Upgrade django-oauth-toolkit 1.7.1 to 3.3.0 #375
Closed
blaipr wants to merge 2 commits into
…wed versions
- twisted 26.4.0rc2 -> 26.4.0 (rc promoted to stable, CVE-2026-42304 line unchanged)
- kubernetes 29.0.0 -> 36.0.2 (new transitive dep durationpy added; google-auth and rsa are no longer required and drop out of the lockfile)
- pyyaml 6.0.1 -> 6.0.3 (required by kubernetes 36.0.2)
- Cython 0.29.37 -> 3.2.5 (the <3 cap predated pyyaml 6.0.1 fixing Cython 3 source builds; comment updated)
- django 5.2.14 -> 5.2.15 (latest 5.2 patch; <6.0 cap kept and annotated: django-ansible-base requires Django<6.0 and djangorestframework<3.16)
- licenses/: add durationpy, remove google-auth and rsa (keeps test_licenses green)
Removes the long-standing <2.0.0 cap. Migration 0198 brings the swapped OAuth2 models up to date with the new abstract models:
- OAuth2AccessToken gains token_checksum, added in three stages exactly like django-oauth-toolkit's own 0012 migration (nullable column, data migration computing checksums for existing tokens, then unique+indexed) so existing tokens keep working; token becomes a TextField.
- OAuth2Application gains post_logout_redirect_uris, allowed_origins and hash_client_secret. hash_client_secret defaults to False on our model: AWX stores client secrets encrypted (reversible) via OAuth2ClientSecretField rather than hashed, and django-oauth-toolkit's validator falls back to a constant-time comparison for non-hashed secrets, so existing client credentials continue to authenticate unchanged.
The stale django-oauth-toolkit UPGRADE BLOCKER note in requirements/README.md is updated to describe the new state.
Closing for now — will resubmit after #374 merges, so the PRs can be reviewed and merged one at a time.
SUMMARY
Removes the long-standing `django-oauth-toolkit<2.0.0` cap ("breaking changes that will need to be worked out") and upgrades to 3.3.0, working out those changes:

- Migration `0198` brings the swapped models up to date with the new abstract models.
- `OAuth2AccessToken.token_checksum` is added in three stages exactly like django-oauth-toolkit's own `0012_add_token_checksum` migration (nullable column → data migration computing checksums for existing tokens → unique + indexed), so existing access tokens keep working. `token` becomes a `TextField`.
- `OAuth2Application` gains `post_logout_redirect_uris`, `allowed_origins` and `hash_client_secret`. `hash_client_secret` defaults to `False` on our model. AWX stores client secrets encrypted (reversible) via `OAuth2ClientSecretField`, not hashed. django-oauth-toolkit's `_check_secret()` falls back to constant-time comparison for non-hashed secrets, so existing application client credentials continue to authenticate unchanged, and new secrets keep AWX's encrypted storage (DOT's hashing field is fully overridden by ours).
- `requirements/README.md` (which suggested "may be fixable by creating a migration on our end?") is updated — that is what this PR does.
- `oauthlib` 3.2.2 → 3.3.1 comes along as DOT 3.3's requirement.

Stacked on #374 — merge that first; this branch contains its commit.
ISSUE TYPE
COMPONENT NAME
ASCENDER VERSION
ADDITIONAL INFORMATION
- `awx-manage migrate` applied cleanly to a populated dev database (including DOT's own packaged 0006–0014 migrations for the non-swapped RefreshToken/IDToken models).
- `TransactionTestCase` classes commit real rows to the per-worker SQLite DB, and Django's whole-DB FK `check_constraints()` at every rollback-test teardown can trip over the leaked state (victim test varies with xdist scheduling: `test_update_model::test_normal_get`, `test_secret_key_regeneration::test_job_start_args`, `test_survey_spec` password tests). Reproduced on unmodified main with unmodified dependency pins; all victims pass in isolation.
- `make dbchange`).
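Added illustration, not the PR's migration 0198 and not django-oauth-toolkit or AWX code: the two mechanisms the summary leans on, the three-stage `token_checksum` addition (nullable column, backfill, then unique + indexed) and the constant-time fallback for a client secret that is stored reversibly rather than hashed, replayed with `sqlite3` and the standard library in place of Django migrations so it runs offline. The table, column and function names, the constructed sample tokens and the `sha256$<hex>` stand-in for a password-hasher string are this example's assumptions; the checksum itself is a sha256 hex digest of the token, which is what DOT stores.

```python
"""Added example: three-stage token_checksum migration and non-hashed
client-secret comparison, modelled with sqlite3 instead of Django.
Names here are the example's own, not AWX's or django-oauth-toolkit's."""
import hashlib
import hmac
import sqlite3
from typing import Optional

# Constructed sample data standing in for access tokens that already
# exist in the database before the upgrade runs.
EXISTING_TOKENS = [
    (1, "tok-alpha-0001"),
    (2, "tok-bravo-0002"),
    (3, "tok-charlie-0003"),
]


def token_checksum(token: str) -> str:
    """Fixed-width sha256 hex digest of the bearer token. The checksum is
    what gets the unique index once the token column is an unbounded
    TextField."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def build_pre_upgrade_db() -> sqlite3.Connection:
    """Schema as it looks before the migration: no token_checksum column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_token (id INTEGER PRIMARY KEY, token TEXT NOT NULL)")
    conn.executemany("INSERT INTO access_token (id, token) VALUES (?, ?)", EXISTING_TOKENS)
    conn.commit()
    return conn


def run_three_stage_migration(conn: sqlite3.Connection) -> None:
    """Stage 1: add the column nullable so existing rows stay valid.
    Stage 2: data migration, backfill a checksum for every existing row.
    Stage 3: only now make it unique + indexed. Adding a NOT NULL UNIQUE
    column in one step would fail on a populated table."""
    with conn:
        conn.execute("ALTER TABLE access_token ADD COLUMN token_checksum TEXT NULL")
        for row_id, token in conn.execute("SELECT id, token FROM access_token").fetchall():
            conn.execute(
                "UPDATE access_token SET token_checksum = ? WHERE id = ?",
                (token_checksum(token), row_id),
            )
        conn.execute("CREATE UNIQUE INDEX ux_access_token_checksum ON access_token (token_checksum)")


def lookup_by_checksum(conn: sqlite3.Connection, presented_token: str) -> Optional[int]:
    """Post-upgrade lookup: hash the presented token and hit the indexed
    checksum column rather than comparing raw token text."""
    row = conn.execute(
        "SELECT id FROM access_token WHERE token_checksum = ?",
        (token_checksum(presented_token),),
    ).fetchone()
    return row[0] if row else None


def insert_token(conn: sqlite3.Connection, row_id: int, token: str) -> bool:
    """Post-upgrade insert; False when the unique index rejects a duplicate
    token (same token text -> same checksum)."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO access_token (id, token, token_checksum) VALUES (?, ?, ?)",
                (row_id, token, token_checksum(token)),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def check_client_secret(provided: str, stored: str, hash_client_secret: bool) -> bool:
    """Shape of the fallback the PR describes (this example's names, not
    DOT's). hash_client_secret=True: stored is a hasher string, stubbed as
    'sha256$<hex>'. hash_client_secret=False: stored is the plaintext the
    reversible field decrypts to, so compare it in constant time."""
    if hash_client_secret:
        algo, _, digest = stored.partition("$")
        if algo != "sha256":
            return False
        return hmac.compare_digest(hashlib.sha256(provided.encode("utf-8")).hexdigest(), digest)
    return hmac.compare_digest(provided.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    db = build_pre_upgrade_db()
    run_three_stage_migration(db)
    print(lookup_by_checksum(db, "tok-bravo-0002"))  # 2
    print(insert_token(db, 4, "tok-alpha-0001"))  # False: duplicate checksum
    print(check_client_secret("s3cret", "s3cret", hash_client_secret=False))  # True
```

The point of splitting stage 3 from stage 1 is visible in `run_three_stage_migration`: the unique index is only created after every pre-existing row has a checksum, which is why existing tokens keep working across the upgrade. The `hash_client_secret=False` branch is the path AWX's encrypted `OAuth2ClientSecretField` relies on; a plain `==` there would leak timing information about the secret.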