apple_auth: Remove decode_id_token override and update social-auth-core #15553
zproject/computed_settings.py
@@ -1030,6 +1031,7 @@ def zulip_path(path: str) -> str: | |||
# SERVICES_ID to make things more readable in the configuration | |||
# and our own custom backend code. | |||
SOCIAL_AUTH_APPLE_CLIENT = SOCIAL_AUTH_APPLE_SERVICES_ID | |||
SOCIAL_AUTH_APPLE_AUDIENCE = [SOCIAL_AUTH_APPLE_SERVICES_ID, SOCIAL_AUTH_APPLE_BUNDLE_ID] |
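Review bot: on the added SOCIAL_AUTH_APPLE_AUDIENCE line, SOCIAL_AUTH_APPLE_BUNDLE_ID can be None (the Apple ids come from get_secret, which returns Optional[str]), so this list is typed List[Optional[str]] and a None entry can reach decode_id_token, which relies on this setting. Build the list from the Services ID alone and append the bundle id only when it is configured, e.g. `SOCIAL_AUTH_APPLE_AUDIENCE = [SOCIAL_AUTH_APPLE_SERVICES_ID]` followed by `if SOCIAL_AUTH_APPLE_BUNDLE_ID is not None: SOCIAL_AUTH_APPLE_AUDIENCE.append(SOCIAL_AUTH_APPLE_BUNDLE_ID)`; that gives mypy a List[str] and keeps the set of accepted audience values exactly as large as the admin configured.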
I think this is why you're getting the mypy error for test_extra_settings. The way you're defining this AUDIENCE list here means it might end up being something like ["some.services.id", None]. That's not what we want. If BUNDLE_ID isn't specified, AUDIENCE should only have the services id.
4279341 to 22146b1
Thanks @chdinesh1089 ! One comment below, apart from the spots Mateusz has mentioned.
@@ -1209,7 +1209,7 @@ def social_associate_user_helper(backend: BaseAuth, return_data: Dict[str, Any], | |||
# In SAML authentication, the IdP may support only sending | |||
# the first and last name as separate attributes - in that case | |||
# we construct the full name from them. | |||
return_data["full_name"] = f"{first_name} {last_name}".strip() # strip removes the unnecessary ' ' | |||
return_data["full_name"] = f"{first_name or ''} {last_name or ''}".strip() # strip removes the unnecessary ' ' |
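Review bot: the `or ''` fallbacks on the new line are needed because python-social-auth now sets first_name and last_name to None for Apple logins, but the comment above still describes this as a SAML-only path; update it to say that Apple reaches it too. Separately, the Apple branch earlier in this function sets `full_name = ""`, which makes the following `if full_name:` false, so the Apple special case just falls through to this line; handling the empty-name case in one place would make the control flow easier to follow.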
Now that it's not just SAML using this code, we should update the comment above.
Do these or '' do anything? They're already looked up with a default of '' above:
first_name = kwargs['details'].get('first_name', '')
last_name = kwargs['details'].get('last_name', '')
When the name details aren't sent by apple, python-social-auth sets first_name and last_name to None. Because of that return_data["full_name"] is getting the value "None None". Those or '' are used to avoid that.
In general this whole structure is kind of weird:
if full_name is None:
    if not first_name and not last_name:
        # We need custom code here for any social auth backends
        # that don't provide name details feature.
        if (backend.name == 'apple'):
            # Apple authentication provides the user's name only
            # the very first time a user tries to login. So if
            # the user aborts login or otherwise is doing this the
            # second time, we won't have any name data. We handle
            # this by setting full_name to be the empty string.
            full_name = ""
        else:
            raise AssertionError("Social auth backend doesn't provide name")
if full_name:
    return_data["full_name"] = full_name
else:
    # In SAML authentication, the IdP may support only sending
    # the first and last name as separate attributes - in that case
    # we construct the full name from them.
    return_data["full_name"] = f"{first_name} {last_name}".strip() # strip removes the unnecessary ' '
    return_data["full_name"] = f"{first_name or ''} {last_name or ''}".strip() # strip removes the unnecessary ' '
The block if (backend.name == 'apple'): does nothing, because then we fall into the else condition of if full_name / else. I think this needs to be cleaned up.
zproject/test_extra_settings.py
@@ -175,6 +175,7 @@ def set_loglevel(logger_name: str, level: str) -> None: | |||
SOCIAL_AUTH_APPLE_SERVICES_ID = 'com.zulip.chat' | |||
SOCIAL_AUTH_APPLE_BUNDLE_ID = 'com.zulip.bundle.id' | |||
SOCIAL_AUTH_APPLE_CLIENT = 'com.zulip.chat' | |||
SOCIAL_AUTH_APPLE_AUDIENCE: List[Optional[str]] = [SOCIAL_AUTH_APPLE_BUNDLE_ID, SOCIAL_AUTH_APPLE_SERVICES_ID] |
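Review bot: the List[Optional[str]] annotation on the new SOCIAL_AUTH_APPLE_AUDIENCE line records the mypy complaint instead of resolving it; an audience list that may contain None is never what the id_token check should be configured with. Type it as List[str] and make computed_settings guarantee that (a `SOCIAL_AUTH_APPLE_CLIENT is not None` guard before building the list), so the test settings do not need the Optional.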
This is not correct yet, having a None in this list is not something we want. The type should be List[str] and we should make mypy happy with it (by correctly defining this list in computed_settings - in a way that ensures mypy there are no None in there).
The changes that are related to the package update should be in the same commit as the update. The other things are good as separate commits.
@@ -144,7 +144,7 @@ py3dns | |||
|
|||
# Install Python Social Auth | |||
social-auth-app-django | |||
social-auth-core[azuread,saml] | |||
https://github.com/python-social-auth/social-core/archive/3.4.0.zip/#egg=social-auth-core[azuread,saml]==3.4.0 |
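Review bot: the new requirement pins a tag archive (archive/3.4.0.zip) rather than a content hash, so unlike a PyPI release it is not verifiable at install time; prefer the commit sha in the archive path (or a --hash entry) until 3.4.0 is published on PyPI, and record in the commit message why the PyPI release is missing so the pin can be reverted later. Also check the stray `/` before `#egg=` in `3.4.0.zip/#egg=`, which looks unintended.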
Have you asked upstream why this hasn’t been released to PyPI?
No, just opened an issue asking. python-social-auth/social-core#485
zproject/test_extra_settings.py
SOCIAL_AUTH_APPLE_CLIENT = 'com.zulip.chat' | ||
SOCIAL_AUTH_APPLE_AUDIENCE: List[Optional[str]] = [SOCIAL_AUTH_APPLE_APP_ID, SOCIAL_AUTH_APPLE_SERVICES_ID] |
Why Optional? Is None really a valid element of this list, or are you just missing a SOCIAL_AUTH_APPLE_CLIENT is not None check in computed_settings?
mypy gets that None from having SOCIAL_AUTH_APPLE_SERVICES_ID = get_secret('social_auth_apple_services_id', development_only=True) in default_settings.py where get_secret returns Optional[str].
Fixed with adding a SOCIAL_AUTH_APPLE_CLIENT is not None check.
e185bc2 to 38817be
full_name = "" | ||
else: | ||
raise AssertionError("Social auth backend doesn't provide name") | ||
if all(name is None for name in [full_name, first_name, last_name]) and backend.name != "apple": |
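Review bot: `name is None` on the new `if all(...)` line misses the case where first_name or last_name is '' rather than None, which is exactly what `kwargs['details'].get('first_name', '')` produces above, so a non-Apple backend that sends empty names would slip past the AssertionError; use `not name` instead. The `backend.name != "apple"` clause leaves the Apple empty-name case to the code further down, so make sure that path ends with full_name set to '' rather than 'None None'.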
This won't work correctly if e.g. first_name is the empty string rather than None. We want not name I think.
Ohh, I used is None thinking we'll restrict the full_name = '' case with not name.
Can we change
first_name = kwargs['details'].get('first_name', '')
last_name = kwargs['details'].get('last_name', '')
to
first_name = kwargs['details'].get('first_name')
last_name = kwargs['details'].get('last_name')
so that this nice if line will still be correct?
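The two recurring points in this thread, a None-free audience list for the id_token check and a full-name derivation that copes with Apple sending None (or nothing at all) for the name fields, in one added Python example. This is illustrative code written for this discussion, not Zulip's or python-social-auth's own implementation: the function names, the assumed `fullname` key in the backend's details dict, and the sample inputs are all constructed here.

```python
from typing import Dict, List, Optional


def apple_audience(services_id: Optional[str], app_id: Optional[str]) -> List[str]:
    """Build the list of accepted `aud` values for Apple id_tokens.

    Both ids come from secrets that may be unset, so the inputs are Optional.
    The Services ID is mandatory (the web login client id); the App ID for
    native-app logins is optional and is appended only when configured, so the
    result is a plain List[str] and never contains None.
    """
    if services_id is None:
        raise ValueError("SOCIAL_AUTH_APPLE_SERVICES_ID must be configured")
    audience = [services_id]
    if app_id is not None:
        audience.append(app_id)
    return audience


def full_name_from_details(backend_name: str, details: Dict[str, Optional[str]]) -> str:
    """Derive the value to store as return_data['full_name'].

    `details` is the backend's details dict; this example assumes a 'fullname'
    key for backends that supply the whole name, and 'first_name'/'last_name'
    for those that send the parts separately. Values may be missing, '' or None
    (python-social-auth sets None for Apple when no name was sent).
    """
    full_name = details.get("fullname")
    if full_name:
        return full_name
    # `or ""` normalises both a missing key and an explicit None, so the
    # f-string below can never produce "None None".
    first_name = details.get("first_name") or ""
    last_name = details.get("last_name") or ""
    if not first_name and not last_name:
        # Apple only sends the name on the very first login; later logins
        # legitimately carry no name data, so an empty full name is allowed.
        if backend_name == "apple":
            return ""
        # Every other backend is expected to provide a name.
        raise AssertionError("Social auth backend doesn't provide name")
    # strip() removes the separating space when only one part is present.
    return f"{first_name} {last_name}".strip()


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases discussed in the thread.
    print(apple_audience("com.example.chat", None))
    print(apple_audience("com.example.chat", "com.example.app"))
    print(repr(full_name_from_details("apple", {"first_name": None, "last_name": None})))
    print(repr(full_name_from_details("apple", {"first_name": "Ada", "last_name": None})))
    print(repr(full_name_from_details("saml", {"first_name": "Ada", "last_name": "Lovelace"})))
```

The `not name` test (rather than `is None`) is what lets the same branch handle both the '' default from `.get(key, '')` and the None that python-social-auth now produces for Apple; the normalisation happens once, before any string formatting, instead of being patched into the f-string.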
@timabbott I think this is ready for review. Could you take a look?
I don't understand the end state with
Yes, Only for apple,
OK; we should look at reporting an issue with
yes, looks like it isn't the convention that the project uses, but that was an intentional change introduced in python-social-auth/social-core#465 The author of PR says
Python social auth says to avoid @mateuszmandera Could you confirm if it is a mistake? (I'm not sure if it's a mistake as it got merged as some sort of a fix)
e278dc1 to 3d8206a
It does seem like perhaps the original intent was to use
Perhaps we should submit PRs to upstream for apple and SAML to fix this, but regardless I don't think we can rely on this convention being followed and we cannot be investigating if it's not suddenly being broken on every PSA version bump - so I'd say in our code we should handle the
@chdinesh1089 Do you want to take care of submitting the PR to upstream?
What's the status of this PR? Are we blocked on upstream? And if not, @mateuszmandera are you happy with it?
@timabbott I don't believe we're blocked. The answer to the #15553 (comment) concern is that One controversy might be that the new PSA version isn't released to pypi due to Travis failing, but as explained by python-social-auth/social-core#485 (comment) it seems safe to upgrade. The commits LGTM, so should be ready for your review. @chdinesh1089 Can you fix the conflict and post a link to the discussion on renaming the certificate file as reference since it seems useful to have it here.
Uses git release as this version 3.4.0 is not released to pypi. This is required for removing some overridden functions of the apple auth backend class AppleAuthBackend. With the update we also make the following changes:
* Fix full name being populated as "None None". c5c74f27dd, which is included in the update, assigns first_name and last_name to None when no name is provided by apple. Due to this our code is filling return_data['full_name'] with 'None None'. This commit fixes it by making the first and last name empty strings.
* Remove decode_id_token override. Python social auth merged the PR we sent including the changes we made to the decode_id_token function. So, now there is no necessity for the override.
* Add _AUDIENCE setting in computed_settings.py. `decode_id_token` is dependent on this setting.
Changes to a better name apple-auth-key.p8 and removes the extra directory apple.
The apple developer webapp consistently refers to this as App ID. So, this clears any confusion that can occur. Since python social auth only requires us to include the App ID in _AUDIENCE (a list), we do that in computed settings, making it easier for the server admin, and we make it much clearer by having it set to APP_ID instead of BUNDLE_ID.
Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
Apple has some other obligatory settings other than key and secret. To handle that, this commit adds a function check_config() similar to that of SAML.
Rebased.
Heads up @chdinesh1089, we just merged some commits that conflict with the changes you made in this pull request! You can review this repository's recent commits to see where the conflicts occur. Please rebase your feature branch against the
Merged as the series ending with 9583554 after rebasing. One thing to note is the PROVISION_VERSION bump here was wrong;
Testing Plan:
https://circleci.com/gh/chdinesh1089/zulip/tree/apple_auth