From 53a635ebaf11b784d01b43995c2137dc7084edda Mon Sep 17 00:00:00 2001
From: Daniel 'Vector' Kerr
Date: Sat, 26 Mar 2022 16:05:44 +1100
Subject: [PATCH 01/11] Add --algorithm argument and fix --skip-authorization help text for createapplication command
---
 oauth2_provider/management/commands/createapplication.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/oauth2_provider/management/commands/createapplication.py b/oauth2_provider/management/commands/createapplication.py
index 92c4ae46b..b59158676 100644
--- a/oauth2_provider/management/commands/createapplication.py
+++ b/oauth2_provider/management/commands/createapplication.py
@@ -49,9 +49,14 @@ def add_arguments(self, parser):
 parser.add_argument(
 "--skip-authorization",
 action="store_true",
- help="The ID of the new application",
+ help="If set, completely bypass the authorization form, even on the first use of the application",
 )
-
+ parser.add_argument( "--algorithm", type=str, help="The OIDC token signing algorithm for this application (e.g., 'RS256' or 'HS256')" )
+
 def handle(self, *args, **options):
 # Extract all fields related to the application, this will work now and in the future
 # and also with custom application models.
From 005809d46b12a863d5972bb1cd5c4acf8f528bf4 Mon Sep 17 00:00:00 2001
From: Daniel 'Vector' Kerr
Date: Sat, 26 Mar 2022 16:32:38 +1100
Subject: [PATCH 02/11] Add unit test for update to createapplication command
---
 tests/test_commands.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tests/test_commands.py b/tests/test_commands.py
index 13b0eeb3d..e977401a0 100644
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@@ -1,5 +1,6 @@
 from io import StringIO
+import pytest
 from django.contrib.auth import get_user_model
 from django.contrib.auth.hashers import check_password
 from django.core.management import call_command
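Review bot: The new `--algorithm` option is declared with no `choices=`, so argparse accepts any string and only whatever validation handle() performs (outside this hunk) can reject a misspelt or unsupported value; since this value selects how the application's OIDC tokens are signed, a bad value should fail at the command line rather than reach the model. Restricting it, for example `choices=["RS256", "HS256"]` (a sample built from the help text; add the model's empty "no algorithm" value if operators need to set that explicitly), gives a usage error and keeps the help string and the accepted values in sync, and `type=str` is argparse's default and can be dropped. Note also that the CLI help pasted into docs/management_commands.rst by patch 11 still shows `--skip-authorization The ID of the new application`, the very text this hunk corrects, and hides `--algorithm` behind `...`, so the documentation contradicts the new help string.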
@@ -8,6 +9,7 @@ from oauth2_provider.models import get_application_model
+from . import presets
 Application = get_application_model()
@@ -112,6 +114,20 @@ def test_application_created_with_user(self):
 self.assertEqual(app.user, user)
+ @pytest.mark.usefixtures("oauth2_settings")
+ @pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RW)
+ def test_application_created_with_algorithm(self):
+ call_command(
+ "createapplication",
+ "confidential",
+ "authorization-code",
+ "--redirect-uris=http://example.com http://example2.com",
+ "--algorithm=RS256",
+ )
+ app = Application.objects.get()
+
+ self.assertEqual(app.algorithm, "RS256")
+
 def test_validation_failed_message(self):
 output = StringIO()
 call_command(
From 3a34eab555987eca33d7a22f1c6f9e82795241e0 Mon Sep 17 00:00:00 2001
From: Daniel 'Vector' Kerr
Date: Sat, 26 Mar 2022 16:36:46 +1100
Subject: [PATCH 03/11] Add to AUTHORS
---
 AUTHORS | 1 +
 1 file changed, 1 insertion(+)
diff --git a/AUTHORS b/AUTHORS
index 7f3f21276..962cc7d00 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -23,6 +23,7 @@ Bart Merenda
 Bas van Oostveen
 Brian Helba
 Carl Schwan
+Daniel 'Vector' Kerr
 Dave Burkholder
 David Fischer
 David Smith
From de44122f4afeb811b3ea5a4fabff7628c7f9d06d Mon Sep 17 00:00:00 2001
From: Daniel 'Vector' Kerr
Date: Sat, 26 Mar 2022 16:42:23 +1100
Subject: [PATCH 04/11] Update changelog for createapplication command changes
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6b089f5f..33552dea4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
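Review bot: test_application_created_with_algorithm only covers the accepted value, so nothing pins what createapplication does with an unsupported `--algorithm` value; a sibling test written like test_validation_failed_message just below (capture `output`, pass e.g. `--algorithm=RS512`, then assert a validation error is reported and no Application row exists) would catch a silent save of an algorithm the token signer cannot use. The two `pytest.mark` decorators tie the test to the OIDC preset, presumably because the model only accepts an algorithm when OIDC is enabled; a one-line comment such as `# OIDC settings are needed for the application model to accept an algorithm` would spare the next reader a trip to presets. The enclosing test class starts outside the hunk.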
@@ -32,9 +32,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 If you've [customized OIDC responses](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses) and want to retain the pre-2.x behavior, set `oidc_claim_scope = None` in your subclass of `OAuth2Validator`.
 * #1108 OIDC: Make the `access_token` available to `get_oidc_claims` when called from `get_userinfo_claims`.
+* Added `--algorithm` argument to `createapplication` management command
 ### Fixed
 * #1108 OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
+* Fixed help text for `--skip-authorization` argument of the `createapplication` management command
 ### Removed
 * #1124 (**Breaking**, **Security**) Removes support for insecure `urn:ietf:wg:oauth:2.0:oob` and `urn:ietf:wg:oauth:2.0:oob:auto` which are replaced
From 75b62cffc513b13ccbd0a31ffe401a694ec1a331 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Sat, 26 Mar 2022 05:50:14 +0000
Subject: [PATCH 05/11] [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---
 oauth2_provider/management/commands/createapplication.py | 4 ++--
 tests/test_commands.py | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/oauth2_provider/management/commands/createapplication.py b/oauth2_provider/management/commands/createapplication.py
index b59158676..f8575a8b0 100644
--- a/oauth2_provider/management/commands/createapplication.py
+++ b/oauth2_provider/management/commands/createapplication.py
@@ -54,9 +54,9 @@ def add_arguments(self, parser):
 parser.add_argument(
 "--algorithm",
 type=str,
- help="The OIDC token signing algorithm for this application (e.g., 'RS256' or 'HS256')"
+ help="The OIDC token signing algorithm for this application (e.g., 'RS256' or 'HS256')",
 )
-
+
 def handle(self, *args, **options):
 # Extract all fields related to the application, this will work now and in the future
 # and also with custom application models.
diff --git a/tests/test_commands.py b/tests/test_commands.py
index e977401a0..f9a9f5ade 100644
--- a/tests/test_commands.py
+++ b/tests/test_commands.py
@@ -11,6 +11,7 @@ from . import presets
+
 Application = get_application_model()
From efddb1222c09a27056670ac9710431941409b99d Mon Sep 17 00:00:00 2001
From: Daniel
Date: Sun, 27 Mar 2022 11:19:15 +1100
Subject: [PATCH 06/11] Update CHANGELOG.md
Co-authored-by: Alan Crosswell
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33552dea4..cf8c83564 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,7 +32,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 If you've [customized OIDC responses](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses) and want to retain the pre-2.x behavior, set `oidc_claim_scope = None` in your subclass of `OAuth2Validator`.
 * #1108 OIDC: Make the `access_token` available to `get_oidc_claims` when called from `get_userinfo_claims`.
-* Added `--algorithm` argument to `createapplication` management command
+* #1132: Added `--algorithm` argument to `createapplication` management command
 ### Fixed
 * #1108 OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
From 2928215b33e032041b466e13386fee15a32168f6 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Sun, 27 Mar 2022 11:19:20 +1100
Subject: [PATCH 07/11] Update CHANGELOG.md
Co-authored-by: Alan Crosswell
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf8c83564..da0fede00 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,7 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 * #1108 OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
-* Fixed help text for `--skip-authorization` argument of the `createapplication` management command
+* #1132: Fixed help text for `--skip-authorization` argument of the `createapplication` management command
 ### Removed
 * #1124 (**Breaking**, **Security**) Removes support for insecure `urn:ietf:wg:oauth:2.0:oob` and `urn:ietf:wg:oauth:2.0:oob:auto` which are replaced
From de0db700a3da94b44e5239461ca4eb130b25f662 Mon Sep 17 00:00:00 2001
From: Daniel 'Vector' Kerr
Date: Sun, 27 Mar 2022 11:43:04 +1100
Subject: [PATCH 08/11] Add documentation for 'createapplication' command to 'management_commands.rst'
---
 docs/management_commands.rst | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/docs/management_commands.rst b/docs/management_commands.rst
index 147a0bbe4..ae710e0bf 100644
--- a/docs/management_commands.rst
+++ b/docs/management_commands.rst
@@ -4,6 +4,8 @@ Management commands
 Django OAuth Toolkit exposes some useful management commands that can be run via shell or by other means (eg: cron)
 .. _cleartokens:
+.. _createapplication:
+
 cleartokens
 ~~~~~~~~~~~
@@ -21,3 +23,39 @@ To prevent the CPU and RAM high peaks during deletion process use ``CLEAR_EXPIRE
 Note: Refresh tokens need to expire before AccessTokens can be removed from the database. Using ``cleartokens`` without ``REFRESH_TOKEN_EXPIRE_SECONDS`` has limited effect.
+
+
+
+createapplication
+~~~~~~~~~~~~~~~~~
+
+The ``createapplication`` management command provides a shortcut to create a new application in a programmatic way.
+
+This command is used like this:
+
+.. code-block:: sh
+
+ python3 manage.py createapplication [arguments]
+
+
+This command provides the following arguments:
+
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| Argument | type | Description |
++============================+======+=================================================================================================+
+| `--client_id` | str | The ID of the new application |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| `--user` | int | The ID of the user that the application belongs to |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| `--redirect-uris` | str | The redirect URIs. 
This must be a space-separated string (e.g., `"https://uri1/ https://uri2"`) |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| `--name` | str | The name of this application |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| `--skip-authorization` | flag | If set, completely bypass the authorization form, even on the first use of the application |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| `--algorithm` | str | The OIDC token signing algorithm for this application (e.g., `RS256` or `HS256`) |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| `client_type` | str | The client type, can be `confidential` or `public` |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
+| `authorization_grant_type` | str | The type of authorization grant to be used |
++----------------------------+------+-------------------------------------------------------------------------------------------------+
From 88f7b2ff3106606c30c6125934f4fa1176aeafc2 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Sun, 27 Mar 2022 00:43:24 +0000
Subject: [PATCH 09/11] [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---
 docs/management_commands.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/management_commands.rst b/docs/management_commands.rst
index ae710e0bf..c197175e5 100644
--- a/docs/management_commands.rst
+++ b/docs/management_commands.rst
@@ -34,7 +34,7 @@ The ``createapplication`` management command provides a shortcut to create a new
 This command is used like this:
 .. code-block:: sh
-
+
 python3 manage.py createapplication [arguments]
From 044a0c86cb2cc025be9902def8fab509c83c0d16 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Mon, 28 Mar 2022 07:25:56 +1100
Subject: [PATCH 10/11] Update `createapplication` command docs to mimic CLI help text output
Co-authored-by: Alan Crosswell
---
 docs/management_commands.rst | 46 ++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 21 deletions(-)
diff --git a/docs/management_commands.rst b/docs/management_commands.rst
index c197175e5..381d5a5c9 100644
--- a/docs/management_commands.rst
+++ b/docs/management_commands.rst
@@ -38,24 +38,28 @@ This command is used like this:
 python3 manage.py createapplication [arguments]
-This command provides the following arguments:
-
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| Argument | type | Description |
-+============================+======+=================================================================================================+
-| `--client_id` | str | The ID of the new application |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| `--user` | int | The ID of the user that the application belongs to |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| `--redirect-uris` | str | The redirect URIs. This must be a space-separated string (e.g., `"https://uri1/ https://uri2"`) |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| `--name` | str | The name of this application |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| `--skip-authorization` | flag | If set, completely bypass the authorization form, even on the first use of the application |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| `--algorithm` | str | The OIDC token signing algorithm for this application (e.g., `RS256` or `HS256`) |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| `client_type` | str | The client type, can be `confidential` or `public` |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
-| `authorization_grant_type` | str | The type of authorization grant to be used |
-+----------------------------+------+-------------------------------------------------------------------------------------------------+
+usage: manage.py createapplication [-h] [--client-id CLIENT_ID] [--user USER] [--redirect-uris REDIRECT_URIS]
+ [--client-secret CLIENT_SECRET] [--name NAME] [--skip-authorization] [--version] [-v {0,1,2,3}]
+ [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback] [--no-color] [--force-color]
+ [--skip-checks]
+ client_type authorization_grant_type
+
+Shortcut to create a new application in a programmatic way
+
+positional arguments:
+ client_type The client type, can be confidential or public
+ authorization_grant_type
+ The type of authorization grant to be used
+
+optional arguments:
+ -h, --help show this help message and exit
+ --client-id CLIENT_ID
+ The ID of the new application
+ --user USER The user the application belongs to
+ --redirect-uris REDIRECT_URIS
+ The redirect URIs, this must be a space separated string e.g 'URI1 URI2'
+ --client-secret CLIENT_SECRET
+ The secret for this application
+ --name NAME The name this application
+ --skip-authorization The ID of the new application
+ ...
From 294531c1040be9d6b5d31556e51af165d7783326 Mon Sep 17 00:00:00 2001
From: Alan Crosswell
Date: Mon, 28 Mar 2022 07:55:42 -0400
Subject: [PATCH 11/11] Indent for RST version of GH-flavored markdown triple backtick
---
 docs/management_commands.rst | 55 ++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 30 deletions(-)
diff --git a/docs/management_commands.rst b/docs/management_commands.rst
index 381d5a5c9..956ce9ef9 100644
--- a/docs/management_commands.rst
+++ b/docs/management_commands.rst
@@ -31,35 +31,30 @@ createapplication
 The ``createapplication`` management command provides a shortcut to create a new application in a programmatic way.
-This command is used like this:
-
 .. code-block:: sh
- python3 manage.py createapplication [arguments]
-
-
-usage: manage.py createapplication [-h] [--client-id CLIENT_ID] [--user USER] [--redirect-uris REDIRECT_URIS]
- [--client-secret CLIENT_SECRET] [--name NAME] [--skip-authorization] [--version] [-v {0,1,2,3}]
- [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback] [--no-color] [--force-color]
- [--skip-checks]
- client_type authorization_grant_type
-
-Shortcut to create a new application in a programmatic way
-
-positional arguments:
- client_type The client type, can be confidential or public
- authorization_grant_type
- The type of authorization grant to be used
-
-optional arguments:
- -h, --help show this help message and exit
- --client-id CLIENT_ID
- The ID of the new application
- --user USER The user the application belongs to
- --redirect-uris REDIRECT_URIS
- The redirect URIs, this must be a space separated string e.g 'URI1 URI2'
- --client-secret CLIENT_SECRET
- The secret for this application
- --name NAME The name this application
- --skip-authorization The ID of the new application
- ...
+ usage: manage.py createapplication [-h] [--client-id CLIENT_ID] [--user USER] [--redirect-uris REDIRECT_URIS]
+ [--client-secret CLIENT_SECRET] [--name NAME] [--skip-authorization] [--version] [-v {0,1,2,3}]
+ [--settings SETTINGS] [--pythonpath PYTHONPATH] [--traceback] [--no-color] [--force-color]
+ [--skip-checks]
+ client_type authorization_grant_type
+
+ Shortcut to create a new application in a programmatic way
+
+ positional arguments:
+ client_type The client type, can be confidential or public
+ authorization_grant_type
+ The type of authorization grant to be used
+
+ optional arguments:
+ -h, --help show this help message and exit
+ --client-id CLIENT_ID
+ The ID of the new application
+ --user USER The user the application belongs to
+ --redirect-uris REDIRECT_URIS
+ The redirect URIs, this must be a space separated string e.g 'URI1 URI2'
+ --client-secret CLIENT_SECRET
+ The secret for this application
+ --name NAME The name this application
+ --skip-authorization The ID of the new application
+ ...