tethysplatform / tethys

The Tethys Platform main Django website project repository.
http://tethysplatform.org/
BSD 2-Clause "Simplified" License

Unpin pyjwt #880

Closed sdc50 closed 1 year ago

sdc50 commented 1 year ago

I'm not sure why pyjwt was pinned, but it's preventing other packages (e.g. python-social-core) from updating to the latest version.

coveralls commented 1 year ago


Coverage remained the same at 100.0% when pulling 3aaa0bfea7b1f54b955af9c823de45b490c0bdb0 on unpin_pyjwt into b3214c665fab1e970d7b052f2644c1fba959f77e on main.

swainn commented 1 year ago

Is this related to #879?

swainn commented 1 year ago

I dug into the history a bit and discovered the change was made in PR #629 with the commit message "Pin pyjwt version as version 2.0 breaks PythonSocialAuth". I'm not sure if that means that it breaks all of PSA or just the custom bits we've added to it. This PR also included adding multi-tenant versions of several PSA backends.

@ezrajrice do you have an environment set up where you could verify this change doesn't cause problems?

PS - @sdc50 this is a prime example of why we need to preserve the history. ;)

ezrajrice commented 1 year ago

I'd like to have @ezrajrice take a look at this as it may impact the multi-tenant auth features.

I'll work on setting up the environment tonight and get back to you in a timely manner. Note though that I currently only have a way to test the OneLogin tenant for MFA.

ezrajrice commented 1 year ago

OS: Ubuntu 22.04

After updating social-auth-core from version 4.0.2 to 4.3.0, I was able to update pyjwt from 1.7.0 to 2.6.0.

I am using the OneLogin MultiTenant configuration for this test and I am getting the error shown below. Not sure what's going on. I'm fairly sure I have it configured in the same way as a working config. The only difference is me trying to use the localhost redirect URLs. Also, I checked the OneLogin logs and they show a successful login to the dev app. It seems to me that there is something on the Tethys side blocking the final authentication.

AuthForbidden at /oauth2/complete/onelogin-oidc/
Your credentials aren't allowed

ERROR Internal Server Error: /oauth2/complete/onelogin-oidc/

Traceback (most recent call last):
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/oauth.py", line 392, in auth_complete
    response = self.request_access_token(
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/open_id_connect.py", line 231, in request_access_token
    response = self.get_json(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 242, in get_json
    return self.request(url, *args, **kwargs).json()
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 238, in request
    response.raise_for_status()
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://dynamic-engineers-dev.onelogin.com/oidc/2/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):

  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 472, in thread_handler
    raise exc_info[1]
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/exception.py", line 38, in inner
    response = await get_response(request)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/base.py", line 233, in _get_response_async
    response = await wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 435, in __call__
    ret = await asyncio.wait_for(future, timeout=None)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
    return await fut
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/current_thread_executor.py", line 22, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 476, in thread_handler
    return func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/home/ezra/.tethys/tethys4-dev/tethys/tethys_portal/views/psa.py", line 55, in complete
    return do_complete(
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 252, in wrapper
    raise AuthForbidden(args[0])
social_core.exceptions.AuthForbidden: Your credentials aren't allowed

ERROR:django.request:Internal Server Error: /oauth2/complete/onelogin-oidc/

Traceback (most recent call last):
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/oauth.py", line 392, in auth_complete
    response = self.request_access_token(
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/open_id_connect.py", line 231, in request_access_token
    response = self.get_json(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 242, in get_json
    return self.request(url, *args, **kwargs).json()
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 238, in request
    response.raise_for_status()
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://dynamic-engineers-dev.onelogin.com/oidc/2/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 472, in thread_handler
    raise exc_info[1]
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/exception.py", line 38, in inner
    response = await get_response(request)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/base.py", line 233, in _get_response_async
    response = await wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 435, in __call__
    ret = await asyncio.wait_for(future, timeout=None)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
    return await fut
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/current_thread_executor.py", line 22, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 476, in thread_handler
    return func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/home/ezra/.tethys/tethys4-dev/tethys/tethys_portal/views/psa.py", line 55, in complete
    return do_complete(
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 252, in wrapper
    raise AuthForbidden(args[0])
social_core.exceptions.AuthForbidden: Your credentials aren't allowed

ezrajrice commented 1 year ago

Further investigation suggests that pyjwt isn't in use for the OneLogin backend. Tethys is using python-jose version 3.3.0 which hasn't been updated since Jun 4, 2021. It's possible that this is interfering, but I haven't looked too deep into it. I don't know if the other backends would work, but at the very least, OneLogin seems to be broken with this package upgrade.

swainn commented 1 year ago

Thanks for investigating that @ezrajrice. This is exactly what I feared. If I remember right, OneLogin is the only one that depends on python-jose. I had to roll some things manually for multi-tenant features, I think. I have a couple of ideas for resolving this:

  1. Short-Term: we pull out the blocking dependencies as optional dependencies.
  2. We fix the issues caused by upgrading and see if we can use pyjwt instead of python-jose for the functionality needed by OneLogin.

The issue is I don't know if I'll have time to work on either anytime soon.

ezrajrice commented 1 year ago

@swainn I can try to work on switching from python-jose for OneLogin, but I'll need someone else to confirm that the updates to social-auth-core and pyjwt don't break the other services.

swainn commented 1 year ago

@ezrajrice @sdc50 and I discussed this today during Tethys scrum. I think we have a temporary workaround that should work for both of you:

We are going to merge the unpinned requirement, but add a note to the SSO docs for OneLogin that will describe how to install Tethys with pyjwt pinned to the version that works for OneLogin.

@sdc50 is also going to open a new issue that references the discussion on this PR and will serve as the driver for the long-term fix. Ultimately, we need to test all of our SSO backends with the newest version of Python Social Auth and fix the ones that are broken.

swainn commented 1 year ago

> @swainn I can try to work on switching from python-jose for OneLogin, but I'll need someone else to confirm that the updates to social-auth-core and pyjwt don't break the other services.

I can test all of the other backends.