diracx-db 0.0.1a10__tar.gz → 0.0.1a12__tar.gz

{diracx-db-0.0.1a10 → diracx-db-0.0.1a12}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: diracx-db
-Version: 0.0.1a10
+Version: 0.0.1a12
 Summary: TODO
 License: GPL-3.0-only
 Classifier: Intended Audience :: Science/Research

{diracx-db-0.0.1a10 → diracx-db-0.0.1a12}/src/diracx/db/os/utils.py

@@ -34,8 +34,7 @@ class BaseOSDB(metaclass=ABCMeta):
     index_prefix: str
 
     @abstractmethod
-    def index_name(self, doc_id: int) -> str:
-        ...
+    def index_name(self, doc_id: int) -> str: ...
 
     def __init__(self, connection_kwargs: dict[str, Any]) -> None:
         self._client: AsyncOpenSearch | None = None

{diracx-db-0.0.1a10 → diracx-db-0.0.1a12}/src/diracx/db/sql/auth/db.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import hashlib
 import secrets
 from datetime import datetime
 from uuid import uuid4
@@ -63,7 +64,7 @@ class AuthDB(BaseSQLDB):
             ),
         ).with_for_update()
         stmt = stmt.where(
-            DeviceFlows.device_code == device_code,
+            DeviceFlows.device_code == hashlib.sha256(device_code.encode()).hexdigest(),
         )
         res = dict((await self.conn.execute(stmt)).one()._mapping)
 
@@ -74,7 +75,10 @@ class AuthDB(BaseSQLDB):
             # Update the status to Done before returning
             await self.conn.execute(
                 update(DeviceFlows)
-                .where(DeviceFlows.device_code == device_code)
+                .where(
+                    DeviceFlows.device_code
+                    == hashlib.sha256(device_code.encode()).hexdigest()
+                )
                 .values(status=FlowStatus.DONE)
             )
             return res
@@ -110,7 +114,6 @@ class AuthDB(BaseSQLDB):
         self,
         client_id: str,
         scope: str,
-        audience: str,
     ) -> tuple[str, str]:
         # Because the user_code might be short, there is a risk of conflicts
         # This is why we retry multiple times
@@ -119,14 +122,16 @@ class AuthDB(BaseSQLDB):
                 secrets.choice(USER_CODE_ALPHABET)
                 for _ in range(DeviceFlows.user_code.type.length)  # type: ignore
             )
-            # user_code = "2QRKPY"
             device_code = secrets.token_urlsafe()
+
+            # Hash the the device_code to avoid leaking information
+            hashed_device_code = hashlib.sha256(device_code.encode()).hexdigest()
+
             stmt = insert(DeviceFlows).values(
                 client_id=client_id,
                 scope=scope,
-                audience=audience,
                 user_code=user_code,
-                device_code=device_code,
+                device_code=hashed_device_code,
             )
             try:
                 await self.conn.execute(stmt)
@@ -143,7 +148,6 @@ class AuthDB(BaseSQLDB):
         self,
         client_id: str,
         scope: str,
-        audience: str,
         code_challenge: str,
         code_challenge_method: str,
         redirect_uri: str,
@@ -154,7 +158,6 @@ class AuthDB(BaseSQLDB):
             uuid=uuid,
             client_id=client_id,
             scope=scope,
-            audience=audience,
             code_challenge=code_challenge,
             code_challenge_method=code_challenge_method,
             redirect_uri=redirect_uri,
@@ -172,7 +175,10 @@ class AuthDB(BaseSQLDB):
         :raises: AuthorizationError if no such uuid or status not pending
         """
 
+        # Hash the code to avoid leaking information
         code = secrets.token_urlsafe()
+        hashed_code = hashlib.sha256(code.encode()).hexdigest()
+
         stmt = update(AuthorizationFlows)
 
         stmt = stmt.where(
@@ -181,7 +187,7 @@ class AuthDB(BaseSQLDB):
             AuthorizationFlows.creation_time > substract_date(seconds=max_validity),
         )
 
-        stmt = stmt.values(id_token=id_token, code=code, status=FlowStatus.READY)
+        stmt = stmt.values(id_token=id_token, code=hashed_code, status=FlowStatus.READY)
         res = await self.conn.execute(stmt)
 
         if res.rowcount != 1:
@@ -190,15 +196,16 @@ class AuthDB(BaseSQLDB):
         stmt = select(AuthorizationFlows.code, AuthorizationFlows.redirect_uri)
         stmt = stmt.where(AuthorizationFlows.uuid == uuid)
         row = (await self.conn.execute(stmt)).one()
-        return row.code, row.redirect_uri
+        return code, row.redirect_uri
 
     async def get_authorization_flow(self, code: str, max_validity: int):
+        hashed_code = hashlib.sha256(code.encode()).hexdigest()
         # The with_for_update
         # prevents that the token is retrieved
         # multiple time concurrently
         stmt = select(AuthorizationFlows).with_for_update()
         stmt = stmt.where(
-            AuthorizationFlows.code == code,
+            AuthorizationFlows.code == hashed_code,
             AuthorizationFlows.creation_time > substract_date(seconds=max_validity),
         )
 
@@ -208,7 +215,7 @@ class AuthDB(BaseSQLDB):
             # Update the status to Done before returning
             await self.conn.execute(
                 update(AuthorizationFlows)
-                .where(AuthorizationFlows.code == code)
+                .where(AuthorizationFlows.code == hashed_code)
                 .values(status=FlowStatus.DONE)
             )
 

{diracx-db-0.0.1a10 → diracx-db-0.0.1a12}/src/diracx/db/sql/auth/schema.py

@@ -45,8 +45,7 @@ class DeviceFlows(Base):
     creation_time = DateNowColumn()
     client_id = Column(String(255))
     scope = Column(String(1024))
-    audience = Column(String(255))
-    device_code = Column(String(128), unique=True)  # hash it ?
+    device_code = Column(String(128), unique=True)  # Should be a hash
     id_token = NullColumn(JSON())
 
 
@@ -57,11 +56,10 @@ class AuthorizationFlows(Base):
     client_id = Column(String(255))
     creation_time = DateNowColumn()
     scope = Column(String(1024))
-    audience = Column(String(255))
     code_challenge = Column(String(255))
     code_challenge_method = Column(String(8))
     redirect_uri = Column(String(255))
-    code = NullColumn(String(255))  # hash it ?
+    code = NullColumn(String(255))  # Should be a hash
     id_token = NullColumn(JSON())
 
 

{diracx-db-0.0.1a10 → diracx-db-0.0.1a12}/src/diracx_db.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: diracx-db
-Version: 0.0.1a10
+Version: 0.0.1a12
 Summary: TODO
 License: GPL-3.0-only
 Classifier: Intended Audience :: Science/Research

{diracx-db-0.0.1a10 → diracx-db-0.0.1a12}/tests/auth/test_authorization_flow.py

@@ -23,7 +23,7 @@ async def test_insert_id_token(auth_db: AuthDB):
     # First insert
     async with auth_db as auth_db:
         uuid = await auth_db.insert_authorization_flow(
-            "client_id", "scope", "audience", "code_challenge", "S256", "redirect_uri"
+            "client_id", "scope", "code_challenge", "S256", "redirect_uri"
         )
 
     id_token = {"sub": "myIdToken"}
@@ -68,12 +68,11 @@ async def test_insert(auth_db: AuthDB):
     # First insert
     async with auth_db as auth_db:
         uuid1 = await auth_db.insert_authorization_flow(
-            "client_id", "scope", "audience", "code_challenge", "S256", "redirect_uri"
+            "client_id", "scope", "code_challenge", "S256", "redirect_uri"
         )
         uuid2 = await auth_db.insert_authorization_flow(
             "client_id2",
             "scope2",
-            "audience2",
             "code_challenge2",
             "S256",
             "redirect_uri2",

{diracx-db-0.0.1a10 → diracx-db-0.0.1a12}/tests/auth/test_device_flow.py

@@ -28,20 +28,22 @@ async def test_device_user_code_collision(auth_db: AuthDB, monkeypatch):
     # First insert should work
     async with auth_db as auth_db:
         code, device = await auth_db.insert_device_flow(
-            "client_id", "scope", "audience"
+            "client_id",
+            "scope",
         )
         assert code == "A" * USER_CODE_LENGTH
         assert device
 
     async with auth_db as auth_db:
         with pytest.raises(NotImplementedError, match="insert new device flow"):
-            await auth_db.insert_device_flow("client_id", "scope", "audience")
+            await auth_db.insert_device_flow("client_id", "scope")
 
     monkeypatch.setattr(secrets, "choice", lambda _: "B")
 
     async with auth_db as auth_db:
         code, device = await auth_db.insert_device_flow(
-            "client_id", "scope", "audience"
+            "client_id",
+            "scope",
         )
         assert code == "B" * USER_CODE_LENGTH
         assert device
@@ -59,10 +61,12 @@ async def test_device_flow_lookup(auth_db: AuthDB, monkeypatch):
     # First insert
     async with auth_db as auth_db:
         user_code1, device_code1 = await auth_db.insert_device_flow(
-            "client_id1", "scope1", "audience1"
+            "client_id1",
+            "scope1",
         )
         user_code2, device_code2 = await auth_db.insert_device_flow(
-            "client_id2", "scope2", "audience2"
+            "client_id2",
+            "scope2",
         )
 
         assert user_code1 != user_code2
@@ -123,7 +127,8 @@ async def test_device_flow_insert_id_token(auth_db: AuthDB):
     # First insert
     async with auth_db as auth_db:
         user_code, device_code = await auth_db.insert_device_flow(
-            "client_id", "scope", "audience"
+            "client_id",
+            "scope",
         )
 
     # Make sure it exists, and is Pending