From 80eda5d81f4da1d9d194480c65a4c01216ce95e1 Mon Sep 17 00:00:00 2001 From: Asif Saif Uddin Date: Thu, 18 May 2023 10:03:11 +0600 Subject: [PATCH 01/13] Create dependency-review.yml --- .github/workflows/dependency-review.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..fe461b42 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,20 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v2 From 5bac97eca82af06c6013b9aba7f9af952859d3a1 Mon Sep 17 00:00:00 2001 From: Asif Saif Uddin Date: Sun, 27 Aug 2023 12:50:42 +0600 Subject: [PATCH 02/13] Update .github/workflows/dependency-review.yml --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index fe461b42..b0dedc42 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
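Review bot: Both `uses:` lines in the new workflow reference actions by a mutable major tag (`actions/checkout@v3`, `actions/dependency-review-action@v2`), so the gate meant to block vulnerable dependencies is itself resolved at run time to whatever the tag currently points at. Pinning to a full-length commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/dependency-review-action@<commit-sha>  # v2`, makes the check reproducible and still lets Dependabot keep the pin current; the same applies to the tag bumps in patches 02 and 13. The `permissions: contents: read` block and the `pull_request` trigger (rather than `pull_request_target`) are the right shape for a check that also runs on fork PRs.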
@@ -17,4 +17,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@v2 + uses: actions/dependency-review-action@v3 From 3dda26bd2bd19c5c6f992812fd81995ca7feca7c Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade Date: Sun, 27 Aug 2023 07:12:29 -0600 Subject: [PATCH 03/13] Add support for Python 3.12 (#859) * Update docs to match supported versions * Add support for Python 3.12 * Add colour to CI logs for readability * Also test PRs and add manual trigger --- .github/workflows/python-build.yml | 6 ++++-- docs/contributing.rst | 2 +- setup.py | 1 + tox.ini | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/python-build.yml b/.github/workflows/python-build.yml index c7af97ad..0f7ddf1b 100644 --- a/.github/workflows/python-build.yml +++ b/.github/workflows/python-build.yml @@ -1,19 +1,21 @@ name: Python Tests run-name: Run Tests by ${{ github.actor }} -on: [push] +on: [push, pull_request, workflow_dispatch] jobs: tests: env: + FORCE_COLOR: 1 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} strategy: matrix: - python: ["3.8", "3.9", "3.10", "3.11"] + python: ["3.8", "3.9", "3.10", "3.11", "3.12"] runs-on: ubuntu-latest steps: - name: Set up Python ${{ matrix.python }} uses: actions/setup-python@v4 with: python-version: ${{ matrix.python }} + allow-prereleases: true - name: Check out repository code uses: actions/checkout@v3 - name: Install prereq diff --git a/docs/contributing.rst b/docs/contributing.rst index 19ff9c9c..e7d12173 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -152,7 +152,7 @@ request that fails this test suite will be **rejected**. Testing multiple versions of Python ----------------------------------- -OAuthLib supports Python 3.5, 3.6, 3.7 and PyPy 2.7 & PyPy 3. Testing +OAuthLib supports Python 3.6+ and PyPy3. Testing all versions conveniently can be done using `Tox`_. .. sourcecode:: bash 
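Review bot: The python-build.yml hunk widens the triggers to `on: [push, pull_request, workflow_dispatch]` while the job still exports `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` into every step's environment and the workflow declares no `permissions:` block, so on `push` and `workflow_dispatch` the token carries whatever the repository's default token permissions grant. Adding a top-level `permissions:` with `contents: read` directly under the `on:` line scopes it to what the hunk visibly needs (checkout); the hunk does not show what else the token is used for, so any extra permission should be granted at the job that needs it. Separately, `allow-prereleases: true` applies to every matrix entry rather than only `"3.12"`; that is harmless today, but a comment such as `# needed while 3.12 is a pre-release; drop once it is GA` would keep it from outliving its purpose. The `steps:` list continues past the end of the hunk.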
diff --git a/setup.py b/setup.py index cec2bfdb..8752eba8 100755 --- a/setup.py +++ b/setup.py @@ -58,6 +58,7 @@ def fread(fn): 'Programming Language :: Python :: 3.9', 'Programming Language :: Python :: 3.10', 'Programming Language :: Python :: 3.11', + 'Programming Language :: Python :: 3.12', 'Programming Language :: Python :: 3 :: Only', 'Programming Language :: Python :: Implementation', 'Programming Language :: Python :: Implementation :: CPython', diff --git a/tox.ini b/tox.ini index 3195c771..229dd9df 100644 --- a/tox.ini +++ b/tox.ini @@ -1,6 +1,6 @@ # require tox>=4 [tox] -envlist = py38,py39,py310,py311,pypy3,docs,readme,bandit,isort +envlist = py38,py39,py310,py311,py312,pypy3,docs,readme,bandit,isort [testenv] deps= From af7c6aa8abcd8e375a773c60218adca52e808ad3 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade Date: Sat, 26 Aug 2023 16:11:24 +0300 Subject: [PATCH 04/13] CI: Only attempt upload for upstream --- .github/workflows/python-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 89262709..43417ee5 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -7,6 +7,7 @@ on: jobs: pypi-publish: if: | + github.repository_owner == 'oauthlib' && ${{ github.event.workflow_run.conclusion == 'success' }} && ${{ github.ref_type == 'tag' }} name: Upload release to PyPI From b216ce1add7321a88153c2263a556874cbc024ff Mon Sep 17 00:00:00 2001 From: Christian Clauss Date: Mon, 28 Aug 2023 23:48:41 +0200 Subject: [PATCH 05/13] Lint with ruff to replace bandit, flake8, isort, pyupgrade --- .github/workflows/lint_python.yml | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/workflows/lint_python.yml b/.github/workflows/lint_python.yml index fe654d9f..f50e8aa9 100644 --- a/.github/workflows/lint_python.yml +++ b/.github/workflows/lint_python.yml 
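Review bot: In the python-publish.yml hunk the new `github.repository_owner == 'oauthlib' &&` line is a bare expression while the two lines that follow it remain wrapped in `${{ }}`; GitHub evaluates an `if:` value as one expression only when it is written uniformly, and mixing the forms risks the wrapped parts being interpolated to the strings `true`/`false` with the remainder then treated as a non-empty (truthy) string rather than as the intended conjunction. I would drop the wrappers so the whole condition is a single expression: `github.repository_owner == 'oauthlib' &&`, `github.event.workflow_run.conclusion == 'success' &&`, `github.ref_type == 'tag'`. The owner check itself is a good addition, since it stops forks from attempting the PyPI upload. The `pypi-publish` job continues past the hunk.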
@@ -8,20 +8,15 @@ jobs: - uses: actions/setup-python@v4 with: python-version: 3.x + check-latest: true - run: pip install --upgrade pip setuptools wheel - - run: pip install bandit black codespell flake8 flake8-2020 flake8-bugbear - flake8-comprehensions isort mypy pytest pyupgrade safety - - run: bandit --recursive --skip B101,B105,B106,B107,B324 . + - run: pip install black codespell mypy pytest ruff safety + - run: ruff --format=github . - run: black --check . || true - - run: codespell || true # --ignore-words-list="" --skip="*.css,*.js,*.lock" - - run: flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics - - run: flake8 . --count --exit-zero --max-complexity=10 --max-line-length=88 - --show-source --statistics - - run: isort --check-only --profile black . || true - - run: pip install -r requirements.txt || pip install --editable . || true + - run: codespell # --ignore-words-list="" --skip="*.css,*.js,*.lock" + - run: pip install -r requirements-test.txt + - run: pip install --editable . - run: mkdir --parents --verbose .mypy_cache - run: mypy --ignore-missing-imports --install-types --non-interactive . || true - - run: pytest . || true - - run: pytest --doctest-modules . || true - - run: shopt -s globstar && pyupgrade --py36-plus **/*.py || true + - run: pytest - run: safety check From 00f9a212004a80df790ed071a59af53a05f5e3f2 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Fri, 11 Aug 2023 09:35:16 -0700 Subject: [PATCH 06/13] Ensure that `request.client_id` is set during Refresh Token Grant. --- .../oauth2/rfc6749/grant_types/refresh_token.py | 3 +++ .../rfc6749/grant_types/test_refresh_token.py | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py b/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py index ce33df0e..43bf55ac 100644 --- a/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py +++ b/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py 
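Review bot: The `- run: bandit --recursive --skip B101,B105,B106,B107,B324 .` step is removed and nothing in the new `- run: ruff --format=github .` line selects a replacement, so security linting now depends on the repository's ruff configuration enabling the `S` (flake8-bandit) rule family; that configuration is not part of this change, so please confirm it or add `--select S` on top of the project defaults. The same loss applies to the removal of `[testenv:bandit]` in the tox.ini hunk of patch 07. Also, `pip install black codespell mypy pytest ruff safety` installs unpinned tools, so `--format=github` (renamed to `--output-format` in later ruff releases) can stop working without any change to this repository; pinning the tool versions or using a constraints file keeps the job deterministic. The `steps:` list and the enclosing `jobs:` mapping begin before the hunk.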
@@ -101,6 +101,9 @@ def validate_token_request(self, request): if not self.request_validator.authenticate_client(request): log.debug('Invalid client (%r), denying access.', request) raise errors.InvalidClientError(request=request) + # Ensure that request.client_id is set. + if request.client_id is None and request.client is not None: + request.client_id = request.client.client_id elif not self.request_validator.authenticate_client_id(request.client_id, request): log.debug('Client authentication failed, %r.', request) raise errors.InvalidClientError(request=request) diff --git a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py index 581f2a4d..0a4ddd9a 100644 --- a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py +++ b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py @@ -130,6 +130,22 @@ def test_authentication_required(self): self.request) self.mock_validator.client_authentication_required.assert_called_once_with(self.request) + + def test_authentication_required_populate_client_id(self): + """ + Make sure that request.client_id is populated from + request.client.client_id if None. + + """ + self.mock_validator.client_authentication_required.return_value = True + self.mock_validator.authenticate_client.return_value = True + # self.mock_validator.authenticate_client_id.return_value = False + # self.request.code = 'waffles' + self.request.client_id = None + self.request.client.client_id = 'foobar' + self.auth.validate_token_request(self.request) + self.request.client_id = 'foobar' + def test_invalid_grant_type(self): self.request.grant_type = 'wrong_type' self.assertRaises(errors.UnsupportedGrantTypeError, From eddb461c1043f8ad583fd67af34749e32fdc19cc Mon Sep 17 00:00:00 2001 
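Review bot: The new `request.client_id = request.client.client_id` assignment runs only inside the `client_authentication_required` branch after `authenticate_client` succeeds, and it assumes the validator stored an object exposing a `client_id` attribute on `request.client`; a validator that sets `request.client` to something without that attribute would now raise `AttributeError` on a path that previously issued a token. Either use `getattr(request.client, 'client_id', None)` to keep the fill-in best-effort, or state the expectation in the comment, e.g. `# authenticate_client is expected to set request.client with a client_id attribute`. `validate_token_request` starts and continues outside the hunk.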
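Review bot: `test_authentication_required_populate_client_id` ends with the assignment `self.request.client_id = 'foobar'` rather than an assertion, so it passes whether or not `validate_token_request` populated the id; the last line should be `self.assertEqual(self.request.client_id, 'foobar')`. The two commented-out lines (`# self.mock_validator.authenticate_client_id.return_value = False` and `# self.request.code = 'waffles'`) look like leftovers from a copied test and should be dropped. The test class continues outside the hunk.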
From: Christian Clauss Date: Sun, 3 Sep 2023 22:08:57 +0200 Subject: [PATCH 07/13] Tox use ruff (#864) * Tox: Use ruff * Tox: Use ruff --- Makefile | 10 +++++----- tox.ini | 21 ++++++--------------- 2 files changed, 11 insertions(+), 20 deletions(-) diff --git a/Makefile b/Makefile index 2d2e1ed7..28081659 100644 --- a/Makefile +++ b/Makefile @@ -34,11 +34,11 @@ clean-build: @rm -fr dist/ @rm -fr *.egg-info -format fmt: - isort --recursive oauthlib tests +format fmt black: + black . -lint: - isort --recursive --check-only --diff oauthlib tests +lint ruff: + ruff . test: tox @@ -81,4 +81,4 @@ dance: .DEFAULT_GOAL := all .PHONY: clean test bottle dance django flask requests -all: test bottle dance django flask requests +all: lint test bottle dance django flask requests diff --git a/tox.ini b/tox.ini index 229dd9df..fb476a12 100644 --- a/tox.ini +++ b/tox.ini @@ -1,6 +1,6 @@ # require tox>=4 [tox] -envlist = py38,py39,py310,py311,py312,pypy3,docs,readme,bandit,isort +envlist = py38,py39,py310,py311,py312,pypy3,docs,readme,ruff [testenv] deps= @@ -9,7 +9,6 @@ commands= pytest --cov=oauthlib tests/ # tox -e docs to mimic readthedocs build. -# as of today, RTD is using python3.7 and doesn't run "setup.py install" [testenv:docs] basepython=python3.11 skipsdist=True @@ -28,16 +27,8 @@ allowlist_externals=echo commands= twine check .tox/.pkg/dist/* -[testenv:bandit] -basepython=python3.11 -skipsdist=True -deps=bandit -commands=bandit -b bandit.json -r oauthlib/ -allowlist_externals=bandit - -[testenv:isort] -basepython = python3.8 -usedevelop = false -deps = isort -changedir = {toxinidir} -commands = isort --recursive --check-only --diff oauthlib tests +[testenv:ruff] +deps=ruff +allowlist_externals=ruff +skip_install=true +commands=ruff . From fe020db74199d5284c00d7735aa7d4ddc90f5d61 Mon Sep 17 00:00:00 2001 
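Review bot: In the new `[testenv:ruff]` section of the tox.ini hunk, `allowlist_externals=ruff` is unnecessary because `deps=ruff` installs the tool into the tox environment, where it runs without an allowlist; `skip_install=true` plus `deps` is all the env needs. Neither this env nor the Makefile's new `lint ruff:` target pins a ruff version, so lint results will drift with upstream releases; consider `deps=ruff==<pinned-version>` here and matching it wherever CI installs ruff. The `[testenv]` and `[testenv:docs]` sections touched by the earlier hunks in this file start outside their hunks.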
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Tue, 24 Oct 2023 15:08:10 +0200 Subject: [PATCH 08/13] Make UtilsTests.test_filter_params Python 3.13+ compatible Since Python 3.13.0a1, docstrings are automatically dedented. See https://github.com/python/cpython/issues/81283 and https://docs.python.org/3.13/whatsnew/3.13.html#other-language-changes As a result, using a docstring with leading space as a test case breaks the test assumption. The initial commit which introduced this test a decade ago (6c0c7914f3a57823834b1be492b307992f943629) does not specify why testing the spaces is important. --- tests/oauth1/rfc5849/test_utils.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/oauth1/rfc5849/test_utils.py b/tests/oauth1/rfc5849/test_utils.py index 013c71a9..22128908 100644 --- a/tests/oauth1/rfc5849/test_utils.py +++ b/tests/oauth1/rfc5849/test_utils.py @@ -53,11 +53,11 @@ def test_filter_params(self): # The following is an isolated test function used to test the filter_params decorator. @filter_params def special_test_function(params, realm=None): - """ I am a special test function """ + """I am a special test function""" return 'OAuth ' + ','.join(['='.join([k, v]) for k, v in params]) # check that the docstring got through - self.assertEqual(special_test_function.__doc__, " I am a special test function ") + self.assertEqual(special_test_function.__doc__, "I am a special test function") # Check that the decorator filtering works as per design. # Any param that does not start with 'oauth' From dcbcbeff6c1ff5775e372b4ce0b0d0223c8cae29 Mon Sep 17 00:00:00 2001 From: Jonathan Huot Date: Fri, 22 Dec 2023 23:15:19 +0100 Subject: [PATCH 09/13] Add dependency with CVE to trigger security check --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index c3c427e3..3515dbc5 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,3 +1,4 @@ pyjwt>=2.0.0,<3 blinker==1.4 cryptography>=3.0.0 +setuptools==65.5.1 From e4ffc08930c70f8379897eba497a2adbacd17f59 Mon Sep 17 00:00:00 2001 From: Jonathan Huot Date: Fri, 22 Dec 2023 23:18:47 +0100 Subject: [PATCH 10/13] Trigger security check failure --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3515dbc5..ac50b73b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ pyjwt>=2.0.0,<3 blinker==1.4 cryptography>=3.0.0 -setuptools==65.5.1 +setuptools==65.5.0 From 7e3462ca59372c382a61d33d64c9a1ace54b2e99 Mon Sep 17 00:00:00 2001 From: Jonathan Huot Date: Fri, 22 Dec 2023 23:32:19 +0100 Subject: [PATCH 11/13] Revert "Trigger security check failure" This reverts commit e4ffc08930c70f8379897eba497a2adbacd17f59. --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index ac50b73b..3515dbc5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ pyjwt>=2.0.0,<3 blinker==1.4 cryptography>=3.0.0 -setuptools==65.5.0 +setuptools==65.5.1 From dbda1ea43cd1cc157a1dc563b9220ddc00546694 Mon Sep 17 00:00:00 2001 From: Jonathan Huot Date: Fri, 22 Dec 2023 23:32:25 +0100 Subject: [PATCH 12/13] Revert "Add dependency with CVE to trigger security check" This reverts commit dcbcbeff6c1ff5775e372b4ce0b0d0223c8cae29. --- requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3515dbc5..c3c427e3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,3 @@ pyjwt>=2.0.0,<3 blinker==1.4 cryptography>=3.0.0 -setuptools==65.5.1 From b80f6b5d712fb72fef70f45840efcfce8cc2cc7e Mon Sep 17 00:00:00 2001 From: Jonathan Huot Date: Fri, 22 Dec 2023 23:35:39 +0100 Subject: [PATCH 13/13] Bump actions/checkout Co-authored-by: Christian Clauss --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index b0dedc42..4e751977 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -15,6 +15,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v3