Merge pull request from GHSA-384w-5v3f-q499
fix conflict with deprecations in jupyterhub 1.2
minrk committed Nov 30, 2020
2 parents a156b3b + 079050e commit a4aac19
Showing 11 changed files with 58 additions and 60 deletions.
4 changes: 4 additions & 0 deletions docs/source/changelog.md
Expand Up @@ -10,6 +10,10 @@ command line for details.

## 0.12

### [0.12.2] - 2020-11-30

Security fix for GHSA-384w-5v3f-q499: Deprecated `c.Authenticator.whitelist` configuration was ignored instead of mapped to newer `c.Authenticator.allowed_users` when used with JupyterHub 1.2 and OAuthenticator 0.12.0-0.12.1.

### [0.12.1] - 2020-11-20

#### Bugs fixed
7 changes: 2 additions & 5 deletions oauthenticator/bitbucket.py
Expand Up @@ -28,14 +28,11 @@ def _api_headers(access_token):

class BitbucketOAuthenticator(OAuthenticator):

_deprecated_aliases = {
_deprecated_oauth_aliases = {
"team_whitelist": ("allowed_teams", "0.12.0"),
**OAuthenticator._deprecated_oauth_aliases,
}

@observe(*list(_deprecated_aliases))
def _deprecated_trait(self, change):
super()._deprecated_trait(change)

login_service = "Bitbucket"
client_id_env = 'BITBUCKET_CLIENT_ID'
client_secret_env = 'BITBUCKET_CLIENT_SECRET'
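Review bot: The `**OAuthenticator._deprecated_oauth_aliases` entry is load-bearing but undocumented, here and in the same dict in cilogon.py, github.py, gitlab.py and google.py. The observer registered in `OAuthenticator.__init__` watches only the names found in the instance's `_deprecated_oauth_aliases`, so a subclass that defines the dict without this line would stop forwarding any alias the base class later adds, with no error. A one-line comment above the dict would make that explicit, e.g. `# always merge the parent's aliases; only names listed here are observed and forwarded`. The class body continues outside the hunk.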
7 changes: 2 additions & 5 deletions oauthenticator/cilogon.py
Expand Up @@ -44,14 +44,11 @@ def authorize_redirect(self, *args, **kwargs):


class CILogonOAuthenticator(OAuthenticator):
_deprecated_aliases = {
_deprecated_oauth_aliases = {
"idp_whitelist": ("allowed_idps", "0.12.0"),
**OAuthenticator._deprecated_oauth_aliases,
}

@observe(*list(_deprecated_aliases))
def _deprecated_trait(self, change):
super()._deprecated_trait(change)

login_service = "CILogon"

client_id_env = 'CILOGON_CLIENT_ID'
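Review bot: No test accompanies this section. The commit extends `test_deprecated_config` for Bitbucket, GitHub, GitLab and Google, but the changed-file list has no CILogon test, so forwarding of `idp_whitelist` and `whitelist` for `CILogonOAuthenticator` is not pinned here (an existing test outside this page may cover part of it). Since the fix is for a silently ignored allow-list, I would add the same check for this class, setting both deprecated names in the config and ending with an assertion on `allowed_idps` and `assert authenticator.allowed_users == {"user1"}`.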
7 changes: 2 additions & 5 deletions oauthenticator/github.py
Expand Up @@ -37,14 +37,11 @@ class GitHubOAuthenticator(OAuthenticator):
# set scopes via config, e.g.
# c.GitHubOAuthenticator.scope = ['read:org']

_deprecated_aliases = {
_deprecated_oauth_aliases = {
"github_organization_whitelist": ("allowed_organizations", "0.12.0"),
**OAuthenticator._deprecated_oauth_aliases,
}

@observe(*list(_deprecated_aliases))
def _deprecated_trait(self, change):
super()._deprecated_trait(change)

login_service = "GitHub"

github_url = Unicode("https://github.com", config=True)
9 changes: 3 additions & 6 deletions oauthenticator/gitlab.py
Expand Up @@ -37,15 +37,12 @@ class GitLabOAuthenticator(OAuthenticator):
# set scopes via config, e.g.
# c.GitLabOAuthenticator.scope = ['read_user']

_deprecated_aliases = {
_deprecated_oauth_aliases = {
"gitlab_group_whitelist": ("allowed_gitlab_groups", "0.12.0"),
"gitlab_project_id_whitelist": ("allowed_project_ids", "0.12.0")
"gitlab_project_id_whitelist": ("allowed_project_ids", "0.12.0"),
**OAuthenticator._deprecated_oauth_aliases,
}

@observe(*list(_deprecated_aliases))
def _deprecated_trait(self, change):
super()._deprecated_trait(change)

login_service = "GitLab"

client_id_env = 'GITLAB_CLIENT_ID'
7 changes: 2 additions & 5 deletions oauthenticator/google.py
Expand Up @@ -30,14 +30,11 @@ def check_user_in_groups(member_groups, allowed_groups):


class GoogleOAuthenticator(OAuthenticator, GoogleOAuth2Mixin):
_deprecated_aliases = {
_deprecated_oauth_aliases = {
"google_group_whitelist": ("allowed_google_groups", "0.12.0"),
**OAuthenticator._deprecated_oauth_aliases,
}

@observe(*list(_deprecated_aliases))
def _deprecated_trait(self, change):
super()._deprecated_trait(change)

google_api_url = Unicode("https://www.googleapis.com", config=True)

@default('google_api_url')
13 changes: 11 additions & 2 deletions oauthenticator/oauth2.py
Expand Up @@ -347,11 +347,12 @@ def get_handlers(self, app):
async def authenticate(self, handler, data=None):
raise NotImplementedError()

_deprecated_oauth_aliases = {}

def _deprecated_trait(self, change):
def _deprecated_oauth_trait(self, change):
"""observer for deprecated traits"""
old_attr = change.name
new_attr, version = self._deprecated_aliases.get(old_attr)
new_attr, version = self._deprecated_oauth_aliases.get(old_attr)
new_value = getattr(self, new_attr)
if new_value != change.new:
# only warn if different
Expand All @@ -366,3 +367,11 @@ def _deprecated_trait(self, change):
)
)
setattr(self, new_attr, change.new)

def __init__(self, **kwargs):
# observe deprecated config names in oauthenticator
if self._deprecated_oauth_aliases:
self.observe(
self._deprecated_oauth_trait, names=list(self._deprecated_oauth_aliases)
)
super().__init__(**kwargs)
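Review bot: `_deprecated_oauth_aliases = {}` and the new `__init__` carry no explanation of the two constraints this fix depends on. The attribute appears to be renamed so that it no longer shadows the base Authenticator's own deprecation mapping (the changelog entry describes `whitelist` being ignored rather than mapped to `allowed_users`), and the observer has to be registered before `super().__init__(**kwargs)`, presumably because config values are applied there. I would state both, for example `# must not be named _deprecated_aliases: that shadows JupyterHub's mapping and silently drops the whitelist -> allowed_users restriction` above the dict and `# register before super().__init__ so values loaded from config trigger the observer` in `__init__`. Separately, the result of `self._deprecated_oauth_aliases.get(old_attr)` is unpacked directly, so plain indexing with `self._deprecated_oauth_aliases[old_attr]` would fail with a clearer KeyError than the TypeError from unpacking None. The body of `_deprecated_oauth_trait` is only partly visible between the two hunks.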
16 changes: 8 additions & 8 deletions oauthenticator/tests/test_bitbucket.py
Expand Up @@ -86,16 +86,16 @@ def list_teams(request):
def test_deprecated_config(caplog):
cfg = Config()
cfg.BitbucketOAuthenticator.team_whitelist = ['red']
cfg.BitbucketOAuthenticator.whitelist = {"blue"}

log = logging.getLogger("testlog")
authenticator = BitbucketOAuthenticator(config=cfg, log=log)
assert caplog.record_tuples == [
(
log.name,
logging.WARNING,
'BitbucketOAuthenticator.team_whitelist is deprecated in BitbucketOAuthenticator 0.12.0, use '
'BitbucketOAuthenticator.allowed_teams instead',
)
]
assert (
log.name,
logging.WARNING,
'BitbucketOAuthenticator.team_whitelist is deprecated in BitbucketOAuthenticator 0.12.0, use '
'BitbucketOAuthenticator.allowed_teams instead',
) in caplog.record_tuples

assert authenticator.allowed_teams == {"red"}
assert authenticator.allowed_users == {"blue"}
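Review bot: Each of these tests sets the deprecated allow-list through only one config spelling: this one and test_gitlab.py use the subclass name (`cfg.BitbucketOAuthenticator.whitelist`), while test_github.py and test_google.py use `cfg.Authenticator.whitelist`, which is the form the changelog entry names. Because the regression was a silently ignored allow-list, both spellings are worth covering for every authenticator, for instance by parametrizing the test over the config section name. The switch from `==` to `in caplog.record_tuples` also means unexpected extra warnings no longer fail the test. If that is intentional (presumably to tolerate the base class's own deprecation message), a short comment such as `# other deprecation warnings may be logged depending on the JupyterHub version` would say so.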
16 changes: 8 additions & 8 deletions oauthenticator/tests/test_github.py
Expand Up @@ -156,16 +156,16 @@ def team_membership(request):
def test_deprecated_config(caplog):
cfg = Config()
cfg.GitHubOAuthenticator.github_organization_whitelist = ["jupy"]
cfg.Authenticator.whitelist = {"user1"}

log = logging.getLogger("testlog")
authenticator = GitHubOAuthenticator(config=cfg, log=log)
assert caplog.record_tuples == [
(
log.name,
logging.WARNING,
'GitHubOAuthenticator.github_organization_whitelist is deprecated in GitHubOAuthenticator 0.12.0, use '
'GitHubOAuthenticator.allowed_organizations instead',
)
]
assert (
log.name,
logging.WARNING,
'GitHubOAuthenticator.github_organization_whitelist is deprecated in GitHubOAuthenticator 0.12.0, use '
'GitHubOAuthenticator.allowed_organizations instead',
) in caplog.record_tuples

assert authenticator.allowed_organizations == {"jupy"}
assert authenticator.allowed_users == {"user1"}
16 changes: 8 additions & 8 deletions oauthenticator/tests/test_gitlab.py
Expand Up @@ -260,16 +260,16 @@ def is_member(request):
def test_deprecated_config(caplog):
cfg = Config()
cfg.GitLabOAuthenticator.gitlab_group_whitelist = {'red'}
cfg.GitLabOAuthenticator.whitelist = {"blue"}

log = logging.getLogger("testlog")
authenticator = GitLabOAuthenticator(config=cfg, log=log)
assert caplog.record_tuples == [
(
log.name,
logging.WARNING,
'GitLabOAuthenticator.gitlab_group_whitelist is deprecated in GitLabOAuthenticator 0.12.0, use '
'GitLabOAuthenticator.allowed_gitlab_groups instead'
)
]
assert (
log.name,
logging.WARNING,
'GitLabOAuthenticator.gitlab_group_whitelist is deprecated in GitLabOAuthenticator 0.12.0, use '
'GitLabOAuthenticator.allowed_gitlab_groups instead',
) in caplog.record_tuples

assert authenticator.allowed_gitlab_groups == {'red'}
assert authenticator.allowed_users == {"blue"}
16 changes: 8 additions & 8 deletions oauthenticator/tests/test_google.py
Expand Up @@ -114,16 +114,16 @@ async def test_allowed_google_groups(google_client):
def test_deprecated_config(caplog):
cfg = Config()
cfg.GoogleOAuthenticator.google_group_whitelist = {'email.com': ['group']}
cfg.Authenticator.whitelist = {"user1"}

log = logging.getLogger("testlog")
authenticator = GoogleOAuthenticator(config=cfg, log=log)
assert caplog.record_tuples == [
(
log.name,
logging.WARNING,
'GoogleOAuthenticator.google_group_whitelist is deprecated in GoogleOAuthenticator 0.12.0, use '
'GoogleOAuthenticator.allowed_google_groups instead',
)
]
assert (
log.name,
logging.WARNING,
'GoogleOAuthenticator.google_group_whitelist is deprecated in GoogleOAuthenticator 0.12.0, use '
'GoogleOAuthenticator.allowed_google_groups instead',
) in caplog.record_tuples

assert authenticator.allowed_google_groups == {'email.com': ['group']}
assert authenticator.allowed_users == {"user1"}
