identity: Remove support for manual OIDC grant type

This has been deprecated since 2.10.0 (July 2016/Newton). Time to remove it. Signed-off-by: Stephen Finucane <stephenfin@redhat.com> Change-Id: If7f52de7fe40720204da7c8712e52fdcb8b9b150
2024-09-10 11:38:46 +01:00 · 2024-09-10 11:38:46 +01:00 · c6b9ef3225
commit c6b9ef3225
parent 2a6bd4fec7
4 changed files with 11 additions and 50 deletions
--- a/keystoneauth1/exceptions/oidc.py
+++ b/keystoneauth1/exceptions/oidc.py
@ -18,7 +18,7 @@ __all__ = (
    'InvalidOidcDiscoveryDocument',
    'OidcAccessTokenEndpointNotFound',
    'OidcAuthorizationEndpointNotFound',
-    'OidcGrantTypeMissmatch',
+    'OidcInvalidCodeChallengeMethod',
    'OidcPluginNotSupported',
 )

@ -49,8 +49,8 @@ class OidcDeviceAuthorizationTimeOut(auth_plugins.AuthPluginException):
    message = "Timeout for OpenID Connect device authorization."


-class OidcGrantTypeMissmatch(auth_plugins.AuthPluginException):
-    message = "Missmatch between OpenID Connect plugin and grant_type argument"
+class OidcInvalidCodeChallengeMethod(auth_plugins.AuthPluginException):
+    message = "Invalid code challenge method."


 class OidcPluginNotSupported(auth_plugins.AuthPluginException):
--- a/keystoneauth1/identity/v3/oidc.py
+++ b/keystoneauth1/identity/v3/oidc.py
@ -17,8 +17,8 @@ import hashlib
 import logging
 import os
 import time
+import typing as ty
 from urllib import parse as urlparse
-import warnings

 from keystoneauth1 import _utils as utils
 from keystoneauth1 import access
@ -44,7 +44,7 @@ class _OidcBase(federation.FederationBaseAuth, metaclass=abc.ABCMeta):
    ``http://openid.net/specs/openid-connect-core-1_0.html``
    """

-    grant_type: str
+    grant_type: ty.ClassVar[str]

    def __init__(
        self,
@ -57,7 +57,6 @@ class _OidcBase(federation.FederationBaseAuth, metaclass=abc.ABCMeta):
        scope="openid profile",
        access_token_endpoint=None,
        discovery_endpoint=None,
-        grant_type=None,
        **kwargs,
    ):
        """The OpenID Connect plugin expects the following.
@ -115,21 +114,6 @@ class _OidcBase(federation.FederationBaseAuth, metaclass=abc.ABCMeta):
        self.access_token_type = access_token_type
        self.scope = scope

-        if grant_type is not None:
-            if grant_type != self.grant_type:
-                raise exceptions.OidcGrantTypeMissmatch()
-            warnings.warn(
-                "Passing grant_type as an argument has been "
-                "deprecated as it is now defined in the plugin "
-                "itself. You should stop passing this argument "
-                "to the plugin, as it will be ignored, since you "
-                "cannot pass a free text string as a grant_type. "
-                "This argument will be dropped from the plugin in "
-                "July 2017 or with the next major release of "
-                "keystoneauth (3.0.0)",
-                DeprecationWarning,
-            )
-
    def _get_discovery_document(self, session):
        """Get the contents of the OpenID Connect Discovery Document.

@ -686,7 +670,7 @@ class OidcDeviceAuthorization(_OidcBase):
    def _generate_pkce_challenge(self):
        """Generate PKCE challenge string as defined in RFC 7636."""
        if self.code_challenge_method not in ('plain', 'S256'):
-            raise exceptions.OidcGrantTypeMissmatch()
+            raise exceptions.OidcInvalidCodeChallengeMethod()
        self.code_verifier = self._generate_pkce_verifier()

        if self.code_challenge_method == 'plain':
--- a/keystoneauth1/tests/unit/identity/test_identity_v3_oidc.py
+++ b/keystoneauth1/tests/unit/identity/test_identity_v3_oidc.py
@ -15,7 +15,6 @@ import time
 from unittest import mock
 import urllib
 import uuid
-import warnings

 from keystoneauth1 import exceptions
 from keystoneauth1.identity.v3 import oidc
@ -55,33 +54,6 @@ class BaseOIDCTests:
        )
        self.GRANT_TYPE = None

-    def test_grant_type_and_plugin_missmatch(self):
-        self.assertRaises(
-            exceptions.OidcGrantTypeMissmatch,
-            self.plugin.__class__,
-            self.AUTH_URL,
-            self.IDENTITY_PROVIDER,
-            self.PROTOCOL,
-            client_id=self.CLIENT_ID,
-            client_secret=self.CLIENT_SECRET,
-            grant_type=uuid.uuid4().hex,
-        )
-
-    def test_can_pass_grant_type_but_warning_is_issued(self):
-        with warnings.catch_warnings(record=True) as w:
-            warnings.simplefilter("always")
-            self.plugin.__class__(
-                self.AUTH_URL,
-                self.IDENTITY_PROVIDER,
-                self.PROTOCOL,
-                client_id=self.CLIENT_ID,
-                client_secret=self.CLIENT_SECRET,
-                grant_type=self.GRANT_TYPE,
-            )
-            assert len(w) == 1
-            assert issubclass(w[-1].category, DeprecationWarning)
-            assert "grant_type" in str(w[-1].message)
-
    def test_discovery_not_found(self):
        self.requests_mock.get("http://not.found", status_code=404)

--- a/releasenotes/notes/drop-oidc-grant_type-parameter-79ca58f56238a615.yaml
+++ b/releasenotes/notes/drop-oidc-grant_type-parameter-79ca58f56238a615.yaml
@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    The OIDC plugins no longer accept a ``grant_type`` parameter. This was
+    deprecated in 2.10.0 (Newton) and has now been removed.