Merge pull request #625 from consideRatio/pr/add-allow-all

[All] breaking, add allow_all config defaulting to False (CILogon: require allowed_idps)

docs/source/reference/changelog.md

@@ -23,6 +23,8 @@ command line for details.
   lists as as they are converted to sets automatically, but anyone reading and
   adding entries must now use set logic and not list logic.
 - [Google] Authentication state's `google_groups` is now a set, not a list.
+- [CILogon] `allowed_idps` is now required config, and `shown_idps`,
+  `username_claim`, `additional_username_claims` must no longer be configured.
 
 (changelog:version-15)=
 

oauthenticator/auth0.py

@@ -54,13 +54,15 @@ class Auth0OAuthenticator(OAuthenticator):
     def _username_claim_default(self):
         return "email"
 
-    auth0_subdomain = Unicode(config=True)
-    auth0_domain = Unicode(config=True)
+    auth0_domain = Unicode(
+        config=True,
+        help="""
+        The domain for your Auth0 account.
 
-    @default("auth0_subdomain")
-    def _auth0_subdomain_default(self):
-        # This is allowed to be empty unless auth0_domain is not supplied either
-        return os.getenv("AUTH0_SUBDOMAIN", "")
+        Used to determine the default values for `logout_redirect_url`,
+        `authorize_url`, `token_url`, and `userdata_url`.
+        """,
+    )
 
     @default("auth0_domain")
     def _auth0_domain_default(self):
@@ -70,12 +72,23 @@ def _auth0_domain_default(self):
         if self.auth0_subdomain:
             return f"{self.auth0_subdomain}.auth0.com"
         raise ValueError(
-            "Please specify $AUTH0_DOMAIN env, $AUTH0_SUBDOMAIN env, "
-            "{part}.auth0_domain config, or {part}.auth0_subdomain config".format(
-                part=self.__class__.__name__
-            )
+            "Configuring either auth0_domain or auth0_subdomain is required"
         )
 
+    auth0_subdomain = Unicode(
+        config=True,
+        help="""
+        A shorthand for configuring `auth0_domain`, if configured to
+        "something", it is the same as configuring `auth0_domain` to
+        "something.auth0.com".
+        """,
+    )
+
+    @default("auth0_subdomain")
+    def _auth0_subdomain_default(self):
+        # This is allowed to be empty unless auth0_domain is not supplied either
+        return os.getenv("AUTH0_SUBDOMAIN", "")
+
     username_key = Unicode(
         config=True,
         help="Deprecated, use `Auth0OAuthenticator.username_claim`",

oauthenticator/bitbucket.py

@@ -71,33 +71,19 @@ async def update_auth_model(self, auth_model):
 
     async def check_allowed(self, username, auth_model):
         """
-        Returns True for users allowed to be authorized.
-
-        Overrides the OAuthenticator.check_allowed implementation to allow users
-        either part of `allowed_users` or `allowed_teams`, and not just those
-        part of `allowed_users`.
+        Overrides the OAuthenticator.check_allowed to also allow users part of
+        `allowed_teams`.
         """
-        # A workaround for JupyterHub<=4.0.1, described in
-        # https://github.com/jupyterhub/oauthenticator/issues/621
-        if auth_model is None:
-            return True
-
-        # allow admin users recognized via admin_users or update_auth_model
-        if auth_model["admin"]:
+        if await super().check_allowed(username, auth_model):
             return True
 
-        # if allowed_users or allowed_teams is configured, we deny users not
-        # part of either
-        if self.allowed_users or self.allowed_teams:
+        if self.allowed_teams:
             user_teams = auth_model["auth_state"]["user_teams"]
-            if username in self.allowed_users:
-                return True
             if any(user_teams & self.allowed_teams):
                 return True
-            return False
 
-        # otherwise, authorize all users
-        return True
+        # users should be explicitly allowed via config, otherwise they aren't
+        return False
 
 
 class LocalBitbucketOAuthenticator(LocalAuthenticator, BitbucketOAuthenticator):