Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[All] breaking, add allow_all config defaulting to False (CILogon: require allowed_idps) #625

Merged
merged 12 commits into from
Jun 28, 2023
Merged

[All] breaking, add allow_all config defaulting to False (CILogon: require allowed_idps) #625

merged 12 commits into from
Jun 28, 2023

Conversation

consideRatio
Copy link
Member

@consideRatio consideRatio commented Jun 26, 2023
edited
Loading

[All] allow_all config

When setting up a JupyterHub you may with a minimal config using an OAuthenticator based Authenticator end up allowing all authenticated users. Even if they were allowed for a brief amount of time, they can have ended up creating a user for access after login is restricted. This PR addresses this situation by defaulting to not allowing all authenticated users.

Example use

c.JupyterHub.authentication_class = "github" 
c.GitHubOAuthenticator.client_id = "..."
c.GitHubOAuthenticator.client_secret = "..."

# previously with a config like above all github users were allowed access
# now though allow_all needs to be configured explicitly for that situation
# using the allow_all config, like below
c.OAuthenticator.allow_all = True

Related

[CILogon] allowed_idps required

For CILogon, it was hard to add the allow_all functionality independently from the planned change of making CILogonOAuthenticator.allowed_idps to be required. Due to that, that change is bundled in this PR.

WIth CILogonOAuthenticator.allowed_idps required, it made sense to also stop using CILogonOAuthenticator's username_claim, additional_username_claims, and shown_idps, so use of them is now also causing loud errors. The main motivation for erroring loudly instead of providing a warning is that a misconfiguration here can be a security issue.

Related

For the reviewer

This is a humongous PR as it was hard to avoid it but I hope you don't panic! I've thought a lot on the commits I've made, making a few relatively small commits with actual changes free from updates to comments and tests which instead are put in other larger commits. With this in mind, I recommend reviewing this commit by commit.

Here are the commits, and only three contain relevant changes, and two of those are cilogon specific changes. That makes this PR include one key commit to review (223c89b - all, breaking change: add allow_all config, default to False). When reviewing that commit, I recommend starting by looking at the oauth2.py file's changes as the other changes build on logic changed in the OAuthenticator base class.

  1. 0bd5809 - (trivial) refactor, auth0: add help strings for auth0_domain and auth0_subdomain
  2. 2ade700 - (trivial) refactor, globus: fix help string indentation and misc whitespace
  3. 2e11e44 - cilogon, breaking change: allowed_idps must be configured
  4. 223c89b - all, breaking change: add allow_all config, default to False
  5. 0e2352e - (only tests/ folder touched) maint: update tests for recent change
  6. 561f13c - (~only comments etc touched) maint: update comments, helpstrings, and docstrings for other commits
  7. 89f7d9d - cilogon, breaking change: shown_idps, username_claim, additional_username_claims
  8. 84e1aac - (trivial) maint, google: use lower case when comparing domain names
  9. 032d5d2 - (trivial) maint, mediawiki: specify user_auth_state_key

Post review update

Following review, I've made the following commits so far.

  1. 8d1da50 - (trivial) cilogon: switch to another status code in an error response
  2. 69535f0 - (trivial) maint: update some additional docstrings
  3. e7f864d - (trivial) maint, generic: refactor to at least partially rely on base class

About changes in tests

  • I've added significant test coverage for allowed_all and other allow_... config by using @pytest.mark.parametrize one test per authenticator to run with a lot of different allow_ config. This parametrized test could largely be re-used across authenticators with small tweaks.
  • I've removed quite a few standalone tests that were covered well via the parametrized test, and some other tests. Overall, I've been very cautious to avoid reducing the tested situations.

@consideRatio
refactor, auth0: add help strings for auth0_domain and auth0_subdomain
0bd5809
@consideRatio
refactor, globus: fix help string indentation and misc whitespace
2ade700
@consideRatio
cilogon, breaking change: allowed_idps must be configured
2e11e44
@consideRatio
all, breaking change: add allow_all config, default to False
223c89b
@consideRatio
maint: update tests for recent change
0e2352e
@consideRatio
maint: update comments, helpstrings, and docstrings for other commits
561f13c
@consideRatio
cilogon, breaking change: shown_idps, username_claim, additional_user…
89f7d9d 
…name_claims

These are now all deprecated and will error if configured for
CILogonOAuthenticator.

When allowed_idps is configured the claim config is bypassed by the IdP
specific username_claim anyhow, and shown_idps should really be allowed_idps
instead.
@consideRatio
maint, google: use lower case when comparing domain names
84e1aac
@consideRatio
maint, mediawiki: specify user_auth_state_key
032d5d2
@consideRatio consideRatio changed the title [All] breaking, add allow_all config and default to False [All] breaking, add allow_all config defaulting to False (CILogon: require allowed_idps) Jun 26, 2023
@consideRatio consideRatio self-assigned this Jun 26, 2023
@consideRatio consideRatio marked this pull request as ready for review June 26, 2023 15:50
GeorgianaElena
GeorgianaElena reviewed Jun 27, 2023
View reviewed changes
Copy link
Member

@GeorgianaElena GeorgianaElena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much @consideRatio! This looks very good and describing what each commit did, was very helpful ❤️

@consideRatio
Copy link
Member Author

Thank you soo much for reviewing @GeorgianaElena!!!!

I pushed three commits, where e7f864d was not directly related to your review comments. When documenting GenericOAuthenticator, I concluded that it wad adding functionality in username_claim that the base class didn't have, and that it duplicated things done in the base class besides checking if username_claim was callable. The commit refactors away the duplicated code, now referencing the base class logic.

GeorgianaElena
GeorgianaElena approved these changes Jun 28, 2023
View reviewed changes
Copy link
Member

@GeorgianaElena GeorgianaElena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is amazing @consideRatio ❤️ Thank you very much for all this work and for making the review so straightforward. This is ready to be merged IMO 🚀

@GeorgianaElena GeorgianaElena merged commit 4dbac5c into jupyterhub:main Jun 28, 2023
@consideRatio
Copy link
Member Author

WIEEEEE thank you @GeorgianaElena !!!

Gehock added a commit to AaltoSciComp/jupyterhub-aalto that referenced this pull request Jul 21, 2023
@Gehock
jupyterhub_config: Allow all users to log in
ec513f2 
A breaking change in oauthenticator that went unnoticed:
jupyterhub/oauthenticator#625
@manics manics mentioned this pull request Jan 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GeorgianaElena GeorgianaElena GeorgianaElena approved these changes

@minrk minrk Awaiting requested review from minrk

@manics manics Awaiting requested review from manics

Assignees

@consideRatio consideRatio

Labels
breaking new
Projects
None yet
Milestone
No milestone
2 participants
@consideRatio @GeorgianaElena