user_info_to_username(self, user_info):
         """

diff --git a/oauthenticator/github.py b/oauthenticator/github.py
@@ -216,7 +216,6 @@ async def update_auth_model(self, auth_model):
                 "fetching user emails",
                 method="GET",
                 headers=self.build_userdata_request_headers(access_token, token_type),
-                validate_cert=self.validate_server_cert,
             )
             for val in resp_json:
                 if val["primary"]:
@@ -254,7 +253,6 @@ async def _paginated_fetch(self, api_url, access_token, token_type):
                 parse_json=False,
                 method="GET",
                 headers=self.build_userdata_request_headers(access_token, token_type),
-                validate_cert=self.validate_server_cert,
             )
 
             resp_json = json.loads(resp.body.decode())
@@ -316,7 +314,6 @@ async def _check_membership_allowed_organizations(
             raise_error=False,
             method="GET",
             headers=headers,
-            validate_cert=self.validate_server_cert,
         )
         if resp.code == 204:
             self.log.debug(f"Allowing {username} as member of {org_team}")

diff --git a/oauthenticator/gitlab.py b/oauthenticator/gitlab.py
@@ -191,7 +191,6 @@ async def _get_gitlab_version(self, access_token):
             url,
             method="GET",
             headers=_api_headers(access_token),
-            validate_cert=self.validate_server_cert,
         )
         version_strings = resp_json['version'].split('-')[0].split('.')[:3]
         version_ints = list(map(int, version_strings))
@@ -215,7 +214,6 @@ async def _check_membership_allowed_groups(self, user_id, access_token):
                 raise_error=False,
                 method="GET",
                 headers=headers,
-                validate_cert=self.validate_server_cert,
             )
             if resp.code == 200:
                 return True  # user _is_ in group
@@ -238,7 +236,6 @@ async def _check_membership_allowed_project_ids(self, user_id, access_token):
                 raise_error=False,
                 method="GET",
                 headers=headers,
-                validate_cert=self.validate_server_cert,
             )
             if resp_json:
                 access_level = resp_json.get('access_level', 0)

diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
@@ -555,7 +555,9 @@ def _validate_server_cert_default(self):
 
     @default("http_client")
     def _default_http_client(self):
-        return AsyncHTTPClient()
+        return AsyncHTTPClient(
+            force_instance=True, defaults=dict(validate_cert=self.validate_server_cert)
+        )
 
     async def fetch(self, req, label="fetching", parse_json=True, **kwargs):
         """Wrapper for http requests
@@ -808,7 +810,6 @@ async def get_token_info(self, handler, params):
             method="POST",
             headers=self.build_token_info_request_headers(),
             body=urlencode(params).encode("utf-8"),
-            validate_cert=self.validate_server_cert,
         )
 
         if "error_description" in token_info:
@@ -851,7 +852,6 @@ async def token_to_user(self, token_info):
             "Fetching user info...",
             method="GET",
             headers=self.build_userdata_request_headers(access_token, token_type),
-            validate_cert=self.validate_server_cert,
         )
 
     def build_auth_state_dict(self, token_info, user_info):