lp:~roadmr/canonical-identity-provider

Author: Daniel Manrique
Author Date: 2022-07-12 00:23:45 UTC

u2f devices are two-factor devices too

Author: Daniel Manrique
Author Date: 2023-02-15 22:05:34 UTC

Excise mentions of focal from readme and ols-vms.conf

Author: Daniel Manrique
Author Date: 2023-02-14 22:50:50 UTC

Replace implicit mock object creation with explicit

Create MagicMock and pass to patch as explicit replacement
for the mocked object. This works around test failure that happens
with Python 3.8 and cache objects for some reason.

The behavior as described above matches what not passing the
MagicMock explicitly does (i.e. I'm reimplementing default behavior),
but bypasses a section of the code in Python 3.8 which was erroring out:

======================================================================
FAIL: api.v20.tests.test_handlers.AnonymousAccountRegistrationHandlerTestCase.test_throttle_only_by_ip
----------------------------------------------------------------------
Traceback (most recent call last):
  File "src/api/v20/tests/test_handlers.py", line 707, in test_throttle_only_by_ip
    with patch('piston.utils.cache') as mock_cache:
  File "/usr/lib/python3.8/unittest/mock.py", line 1416, in __enter__
    if spec is None and _is_async_obj(original):
  File "/usr/lib/python3.8/unittest/mock.py", line 53, in _is_async_obj
    return asyncio.iscoroutinefunction(obj) or inspect.isawaitable(obj)
  File "/usr/lib/python3.8/inspect.py", line 234, in isawaitable
    isinstance(object, collections.abc.Awaitable))
  File "/usr/lib/python3.8/abc.py", line 98, in __instancecheck__
    return _abc_instancecheck(cls, instance)
  File "/usr/lib/python3.8/abc.py", line 102, in __subclasscheck__
    return _abc_subclasscheck(cls, subclass)
TypeError: issubclass() arg 1 must be a class

Author: Daniel Manrique
Author Date: 2023-02-13 22:52:36 UTC

Refactor a couple of SAML tests

Ordering-related failures were spotted on Python 3.8.
The changes here are not 3.8-dependent but make the tests more robust.

I only refactored the ones having this problem because it does
make them lengthier; the rest of the tests where I can get away
with just checking for final, rendered XML were left as-is.

Author: Daniel Manrique
Author Date: 2023-02-10 22:23:20 UTC

Rename ambiguous variable (flake8 E741)

Author: John Paraskevopoulos
Author Date: 2022-10-07 14:48:11 UTC

Fix ssh key without comments formatting

Merged from https://code.launchpad.net/~quantifics/canonical-identity-provider/+git/canonical-identity-provider/+merge/431197

Author: Daniel Manrique
Author Date: 2022-09-12 16:42:27 UTC

unhappiness

Author: Daniel Manrique
Author Date: 2022-06-02 13:46:11 UTC

"Bad bot" honeypot response page: provide a better explanation.

In practice humans who have this problem end up filing Launchpad bugs
where we give them this exact response, so the presence of the honeypot
field is not really secret in any way. There's probably no downside to
explaining this right in the page. Humans who get misidentified will see
this and have a chance to get themselves out of trouble.

Author: Daniel Manrique
Author Date: 2022-02-22 18:03:19 UTC

Implement/test max password length at the HTML form level

Author: Daniel Manrique
Author Date: 2021-10-13 21:31:18 UTC

JSON-encode parameters to Launchpad's API.

lazr.restfulclient has slightly weird parameter encoding rules, but
basically, parameter values other than ws.op, binary parameters, and
option (enumeration) values are meant to be JSON-encoded. Unfortunately
lazr.restful is quite permissive about this so it's easy to get things
wrong and not notice.

Concretely, a username of "null" will be passed in such a way that
lazr.restful deserializes it as a literal null, causing a "name:
Required input is missing." response which confuses SSO.

Author: Daniel Manrique
Author Date: 2021-08-09 17:05:30 UTC

Add webui tests for NO_PASSWORD_RESET_EMAIL_IF_NONEXISTENT behavior

Author: Daniel Manrique
Author Date: 2021-06-22 16:56:02 UTC

Added a couple of new tests for teams_list

Author: Daniel Manrique
Author Date: 2021-06-18 21:48:01 UTC

Process {{teams}} SAML attribute substitution

{{teams}} will be replaced with a SAML multi-value attribute
containing the names of all teams of which the user is a member,
as long as they are also listed in the SAMLConfig's
exposable_teams setting.

It's effectively the intersection of the user's set of teams
and the exposable_teams for the SAMLConfig.

Author: Daniel Manrique
Author Date: 2020-10-27 20:48:47 UTC

separate title from content

Author: Daniel Manrique
Author Date: 2020-09-04 21:29:26 UTC

Properly reset the thread's translation context to avoid a test depen-fail - this tine in test_views_i18n

Author: Daniel Manrique
Author Date: 2020-09-04 19:56:35 UTC

Properly reset the thread's translation context to avoid a test depen-fail

Author: Daniel Manrique
Author Date: 2020-08-19 16:49:05 UTC

No randint in models.twofactor anymore

Author: Daniel Manrique
Author Date: 2020-08-03 20:40:14 UTC

Update sha512 test and key/cert files so it works

Author: Daniel Manrique
Author Date: 2020-07-28 20:36:31 UTC

Test that the proper signing/digest algorithm is used throughout SAML assertion

Author: Daniel Manrique
Author Date: 2020-07-27 15:45:49 UTC

Make backup device-related timestamps admin-editable.

Author: Daniel Manrique
Author Date: 2020-07-24 20:20:44 UTC

Processors: actually pass signing_algorithm where needed

Author: Daniel Manrique
Author Date: 2020-07-20 16:42:56 UTC

flip order dsa/rsa

Author: Daniel Manrique
Author Date: 2020-07-15 21:11:49 UTC

cols

Author: Daniel Manrique
Author Date: 2020-07-07 15:50:38 UTC

Review comments

Author: Daniel Manrique
Author Date: 2020-07-06 20:24:06 UTC

Visual tweaks to username format instructions.

* move instructions below the field
* fix css, nesting and styling
* simplify length instructions

Author: Daniel Manrique
Author Date: 2020-07-06 13:38:04 UTC

periods at end of sentences.

Author: Daniel Manrique
Author Date: 2020-06-18 21:16:25 UTC

Update last_nag only for codes from paper device

Author: Daniel Manrique
Author Date: 2020-06-18 20:16:44 UTC

Faily test for json encoding.

    return self.render(request, token=token, rpconfig=rpconfig, form=form)
  File "/src/canonical-identity-provider/sso-git/src/webui/views/ui.py", line 128, in render
    context = self.get_context(request, **kwargs)
  File "/src/canonical-identity-provider/sso-git/src/webui/views/ui.py", line 286, in get_context
    if gargoyle.is_active('TWOFACTOR_BACKUP_NAG', request):
  File "/src/canonical-identity-provider/sso-git/env/local/lib/python2.7/site-packages/gargoyle/testutils.py", line 125, in wrapped
    return is_active_func(key, *args, **kwargs)
  File "/src/canonical-identity-provider/sso-git/env/local/lib/python2.7/site-packages/gargoyle/manager.py", line 89, in is_active
    result = switch.has_active_condition(conditions, instances)
  File "/src/canonical-identity-provider/sso-git/env/local/lib/python2.7/site-packages/gargoyle/conditions.py", line 293, in has_active_condition
    result = self.is_active(instance, conditions)
  File "/src/canonical-identity-provider/sso-git/env/local/lib/python2.7/site-packages/gargoyle/conditions.py", line 307, in is_active
    field_conditions = conditions.get(self.get_namespace(), {}).get(name)
AttributeError: 'unicode' object has no attribute 'get'

THis is apparently because something is fucked in JSONField and it's
returning the data as the verbatim string and not the expected de-jsoned
thing (i.e. it's not running the json payload by json.loads())

Author: Daniel Manrique
Author Date: 2020-06-18 14:57:27 UTC

Revert "Update gargoyle-yplan to 1.5.0"

This reverts commit d8bff9ed50ca966e5631eb96abadcc1acb71e163.

Note this reverts only the actual requirements.txt updates, not the
fixed test (since the fixed version still works and should be more
robust)

Author: Daniel Manrique
Author Date: 2020-06-18 10:37:59 UTC

Fix assertable value scoping

Author: Daniel Manrique
Author Date: 2020-06-17 19:02:14 UTC

Use a notification-style box for 2fa nag 'did you know'

Author: Daniel Manrique
Author Date: 2020-06-10 21:17:45 UTC

Test tweaks and complete test for redirect_with_next and correct code. Some todos remain.

Author: Daniel Manrique
Author Date: 2020-06-02 16:18:59 UTC

Ensure makefile works with git worktree checkouts.

The way we determined if the SSO checkout was git-hosted was by
checking directoryness of .git, but if the checkout was produced
using git worktree, .git is a file. The proposed solution uses git
itself to determine if the repo is a valid one and should be more
resilient.

Author: Daniel Manrique
Author Date: 2020-06-01 20:09:32 UTC

Ignore version-info.txt

Author: Daniel Manrique
Author Date: 2020-05-22 13:04:56 UTC

Update lost device message with current contact info

Author: Daniel Manrique
Author Date: 2020-05-21 21:31:02 UTC

Emit metrics when 2fa devices are added.

The metric includes the device type (automatically-added backup devices
have the fake "paper_auto" type) and subtype (for OATH devices which
can be TOTP or HOTP)

Author: Daniel Manrique
Author Date: 2020-05-21 13:15:31 UTC

Add flows.2fa metric.

It can have success, error, or requested.

Note a failed 2fa check also emits a flows.login.error metric.

Author: Daniel Manrique
Author Date: 2020-05-08 20:09:55 UTC

test tweaks

Author: Daniel Manrique
Author Date: 2020-04-21 15:44:17 UTC

fixed header name

Author: Daniel Manrique
Author Date: 2020-04-20 15:35:58 UTC

Bad punctuation