This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Record the SSO Auth Provider in the login token #9510
Merged
Merged
Changes from 8 commits
Commits
Show all changes
14 commits
Select commit
Hold shift + click to select a range
c5934f8
Factor out `satisfy_expiry` function
richvdh 444c697
Factor out `get_value_from_macaroon` utility function
richvdh 7fa4d77
get_value_from_macaroon: check only one instance of caveat
richvdh 7f104a2
Replace get_user_id_from_macaroon with calls to get_value_from_macaroon
richvdh d651626
create verify_short_term_login_token function
richvdh 0b8dfb1
Return an object from `validate_short_term_login_token_and_get_user_id`
richvdh 3d4902b
Allow login tokens to include auth_provider_id
richvdh f2466b2
Store auth provider id in login tokens
richvdh cd7448e
changelog
richvdh a7e5112
Ensure that each login token has an auth provider id
richvdh cf5b9e1
Merge remote-tracking branch 'origin/develop' into rav/auth_provider_…
richvdh 94226a4
fix tests
richvdh 92a2f05
Remove support for default values in macaroons
richvdh ee4f580
auth_provider_id is no longer Optional
richvdh File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A macaroon that doesn't have an
auth_provider_id
caveat allows clients to add anyauth_provider_id
themselves. I think we want to add aauth_provider_id = None
(or equivalent) whenauth_provider_id
is None?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the advantage of storing this information in a macaroon instead of recording it internally in the database?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we were actually setting it to something not-None on all code paths. I've updated the method signature to enforce this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's just easier! To store it in the database, we'd have to add a table, do a bunch of sql to insert and select rows, and do a bunch more sql to delete rows once they expire. Not having to do the database queries seems more efficient too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/me looks at the size of this PR :p
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:-p
This PR is mostly moving existing stuff about. Storing it in the DB would be a bunch of new code.