From d80885afc1c5e4abfd5b368916937947e6827877 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Thu, 6 Jul 2023 18:44:21 +0200
Subject: [PATCH] generic, deprecation: deprecate tls_verify in favor of validate_server_cert
---
 oauthenticator/generic.py | 22 +++++++++-------------
 oauthenticator/github.py | 3 ---
 oauthenticator/gitlab.py | 3 ---
 oauthenticator/oauth2.py | 6 +++---
 4 files changed, 12 insertions(+), 22 deletions(-)
diff --git a/oauthenticator/generic.py b/oauthenticator/generic.py
index c71e3299..f29e8a8e 100644
--- a/oauthenticator/generic.py
+++ b/oauthenticator/generic.py
@@ -6,7 +6,6 @@
 from jupyterhub.auth import LocalAuthenticator
 from jupyterhub.traitlets import Callable
-from tornado.httpclient import AsyncHTTPClient
 from traitlets import Bool, Dict, Set, Unicode, Union, default
 from .oauth2 import OAuthenticator
@@ -70,26 +69,15 @@ def _login_service_default(self):
 """,
 )
- tls_verify = Bool(
- os.environ.get('OAUTH2_TLS_VERIFY', 'True').lower() in {'true', '1'},
- config=True,
- help="Require valid tls certificates in HTTP requests",
- )
-
 @default("basic_auth")
 def _basic_auth_default(self):
 return os.environ.get('OAUTH2_BASIC_AUTH', 'True').lower() in {'true', '1'}
- @default("http_client")
- def _default_http_client(self):
- return AsyncHTTPClient(
- force_instance=True, defaults=dict(validate_cert=self.tls_verify)
- )
-
 # _deprecated_oauth_aliases is used by deprecation logic in OAuthenticator
 _deprecated_oauth_aliases = {
 "username_key": ("username_claim", "16.0.0"),
 "extra_params": ("token_params", "16.0.0"),
+ "tls_verify": ("validate_server_cert", "16.0.2"),
 **OAuthenticator._deprecated_oauth_aliases,
 }
 username_key = Union(
@@ -109,6 +97,14 @@ def _default_http_client(self):
 Use :attr:`token_params`.
 """,
 )
+ tls_verify = Bool(
+ config=True,
+ help="""
+ .. deprecated:: 16.0
+
+ Use :attr:`validate_server_cert`.
+ """,
+ )
 def user_info_to_username(self, user_info):
 """
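Review bot: In oauthenticator/generic.py (hunk `@@ -70,26 +69,15 @@`), removing the old `tls_verify` default also removes the only visible read of the `OAUTH2_TLS_VERIFY` environment variable, and nothing in the patch documents that. The body of `_validate_server_cert_default` in oauth2.py lies outside the diff, so whether it honours that variable cannot be confirmed from here. If it does not, a deployment that sets `OAUTH2_TLS_VERIFY` to disable verification will start validating certificates after the upgrade, which fails closed but will show up as an unexplained login outage. I would say so in the deprecated trait's help or the changelog, e.g. `The OAUTH2_TLS_VERIFY environment variable is no longer read; set validate_server_cert instead.`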
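Review bot: The re-declared `tls_verify = Bool(config=True, ...)` in oauthenticator/generic.py (hunk `@@ -109,6 +97,14 @@`) has no explicit default, so it defaults to False, which is exactly the value an operator sets to turn verification off. The deprecation logic in OAuthenticator is not part of this diff; if it forwards deprecated names through trait change notifications, `tls_verify = False` would not register as a change and would be dropped without the deprecation warning, leaving verification on. A test asserting that both `tls_verify = True` and `tls_verify = False` reach `validate_server_cert` and log the warning would settle it. Separately, the help says `.. deprecated:: 16.0` while the alias entry added in the previous hunk says `"16.0.2"`; `.. deprecated:: 16.0.2` would make the two agree.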
diff --git a/oauthenticator/github.py b/oauthenticator/github.py
index 29535e81..9cbe0405 100644
--- a/oauthenticator/github.py
+++ b/oauthenticator/github.py
@@ -216,7 +216,6 @@ async def update_auth_model(self, auth_model):
 "fetching user emails",
 method="GET",
 headers=self.build_userdata_request_headers(access_token, token_type),
- validate_cert=self.validate_server_cert,
 )
 for val in resp_json:
 if val["primary"]:
@@ -254,7 +253,6 @@ async def _paginated_fetch(self, api_url, access_token, token_type):
 parse_json=False,
 method="GET",
 headers=self.build_userdata_request_headers(access_token, token_type),
- validate_cert=self.validate_server_cert,
 )
 resp_json = json.loads(resp.body.decode())
@@ -316,7 +314,6 @@ async def _check_membership_allowed_organizations(
 raise_error=False,
 method="GET",
 headers=headers,
- validate_cert=self.validate_server_cert,
 )
 if resp.code == 204:
 self.log.debug(f"Allowing {username} as member of {org_team}")
diff --git a/oauthenticator/gitlab.py b/oauthenticator/gitlab.py
index 1d32fe34..8dac7612 100644
--- a/oauthenticator/gitlab.py
+++ b/oauthenticator/gitlab.py
@@ -191,7 +191,6 @@ async def _get_gitlab_version(self, access_token):
 url,
 method="GET",
 headers=_api_headers(access_token),
- validate_cert=self.validate_server_cert,
 )
 version_strings = resp_json['version'].split('-')[0].split('.')[:3]
 version_ints = list(map(int, version_strings))
@@ -215,7 +214,6 @@ async def _check_membership_allowed_groups(self, user_id, access_token):
 raise_error=False,
 method="GET",
 headers=headers,
- validate_cert=self.validate_server_cert,
 )
 if resp.code == 200:
 return True # user _is_ in group
@@ -238,7 +236,6 @@ async def _check_membership_allowed_project_ids(self, user_id, access_token):
 raise_error=False,
 method="GET",
 headers=headers,
- validate_cert=self.validate_server_cert,
 )
 if resp_json:
 access_level = resp_json.get('access_level', 0)
diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index c91eecd4..b3476cb1 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -555,7 +555,9 @@ def _validate_server_cert_default(self):
 @default("http_client")
 def _default_http_client(self):
- return AsyncHTTPClient()
+ return AsyncHTTPClient(
+ force_instance=True, defaults=dict(validate_cert=self.validate_server_cert)
+ )
 async def fetch(self, req, label="fetching", parse_json=True, **kwargs):
 """Wrapper for http requests
@@ -808,7 +810,6 @@ async def get_token_info(self, handler, params):
 method="POST",
 headers=self.build_token_info_request_headers(),
 body=urlencode(params).encode("utf-8"),
- validate_cert=self.validate_server_cert,
 )
 if "error_description" in token_info:
@@ -851,7 +852,6 @@ async def token_to_user(self, token_info):
 "Fetching user info...",
 method="GET",
 headers=self.build_userdata_request_headers(access_token, token_type),
- validate_cert=self.validate_server_cert,
 )
 def build_auth_state_dict(self, token_info, user_info):
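Review bot: In oauthenticator/oauth2.py (hunk `@@ -555,7 +555,9 @@`), `validate_server_cert` now takes effect only through the defaults of the client built in `_default_http_client`, because the per-request `validate_cert=self.validate_server_cert` is removed in the two later hunks of this file and in all six hunks of github.py and gitlab.py. A deployment or subclass that supplies its own `http_client` therefore no longer has the setting applied, and a client built with `validate_cert=False` defaults would skip verification even when `validate_server_cert` is True. The value is also read once, when the default client is created, so a later change to `validate_server_cert` is not picked up. Applying the setting in the shared request helper those call sites use (not visible in these hunks) would keep the per-request guarantee; failing that, I would add above the method `# validate_server_cert is applied only via this default client; a custom http_client must set validate_cert itself`.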