auth_oidc: ignore missing kid when comparing keysets (#87468)
parent
7d6601c870
commit
f9d07d749a
|
@ -283,16 +283,17 @@ class OIDCProvider(BaseAuthenticator):
|
|||
self.save(update_fields=['jwkset_json', 'modified'])
|
||||
|
||||
def log_jwkset_change(self, old_jwkset, new_jwkset):
|
||||
if old_jwkset == new_jwkset:
|
||||
old_kids = {kid for key in (old_jwkset or dict()).get('keys', []) if (kid := key.get('kid'))}
|
||||
new_kids = {kid for key in new_jwkset.get('keys', []) if (kid := key.get('kid'))}
|
||||
|
||||
if old_kids == new_kids:
|
||||
return
|
||||
|
||||
old_keyset = {key.get('kid') for key in (old_jwkset or dict()).get('keys', [])}
|
||||
new_keyset = {key.get('kid') for key in new_jwkset.get('keys', [])}
|
||||
journal.record(
|
||||
'provider.keyset.change',
|
||||
provider=self.name,
|
||||
new_keyset=new_keyset,
|
||||
old_keyset=old_keyset,
|
||||
new_keyset=new_kids,
|
||||
old_keyset=old_kids,
|
||||
)
|
||||
|
||||
def authorization_claims_parameter(self):
|
||||
|
|
|
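Review bot: The early return at `if old_kids == new_kids: return` now suppresses the journal entry for any keyset change that does not alter the set of kids — a key rotated but republished under the same kid, or a change confined to kid-less keys — whereas the removed `if old_jwkset == new_jwkset:` guard journaled every change to the document. If the intent is only to stop kid-less keys from producing noisy entries, keep the whole-document comparison as the guard and use the kid sets only for the payload: `if old_jwkset == new_jwkset:` / `return`, followed by the two set comprehensions and the unchanged `journal.record(...)`. If same-kid rotations are genuinely meant to go unlogged, say so on the guard, e.g. `# only changes to the set of kids are journaled; same-kid rotations and kid-less keys are not`, since an auditor reading `provider.keyset.change` will otherwise assume it covers every rotation. Note also that `new_jwkset.get('keys', [])` still assumes a dict while `old_jwkset or dict()` tolerates None — pre-existing, but worth confirming no caller passes None as the new set.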
@ -217,7 +217,12 @@ def test_auth_oidc_refresh_jwkset_json(db, app, admin, settings, caplog):
|
|||
jwkset = JWKSet()
|
||||
jwkset.add(key_rsa)
|
||||
jwkset.add(key_ec)
|
||||
return jwkset.export(as_dict=True)
|
||||
d = jwkset.export(as_dict=True)
|
||||
# add extra key without kid to check it is just ignored by change logging
|
||||
other_key = JWK.generate(kty='EC', size=256).export(as_dict=True)
|
||||
other_key.pop('kid', None)
|
||||
d['keys'].append(other_key)
|
||||
return d
|
||||
|
||||
responses.get(
|
||||
jwkset_url,
|
||||
|
@ -251,7 +256,7 @@ def test_auth_oidc_refresh_jwkset_json(db, app, admin, settings, caplog):
|
|||
)
|
||||
provider.clean()
|
||||
provider.save()
|
||||
assert {key['kid'] for key in provider.jwkset_json['keys']} == {'123', '456'}
|
||||
assert {key.get('kid') for key in provider.jwkset_json['keys']} == {'123', '456', None}
|
||||
|
||||
kid_rsa = 'abcdefg'
|
||||
kid_ec = 'hijklmn'
|
||||
|
@ -270,4 +275,4 @@ def test_auth_oidc_refresh_jwkset_json(db, app, admin, settings, caplog):
|
|||
|
||||
call_command('oidc-refresh-jwkset-json', '-v1')
|
||||
provider.refresh_from_db()
|
||||
assert {key['kid'] for key in provider.jwkset_json['keys']} == {'abcdefg', 'hijklmn'}
|
||||
assert {key.get('kid') for key in provider.jwkset_json['keys']} == {'abcdefg', 'hijklmn', None}
|
||||
|
|
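Review bot: The comment at `# add extra key without kid to check it is just ignored by change logging` promises a check the visible hunks do not make: the new assertions at `assert {key.get('kid') for key in provider.jwkset_json['keys']} == {'123', '456', None}` and its `{'abcdefg', 'hijklmn', None}` counterpart only confirm the kid-less key is stored, not that `log_jwkset_change` ignores it. Unless it is asserted elsewhere in the test (caplog is a fixture, so the journal may be checked outside these hunks), add an explicit expectation on the journal after the refresh — that the kid change to `{'abcdefg', 'hijklmn'}` records one `provider.keyset.change` entry whose `old_keyset`/`new_keyset` contain no None, and that a refresh differing only in the kid-less key records none (or does, if the whole-document guard is kept). Because `JWK.generate(...)` runs on every response, the kid-less key already differs between the two fetches, so this is exactly the case the commit changes and it deserves a stated expectation. The test function continues outside the hunks.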