diracx-db 0.0.1a10__py3-none-any.whl → 0.0.1a12__py3-none-any.whl
- diracx/db/os/utils.py +1 -2
- diracx/db/sql/auth/db.py +19 -12
- diracx/db/sql/auth/schema.py +2 -4
- {diracx_db-0.0.1a10.dist-info → diracx_db-0.0.1a12.dist-info}/METADATA +1 -1
- {diracx_db-0.0.1a10.dist-info → diracx_db-0.0.1a12.dist-info}/RECORD +8 -8
- {diracx_db-0.0.1a10.dist-info → diracx_db-0.0.1a12.dist-info}/WHEEL +1 -1
- {diracx_db-0.0.1a10.dist-info → diracx_db-0.0.1a12.dist-info}/entry_points.txt +0 -0
- {diracx_db-0.0.1a10.dist-info → diracx_db-0.0.1a12.dist-info}/top_level.txt +0 -0
    
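--- a/diracx/db/os/utils.py
+++ b/diracx/db/os/utils.py
@@ -34,8 +34,7 @@ class BaseOSDB(metaclass=ABCMeta):
     index_prefix: str
 
     @abstractmethod
-    def index_name(self, doc_id: int) -> str:
-        ...
+    def index_name(self, doc_id: int) -> str: ...
 
     def __init__(self, connection_kwargs: dict[str, Any]) -> None:
         self._client: AsyncOpenSearch | None = None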
    
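--- a/diracx/db/sql/auth/db.py
+++ b/diracx/db/sql/auth/db.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import hashlib
 import secrets
 from datetime import datetime
 from uuid import uuid4
@@ -63,7 +64,7 @@ class AuthDB(BaseSQLDB):
             ),
         ).with_for_update()
         stmt = stmt.where(
-            DeviceFlows.device_code == device_code,
+            DeviceFlows.device_code == hashlib.sha256(device_code.encode()).hexdigest(),
         )
         res = dict((await self.conn.execute(stmt)).one()._mapping)
 
@@ -74,7 +75,10 @@ class AuthDB(BaseSQLDB):
             # Update the status to Done before returning
             await self.conn.execute(
                 update(DeviceFlows)
-                .where(
+                .where(
+                    DeviceFlows.device_code
+                    == hashlib.sha256(device_code.encode()).hexdigest()
+                )
                 .values(status=FlowStatus.DONE)
             )
             return res
@@ -110,7 +114,6 @@ class AuthDB(BaseSQLDB):
         self,
         client_id: str,
         scope: str,
-        audience: str,
     ) -> tuple[str, str]:
         # Because the user_code might be short, there is a risk of conflicts
         # This is why we retry multiple times
@@ -119,14 +122,16 @@ class AuthDB(BaseSQLDB):
                 secrets.choice(USER_CODE_ALPHABET)
                 for _ in range(DeviceFlows.user_code.type.length)  # type: ignore
             )
-            # user_code = "2QRKPY"
             device_code = secrets.token_urlsafe()
+
+            # Hash the the device_code to avoid leaking information
+            hashed_device_code = hashlib.sha256(device_code.encode()).hexdigest()
+
             stmt = insert(DeviceFlows).values(
                 client_id=client_id,
                 scope=scope,
-                audience=audience,
                 user_code=user_code,
-                device_code=
+                device_code=hashed_device_code,
             )
             try:
                 await self.conn.execute(stmt)
@@ -143,7 +148,6 @@ class AuthDB(BaseSQLDB):
         self,
         client_id: str,
         scope: str,
-        audience: str,
         code_challenge: str,
         code_challenge_method: str,
         redirect_uri: str,
@@ -154,7 +158,6 @@ class AuthDB(BaseSQLDB):
             uuid=uuid,
             client_id=client_id,
             scope=scope,
-            audience=audience,
             code_challenge=code_challenge,
             code_challenge_method=code_challenge_method,
             redirect_uri=redirect_uri,
@@ -172,7 +175,10 @@ class AuthDB(BaseSQLDB):
         :raises: AuthorizationError if no such uuid or status not pending
         """
 
+        # Hash the code to avoid leaking information
         code = secrets.token_urlsafe()
+        hashed_code = hashlib.sha256(code.encode()).hexdigest()
+
         stmt = update(AuthorizationFlows)
 
         stmt = stmt.where(
@@ -181,7 +187,7 @@ class AuthDB(BaseSQLDB):
             AuthorizationFlows.creation_time > substract_date(seconds=max_validity),
         )
 
-        stmt = stmt.values(id_token=id_token, code=
+        stmt = stmt.values(id_token=id_token, code=hashed_code, status=FlowStatus.READY)
         res = await self.conn.execute(stmt)
 
         if res.rowcount != 1:
@@ -190,15 +196,16 @@ class AuthDB(BaseSQLDB):
         stmt = select(AuthorizationFlows.code, AuthorizationFlows.redirect_uri)
         stmt = stmt.where(AuthorizationFlows.uuid == uuid)
         row = (await self.conn.execute(stmt)).one()
-        return
+        return code, row.redirect_uri
 
     async def get_authorization_flow(self, code: str, max_validity: int):
+        hashed_code = hashlib.sha256(code.encode()).hexdigest()
         # The with_for_update
         # prevents that the token is retrieved
         # multiple time concurrently
         stmt = select(AuthorizationFlows).with_for_update()
         stmt = stmt.where(
-            AuthorizationFlows.code ==
+            AuthorizationFlows.code == hashed_code,
             AuthorizationFlows.creation_time > substract_date(seconds=max_validity),
         )
 
@@ -208,7 +215,7 @@ class AuthDB(BaseSQLDB):
             # Update the status to Done before returning
             await self.conn.execute(
                 update(AuthorizationFlows)
-                .where(AuthorizationFlows.code ==
+                .where(AuthorizationFlows.code == hashed_code)
                 .values(status=FlowStatus.DONE)
             )
 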
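Review bot: The SHA-256 digest is spelled out inline at every use (twice in the device-flow lookup and status update, once at insert, and again for the authorization code), so the write path and the lookup path can drift apart and valid codes would then stop matching. One private helper such as `def _hash_code(code: str) -> str: return hashlib.sha256(code.encode()).hexdigest()` would give both sides a single definition. An unsalted, fast hash is acceptable here only because both codes come from `secrets.token_urlsafe()`; the new comments should say so and fix the "the the" typo, e.g. `# Store only the SHA-256 digest; the code is high-entropy, so a DB read does not reveal a usable value`. In the id-token hunk the comment sits above `code = secrets.token_urlsafe()` instead of the `hashed_code` line, and the later `select(AuthorizationFlows.code, ...)` still fetches the stored digest although only `row.redirect_uri` is used. Rows written by the previous release hold plaintext codes and presumably stop matching after the upgrade, so confirm that losing in-flight flows is acceptable.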
    
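--- a/diracx/db/sql/auth/schema.py
+++ b/diracx/db/sql/auth/schema.py
@@ -45,8 +45,7 @@ class DeviceFlows(Base):
     creation_time = DateNowColumn()
     client_id = Column(String(255))
     scope = Column(String(1024))
-    
-    device_code = Column(String(128), unique=True)  # hash it ?
+    device_code = Column(String(128), unique=True)  # Should be a hash
     id_token = NullColumn(JSON())
 
 
@@ -57,11 +56,10 @@ class AuthorizationFlows(Base):
     client_id = Column(String(255))
     creation_time = DateNowColumn()
     scope = Column(String(1024))
-    audience = Column(String(255))
     code_challenge = Column(String(255))
     code_challenge_method = Column(String(8))
     redirect_uri = Column(String(255))
-    code = NullColumn(String(255))  #
+    code = NullColumn(String(255))  # Should be a hash
     id_token = NullColumn(JSON())
 
 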
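Review bot: The comment `# Should be a hash` on `device_code` and `code` reads as a wish rather than a contract, and it names neither the algorithm nor where it is enforced. Something like `# SHA-256 hex digest (64 chars) of the code; the plaintext is never stored` would tell a reader what the column holds and that the existing `String(128)` / `String(255)` widths are sufficient. The `audience` column is dropped from AuthorizationFlows and no migration is visible in this diff, so deployments with an existing table presumably need a schema change; confirm how that is handled.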
| @@ -4,12 +4,12 @@ diracx/db/exceptions.py,sha256=-LSkEwsvjwU7vXqx-xeLvLKInTRAhjwB7K_AKfQcIH8,41 | |
| 4 4 | 
             
            diracx/db/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
         | 
| 5 5 | 
             
            diracx/db/os/__init__.py,sha256=IZr6z6SefrRvuC8sTC4RmB3_wwOyEt1GzpDuwSMH8O4,112
         | 
| 6 6 | 
             
            diracx/db/os/job_parameters.py,sha256=Knca19uT2G-5FI7MOFlaOAXeHn4ecPVLIH30TiwhaTw,858
         | 
| 7 | 
            -
            diracx/db/os/utils.py,sha256= | 
| 7 | 
            +
            diracx/db/os/utils.py,sha256=mau0_2uRi-I3geefmKQRWFKo4JcIkIUADvnwBiQX700,9129
         | 
| 8 8 | 
             
            diracx/db/sql/__init__.py,sha256=R6tk5lo1EHbt8joGDesesYHcc1swIq9T4AaSixhh7lA,252
         | 
| 9 9 | 
             
            diracx/db/sql/utils.py,sha256=BuXjIuXN-_v8YkCoMoMhw2tHVUqG6lTBx-e4VEYWE8o,7857
         | 
| 10 10 | 
             
            diracx/db/sql/auth/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
         | 
| 11 | 
            -
            diracx/db/sql/auth/db.py,sha256= | 
| 12 | 
            -
            diracx/db/sql/auth/schema.py,sha256= | 
| 11 | 
            +
            diracx/db/sql/auth/db.py,sha256=mKjy5B8orw0yu6nOwxyzbBqyeE-J9iYq6fKjuELmr9g,10273
         | 
| 12 | 
            +
            diracx/db/sql/auth/schema.py,sha256=JCkSa2IRzqMHTpaSc9aB9h33XsFyEM_Ohsenex6xagY,2835
         | 
| 13 13 | 
             
            diracx/db/sql/dummy/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
         | 
| 14 14 | 
             
            diracx/db/sql/dummy/db.py,sha256=5PIPv6aKY7CGIwmvnGKowjVr9ZQWpbjFSd2PIX7YOUw,1627
         | 
| 15 15 | 
             
            diracx/db/sql/dummy/schema.py,sha256=uEkGDNVZbmJecytkHY1CO-M1MiKxe5w1_h0joJMPC9E,680
         | 
| @@ -20,8 +20,8 @@ diracx/db/sql/jobs/status_utility.py,sha256=0kAt623nh1O5wgsgktctdCmHEynO1nU0vn-7 | |
| 20 20 | 
             
            diracx/db/sql/sandbox_metadata/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
         | 
| 21 21 | 
             
            diracx/db/sql/sandbox_metadata/db.py,sha256=HjlbnsT4cRMuFAcTL_sK3IqCehA7zISzR_d7xIGZoNk,3498
         | 
| 22 22 | 
             
            diracx/db/sql/sandbox_metadata/schema.py,sha256=rngYYkJxBhjETBHGLD1CTipDGe44mRYR0wdaFoAJwp0,1400
         | 
| 23 | 
            -
            diracx_db-0.0. | 
| 24 | 
            -
            diracx_db-0.0. | 
| 25 | 
            -
            diracx_db-0.0. | 
| 26 | 
            -
            diracx_db-0.0. | 
| 27 | 
            -
            diracx_db-0.0. | 
| 23 | 
            +
            diracx_db-0.0.1a12.dist-info/METADATA,sha256=zVDM2BmbmonHESmP5ICvCqVWgp29TKYABvH7oqfWXSo,681
         | 
| 24 | 
            +
            diracx_db-0.0.1a12.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
         | 
| 25 | 
            +
            diracx_db-0.0.1a12.dist-info/entry_points.txt,sha256=xEFGu_zgmPgQPlUeFtdahQfQIboJ1ugFOK8eMio9gtw,271
         | 
| 26 | 
            +
            diracx_db-0.0.1a12.dist-info/top_level.txt,sha256=vJx10tdRlBX3rF2Psgk5jlwVGZNcL3m_7iQWwgPXt-U,7
         | 
| 27 | 
            +
            diracx_db-0.0.1a12.dist-info/RECORD,,
         | 
| 
            File without changes
         | 
| 
            File without changes
         |