From 4822b9d81b583ff18c19b427c4c794c99f11215c Mon Sep 17 00:00:00 2001
From: Derek Schlabach
Date: Fri, 12 Jul 2024 10:16:17 -0500
Subject: [PATCH] Fixed infinitely recursing GlobusApp login
---
 ...01420_derek_globus_app_fix_infinite_login_loop.rst | 6 ++++++
 .../globus_app/_validating_token_storage.py | 11 ++++++++---
 .../globus_app/test_validating_token_storage.py | 3 ++-
 3 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 changelog.d/20240712_101420_derek_globus_app_fix_infinite_login_loop.rst
diff --git a/changelog.d/20240712_101420_derek_globus_app_fix_infinite_login_loop.rst b/changelog.d/20240712_101420_derek_globus_app_fix_infinite_login_loop.rst
new file mode 100644
index 000000000..1d122ece4
--- /dev/null
+++ b/changelog.d/20240712_101420_derek_globus_app_fix_infinite_login_loop.rst
@@ -0,0 +1,6 @@
+
+Fixed
+~~~~~
+
+- Fixed a bug where specifying dependent tokens in a new GlobusApp would cause the app
+ to infinitely prompt for log in. (:pr:`NUMBER`)
diff --git a/src/globus_sdk/experimental/globus_app/_validating_token_storage.py b/src/globus_sdk/experimental/globus_app/_validating_token_storage.py
index 4dc3305b0..2e65b34d8 100644
--- a/src/globus_sdk/experimental/globus_app/_validating_token_storage.py
+++ b/src/globus_sdk/experimental/globus_app/_validating_token_storage.py
@@ -121,7 +121,7 @@ def store_token_data_by_resource_server(
 )
 for resource_server, token_data in token_data_by_resource_server.items():
 self._validate_token_data_meets_scope_requirements(
- resource_server, token_data
+ resource_server, token_data, eval_dependent=False
 )
 self._token_storage.store_token_data_by_resource_server(
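Review bot: With `eval_dependent=False` at this call site, token data whose dependent-scope consents are unmet is now written to the underlying storage, and the consent check is left to whichever path calls the validator with its default (the updated test shows `get_token_data` raising). The call deserves a short why-comment so that nobody later restores the check and brings the login loop back, for example `# Root scopes only here; dependent consents are validated on retrieval, not on store.` It is also worth confirming that every reader goes through this validating wrapper, since code that reads `self._token_storage` directly would receive tokens never checked against the consent forest; that cannot be determined from this hunk. The body of `store_token_data_by_resource_server` starts and ends outside the hunk.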
@@ -207,7 +207,7 @@ def _validate_token_data_by_resource_server_meets_identity_requirements(
 )
 def _validate_token_data_meets_scope_requirements(
- self, resource_server: str, token_data: TokenData
+ self, resource_server: str, token_data: TokenData, eval_dependent: bool = True
 ) -> None:
 """
 Given a particular resource server/token data, evaluate whether the token +
@@ -215,6 +215,9 @@ def _validate_token_data_meets_scope_requirements(
 Note: If consent_client was omitted, only root scope requirements are validated.
+ :param resource_server: The resource server string to validate against.
+ :param token_data: The token data to validate against.
+ :param eval_dependent: Whether to evaluate dependent scope requirements.
 :raises: :exc:`UnmetScopeRequirements` if token/consent data does not meet the attached root or dependent scope requirements for the resource server.
 :returns: None if all scope requirements are met (or indeterminable).
@@ -234,7 +237,9 @@ def _validate_token_data_meets_scope_requirements(
 )
 # Short circuit - No dependent scopes; don't validate them.
- if not any(scope.dependencies for scope in required_scopes):
+ if not eval_dependent or not any(
+ scope.dependencies for scope in required_scopes
+ ):
 return
 # 2. Does the consent forest meet all dependent scope requirements?
diff --git a/tests/unit/experimental/globus_app/test_validating_token_storage.py b/tests/unit/experimental/globus_app/test_validating_token_storage.py
index 54867b3a5..5b2c13926 100644
--- a/tests/unit/experimental/globus_app/test_validating_token_storage.py
+++ b/tests/unit/experimental/globus_app/test_validating_token_storage.py
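Review bot: `eval_dependent` switches off part of a validation, yet the new signature accepts it positionally, so a call such as `(rs, data, False)` would silently skip the consent check without naming what it skips. Making it keyword-only, `self, resource_server: str, token_data: TokenData, *, eval_dependent: bool = True`, keeps the one caller visible in this patch working, since it already passes the flag by keyword. The function body continues outside this hunk.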
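Review bot: The added `:param eval_dependent:` line does not tell the caller what is lost when the flag is off. A wording such as `:param eval_dependent: If False, only root scopes are checked; unmet dependent scope requirements are not reported.` makes the weakened guarantee explicit, and the `:returns:` line could mention the skipped case alongside "indeterminable". Separately, the `:raises:` context line names `UnmetScopeRequirements` while the test in this patch expects `UnmetScopeRequirementsError`; if the class was renamed the cross-reference is stale, though the definition is not visible here.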
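Review bot: The comment above the changed condition still reads `# Short circuit - No dependent scopes; don't validate them.`, but the branch now also returns when the caller passed `eval_dependent=False`. Updating it to something like `# Short circuit - dependent validation not requested, or no dependent scopes to check.` keeps the comment truthful. Splitting the guard into `if not eval_dependent: return` followed by the original `any(...)` test would also read more clearly than the wrapped compound condition. The rest of the function, including the consent-forest check this guards, is outside the hunk.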
@@ -74,10 +74,11 @@ def test_validating_token_storage_evaluates_dependent_scope_requirements(
 consent_client=consent_client,
 )
 token_response = make_token_response(scopes={"rs1": "scope"})
+ adapter.store_token_response(token_response)
 consent_client.mocked_forest = make_consent_forest("scope[different_subscope]")
 with pytest.raises(UnmetScopeRequirementsError):
- adapter.store_token_response(token_response)
+ adapter.get_token_data("rs1")
 consent_client.mocked_forest = make_consent_forest("scope[subscope]")
 adapter.store_token_response(token_response)
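Review bot: The added `adapter.store_token_response(token_response)` runs before `consent_client.mocked_forest` is set to `scope[different_subscope]`, so the test does not show that storing succeeds while the forest fails the dependent requirement, which is the behaviour this fix introduces. The forest the mock returns before that assignment is set up outside the hunk, so this may already be covered. Moving the assignment above the store call, or adding a second store after it outside `pytest.raises`, would pin it down. An assertion that a root-scope mismatch still raises on store would also guard against the flag skipping more than intended. The test function starts and continues outside the hunk.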