Feat/id token projects #684
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This PR contains code that is not formatted correctly according to Expand the full diff to see formatting changes--- fence/jwt/token.py
+++ blackened
@@ -374,33 +374,33 @@
},
"azp": client_id or "",
}
if include_project_access:
- # NOTE: "THIS IS A TERRIBLE STOP-GAP SOLUTION SO THAT USERS WITH
- # MINIMAL ACCESS CAN STILL USE LATEST VERSION OF FENCE
- # WITH VERSIONS OF PEREGRINE/SHEEPDOG THAT DO NOT CURENTLY
- # SUPPORT AUTHORIZATION CHECKS AGAINST ARBORIST (AND INSTEAD
- # RELY ON THE PROJECTS IN THE TOKEN). If the token is too large
- # everything breaks. I'm sorry" --See PXP-3717
- if len(dict(user.project_access)) < config["TOKEN_PROJECTS_CUTOFF"]:
- claims["context"]["user"]["projects"] = dict(user.project_access)
- else:
- # truncate to configured number of projects in token
- projects = dict(user.project_access)
- for key in list(projects)[config["TOKEN_PROJECTS_CUTOFF"]:]:
- del projects[key]
- claims["context"]["user"]["projects"] = projects
- logger.warning(
- "NOT including project_access = {} in claims for user {} because there are too many projects for the token\n".format(
- {
- k: dict(user.project_access)[k]
- for k in set(dict(user.project_access)) - set(projects)
- },
- user.username,
- )
- )
+ # NOTE: "THIS IS A TERRIBLE STOP-GAP SOLUTION SO THAT USERS WITH
+ # MINIMAL ACCESS CAN STILL USE LATEST VERSION OF FENCE
+ # WITH VERSIONS OF PEREGRINE/SHEEPDOG THAT DO NOT CURENTLY
+ # SUPPORT AUTHORIZATION CHECKS AGAINST ARBORIST (AND INSTEAD
+ # RELY ON THE PROJECTS IN THE TOKEN). If the token is too large
+ # everything breaks. I'm sorry" --See PXP-3717
+ if len(dict(user.project_access)) < config["TOKEN_PROJECTS_CUTOFF"]:
+ claims["context"]["user"]["projects"] = dict(user.project_access)
+ else:
+ # truncate to configured number of projects in token
+ projects = dict(user.project_access)
+ for key in list(projects)[config["TOKEN_PROJECTS_CUTOFF"] :]:
+ del projects[key]
+ claims["context"]["user"]["projects"] = projects
+ logger.warning(
+ "NOT including project_access = {} in claims for user {} because there are too many projects for the token\n".format(
+ {
+ k: dict(user.project_access)[k]
+ for k in set(dict(user.project_access)) - set(projects)
+ },
+ user.username,
+ )
+ )
# only add google linkage information if provided
if linked_google_email:
claims["context"]["user"]["google"][
"linked_google_account"This formatting comment was generated automatically by a script in uc-cdis/wool. |
Pull Request Test Coverage Report for Build 7616
💛 - Coveralls |
…oken for implicit flow
Co-Authored-By: Pauline Ribeyre <ribeyre@uchicago.edu>
Co-Authored-By: Pauline Ribeyre <ribeyre@uchicago.edu>
paulineribeyre
approved these changes
Aug 27, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New Features
Breaking Changes
Bug Fixes
Improvements
Dependency updates
Deployment changes